SSL Authentication issue between JAVA 6 client and IBM MQ 7.5

riyaz_tak
Posted: Thu Oct 31, 2019 1:05 am

Hi

IBM MQ version 7.5.0.9.
JAVA version 1.6
OS Solaris 10 Sparc.

We have a client program and we have defined SSL authentication between the IBM MQ server and the client program.

We tried different combinations of SSL cipher and cipher suite between IBM MQ and the client program, but each time we get an SSL exception:

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q031290_.htm

AMQ9616: The CipherSpec proposed is not enabled on the server.

handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


So would you please help me find out the correct set of SSL cipher and cipher suite?

HubertKleinmanns
Posted: Thu Oct 31, 2019 1:23 am

Do you use IBM Java or Oracle (=Sun) Java? The CipherSuite names differ.

And did you add the Java Cryptography Extension (JCE)?

And which CipherSuites/CipherSpecs did you try?
_________________
Regards
Hubert

riyaz_tak
Posted: Thu Oct 31, 2019 1:37 am

I am using Oracle JRE and I set -Dcom.ibm.mq.cfg.useIBMCipherMappings="false" while starting the Java client.

I used TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_DES_CBC_SHA.

But each time the same AMQ9616 error.

HubertKleinmanns
Posted: Thu Oct 31, 2019 4:43 am

What MQ version has the MQ client, what MQ version has the MQ queue manager?
_________________
Regards
Hubert

fjb_saper
Posted: Thu Oct 31, 2019 8:47 pm

More important: what MQ CipherSpec is specified on the channel?
Also what is the label of your certificate. Did you use "ibmwebspheremq" + userid as your label?
_________________
MQ & Broker admin

riyaz_tak
Posted: Thu Oct 31, 2019 9:27 pm

HubertKleinmanns wrote:
What MQ version has the MQ client, what MQ version has the MQ queue manager?


I am using a JAVA client, not an MQ client. MQ version is 7.5.0.9.

hughson
Posted: Thu Oct 31, 2019 9:28 pm

What is the output from this command on the queue manager?
Code:
DISPLAY QMGR SUITEB

None of the ciphers you mention are SUITEB compliant and so if your queue manager requires a particular setting of SUITEB that will restrict the ciphers you can use.

If the output says SUITEB(NONE) then it is not this that is your problem. Just ruling it in or out.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

riyaz_tak
Posted: Thu Oct 31, 2019 9:29 pm

fjb_saper wrote:
More important what MQ Cipherspec is specified on the channel.
Also what is the label of your certificate. Did you use "ibmwebspheremq" + userid as your label?


Certificate is absolutely fine. We are regressing MQ to version 7.5.0.9.
Earlier we had 8.5 version and certificate was working fine.

riyaz_tak
Posted: Thu Oct 31, 2019 9:34 pm

hughson wrote:
What is the output from this command on the queue manager?
Code:
DISPLAY QMGR SUITEB

None of the ciphers you mention are SUITEB compliant and so if your queue manager requires a particular setting of SUITEB that will restrict the ciphers you can use.

If the output says SUITEB(NONE) then it is not this that is your problem. Just ruling it in or out.

Cheers,
Morag


Hi,

Output is SUITEB(NONE), so does this mean the cipher is not an issue?

hughson
Posted: Thu Oct 31, 2019 9:42 pm

riyaz_tak wrote:
Output is SUITEB(NONE) so does this mean cipher is not an issue ?

This means the SUITEB setting is not an issue.

Can you show us the ciphers at both ends please and any error messages at the queue manager end too.

Thanks
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

exerk
Posted: Fri Nov 01, 2019 2:18 am

riyaz_tak wrote:
...We are regressing MQ to version 7.5.0.9...

Any particular reason for this?

riyaz_tak wrote:
...Earlier we had 8.5 version and certificate was working fine....

And was the certificate key store created with a later version of the IBM GSKit bundled with MQ V8.0?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

PeterPotkay
Posted: Fri Nov 01, 2019 4:50 am

riyaz_tak wrote:
HubertKleinmanns wrote:
What MQ version has the MQ client, what MQ version has the MQ queue manager?


I am using JAVA client not MQ client.MQ Version is 7.5.0.9.


If your app is making a network connection to the queue manager, you are using MQ Client functionality, at the very least if not anything else at least an IBM-provided MQ Client jar file. That has a version independent of the MQ version of the MQ queue manager. They may coincidentally be the same, but they are 2 separate things.


riyaz_tak wrote:
Earlier we had 8.5 version and certificate was working fine.

No such animal as MQ 8.5.
_________________
Peter Potkay
Keep Calm and MQ On

riyaz_tak
Posted: Sun Nov 03, 2019 10:25 pm

hughson wrote:
riyaz_tak wrote:
Output is SUITEB(NONE) so does this mean cipher is not an issue ?

This means the SUITEB setting is not an issue.

Can you show us the ciphers at both ends please and any error messages at the queue manager end too.

Thanks
Morag


We are using the combination of RC4_MD5_EXPORT and SSL_RSA_EXPORT_WITH_RC4_40_MD5. It is working for 7.5.0.4 but not for 7.5.0.9.

MQ Logs

----- amqrmrsa.c : 902 --------------------------------------------------------
11/04/19 06:24:44 - Process(12333.67) User(xxxxx) Program(amqrmppa)
Host(xxxxxxx) Installation(Installation1)
VRMF(7.5.0.9) QMgr(xxxxxxx)

AMQ9616: The CipherSpec proposed is not enabled on the server.

EXPLANATION:
The SSL or TLS subsystem at the server end of a channel been configured in such
a way that it has rejected the CipherSpec proposed by an SSL or TLS client.
This rejection occurred during the secure socket handshake (i.e. it happened
before the proposed CipherSpec was compared with the CipherSpec in the server
channel definition).

This error most commonly occurs when the choice of acceptable CipherSpecs has
been limited in one of the following ways:
(a) The server queue manager SSLFipsRequired attribute is set to YES and the
channel is using a CipherSpec which is not FIPS-certified on the server.
(b) The server queue manager EncryptionPolicySuiteB attribute has been set to a
value other than NONE and the channel is using a CipherSpec which does not
meet the server's configured Suite B security level.
(c) The protocol used by the channel has been deprecated. Note that IBM may
need to deprecate a protocol via product maintenance in response to a
security vulnerability, for example SSLv3 has been deprecated. Continued use
of SSLv3 protocol is not recommended but may be enabled by setting
environment variable AMQ_SSL_V3_ENABLE=TRUE.
(d) The requested CipherSpec has been deprecated. Note that IBM may need to
deprecate a CipherSpec via product maintenance in response to a security
vulnerability, for example RC4_MD5_US has been deprecated. Continued use of
deprecated CipherSpecs is not recommended but may be enabled by setting
environment variable AMQ_SSL_WEAK_CIPHER_ENABLE=Y.

The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.

The remote host name is 'localhost (127.0.0.1)'.
ACTION:
Analyse why the proposed CipherSpec was not enabled on the server. Alter the
client CipherSpec, or reconfigure the server to accept the original client
CipherSpec. Restart the channel.

This message might occur after applying WebSphere MQ maintenance because the
FIPS and Suite B standards are updated periodically. When such changes occur,
WebSphere MQ is also updated to implement the latest standard. As a result, you
might see changes in behavior after applying maintenance. For more information
about the versions of FIPS and Suite B standards enforced by WebSphere MQ,
refer to the readme:

http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg27006097
----- amqccisa.c : 7217 -------------------------------------------------------
11/04/19 06:24:44 - Process(12333.67) User(root) Program(amqrmppa)
Host(sylvia) Installation(Installation1)
VRMF(7.5.0.9) QMgr(bt.qm.ccxp0)

AMQ9492: The TCP/IP responder program encountered an error.

EXPLANATION:
The responder program was started but detected an error.

The host name was 'localhost (127.0.0.1)'; in some cases the host name cannot
be determined and so is shown as '????'.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 902 -------------------------------------

riyaz_tak
Posted: Sun Nov 03, 2019 10:28 pm

exerk wrote:
riyaz_tak wrote:
...We are regressing MQ to version 7.5.0.9...

Any particular reason for this?

riyaz_tak wrote:
...Earlier we had 8.5 version and certificate was working fine....

And was the certificate key store created with a later version of the IBM GSKit bundled with MQ V8.0?


We have MQ 7.5 on production but on dev box we have 8.0.0.5.
Need to test some feature so regressing to 7.5.

fjb_saper
Posted: Sun Nov 03, 2019 11:56 pm

This is your reason:
Quote:
AMQ9616: The CipherSpec proposed is not enabled on the server.

Do not use RC4; it has been deprecated.
Use a key of size 2048 minimum and ECDHE_WITH_RSA_GCM_SHA256 (from memory) or something close. Maybe the elliptic curve ciphers are not yet available at 7.5. In any case use a TLS 1.2 cipher.

Have fun
_________________
MQ & Broker admin
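
A triage helper for the error-log excerpt and the cipher names discussed in this thread, added here as an example (it is not code from any poster or from IBM): it splits an MQ error log into entries, picks out the AMQ9616 handshake rejections, and flags name components that make a CipherSpec or CipherSuite a candidate for cause (d) in the message explanation. The sample log is constructed with placeholder names, and the `WEAK_MARKERS` list is an assumption of this example, not IBM's list of deprecated CipherSpecs.

```python
import re

# Constructed sample in the layout of the error log quoted in the thread;
# user, host and queue manager names are placeholders.
SAMPLE_LOG = """\
----- amqrmrsa.c : 902 ------------------------------------------------
11/04/19 06:24:44 - Process(12333.67) User(mqm) Program(amqrmppa)
Host(devhost) Installation(Installation1)
VRMF(7.5.0.9) QMgr(QM.EXAMPLE)
AMQ9616: The CipherSpec proposed is not enabled on the server.
The remote host name is 'localhost (127.0.0.1)'.
----- amqccisa.c : 7217 -----------------------------------------------
11/04/19 06:24:44 - Process(12333.67) User(mqm) Program(amqrmppa)
VRMF(7.5.0.9) QMgr(QM.EXAMPLE)
AMQ9492: The TCP/IP responder program encountered an error.
The host name was 'localhost (127.0.0.1)'.
"""

ENTRY_SEP = re.compile(r"^-{5} \S+ : \d+ -+[ \t]*$", re.M)
# Assumption of this example: name components treated as weak. Not IBM's list.
WEAK_MARKERS = ("RC4", "DES", "3DES", "MD5", "EXPORT", "NULL")

def _field(chunk, name):
    # Value of a header field such as VRMF(7.5.0.9), or None if absent.
    m = re.search(re.escape(name) + r"\(([^)]*)\)", chunk)
    return m.group(1) if m else None

def parse_entries(text):
    """Split an MQ error log into entries and keep the fields used for triage."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        msg = re.search(r"^(AMQ\d{4}\w?): (.*)$", chunk, re.M)
        if not msg:
            continue  # leading empty chunk or an entry cut off before its message
        host = re.search(r"host name (?:is|was) '([^']*)'", chunk)
        entries.append({"id": msg.group(1), "text": msg.group(2),
                        "vrmf": _field(chunk, "VRMF"), "qmgr": _field(chunk, "QMgr"),
                        "remote": host.group(1) if host else None})
    return entries

def cipher_rejections(text):
    """AMQ9616 entries: handshake refused before the channel CipherSpec was compared."""
    return [e for e in parse_entries(text) if e["id"].startswith("AMQ9616")]

def weak_markers(name):
    """Weak components in a CipherSpec or CipherSuite name (candidates for cause (d))."""
    parts = name.upper().split("_")
    return [m for m in WEAK_MARKERS if m in parts]
```

An empty result from `weak_markers` only rules out cause (d) by name; causes (a) to (c) in the AMQ9616 explanation still have to be checked on the queue manager.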