MQ


runmqakm password generator

  • 1.  runmqakm password generator

    Posted 7 days ago
    Would it be considered a defect that runmqakm's password generator doesn't consistently make passwords that runmqakm itself is happy with?



    Attempt 1
    >runmqakm -random -create -length 14 -strong -fips
    z#HW)j+(RAb/'c

    >runmqakm -keydb -create -db mykeystore.kdb -pw " z#HW)j+(RAb/'c" -type cms -stash -fips -strong
    /usr/bin/runmqakm: eval: line 111: unexpected EOF while looking for matching `''
    /usr/bin/runmqakm: eval: line 112: syntax error: unexpected end of file


    Attempt 2
    >runmqakm -random -create -length 14 -strong -fips
    U$uK^_Ll,vpi)c

    >runmqakm -keydb -create -db mykeystore.kdb -pw "U$uK^_Ll,vpi)c" -type cms -stash -fips -strong
    CTGSK3048W The password is weak.


    Attempt 3
    >runmqakm -random -create -length 14 -strong -fips
    hidden

    Finally! 3rd PW worked
    >runmqakm -keydb -create -db mykeystore.kdb -pw "hidden" -type cms -stash -fips -strong

    ------------------------------
    Peter Potkay
    ------------------------------


  • 2.  RE: runmqakm password generator

    Posted 7 days ago

    Hi Peter,

    that's a good question. I always considered that the function was generating random bytes, rather than actual passphrases or passwords.

    When using it to generate something I'm going to use as a passphrase, I always generate something quite large (120 bytes or so) and then filter out the characters that tend to cause problems to a shell ($\/'"@![] and a few others). Then I truncate the result down to 60 characters or so.

    There's some sample (linux shell) code for this in the Secure Messaging Scenarios using WebSphere MQ IBM Redbook publication in section 8.11. The command I used during the residency when writing the book was

    runmqakm -random -create -length 125 -strong | tr -d "'" | tr -d '\\\$\%\`\~\&\@\!\|\\[\]" ' | cut -c 2-65 > key.passwd

    These days I exclude a couple of other characters as well.

    Regards,



    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    ------------------------------



  • 3.  RE: runmqakm password generator

    Posted 6 days ago
    We will shamelessly steal your little trick to trim known problematic characters.

    We are still left with the problem of the generated value lacking certain characters. I think it did not like our second use case because it lacked a number.

    But, if we also up the length significantly (while trimming problems) the odds go up significantly that what we are left with will be something it's happy with.

    Thanks Neil!

    ------------------------------
    Peter Potkay
    ------------------------------



  • 4.  RE: runmqakm password generator

    Posted 6 days ago
    Edited by FJ Brandelik 6 days ago
    Hi Peter,
    You did not specify which OS you are using. My guess would be Linux because your attempt 2 works without a hitch in Windows and I would guess would work quite OK for you if you'd use single quotes instead of double quotes (avoid substituting $).

    We encountered the problem with MQ Appliances where giving back the generated password did not work. We ended up changing it, replacing spaces and other characters that did not work for scripting. Passing the password on the prompt to stash it seemed to work OK for us.

    Hope it helps a little

    ------------------------------
    FJ
    ------------------------------



  • 5.  RE: runmqakm password generator

    Posted 4 days ago
    FJ,
    This use case happens to be on RHEL x86-64, but I omitted the O/S in my original question on purpose. I think the compiled version of runmqakm for a particular O/S should have the sense to not produce passwords with characters that particular O/S will not be happy with. (says the guy with no idea on the actual complexities involved in the source code)


    ------------------------------
    Peter Potkay
    ------------------------------



  • 6.  RE: runmqakm password generator

    Posted 4 days ago
    I think you have a PMR that the use of eval in the /bin/runmqakm script needs to be removed/enhanced to not error with certain generated passwords.

    ------------------------------
    Tim Zielke
    ------------------------------
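
An added example, not part of any post in this thread and not IBM's code: it shows what the shell hands to a command when Attempt 2's value is double-quoted versus single-quoted, and a filter-then-check loop along the lines of posts 2 and 3. The function names, the stripped-character list and the strength rule (minimum length plus lower case, upper case and digit) are assumptions for illustration; runmqakm itself is never called.

```shell
#!/bin/sh
# Added example: constructed inputs only, runmqakm is never invoked.

# Show what a command actually receives: "<length>:<value>".
received() { printf '%s:%s\n' "${#1}" "$1"; }

# Drop characters a shell (or an eval inside a wrapper script) re-interprets,
# then truncate. ASSUMPTION: list modelled on the thread's tr filter, extended.
# Octal escapes: \047 single quote, \042 double quote, \134 backslash,
# \140 backtick, \133 and \135 square brackets.
sanitize() {  # usage: sanitize <max_len>, candidate on stdin
  LC_ALL=C tr -d '\047\042\134\140$~&@!|\133\135%(){}<>;*?# ' | cut -c "1-$1"
}

has() { printf '%s' "$1" | LC_ALL=C grep -q "$2"; }

# ASSUMPTION: illustrative policy, not runmqakm's documented -strong rule.
strong_enough() {  # usage: strong_enough <password> <min_len>
  [ "${#1}" -ge "$2" ] && has "$1" '[a-z]' && has "$1" '[A-Z]' && has "$1" '[0-9]'
}

# Read candidates (one per line) and print the first that still passes the
# check after sanitizing; return 1 if none does.
first_usable() {  # usage: first_usable <max_len> <min_len>
  while IFS= read -r cand; do
    pw=$(printf '%s\n' "$cand" | sanitize "$1")
    if strong_enough "$pw" "$2"; then printf '%s\n' "$pw"; return 0; fi
  done
  return 1
}

# Attempt 2's value from the thread, quoted both ways.
unset uK
received "U$uK^_Ll,vpi)c"   # 11:U^_Ll,vpi)c     ($uK expanded to nothing)
received 'U$uK^_Ll,vpi)c'   # 14:U$uK^_Ll,vpi)c  (passed through unchanged)

# Constructed candidates; only the last survives filtering and the check.
first_usable 14 14 <<'EOF'
U$uK^_Ll,vpi)c
aB'cD"eF`gH$iJ
mR7$vQ2x'Lp9!Zc4Td8Wn
EOF
```

In real use the candidate lines would come from repeated generator runs with a length well above the target, as suggested in posts 2 and 3.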