drakumad57 |
Posted: Wed Feb 18, 2009 2:07 am Post subject: MQ SSL Cipher Mismatch Problem |
|
|
Newbie
Joined: 18 Feb 2009 Posts: 4
|
Hello,
I am trying to secure the connection between our MQ server and our client WAS 6 system. When I test the connection from the WebSphere console I get the message:
"WebSphere MQ server darenew connection test failed for WebSphere MQ queue manager darenew.queue.manager. CWSJP0050E: An attempt to connect to WebSphere MQ queue manager or queue sharing group darenew.queue.manager failed. The WebSphere MQ reason code is MQRC_CONNECTION_BROKEN (2009).."
In the qmgr error log files on the MQ server I get the message:
"02/18/09 09:21:07 - Process(26010.62) User(mqm) Program(amqrmppa_nd)
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'SYSTEM.DEF.SVRCONN'.
EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'SYSTEM.DEF.SVRCONN'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'RC4_SHA_US'. The name of the CipherSpec negotiated during the SSL handshake is
'RC4_MD5_EXPORT'. A code is displayed if the name of the negotiated CipherSpec
cannot be determined.
ACTION:
Change the channel definitions for 'SYSTEM.DEF.SVRCONN' so the two ends have
matching CipherSpecs and restart the channel. If the certificate in use by one
end of the channel is a Global Server Certificate, then the negotiated
CipherSpec may not match that specified on either end of the channel. This is
because the SSL protocol allows a Global Server Certificate to automatically
negotiate a higher level of encryption. In these cases specify a CipherSpec
which meets the requirements of the Global Server Certificate."
On the MQ channel I am connecting to the SSLCIPH is defined as "RC4_SHA_US". FIPS is not enabled on the QMGR.
I have tried changing the cipher spec to 'RC4_MD5_EXPORT' but get the same type of error but with the negotiated cipher changing. Does anyone have any advice on setting up SSL connections to MQ? Is there any way of specifying more than one cipher spec for an MQ channel?
Thanks,
Darren |
|
drakumad57 |
Posted: Wed Feb 18, 2009 2:10 am Post subject: |
|
|
Newbie
Joined: 18 Feb 2009 Posts: 4
|
I have done a search of the forum for this problem and have found a post relating to this but it did not provide an answer. |
|
Gaya3 |
Posted: Wed Feb 18, 2009 2:23 am Post subject: |
|
|
 Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US
|
The cipher specs are different on the sender and receiver sides.
You have to synchronize the certificate on both ends.
So make it the same and start the channel.
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die |
|
exerk |
Posted: Wed Feb 18, 2009 2:34 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Check the cipherspec set at the client end matches that set in the SYSTEM.DEF.SVRCONN. As your logs show this:
Quote: |
The CipherSpec required in the local channel definition is 'RC4_SHA_US'. The name of the CipherSpec negotiated during the SSL handshake is 'RC4_MD5_EXPORT' |
EDIT: As an aside, don't use SYSTEM.DEF.SVRCONN - define a specific channel.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
rameshtdp |
Posted: Wed Jun 02, 2010 12:54 pm Post subject: |
|
|
 Novice
Joined: 11 May 2007 Posts: 18 Location: India
|
Each cipher spec assigned on the channel has its own cipher suite on the application side, like:
CipherSpec                     Equivalent CipherSuite
-----------------------------  ----------------------------------
NULL_MD5                       SSL_RSA_WITH_NULL_MD5
NULL_SHA                       SSL_RSA_WITH_NULL_SHA
RC4_MD5_EXPORT                 SSL_RSA_EXPORT_WITH_RC4_40_MD5
RC4_MD5_US                     SSL_RSA_WITH_RC4_128_MD5
RC4_SHA_US                     SSL_RSA_WITH_RC4_128_SHA
RC2_MD5_EXPORT                 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
DES_SHA_EXPORT                 SSL_RSA_WITH_DES_CBC_SHA
RC4_56_SHA_EXPORT1024          SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
DES_SHA_EXPORT1024             SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
TRIPLE_DES_SHA_US              SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA   SSL_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA       SSL_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA  SSL_RSA_WITH_3DES_EDE_CBC_SHA
FIPS_WITH_DES_CBC_SHA          SSL_RSA_FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA |
|
fjb_saper |
Posted: Wed Jun 02, 2010 8:19 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Check out the manuals. There is somewhere a correspondence table between ciphersuite (java) and cipherspec (channel definition). Easiest way would be to use a channel table and have the same cipherspec on the svrconn and clntconn ends of the channel.
Have fun
_________________
MQ & Broker admin |
|
PeterPotkay |
Posted: Thu Jun 03, 2010 4:52 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
|