friedl.otto |
Posted: Tue Feb 17, 2009 3:05 am Post subject: MQ Explorer + TLS_RSA_WITH_AES_256_CBC_SHA = Strange |
|
|
Centurion
Joined: 06 Jul 2007 Posts: 116
|
After configuring the MQ Explorer property "SSL FIPS Required" to "Yes" I
have configured a client channel to successfully use:
Code: |
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) |
However ... when I change the settings on both the queue manager and
MQ Explorer to:
Code: |
SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA) |
I then get this (from MQ Explorer):
Code: |
2393 0x00000959 MQRC_SSL_INITIALIZATION_ERROR |
I have done a quick google survey of the landscape ... and didn't find any
prohibition against using the latter.
*Runs for cover before divine thunder starts raining on the foolish*
 _________________ Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |
|
Vitor |
Posted: Tue Feb 17, 2009 3:13 am Post subject: Re: MQ Explorer + TLS_RSA_WITH_AES_256_CBC_SHA = Strange |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
friedl.otto wrote: |
I have done a quick google survey of the landscape ... and didn't find any
prohibition against using the latter. |
Apart from here of course, where it lists the platform it's not available on.
Assuming (realistically) that you're using platforms at both ends which support 256 bit keys, do both ends have 256 key certificates? _________________ Honesty is the best policy.
Insanity is the best defence. |
|
friedl.otto |
Posted: Tue Feb 17, 2009 3:25 am Post subject: Re: MQ Explorer + TLS_RSA_WITH_AES_256_CBC_SHA = Strange |
|
|
Centurion
Joined: 06 Jul 2007 Posts: 116
|
Vitor wrote: |
Apart from here of course, where it lists the platform it's not available on. |
Since I'm on MQ 7.0.0.1 I used this source which states:
Code: |
CipherSpec name               Protocol  Hsh. Alg.  Enc. Alg.  Enc. Bits.  FIPS on Windows® and UNIX® platforms 1
----------------------------------------------------------------------------------------------------------------------
TLS_RSA_WITH_AES_256_CBC_SHA  TLS       SHA-1      AES        256         Yes
|
In this case the queue manager is running on SLES 10 x86 64-bit and the
MQ Explorer is running on Windows XP SP3.
Vitor wrote: |
Assuming (realistically) that you're using platforms at both ends which support 256 bit keys, do both ends have 256 key certificates? |
Uhm, I should think so, since SDR/RCVR channels work beautifully with
the same settings.
*Ducks after back-chatting the crackling ball of blue energy* _________________ Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |
|
mqjeff |
Posted: Tue Feb 17, 2009 3:30 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Try it with a regular Java client instead of MQ Explorer. Double check all the keyring settings and that you have the necessary JKS files.
If that works and MQ Explorer still doesn't, then open a PMR. Also remember that you are making a client connection, and so you need a cert with a client name, rather than a qmgr name. |
|
Vitor |
Posted: Tue Feb 17, 2009 3:32 am Post subject: Re: MQ Explorer + TLS_RSA_WITH_AES_256_CBC_SHA = Strange |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
friedl.otto wrote: |
Since I'm on MQ 7.0.0.1 I used this source which states: |
And if you'd mentioned you were using v7 (and the platforms involved) I'd have done the same.
friedl.otto wrote: |
Uhm, I should think so, since SDR/RCVR channels work beautifully with
the same settings. |
Not the keys then...  _________________ Honesty is the best policy.
Insanity is the best defence. |
|
friedl.otto |
Posted: Tue Feb 17, 2009 3:35 am Post subject: |
|
|
Centurion
Joined: 06 Jul 2007 Posts: 116
|
mqjeff wrote: |
If that works and MQ Explorer still doesn't, then open a PMR. Also remember that you are making a client connection, and so you need a cert with a client name, rather than a qmgr name. |
As I think I have mentioned earlier ... MQ Explorer connects fine with
the 128-bit item and SSLPEER set on both ends. I will however cobble
together a Java app to test this.
Thanks! _________________ Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor |
|
rabjen |
Posted: Fri May 22, 2009 4:41 am Post subject: |
|
|
Newbie
Joined: 22 May 2009 Posts: 1
|
I had the same problem. I added the Unlimited jurisdiction policy files;
see www.ibm.com/developerworks/java/jdk/security/142/
And it worked.
Rab. |
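
The fix reported in the last post can be confirmed from the client side before and after installing the policy files. The following is an added example, not code from any poster in this thread: a small Java check, run with the same JRE the client uses, that reports the largest AES key size the installed jurisdiction policy allows and whether the JSSE provider offers the AES-256 suite. The class name and the two CipherSuite names (the TLS_ form and the SSL_ form assumed for IBM JREs) are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

public class Aes256PolicyCheck {
    // JSSE CipherSuite names assumed to correspond to the MQ CipherSpec
    // TLS_RSA_WITH_AES_256_CBC_SHA (assumption: IBM JREs use the SSL_ prefix).
    static final String[] SUITES = {
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_AES_256_CBC_SHA"
    };

    // Largest AES key size (in bits) the installed jurisdiction policy files permit.
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Name under which this JRE's JSSE provider offers the suite, or null if it does not.
    static String supportedSuiteName() throws NoSuchAlgorithmException {
        String[] offered = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();
        for (String want : SUITES) {
            for (String have : offered) {
                if (want.equals(have)) return want;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        int bits = maxAesKeyBits();
        String suite = supportedSuiteName();
        // java.home shows which JRE (and therefore which policy files) was checked.
        System.out.println("java.home        = " + System.getProperty("java.home"));
        System.out.println("java.version     = " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        System.out.println("max AES key bits = " + bits);
        System.out.println("AES-256 suite    = " + (suite == null ? "not offered" : suite));
        if (bits < 256) {
            System.out.println("Restricted policy files: AES-128 is allowed, AES-256 is not.");
        } else if (suite == null) {
            System.out.println("Policy allows AES-256 but the JSSE provider does not offer the suite.");
        } else {
            System.out.println("This JRE can negotiate the AES-256 suite.");
        }
    }
}
```

A result below 256 for the maximum AES key size matches the symptom in this thread: the 128-bit CipherSpec connects while the 256-bit one fails during SSL initialization.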