PY3MQI. AMQ9627 when use sco.CertificateLabel and os user does not match certificate label user

Question

Original issue: https://github.com/dsuch/pymqi/issues/181

Hello!

My MQ client version is 9.0.0.3-IBM-MQC-LinuxX64 Applications works in container, orchestra is Openshift 3.0.

Cert reqs was created by the following command:

runmqckm -certreq -create -db od99usr.kdb -pw pw -label ibmwebspheremqod99usr -dn dn -size 2048 -file od99usr.csr -sig_alg SHA256WithRSA

Part of code from my application:

key_repo_location = settings.MQ_KEY_REPO_LOCATION
conn_info = "%s(%s)" % (host, port)
ssl_cipher_spec = 'TLS_RSA_WITH_AES_128_CBC_SHA256'
cd = pymqi.CD()
cd.ChannelName = channel
cd.ConnectionName = conn_info
cd.ChannelType = pymqi.CMQC.MQCHT_CLNTCONN
cd.TransportType = pymqi.CMQC.MQXPT_TCP
cd.SSLCipherSpec = ssl_cipher_spec
cd.CertificateLabel = "ibmwebspheremqod99usr"
# SCO
sco = pymqi.SCO()
sco.CertificateLabel = "ibmwebspheremqod99usr"
sco.KeyRepository = key_repo_location

Whoaim from container:

whoami
whoami: cannot find name for user ID 1007400000

when I trying to connect I get the following python error:

Traceback (most recent call last):

  File "/usr/local/lib/python3.6/site-packages/celery/app/trace.py", line 385, in trace_task

    R = retval = fun(*args, **kwargs)

  File "/usr/local/lib/python3.6/site-packages/celery/app/trace.py", line 648, in __protected_call__

    return self.run(*args, **kwargs)

  File "/code/base/tasks.py", line 22, in get_create_incident_results

    mq = MQConnection()

  File "/code/base/mq.py", line 39, in __init__

    self.qmgr.connect_with_options(queue_manager, cd, sco)

  File "/usr/local/lib64/python3.6/site-packages/pymqi/__init__.py", line 1412, in connectWithOptions

    raise MQMIError(rv[1], rv[2])

pymqi.MQMIError: MQI Error. Comp: 2, Reason 2381: FAILED: MQRC_KEY_REPOSITORY_ERROR

In /var/mqm/errors/*log I have:

----- amqxfdcx.c : 891 --------------------------------------------------------
04/21/2020 03:27:36 PM - Process(37.1) User(UNKNOWN) Program(celery)
                    Host(sdsa-47-4rgwt) Installation(Installation1)
                    VRMF(9.0.0.3) QMgr(.)

AMQ9627: The path and stem name for the SSL key repository have not been
specified.

EXPLANATION:
The directory path and file stem name for the SSL key repository have not been
specified. On a MQ client system there is no default location for this file.
SSL connectivity is therefore impossible as this file cannot be accessed.
ACTION:
Use the MQSSLKEYR environment variable or MQCONNX API call to specify the
directory path and file stem name for the SSL key repository.

Can you explain me where is my mistake? I also tried to change sco.CertificateLabel to "od99usr" remove and add cd.CertificateLabel but get the same error =(

EDIT:

$ oc rsh pod
echo $HOME; ls -ls $HOME
/
total 0
0 lrwxrwxrwx.   1 root    root      7 Sep 19  2018 bin -> usr/bin
0 dr-xr-xr-x.   2 root    root      6 Dec 14  2017 boot
0 drwxrwxrwx.   1 od99usr od99usr  69 Apr 21 19:09 code
0 drwxr-xr-x.   5 root    root    360 Apr 21 19:08 dev
0 drwxr-xr-x.   1 root    root     66 Apr 21 19:08 etc
0 drwxr-xr-x.   2 root    root      6 Sep 19  2018 home
0 lrwxrwxrwx.   1 root    root      7 Sep 19  2018 lib -> usr/lib
0 lrwxrwxrwx.   1 root    root      9 Sep 19  2018 lib64 -> usr/lib64
0 drwxr-xr-x.   2 root    root      6 Dec 14  2017 media
0 drwxr-xr-x.   2 root    root      6 Dec 14  2017 mnt
0 drwxr-xr-x.   1 root    root     17 Apr 21 13:33 opt
0 drwxr-xr-x.   3 od99usr root     21 Apr 21 13:36 oracle
0 dr-xr-xr-x. 391 root    root      0 Apr 21 19:08 proc
0 dr-xr-x---.   1 root    root     23 Sep 19  2018 root
0 drwxrwxrwx.   1 root    root     23 Apr 21 19:08 run
0 lrwxrwxrwx.   1 root    root      8 Sep 19  2018 sbin -> usr/sbin
0 drwxr-xr-x.   2 root    root      6 Dec 14  2017 srv
0 dr-xr-xr-x.  13 root    root      0 Aug 30  2019 sys
0 drwxrwxrwx.   1 root    root     73 Apr 21 19:10 tmp
0 drwxr-xr-x.   1 root    root     19 Sep 19  2018 usr
0 drwxr-xr-x.   1 root    root     39 Apr 21 13:33 var

score 0 · Answer 1 · answered Apr 21 '20 at 18:24

0

You are missing the reference to the key repository. The program produced the following error:

pymqi.MQMIError: MQI Error. Comp: 2, Reason 2381: FAILED: MQRC_KEY_REPOSITORY_ERROR

And the AMQERR01.LOG showed this:

AMQ9627: The path and stem name for the SSL key repository have not been
specified.

Review the sample provided on the pymqi Git hub repository pymqi/code/examples/ssl_tls.py, this hows how to specify the location of the key repository:

key_repo_location = '/var/mqm/ssl-db/client/KeyringClient'

...

sco = pymqi.SCO()
sco.KeyRepository = key_repo_location

qmgr = pymqi.QueueManager(None)
qmgr.connect_with_options(queue_manager, cd, sco)

So in your code above you do reference this, but I don't see that you set the key_repo_location to any value.

sco.KeyRepository = key_repo_location

answered Apr 21 '20 at 18:24

JoshMc

10,239
2
19
38

I don't include assignment of that variable in my part of code. It is exactly exists. When I use od99usr with that code everything is OK. – Денис Apr 21 '20 at 18:48
Can you show your `connect_with_options line`? Also `CertificateLabel` is a `CD` property not a `SCO` property, can you remove this line `sco.CertificateLabel = "ibmwebspheremqod99usr"` and leave this line `cd.CertificateLabel = "ibmwebspheremqod99usr"` – JoshMc Apr 21 '20 at 19:34
Also can you try this in the non-working container `echo $HOME; ls -ld $HOME` – JoshMc Apr 21 '20 at 19:37
The same error after removing from eco and appending to cd (( queue_manager = "CLS1" # MNGR self.qmgr = pymqi.QueueManager(None) self.qmgr.connect_with_options(queue_manager, cd, sco) – Денис Apr 22 '20 at 09:19
Can you edit and update the code in the question to reflect the current state of just having CertificateLable on the cd as well as the connect_with_options. Also on the command I gave was specifically `ls -ld $HOME`, you provided output for `ls -ls $HOME`, can you please provide output for the command I provided? – JoshMc Apr 22 '20 at 09:30
oc set env dc/proj MQCERTLABL=ibmwebspheremqod99usr fix my problem – Денис Apr 22 '20 at 11:09

score 0 · Answer 2 · answered Apr 22 '20 at 11:11

0

cd.CertificateLabel = "ibmwebspheremqod99usr"
# SCO
sco = pymqi.SCO(Version=pymqi.CMQC.MQSCO_VERSION_5,
                KeyRepository=key_repo_location)

and

oc set env dc/proj MQCERTLABL=ibmwebspheremqod99usr

fix my problem

answered Apr 22 '20 at 11:11

Денис

23
5

setting ENV variable `MQCERTLABL=ibmwebspheremqod99usr` and `cd.CertificateLabel = "ibmwebspheremqod99usr"` should not both be needed, likely the second one is what is in use. If you had to specify `Version=pymqi.CMQC.MQSCO_VERSION_5` you may not be using the latest pymqi version 1.10.1. See these pymqi issues: [170](https://github.com/dsuch/pymqi/issues/170) and [141](https://github.com/dsuch/pymqi/issues/141). I think the issue with MQSCO Version needing to be set manually to 5 is corrected in the latest version. – JoshMc Apr 22 '20 at 11:32
Can you confirm which version of pymqi you are using? – JoshMc Apr 22 '20 at 18:05
I use py3mqi==1.6.0 – Денис Apr 25 '20 at 15:53
py3mqi is a fork of pymqi from before pymqi supported python 3. I suggest you get the latest pymqi 1.10.1, I think you should not need to set version or env variable. – JoshMc Apr 25 '20 at 16:42

PY3MQI. AMQ9627 when use sco.CertificateLabel and os user does not match certificate label user

2 Answers2