| Author |
Message
|
| gfrench |
 Posted: Wed Apr 27, 2011 3:32 am Post subject: Broker and SSL over TCP nodes |
 |
|
Acolyte
Joined: 10 Feb 2002
Posts: 71
|
[edit] split from http://www.mqseries.net/phpBB2/viewtopic.php?p=301962#301962 [/edit]
Not really what I was looking for. I'm not trying to connect the explorer securely, I'm trying to connect using TCPIPClientSend and Receive nodes to a third party server. They have indicated they use AES 256 SHA security.
I've run a service trace and can see the following:-
| Code: |
javax.net.ssl.SSLContext@49df49df'
2011-04-27 12:12:22.827032 7308 >> ClientConnectionManager.createConnection 'Initialised SSLContext'
2011-04-27 12:12:22.827169 7308 >> ClientConnectionManager.createConnection 'Acquired SSLEngine' , '6e436e43[SSLEngine[hostname=null port=-1] SSL_NULL_WITH_NULL_NULL]'
2011-04-27 12:12:22.827228 7308 >> ClientConnectionManager.createConnection 'protocol[0] |SSLv3|'
2011-04-27 12:12:22.827239 7308 >> ClientConnectionManager.createConnection 'protocol[1] |TLSv1|'
2011-04-27 12:12:22.828159 7308 >> ClientConnectionManager.createConnection 'cipherSuite[0] |SSL_RSA_WITH_RC4_128_MD5|'
2011-04-27 12:12:22.828172 7308 >> ClientConnectionManager.createConnection 'cipherSuite[1] |SSL_RSA_WITH_RC4_128_SHA|'
2011-04-27 12:12:22.828184 7308 >> ClientConnectionManager.createConnection 'cipherSuite[2] |SSL_RSA_WITH_AES_128_CBC_SHA|'
2011-04-27 12:12:22.828199 7308 >> ClientConnectionManager.createConnection 'cipherSuite[3] |SSL_DHE_RSA_WITH_AES_128_CBC_SHA|'
2011-04-27 12:12:22.828208 7308 >> ClientConnectionManager.createConnection 'cipherSuite[4] |SSL_DHE_DSS_WITH_AES_128_CBC_SHA|'
2011-04-27 12:12:22.828220 7308 >> ClientConnectionManager.createConnection 'cipherSuite[5] |SSL_RSA_WITH_3DES_EDE_CBC_SHA|'
2011-04-27 12:12:22.828252 7308 >> ClientConnectionManager.createConnection 'cipherSuite[6] |SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA|'
2011-04-27 12:12:22.828266 7308 >> ClientConnectionManager.createConnection 'cipherSuite[7] |SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA|'
2011-04-27 12:12:22.828277 7308 >> ClientConnectionManager.createConnection 'cipherSuite[8] |SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA|'
2011-04-27 12:12:22.828287 7308 >> ClientConnectionManager.createConnection 'cipherSuite[9] |SSL_DHE_DSS_WITH_RC4_128_SHA|'
2011-04-27 12:12:22.828298 7308 >> ClientConnectionManager.createConnection 'cipherSuite[10] |SSL_RSA_WITH_DES_CBC_SHA|'
2011-04-27 12:12:22.828308 7308 >> ClientConnectionManager.createConnection 'cipherSuite[11] |SSL_RSA_FIPS_WITH_DES_CBC_SHA|'
2011-04-27 12:12:22.828340 7308 >> ClientConnectionManager.createConnection 'cipherSuite[12] |SSL_DHE_RSA_WITH_DES_CBC_SHA|'
2011-04-27 12:12:22.828355 7308 >> ClientConnectionManager.createConnection 'cipherSuite[13] |SSL_DHE_DSS_WITH_DES_CBC_SHA|'
2011-04-27 12:12:22.828365 7308 >> ClientConnectionManager.createConnection 'cipherSuite[14] |SSL_RSA_EXPORT_WITH_RC4_40_MD5|'
2011-04-27 12:12:22.828376 7308 >> ClientConnectionManager.createConnection 'cipherSuite[15] |SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|'
2011-04-27 12:12:22.828386 7308 >> ClientConnectionManager.createConnection 'cipherSuite[16] |SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|'
2011-04-27 12:12:22.828397 7308 >> ClientConnectionManager.createConnection 'cipherSuite[17] |SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|'
2011-04-27 12:12:22.828428 7308 >> ClientConnectionManager.createConnection 'cipherSuite[18] |SSL_RSA_WITH_NULL_MD5|'
2011-04-27 12:12:22.828441 7308 >> ClientConnectionManager.createConnection 'cipherSuite[19] |SSL_RSA_WITH_NULL_SHA|'
2011-04-27 12:12:22.828453 7308 >> ClientConnectionManager.createConnection 'cipherSuite[20] |SSL_DH_anon_WITH_AES_128_CBC_SHA|'
2011-04-27 12:12:22.828464 7308 >> ClientConnectionManager.createConnection 'cipherSuite[21] |SSL_DH_anon_WITH_RC4_128_MD5|'
2011-04-27 12:12:22.828475 7308 >> ClientConnectionManager.createConnection 'cipherSuite[22] |SSL_DH_anon_WITH_3DES_EDE_CBC_SHA|'
2011-04-27 12:12:22.828485 7308 >> ClientConnectionManager.createConnection 'cipherSuite[23] |SSL_DH_anon_WITH_DES_CBC_SHA|'
2011-04-27 12:12:22.828517 7308 >> ClientConnectionManager.createConnection 'cipherSuite[24] |SSL_DH_anon_EXPORT_WITH_RC4_40_MD5|'
2011-04-27 12:12:22.828531 7308 >> ClientConnectionManager.createConnection 'cipherSuite[25] |SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA|'
2011-04-27 12:12:22.828542 7308 >> ClientConnectionManager.createConnection 'cipherSuite[26] |SSL_KRB5_WITH_RC4_128_SHA|'
2011-04-27 12:12:22.828554 7308 >> ClientConnectionManager.createConnection 'cipherSuite[27] |SSL_KRB5_WITH_RC4_128_MD5|'
2011-04-27 12:12:22.828565 7308 >> ClientConnectionManager.createConnection 'cipherSuite[28] |SSL_KRB5_WITH_3DES_EDE_CBC_SHA|'
2011-04-27 12:12:22.828575 7308 >> ClientConnectionManager.createConnection 'cipherSuite[29] |SSL_KRB5_WITH_3DES_EDE_CBC_MD5|'
2011-04-27 12:12:22.828607 7308 >> ClientConnectionManager.createConnection 'cipherSuite[30] |SSL_KRB5_WITH_DES_CBC_SHA|'
2011-04-27 12:12:22.828620 7308 >> ClientConnectionManager.createConnection 'cipherSuite[31] |SSL_KRB5_WITH_DES_CBC_MD5|'
2011-04-27 12:12:22.828632 7308 >> ClientConnectionManager.createConnection 'cipherSuite[32] |SSL_KRB5_EXPORT_WITH_RC4_40_SHA|'
2011-04-27 12:12:22.828643 7308 >> ClientConnectionManager.createConnection 'cipherSuite[33] |SSL_KRB5_EXPORT_WITH_RC4_40_MD5|'
2011-04-27 12:12:22.828653 7308 >> ClientConnectionManager.createConnection 'cipherSuite[34] |SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA|'
2011-04-27 12:12:22.828664 7308 >> ClientConnectionManager.createConnection 'cipherSuite[35] |SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5|'
2011-04-27 12:12:22.828727 7308 >> ClientConnectionManager.createConnection 'Enabling |TLS_RSA_WITH_AES_256_CBC_SHA|'
2011-04-27 12:12:22.828739 7308 >> ClientConnectionManager.createConnection 'Enabling |TLS_DH_RSA_WITH_AES_256_CBC_SHA|'
2011-04-27 12:12:22.828750 7308 >> ClientConnectionManager.createConnection 'Enabling |SSL_RSA_WITH_AES_256_CBC_SHA|'
2011-04-27 12:12:22.828760 7308 >> ClientConnectionManager.createConnection 'Enabling |SSL_DH_ANON_WITH_AES_256_CBC_SHA|'
2011-04-27 12:12:22.828769 7308 >> ClientConnectionManager.createConnection 'Enabling |SSL_DHE_RSA_WITH_AES_256_CBC_SHA|'
2011-04-27 12:12:22.828779 7308 >> ClientConnectionManager.createConnection 'Enabling |SSL_DHE_DSS_WITH_AES_256_CBC_SHA|'
2011-04-27 12:12:22.830192 7308 >> ClientConnectionManager.createConnection 'Caught throwable' , 'java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers at com |
It looks like its going through the list of Ciphers it knows about, before trying to enable the ones I've requested it use in the configurable service and then fails saying it can not support the first in the list.
So my question, how come the broker isn't trying any of the AES 256 SHA ones? These all appear to be shorter 128 byte ciphers. How do I get the other ciphers?
Any help great appreciated. |
|
| Back to top |
|
 |
| gfrench |
| Posted: Wed Apr 27, 2011 7:52 am Post subject: |
|
|
Acolyte
Joined: 10 Feb 2002
Posts: 71
|
I'm guessing this is something to do with security providers. I've looked at the java.security file and have
| Code: |
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
|
I can also see the jars in C:\Program Files\IBM\MQSI\7.0\jre16\lib\ext
I can also see in the profile
| Code: |
MQSI_JARPATH=C:\Program Files\IBM\MQSI\7.0\classes;C:\Program Files\IBM\MQSI\7.0\messages;
MQSI_JREPATH=C:\Program Files\IBM\MQSI\7.0\jre16
|
With my basic java understanding this seems to be ok, but I'm still not seeing the extended 256 byte ciphers in my trace. Any thoughts. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Apr 27, 2011 10:27 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
So what are you setting as broker connection parameters and what is available? You do realize of course that ALL client connections of the JVM (e.g.) will have to have FIPS set to true? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| gfrench |
| Posted: Thu Apr 28, 2011 12:56 am Post subject: |
|
|
Acolyte
Joined: 10 Feb 2002
Posts: 71
|
We are connecting using TCPIP Client Recieve node, so there are no broker connection paramters. The SSL connection parameters are provided through the configurable service, which includes the host, port and the two SSL paramters SSLProtocol and SSLCiphers.
I've tried with SSLv3 and TLS and if I use a Cipher listed in the trace SSL_RSA_WITH_RC4_128_SHA it finds it and connects. If I use a Cipher not listed it fails as shown at the bottom of the trace.
I do not realise or understand the statement about FIPS and whether it applies to TCPIPClientReceive node. I've googled FIPS and have not a clue! Maybe I am being to honest here 
Thanks for any help |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Apr 28, 2011 1:00 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
The java security provider that is shipped with Broker does not support any random cryptographic algorithm.
Particularly, there are certain cryptographic algorithms that are under import/export restrictions in the U.S., so you should expect to find different supported algorithms if you are not actually in the U.S.
FIPS is a US government encryption standard. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Apr 28, 2011 1:00 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
FIPS is related to Federal Information Protocol Security or something of the kind. You may want to google SSLFIPS.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| gfrench |
| Posted: Thu Apr 28, 2011 1:30 am Post subject: |
|
|
Acolyte
Joined: 10 Feb 2002
Posts: 71
|
The cipher suit I believe I need is TLS_RSA_WITH_AES_256_CBC_SHA.
Does the shipped security provider support this?
I've copied ListAlogithms java class (found on the internet) and ran it against my JRE and I can see the AES cipher and the SHA 256 message digests, so it looks like it is supported, although the message is the trace clearly states its not supported. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Apr 28, 2011 1:45 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
|
| Back to top |
|
|
| gfrench |
| Posted: Tue May 03, 2011 8:07 am Post subject: |
|
|
Acolyte
Joined: 10 Feb 2002
Posts: 71
|
Thanks..
I've played around with security providers as suggested in the doc (with and without the commented line):-
| Code: |
#security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPSProvider
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2 |
I've tried a bunch of socket stuff:-
| Code: |
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
#ssl.SocketFactory.provider=com.ibm.fips.jsse.JSSESocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.fips.jsse.JSSEServerSocketFactory |
I've also downloaded the US_export_policy.jar and local_policy.jar, all without success and resulting in java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA
I tried adding :-
| Code: |
| mqsichangeproperties BK7 -e ZZZ -o ComIbmJVMManager -n jvmSystemProperty -v -Dcom.ibm.jsse2.JSSEFIPS=true |
The later extends my error to
| Quote: |
| Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA or ciphersuite is not supported in FIPS mode |
Any further clues or ideas available from anyone that has this working? |
|
| Back to top |
|
|
| gfrench |
| Posted: Wed May 04, 2011 1:22 am Post subject: |
|
|
Acolyte
Joined: 10 Feb 2002
Posts: 71
|
Finally got the broker to use cipher suit SSL_RSA_WITH_AES_256_CBC_SHA. The steps are:-
Amended java.security file to include the following providers
| Quote: |
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO |
Amended java.secruity file to add socket stuff
| Quote: |
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl |
Amended jvm system property
| Quote: |
mqsichangeproperties BK7 -e ZZZ -o ComIbmJVMManager -n jvmSystemProperty -v -Dcom.ibm.jsse2.JSSEFIPS=true |
Downloaded the unlimited strength jurisdiction policy files from https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=jcesdk&lang=en_US and replace the originals
And a configurable service with the SSLProtocol=TLS and the SSLCiphers=SSL_RSA_WITH_AES_256_CBC_SHA
However, I'm still getting javax.net.ssl.SSLException: bad record MAC so not fixed yet, but thought I'd document my findings
PS... Having played around a bit more, the key is the unlimited jurisdiction jar files.. Adding the stuff to the java.security file didn't seem to make much difference, and the FIPS=true parameter just reduces the available algorithms to the high strength (probably compliant ones!). These are probably really important if you need to be FIPS compliant, but are possibly unnecessary for me.... But adding the unlimited strength jar files immediately showed all the extra strength ciphers I was originally looking for, hoping in vain that they would fix my bad record MAC. |
|
| Back to top |
|
|
| gfrench |
| Posted: Tue May 10, 2011 5:05 am Post subject: |
|
|
Acolyte
Joined: 10 Feb 2002
Posts: 71
|
Thought I'd post an update since we are still working on this. Despite all our attempts I still get javax.net.ssl.SSLException: bad record MAC when using the TCP/IP Client Output and Receive nodes using SSL to our third party provider.
I've created a dummy server flow to mimic the remote end and SSL works correctly. But as soon as I reconfigure to the third party I get my 'bad record MAC'
By using a Java Compute node we were perfectly capable of creating an SSL socket and logging in (ie sending data) using a choice of Ciphers. This method avoids using the connection manager and seems to work fine.
My conclusion is that we are hitting a bug in the connection manager. May be a compatibility issue between the IBM ssl and that of the third party. If I was able, I would raise a PMR and see this one through to resolution.
I'm currently looking at alternatives:-
1/ Running without SSL through some sort of proxy.
2/ Using a java compute node to handle the whole thing. |
|
| Back to top |
|
|
|
|
