gfrench
Posted: Tue Apr 26, 2011 7:07 am    Post subject: Broker 7.0.0.2 SSL Ciphers
Acolyte
Joined: 10 Feb 2002    Posts: 71
Is there a simple way of listing the SSL cipher names supported by Broker without writing Java code? I would like to use AES 256 SHA, so I have tried all sorts of combinations: with underscores, with dashes, with prefix TLS_ and with prefix SSL_.
There is a list of supported suites in the MQ infocenter but not in the Broker infocenter. Neither:
TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
works. Any clues?
Thanks
Graham
P.S. This is on the TCP/IP Client node, using a configurable service. The manual states:
    Quote:
    A semicolon-delimited list of cipher suites that can be used for the SSL handshake. The default value "" means that all available cipher suites can be used
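The question above asks how to find out which cipher suite names the broker will accept. The TCP/IP Client node hands that semicolon-delimited list to the JVM's JSSE provider, so the names that work are whatever that provider reports, and the SSL_/TLS_ prefix convention differs between providers. The following Java program is an added example, not code from this thread or from IBM: it prints the provider name, every supported suite (marking which ones are enabled by default, i.e. what an empty list "" would offer), and then checks a semicolon-delimited list of candidate names against the supported set. The class name CipherSuiteCheck and the candidate list (built from the two names in the question) are assumptions; run it with the JVM the broker itself uses, since a different JDK may report different names. One caveat from that era of JDKs: AES-256 suites may be absent or disabled unless the unlimited-strength jurisdiction policy files are installed, which this program makes visible.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class CipherSuiteCheck {

    // Every cipher suite the default JSSE provider is able to negotiate.
    static Set<String> supportedSuites() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return new TreeSet<String>(Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()));
    }

    // Suites enabled by default; this is what an empty list "" lets the handshake offer.
    static Set<String> defaultSuites() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return new TreeSet<String>(Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()));
    }

    // Split a list the way the configurable service describes (semicolon-delimited)
    // and return the entries this JVM does not know at all.
    static List<String> unsupported(String semicolonList, Set<String> supported) {
        List<String> bad = new ArrayList<String>();
        for (String raw : semicolonList.split(";")) {
            String name = raw.trim();
            if (name.length() == 0) {
                continue;               // tolerate trailing or doubled semicolons
            }
            if (!supported.contains(name)) {
                bad.add(name);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = supportedSuites();
        Set<String> enabled = defaultSuites();

        System.out.println("JSSE provider: " + ctx.getProvider().getName());
        System.out.println("Supported cipher suites (" + supported.size() + "):");
        for (String suite : supported) {
            String mark = enabled.contains(suite) ? "enabled " : "disabled";
            System.out.println("  " + mark + "  " + suite);
        }

        // Constructed candidate list (the two names from the question); pass your own
        // semicolon-delimited list as the first argument to check it instead.
        String candidates = args.length > 0 ? args[0]
                : "TLS_RSA_WITH_AES_256_CBC_SHA;SSL_RSA_WITH_AES_256_CBC_SHA";
        List<String> bad = unsupported(candidates, supported);
        if (bad.isEmpty()) {
            System.out.println("All listed suites are supported by this JVM.");
        } else {
            System.out.println("Not supported by this JVM: " + bad);
        }
    }
}
```

Compile and run it with the broker's own JDK (for example, javac CipherSuiteCheck.java && java CipherSuiteCheck "TLS_RSA_WITH_AES_256_CBC_SHA;SSL_RSA_WITH_AES_256_CBC_SHA"). A name that appears in the supported list but is marked disabled will be accepted by the configurable service yet still fail the handshake unless the JVM's policy allows it, which is the usual reason an AES-256 entry "does not work" on an older JDK.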

fjb_saper
Posted: Tue Apr 26, 2011 12:26 pm    Post subject: Re: Broker 7.0.0.2 SSL Ciphers
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
gfrench wrote:
    Is there a simple way of listing the SSL Cipher names supported by broker without writing java code? I would like to use AES 256 SHA so have tried all sorts of combinations with underscores, with dashes, prefix TLS_ with prefix SSL_
    There is a list of supported suites in the MQ infocenter but not in Broker infocenter. Neither:
    TLS_RSA_WITH_AES_256_CBC_SHA
    SSL_RSA_WITH_AES_256_CBC_SHA
    work. Any clues?
    Thanks
    Graham
    P.S. This is on the TCP/IP Client node, using a configurable service. The manual states:
    Quote:
    A semicolon-delimited list of cipher suites that can be used for the SSL handshake. The default value "" means that all available cipher suites can be used
I see what you are trying to do. The MB Explorer as I tried it (V7.0.0.2) does not yet support SSL FIPS. I have a PMR open for that.
Try CipherSpec FIPS_WITH_3DES_EDE_CBC_SHA and the corresponding CipherSuite SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA.
Note: you will have to add the CipherSuite to the list by going through the dialogue on the preferences in the MB Explorer. Once added to the custom SSL CipherSuites you'll be able to choose it in the drop-down.
Note as well that this CipherSpec / CipherSuite, despite its name, is qualified as non-FIPS in the matching table.
I was not able to make any of the FIPS CipherSuites work with MB Explorer... and your CipherSpec/CipherSuite is FIPS.
Have fun
_________________
MQ & Broker admin

smdavies99
Posted: Tue Apr 26, 2011 1:34 pm    Post subject:
Jedi Council
Joined: 10 Feb 2003    Posts: 6076    Location: Somewhere over the Rainbow this side of Never-never land.
Quote:
    I was not able to make any of the FIPS ciphersuites work with MB Explorer... and your cipherspec/ciphersuite is FIPS
Are you saying that the only way to configure this is via MBExplorer?
I'm working with Graham (the OP) on this.
Is there any way to get a FIPS cipher configured?
Could you set a config with something that is valid and then 'hack' it to use the real suite?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

fjb_saper
Posted: Tue Apr 26, 2011 8:18 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
smdavies99 wrote:
    Quote:
    I was not able to make any of the FIPS ciphersuites work with MB Explorer... and your cipherspec/ciphersuite is FIPS
    Are you saying that the only way to configure this is via MBExplorer?
    I'm working with Graham (the OP) on this.
    Is there any way to get a FIPS cipher configured?
    Could you set a config with something that is valid and then 'hack' it to use the real suite?
No, you can probably work around it using Java and the CMP API. I have not tried this avenue yet, as I wanted to minimize the use of custom code.
So far I have found out that the MB Explorer did not allow me to connect to any broker with FIPS set to true, although it works like a charm in the MQ Explorer connecting to a qmgr (using different channels with different MCAUSER). (PMR open)
Another gotcha has been the use of mqsideploy (at least in Windows going against a broker on AIX), as it did not ask for the key/trust store password and did not allow me any way to pass the information, after using the *.broker file created with the MB Explorer. (PMR open)
I suspect that the preference setting FIPS=true is not supported by the MB Explorer part, and the SSL wizard dialogue has no place for a FIPS = true checkbox... (I did not expect any would be needed after setting the preference). As you use the successful setup of the broker in the MB Explorer to create the *.broker file, you would need inside IBM information on what to put into the *.broker file to "hack" the solution... (as you know I am not working for Big Blue...)
I believe the Toolkit is even more rudimentary than the MB Explorer when setting the SSL preferences. By the way, it is the only tool that allowed me a successful connection using "connect to remote broker" with a *.broker file...
Have fun and let me know if you progress
_________________
MQ & Broker admin

fjb_saper
Posted: Tue Apr 26, 2011 8:45 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

fjb_saper
Posted: Fri Apr 29, 2011 11:35 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
UPDATE from one of my PMRs:
mqsideploy: when using SSL, make sure you set the IBM_JAVA_OPTIONS environment variable first.
e.g. set or export IBM_JAVA_OPTIONS=-Djavax.net.ssl.trustStorePassword="password" -Djavax.net.ssl.keyStorePassword="password" ...
_________________
MQ & Broker admin

gfrench
Posted: Tue May 03, 2011 11:16 pm    Post subject:
Acolyte
Joined: 10 Feb 2002    Posts: 71
I'm assuming that is when doing an mqsideploy over a secure SSL connection and nothing to do with deploying code that will run securely (i.e. with SOAP, HTTP or TCP/IP nodes over SSL).