MQ Connection failed with SSL
mqjeff
Posted: Thu Mar 15, 2012 5:06 am
francoG wrote:
> At present I do not set SSLPEER; btw the meaning of SSLPEER is not totally clear to me.

SSLPEER holds a value that is matched against an incoming certificate's DistinguishedName. For example, you could set SSLPEER('OU=mycompanyname') and then every certificate that was presented would have to have the same value, otherwise it will not be allowed to connect.
francoG
Posted: Thu Mar 15, 2012 5:56 am
Ah ok! SSLPEER = DN!
Since I'm writing the client software only, this means I do not need to specify SSLPEER.
Tell me if what follows is true:
I am a client: I have a certificate for "X" in my trustStore.
I do not specify any SSLPEER.
When I start an SSL connection to the server "X", it will send me a certificate. If the StartConnection terminates without exception I should assume that the SSL handshake has authenticated "X" as it claims to be, because the certificate for X can be found in the trustStore.
Right?

Now the last (I hope) question:
I am a client and I connect to a server. The SSL handshake performs its actions until the server asks the client to present its certificate (mutual authentication).
How can I tell the software which certificate in the key store has to be sent to the server?
mqjeff
Posted: Thu Mar 15, 2012 6:57 am
francoG wrote:
> Ah ok! SSLPEER = DN!

No. It's *matched against* the DN.

Again, the point of SSLPEER is to FILTER or DETERMINE what set of certificates is allowed to connect. If the DN does not *match* the SSLPEER value, in whole or in part (the whole of the SSLPEER value must be included in some part of the DN), then the certificate is not allowed to connect.

francoG wrote:
> How can I tell the software which certificate in the key store has to be sent to the server?

By labeling the certificate according to the documented rules.
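The matching mqjeff describes above (SSLPEER is a filter whose attribute=value pairs must all be found in the peer's DN, while the DN may carry other attributes), as an added example that is not part of the thread and is not IBM's code. It is a small Python model of that rule: the filter and the DN are parsed as attribute=value lists, an asterisk at the start or end of a filter value acts as a wildcard, and the filter admits the certificate only when every one of its attributes matches some DN attribute of the same type. Case-insensitive value comparison and the treatment of multi-valued attributes (any matching value is enough) are simplifications assumed by this model, not statements about the product; the sample DNs are constructed.

```python
"""Model of how an MQ SSLPEER filter is checked against a certificate DN.

Added illustration, not IBM's code.  Assumptions of the model (labelled):
  - value comparison is case-insensitive;
  - a filter attribute matches if ANY DN value of that type matches (the
    product's ordering rules for repeated OUs are not modelled);
  - '*' is a wildcard only at the start and/or end of a filter value.
"""
import re
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=x, OU=y' into [('CN', 'x'), ('OU', 'y')].

    Commas escaped as '\\,' stay inside the value; attribute types are
    upper-cased so 'cn=' and 'CN=' are the same attribute.
    """
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        part = part.strip()
        if not part:
            continue
        if '=' not in part:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        attr, value = part.split('=', 1)
        pairs.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return pairs


def value_matches(pattern: str, value: str) -> bool:
    """Compare one filter value with one DN value (case-insensitive, assumed)."""
    p, v = pattern.lower(), value.lower()
    if p == '*':
        return True
    if p.startswith('*') and p.endswith('*'):
        return p[1:-1] in v          # wildcard at both ends: modelled as substring
    if p.startswith('*'):
        return v.endswith(p[1:])     # '*sales' matches 'EMEA Sales'
    if p.endswith('*'):
        return v.startswith(p[:-1])  # 'QM*' matches 'QM1'
    return p == v                    # no wildcard: exact match


def sslpeer_allows(sslpeer: str, peer_dn: str) -> bool:
    """True when every attribute of the SSLPEER filter is matched by an
    attribute of the same type in the peer DN.  Extra DN attributes are
    ignored, which is why SSLPEER('OU=mycompanyname') admits every
    certificate carrying that OU and nothing else about it is checked."""
    if not sslpeer.strip():
        # Empty filter: the queue manager applies no DN restriction, so any
        # certificate that validated against the trust store gets through.
        return True
    dn_values: Dict[str, List[str]] = {}
    for attr, value in parse_dn(peer_dn):
        dn_values.setdefault(attr, []).append(value)
    for attr, pattern in parse_dn(sslpeer):
        if not any(value_matches(pattern, v) for v in dn_values.get(attr, [])):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample DNs; the filter is the one from mqjeff's post.
    flt = "OU=mycompanyname"
    for dn in ("CN=client1, OU=mycompanyname, O=Example Corp",
               "CN=client1, OU=othercompany, O=Example Corp"):
        print(f"{dn!r}: {'allowed' if sslpeer_allows(flt, dn) else 'rejected'}")
```

The second DN is rejected even though it chains to a trusted CA: that is the point of SSLPEER as a filter on top of trust-store validation, and it is also why a client that only needs to verify the server can leave it unset, as the thread goes on to say.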
fjb_saper
Posted: Thu Mar 15, 2012 8:17 pm
Try and use: certname=ibmwebspheremqclientid, DN: CN=clientid

_________________
MQ & Broker admin
francoG
Posted: Fri Mar 16, 2012 2:21 am
Hello everybody! Thank you all for your e-mails.
Now everything works.
The last problem was mutual authentication: I wasn't able to activate the client authentication; it was always returning 2009 as error code.
After checking, copying and installing again the certificates, configuration and whatever possible... I was demoralized, because something was wrong and I wasn't able to find it out. I tried to stop and restart the channel... nothing changed... then I tried the last thing: stopping and restarting the MQ server.
Miracle! Bells started ringing! A sparkling light came from the sky....
The SSL connection was working....

Thank you very much
fjb_saper
Posted: Sat Mar 17, 2012 10:24 am
You should not need to restart the qmgr.

Code:
REFRESH SECURITY TYPE(SSL)

should be all you need.

Have fun
francoG
Posted: Tue Mar 20, 2012 12:03 pm
Hi fjb_saper,
thank you.

Quote:
> You should not need to restart the qmgr.
> Code:
> REFRESH SECURITY TYPE(SSL)

It sounds strange to me that every change in the server parameters required a server shutdown....
But anyway,
how can I do it in MQ Explorer?

Franco
mqjeff
Posted: Tue Mar 20, 2012 12:05 pm
Right-click on the queue manager. Choose Security->Refresh SSL.
francoG
Posted: Wed Mar 21, 2012 2:19 pm
Hello fjb_saper, you wrote me:

Quote:
> Yes typically the "TLS_RSA*" Ciphersuites will require you to set the SSLFIPS flag on the connection factory to true, and also have a keysize of 2048 or bigger (need to specify when you create your cert request).

How can I create a bigger key size? My iKeyman can generate 512 and 1024 key sizes only.
It sounds strange that IBM sells a product that supports less than half of the functionality it shows!

I tested all ciphersuites and I get this result:

Code:
MQ CipherSpec                   Result       Java CipherSuite
NULL_MD5                        ok           SSL_RSA_WITH_NULL_MD5
NULL_SHA                        ok           SSL_RSA_WITH_NULL_SHA
RC4_MD5_EXPORT                  ok           SSL_RSA_EXPORT_WITH_RC4_40_MD5
RC4_MD5_US                      ok           SSL_RSA_WITH_RC4_128_MD5
RC4_SHA_US                      ok           SSL_RSA_WITH_RC4_128_SHA
RC2_MD5_EXPORT                  nok (2400)   SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5    (does not exist)
DES_SHA_EXPORT                  ok           SSL_RSA_WITH_DES_CBC_SHA
RC4_56_SHA_EXPORT1024           nok (2400)   SSL_RSA_EXPORT1024_WITH_RC4_56_SHA    (does not exist)
DES_SHA_EXPORT1024              nok (2400)   SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA   (does not exist)
TRIPLE_DES_SHA_US               nok (2400)   SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA    nok (2400)   SSL_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA    nok (2400)   SSL_RSA_WITH_AES_256_CBC_SHA          (does not exist)
TLS_RSA_WITH_DES_CBC_SHA        nok (2009)   SSL_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA   nok (2009)   SSL_RSA_WITH_3DES_EDE_CBC_SHA
FIPS_WITH_DES_CBC_SHA           nok (2400)   SSL_RSA_FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA      nok (2400)   SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA     (does not exist)

So, sometimes I get this error:
MQJE001: completion code 2, reason 2400
MQJE011: socket connection attempt was refused

Sometimes I get this other error:
MQJE001: completion code 2, reason 2009

If I activate FIPS on the server I get the error
MQJE001: completion code 2, reason 2397

If I activate FIPS on the client (or on both client and server) I get the error
MQJE001: completion code 2, reason 2393
and this for any ciphersuite.

If I open the SSLContext, get the SSL socket factory and ask it which ciphersuites are supported, I see that those that generate response 2400 are mostly not supported.

I tried with both the Sun JVM and the IBM JVM and I only see that some ciphersuites in the two JVMs do not have the same name, especially those that are SSL_* in IBM become TLS_* in Sun...
While ciphersuites need to be specified by name, this is anyway a bad surprise!
The only advantage of the IBM JVM is that more ciphersuites than in the Sun JVM correspond to the ciphersuites reported in the IBM documentation.

In my program I built a conversion table from CipherSpecs to ciphersuites; should I add one more dimension and add the Sun ciphersuites' equivalent names?

But in any case, independently of the JVM, I always get those ciphersuites NOT working.

Since I don't know which ciphersuite I will have to use in my production environment, I want to be sure I can use ALL of them.

What is not right in my code, or what's wrong in my setup, or what the hell is still missing overall?

Thanks to any angel who will reply
fjb_saper
Posted: Wed Mar 21, 2012 5:36 pm
Quote:
> How can I create a bigger key size? My iKeyman can generate 512 and 1024 key sizes only. It sounds strange that IBM sells a product that supports less than half of the functionality it shows!

You are using an old product that is not up to Java 5 standards and are thus limited in the ciphersuites available. UPGRADE! You should be using MQ V 7.0.1.x or MQ 7.1.x.

If you are not, this may well explain your trouble with the ciphersuites and being unable to request a key of size 2048...

And if you are using your own CA, remember that the CA cert must have a key of 2048 to be able to correctly sign requests for keys of 2048... size....

Have fun
francoG
Posted: Thu Mar 22, 2012 10:25 am
Thank you fjb_saper,

Well, an answer is an answer, even if it tells me bad news.

Quote:
> UPGRADE! You should be using MQ V 7.0.1.x or MQ 7.1.x.

This means that MQ V6 has never worked with the ciphersuites it claims it can use?

OK, if this is the truth I can only accept it.

As I wrote, I have to connect to a production system that is NOT owned by me. That system connects several other clients and I don't know if the system will be upgraded or not. At present I know it is working with MQ V6 and it is not up to me to upgrade it.

Can a V7 client be connected to a V6 server?
If yes, and this could solve my problem, I will be happy to upgrade to V7.

If not, I can only hope that I can connect with one of the working ciphersuites.

Thank you again.
Franco