shagg67rs
Posted: Fri Mar 09, 2012 10:22 am Post subject: SSL problem with latest version of Java
Newbie
Joined: 09 Mar 2012 Posts: 6
We have a MQ 6.0.2.6 queue manager running GSKit 7.0.4.20 (although I've
also tested with 7.0.4.36 in the lab and had the same problem). We also
have a Java client application that we've been using for years that has
the option of enabling SSL. Currently it uses either the
TRIPLE_DES_SHA_US or DES_SHA_EXPORT Cipherspecs.
However, in regard to the client PC, ever since Oracle/SUN released Java
6 Update 29, the SSL stopped working. I've also tested Update 30, 31 and
the early access release of 32. None of them work either. All of the
versions of Java 6 up to and including Update 27 worked fine.
I went through the list of CipherSuite/CipherSpec equivalents from the MQ
Java manual. Of the 16 or so listed, the only ones that were able to
bring up a working SSL connection were:
NULL_MD5
NULL_SHA
RC4_MD5_EXPORT
RC4_MD5_US
RC4_SHA_US
All of the other CipherSpecs (including TRIPLE_DES_SHA_US and
DES_SHA_EXPORT) fail with either one or the other of the following
messages in the queue manager log file:
03/09/12 17:01:55 - Process(14082.518) User(mqm) Program(amqrmppa)
AMQ9207: The data received from host 'xxxx (xxx.xxx.xx.xxx)' is not
valid.
EXPLANATION:
Incorrect data format received from host 'xxxx (xxx.xxx.xx.xxx)' over
TCP/IP. It may be that an unknown host is attempting to send data. An FFST file
has been generated containing the invalid data received.
ACTION:
Tell the systems administrator.
----- amqccita.c : 3467
-------------------------------------------------------
03/09/12 17:11:18 - Process(14082.520) User(mqm) Program(amqrmppa)
AMQ9208: Error on receive from host xxxx (xxx.xxx.xx.xxx).
EXPLANATION:
An error occurred receiving data from xxxx (xxx.xxx.xx.xxx) over
TCP/IP. This may be due to a communications failure.
ACTION:
The return code from the TCP/IP (read) call was 131 (X'83'). Record these
values and tell the systems administrator.
----- amqccita.c : 3306
-------------------------------------------------------
03/09/12 17:11:18 - Process(7088.1240) User(mqm) Program(amqrmppa)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 459
--------------------------------------------------------
If I uninstall Java on the client and put it back to an older version
(Java 6 Update 27 or earlier) then everything starts working fine again.
I know Oracle/SUN were specifically addressing some SSL vulnerabilities in
Java 6 Update 29. It almost seems like when the client is using the
latest release of Java, that the MQ server is getting corrupted/invalid
data after it decrypts the SSL packet.
Is this something that anybody else has run into? Any suggestions would
be very welcome. Right now we're telling people that are using our client
that they should not upgrade Java beyond Update 27, but we're already
starting to get complaints about not being able to run the latest versions
because of the security vulnerabilities that it addresses.
If it helps at all, here are the basics from the Java client that have to do
with setting up the SSL environment:
Code:
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.MQEnvironment;

SSLContext ctx;
KeyManagerFactory kmf;
TrustManagerFactory tmf;
File keystoreFile = new File("xxxxxxx.jks");   // keystore path (placeholder)
KeyStore ks;
SSLSocketFactory factory;
char[] passphrase = "xxxxxxx".toCharArray();
ctx = SSLContext.getInstance("TLS");
kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
ks = KeyStore.getInstance("JKS");
// The keystore must be loaded before the factories are initialised; the same
// store holds the client's private key and the trusted CA certificates.
FileInputStream in = new FileInputStream(keystoreFile);
try { ks.load(in, passphrase); } finally { in.close(); }
kmf.init(ks, passphrase);
tmf.init(ks);
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
factory = ctx.getSocketFactory();
// JSSE CipherSuite equivalent of the TRIPLE_DES_SHA_US CipherSpec on the channel
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
MQEnvironment.sslSocketFactory = factory;
Thanks,
John.
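An added diagnostic, not code from the original post: it builds the SSLContext the same way as the snippet above, then opens a bare SSLSocket to the channel listener offering exactly one CipherSuite at a time and calls startHandshake(), so the TLS handshake can be checked for each suite separately from the MQ channel start. Host, port, keystore path and passphrase are placeholders, and the CipherSpec-to-CipherSuite names are assumed from the MQ Java manual table the post refers to.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MqCipherSuiteProbe {
    // Placeholders: replace with the queue manager listener and the client keystore.
    static final String HOST = "qmgr.example.internal";
    static final int PORT = 1414;
    static final String KEYSTORE = "client.jks";
    static final char[] PASSPHRASE = "xxxxxxx".toCharArray();

    // JSSE names (assumed mapping) of the CipherSpecs the post reports as working
    // (NULL_*, RC4_*) and as failing (TRIPLE_DES_SHA_US, DES_SHA_EXPORT).
    static final String[] SUITES = {
        "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"
    };

    // Same construction as the client snippet, with the keystore actually loaded.
    static SSLContext buildContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(KEYSTORE);
        try { ks.load(in, PASSPHRASE); } finally { in.close(); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSPHRASE);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Returns the suite the server negotiated, or the failure (a suite the JRE no
    // longer supports is reported here too, via IllegalArgumentException).
    static String probe(SSLContext ctx, String suite) {
        try {
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT);
            try {
                s.setEnabledCipherSuites(new String[] { suite });  // offer exactly one suite
                s.startHandshake();
                return "OK   negotiated " + s.getSession().getCipherSuite();
            } finally { s.close(); }
        } catch (Exception e) { return "FAIL " + e; }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext();
        for (String suite : SUITES) System.out.println(suite + ": " + probe(ctx, suite));
    }
}
```

This exercises only the TLS handshake: the AMQ9207/AMQ9208 errors quoted above are raised on data the queue manager receives afterwards, so a suite that passes here can still fail once the channel starts, which narrows the problem to the post-handshake data rather than the negotiation.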
mqjeff
Posted: Fri Mar 09, 2012 10:30 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Maybe you'd have better luck with MQ v7.0.1.x?
Or at least with 6.0.2.x > 6.0.2.6.
shagg67rs
Posted: Fri Mar 09, 2012 12:06 pm
Newbie
Joined: 09 Mar 2012 Posts: 6
We can test with newer versions of MQ, but upgrading the production environment is not a simple process.
mqjeff
Posted: Fri Mar 09, 2012 12:15 pm
Grand Master
Joined: 25 Jun 2008 Posts: 17447
shagg67rs wrote:
    We can test with newer versions of MQ, but upgrading the production environment is not a simple process.
Well, you're using a client, so presumably upgrading the client is a little easier than upgrading the server.
But, I see in second read that you did already test the v7 client.
You're pretty close to PMR territory, but you might want to review the InfoCenter stuff on using SSL with Java again, particularly http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.csqzaw.doc%2Fja11360_.htm
shagg67rs
Posted: Fri Mar 09, 2012 12:20 pm
Newbie
Joined: 09 Mar 2012 Posts: 6
Thanks for your help so far.
I'm currently upgrading a queue manager in our lab to 6.0.2.11 and will test against that.
The Java client is also using the MQ6 java classes. The only v7 thing we are using is the GSKit (7.0.4.20 in production and 7.0.4.36 in the lab).
If upgrading the queue manager to 6.0.2.11 results in the same problem, I'll probably try running the client with the MQ7 java classes and see if that makes any difference.
mqjeff
Posted: Fri Mar 09, 2012 12:37 pm
Grand Master
Joined: 25 Jun 2008 Posts: 17447
You do have a full and complete MQ client install, right?
Not just some set of MQ client jar files?
shagg67rs
Posted: Fri Mar 09, 2012 12:44 pm
Newbie
Joined: 09 Mar 2012 Posts: 6
The application only includes com.ibm.mq.jar and connector.jar. It's always worked in the past that way. Is that a problem?
shagg67rs
Posted: Fri Mar 09, 2012 12:50 pm
Newbie
Joined: 09 Mar 2012 Posts: 6
I also see that there's been a new update to GSKit 7.0.4.37 that I believe is fairly recent. I'm going to try to find a list of changes for it.
Vitor
Posted: Fri Mar 09, 2012 12:50 pm
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
shagg67rs wrote:
    The application only includes com.ibm.mq.jar and connector.jar. It's always worked in the past that way. Is that a problem?
It certainly can be. The recommendation is to do a full install, if only to make maintenance easier.
_________________
Honesty is the best policy.
Insanity is the best defence.
shagg67rs
Posted: Fri Mar 09, 2012 1:12 pm
Newbie
Joined: 09 Mar 2012 Posts: 6
Upgrading MQ to 6.0.2.11 in the lab seems to have solved it. I can connect from the client now using Java 6 Update 31 with TRIPLE_DES_SHA_US, which was failing under MQ 6.0.2.6.
I didn't change anything else yet, so this is still using GSKit 7.0.4.36 and just having the two jar files in the application.