【Published】:2021-04-27 18:46:59
【Question】:
On Linux with IBM MQ V9.2.0, I am seeing the following error
EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the location configured for the key repository,
(b) the key database file exists in the correct place but that no password stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is running does not have permission to read them,
(d) one or both of the files are corrupt.
I have done everything mentioned in the IBM documentation, but I cannot resolve it.
The SSLKEYR value is /var/mqm/qmgrs/QMGRname/ssl/key
-rwxrwxr-x. 1 mqm mqm 80 Apr 21 14:31 key.rdb
-rwxrwxr-x. 1 mqm mqm 193 Apr 21 14:32 key.sth
-rwxrwxr-x. 1 mqm mqm 15K Apr 21 14:44 key.kdb
(mq:9.2.0.0)root@22955896bc26:/var/mqm/qmgrs/qmgr/ssl# runmqakm -cert -list -db /var/mqm/qmgrs/qmgr/ssl/key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "mns non-prod root ca"
! "mns plc sub ca cate"
- ibmwebspheremqqmgr
(mq:9.2.0.0)root@22955896bc26:/var/mqm/qmgrs/qmgr/ssl# runmqakm -cert -list -db /var/mqm/qmgrs/qmgr/ssl/key.kdb -stashed
CTGSK3026W The key file "/var/mqm/qmgrs/qmgr/ssl/key.kdb" does not exist or cannot be read.
CTGSK2101W The key database does not exist.
-Command usage-
-list Required <all | personal | ca>
-db | -crypto Required
-tokenlabel Required if -crypto present
-pw | -stashed Optional
-type Optional <cms | kdb | pkcs12 | p12>
-secondarydb Optional if -crypto present
-secondarydbpw Optional if -secondarydb present
-secondarydbtype Optional if -secondarydb present
-expiry Optional
-rfc3339 Optional
-v Optional
$ runmqakm -cert -list -db /var/mqm/qmgrs/qmgr/ssl/key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "mns non-prod root ca"
! "mns plc sub ca cate"
- ibmwebspheremqqmgr
1 : DIS QMGR SSLKEYR CERTLABL
AMQ8408I: Display Queue Manager details.
QMNAME(qmgr) CERTLABL(ibmwebspheremqqmgr)
SSLKEYR(/VAR/MQM/QMGRS/qmgr/SSL/KEY)
1 : DIS QMGR SSLKEYR CERTLABL
AMQ8408I: Display Queue Manager details.
QMNAME(qmgr) CERTLABL(ibmwebspheremqqmgr)
SSLKEYR(/var/mqm/qmgrs/qmgr/ssl/key)
-rwxrwxr-x. 1 mqm mqm 15088 Apr 28 17:18 /var/mqm/qmgrs/AZMQGW02/ssl/key.kdb
-rwxrwxr-x. 1 mqm mqm 80 Apr 28 17:18 /var/mqm/qmgrs/AZMQGW02/ssl/key.rdb
-rwxrwxr-x. 1 mqm mqm 193 Apr 28 17:19 /var/mqm/qmgrs/AZMQGW02/ssl/key.sth
(mq:9.2.0.0)root@22955896bc26:/var/mqm/qmgrs/AZMQGW02/ssl# su - mqm
No directory, logging in with HOME=/
$ getfacl /var/mqm/qmgrs/AZMQGW02/ssl/key.*
-su: 1: getfacl: not found
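Causes (a) to (c) in the error text can be checked mechanically against the SSLKEYR stem. The script below is an added example, not part of the original post and not IBM tooling; the function name check_keyrepo and its verdict strings are hypothetical, and the demo files are constructed. Linux paths are case sensitive, so an upper-cased stem like the SSLKEYR(/VAR/MQM/QMGRS/qmgr/SSL/KEY) in the output above names a different location from the lower-case one.

```shell
#!/bin/sh
# check_keyrepo STEM
#   STEM is the SSLKEYR value (path without the .kdb suffix).
#   Prints one verdict word and returns 0 only for "ok".
#   Run it as the user the queue manager runs under (mqm on this page),
#   because the readability test is evaluated for the current user.
check_keyrepo() {
    stem=$1
    kdb="${stem}.kdb"
    sth="${stem}.sth"

    # (a) key database not at the configured location (includes wrong case).
    if [ ! -d "$(dirname "$stem")" ] || [ ! -e "$kdb" ]; then
        echo "missing-kdb"; return 1
    fi
    # (b) key database present, but no password stash file beside it.
    if [ ! -e "$sth" ]; then
        echo "missing-stash"; return 2
    fi
    # (c) files present but not readable by the current user.
    for f in "$kdb" "$sth"; do
        if [ ! -r "$f" ]; then echo "unreadable"; return 3; fi
    done
    # (d) cheap proxy only: a zero-length file cannot be a valid repository.
    if [ ! -s "$kdb" ] || [ ! -s "$sth" ]; then
        echo "empty-file"; return 4
    fi
    echo "ok"; return 0
}

# Constructed demo: a throwaway repository checked with the correct stem,
# then with the directory and file name upper-cased.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ssl"
printf 'x' > "$demo_dir/ssl/key.kdb"
printf 'x' > "$demo_dir/ssl/key.sth"
echo "lower-case stem: $(check_keyrepo "$demo_dir/ssl/key")"
echo "upper-case stem: $(check_keyrepo "$demo_dir/SSL/KEY")"
rm -rf "$demo_dir"
```

A verdict of "ok" only rules out the file-level causes; whether the stash file actually opens the database is what runmqakm with -stashed shows.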
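【Discussion】:
-
Have you tried using runmqakm to access the kdb with the stashed option?
runmqakm -cert -list -db key.kdb -stashed should list the certificates in the kdb.
-
Please tell us which platform you are seeing this problem on, and show the directory listing and the SSLKEYR value.
-
@morag We are on the Linux platform, and the SSLKEYR value is /var/mqm/qmgrs/QMGRname/ssl/key
-
@JoshMc I used the command runmqckm -cert -list -db key.kdb -pw password to list the certificates in the kdb
-
The command you provided is not the one I suggested. Using
-stashed instead of -pw will use the key.sth file and help prove that it is valid. Please also provide the specific version of IBM MQ you are running.
Tags: ssl openssl ssl-certificate ibm-mq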