SSLFIPS questions for MQ Server 7.5.0.3
LouML
Posted: Thu Apr 24, 2014 10:00 am    Post subject: SSLFIPS questions for MQ Server 7.5.0.3

Partisan

Joined: 10 Nov 2005
Posts: 305
Location: Jersey City, NJ / Bethpage, NY

We generally use TLS_RSA_WITH_AES_128_CBC_SHA with our external channels. However, one company requires FIPS_WITH_3DES_EDE_CBC_SHA. When we try this we get the following error:

Code:
AMQ9719: Invalid CipherSpec for FIPS mode.
 
EXPLANATION:
The user is attempting to start a channel on a queue manager or MQ client which
has been configured to run in FIPS mode. The user has specified a CipherSpec
which is not FIPS-compliant. The channel is 'P.AAAAA_BBBBB.C'; in some cases
its name cannot be determined and so is shown as '????'.
ACTION:
Redefine the channel to run with a FIPS-compliant CipherSpec. Alternatively,
the channel may be defined with the correct CipherSpec and the queue manager or
MQ client should not be running in FIPS mode; if this is the case, ensure that
FIPS mode is not configured. Once the error is corrected, restart the channel.


One of the possible reasons is that the cipher spec is not FIPS compliant. Since FIPS_WITH_3DES_EDE_CBC_SHA has FIPS in it I assumed it was FIPS compliant. Can anyone confirm if this is the case?

The other possibility is that we currently have SSLFIPS(YES) on the queue manager. I will need to change this to SSLFIPS(NO).

Do I need to recycle the queue manager or just REFRESH SECURITY TYPE(SSL) after making the change?

Also, I know the refresh command causes the running channels to stop. Is that ALL running channels, or just channels using SSL?
_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
fjb_saper
Posted: Thu Apr 24, 2014 10:53 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

This is the official response:
http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.dev.doc/q031290_.htm
Quote:
The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.


Have fun
_________________
MQ & Broker admin