MQSeries.net » IBM MQ Security » MQExplorer v8 missing cipherspec TRIPLE_DES_SHA_US
ayeh
PostPosted: Thu Aug 14, 2014 10:20 am    Post subject: MQExplorer v8 missing cipherspec TRIPLE_DES_SHA_US

I'm working in a pre-existing environment and just downloaded the latest MS0T supportpac. While setting up an SSL connection in mqexplorer, I see that the SSL options properties (SSL CipherSpec) drop-down box does not list TRIPLE_DES_SHA_US as an option. The options begin with either FIPS, ECDHE, NULL, RC4, or TLS. None work, resulting in the same error:

AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel 'SYSTEM.ADMIN.SVRCONN'.

The channels to these queue managers are using the same trust stores as WebSphere appserver and another application, so I really don't want to rework everything SSL just to get mqexplorer to work.

I'm looking for an understanding of why TRIPLE_DES_SHA_US is gone from mqexplorer and what my alternatives might be.

P.S. MQ 7.1 multi-instance qmgrs on Solaris 10

Thanks
JosephGramig
PostPosted: Thu Aug 14, 2014 10:57 am

Look at Table 2
ayeh
PostPosted: Thu Aug 14, 2014 11:26 am    Post subject: MQExplorer v8 missing cipherspec TRIPLE_DES_SHA_US

Yes, I figured there would be an equivalent, but if you look at my notes, there are no SSL* ciphersuite options in MQExplorer v8. What I can see is an equivalent is FIPS_WITH_3DES_EDE_CBC_SHA, but that doesn't work either.

The problem still seems to be MQExplorer v8.

Still studying.
fjb_saper
PostPosted: Thu Aug 14, 2014 11:42 am    Post subject: Re: MQExplorer v8 missing cipherspec TRIPLE_DES_SHA_US

ayeh wrote:

I'm looking for an understanding of why TRIPLE_DES_SHA_US is gone from mqexplorer and what my alternatives might be.

P.S. MQ 7.1 multi-instance qmgrs on Solaris 10

Thanks

Don't know which MQExplorer you are looking at. On mine (installed with the server) it shows up at the bottom, after all the TLS_* cipher specs (alphabetical order).
You're right it does not show up in the client connection dialog anymore.
Maybe because this particular spec is being made obsolete and no longer considered secure?
Just can't find the reference at the moment...
JosephGramig
PostPosted: Thu Aug 14, 2014 11:42 am

Looks like TLS_RSA_WITH_3DES_EDE_CBC_SHA is equivalent. It maps to the same thing the last line in the chart maps to.
JosephGramig
PostPosted: Thu Aug 14, 2014 11:49 am    Post subject: Re: MQExplorer v8 missing cipherspec TRIPLE_DES_SHA_US

ayeh wrote:
Yes, I figured there would be an equivalent, but if you look at my notes, there are no SSL* ciphersuite options in MQExplorer v8. What I can see is an equivalent is FIPS_WITH_3DES_EDE_CBC_SHA, but that doesn't work either.

The problem still seems to be MQExplorer v8.

Still studying.


Maps to SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA which is different than what the chart says TRIPLE_DES_SHA_US maps to...
fjb_saper
PostPosted: Thu Aug 14, 2014 11:50 am

JosephGramig wrote:
Looks like TLS_RSA_WITH_3DES_EDE_CBC_SHA is equivalent. It maps to the same thing the last line in the chart maps to.

No, it's not. You need SSLFIPS=true for that, and if on a non-IBM JVM you may have to install NISS software to get there.

Closest non-obsolete would be the FIPS_RSA_3DES_EDE_CBC_SHA with ciphersuite SSL_RSA_FIPS_3DES_EDE_CBC_SHA (from memory), which has not yet reached obsolescence...

Here is the reference and the quote
Quote:
Changes to CipherSuite/CipherSpec support
The support for SSL/TLS CipherSuites in the WebSphere MQ classes for JMS has changed as follows:
More CipherSuites are now supported.
One CipherSuite (SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5) is no longer supported.
The following three CipherSuites are no longer supported with SSL, and are now only supported with TLS:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA

ayeh
PostPosted: Thu Aug 14, 2014 12:28 pm


So a little more MQExplorer installation background.

MS0T is currently at v8.0.0. I executed setup.exe "run as administrator," which installed the IBM JRE. Running MQExplorer itself has no effect on this Cipher issue.

I also replaced my userid with ******.

java.version == 1.7.0 (Java 1)
java.vm.name == IBM J9 VM
java.vm.vendor == IBM Corporation
java.vm.version == 2.6
java.vm.specification.name == Java Virtual Machine Specification
java.vm.specification.vendor == Sun Microsystems Inc.
java.vm.specification.version == 1.0
java.specification.name == Java Platform API Specification
java.specification.vendor == Sun Microsystems Inc.
java.specification.version == 1.7
java.vendor == IBM Corporation
java.vendor.url == http://www.ibm.com/
java.class.version == 51.0
java.compiler == j9jit26
java.home == C:\Users\*******\AppData\Local\Temp\I1407794979\Windows\resource\jre\jre
java.io.tmpdir == C:\Users\*******\AppData\Local\Temp\
os.name == Windows 7
os.arch == x86
os.version == 6.1
path.separator == ;
file.separator == \
file.encoding == Cp1252
user.name == *******
user.home == C:\Users\*******
user.dir == C:\Users\*******\AppData\Local\Temp\I1407794979\Windows
user.language == en
user.region == null
__________________________________________________________________________

Installed Feature(s) Explorer of IBM WebSphere MQ Explorer V8.0

Install Begin: AUGUST 11, 2014 3:10:22 PM PDT
Install End: AUGUST 11, 2014 3:12:12 PM PDT

Installed by InstallAnywhere 14.0 Enterprise Build 4349


User Interactions
-----------------


#Indicate whether the license agreement been accepted
#----------------------------------------------------
LICENSE_ACCEPTED=TRUE

#Choose Install Folder
#---------------------
USER_INSTALL_DIR=C:\\Program Files\\IBM\\WebSphere MQ Explorer

#Install
#-------
-fileOverwrite_C\:\\Program\ Files\\IBM\\WebSphere\ MQ\ Explorer\\_IBM\ WebSphere\ MQ\ Explorer\ V8.0_installation\\Change\ IBM\ WebSphere\ MQ\ Explorer\ V8.0\ Installation.lax=Yes
-fileOverwrite_C\:\\Program\ Files\\IBM\\WebSphere\ MQ\ Explorer\\_IBM\ WebSphere\ MQ\ Explorer\ V8.0_installation\\resource\\iawin32.dll=Yes
-fileOverwrite_C\:\\Program\ Files\\IBM\\WebSphere\ MQ\ Explorer\\_IBM\ WebSphere\ MQ\ Explorer\ V8.0_installation\\resource\\remove.exe=Yes
-fileOverwrite_C\:\\Program\ Files\\IBM\\WebSphere\ MQ\ Explorer\\build_level.txt=Yes
-fileOverwrite_C\:\\Program\ Files\\IBM\\WebSphere\ MQ\ Explorer\\README.txt=Yes
-fileOverwrite_C\:\\Program\ Files\\IBM\\WebSphere\ MQ\ Explorer\\MQExplorer.ini=Yes
-fileOverwrite_C\:\\Program\ Files\\IBM\\WebSphere\ MQ\ Explorer\\ws_brand.ico=Yes
-fileOverwrite_C\:\\Program\ Files\\IBM\\WebSphere\ MQ\ Explorer\\properties\\version\\WebSphere_MQ_Explorer_SupportPac-8.0.0.cmptag=Yes

Summary
-------

Installation: Successful.

1591 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors

Action Notes:

None

Install Log Detail: [snipped]

ayeh
PostPosted: Thu Aug 14, 2014 1:24 pm

I learned something by changing the SSLCIPH on the SVRCONN to FIPS_WITH_3DES_EDE_CBC_SHA and matched that in MQExplorer V8. Now I can connect but others cannot. This indicates to me that, at least, part of the SSLCIPH negotiation is based on text-matching between the two ends. They have to be valid, but they also have to match in name.

So why wouldn't MQExplorer V8 support valid SSLCIPH values across all versions of WMQ? Or maybe allow typed values?

Without some support for more ciphers in MQExplorer v8, the only solution to this problem may be either to see if anyone we know still has MQExplorer v7 or to modify all qmgrs' SSL/CHL configs.

This is why I was wondering about the reason for losing TRIPLE_DES_SHA_US in the first place. Is there any hope for an MQExplorer solution to this issue?

Thoughts?
fjb_saper
PostPosted: Thu Aug 14, 2014 3:37 pm

ayeh wrote:
I learned something by changing the SSLCIPH on the SVRCONN to FIPS_WITH_3DES_EDE_CBC_SHA and matched that in MQExplorer V8. Now I can connect but others cannot. This indicates to me that, at least, part of the SSLCIPH negotiation is based on text-matching between the two ends. They have to be valid, but they also have to match in name.

So why wouldn't MQExplorer V8 support valid SSLCIPH values across all versions of WMQ? OR maybe allow typed values?

Without some support for more ciphers in MQExplorer v8, the only solution to this problem may either be to see if anyone we know still has MQExplorer v7 or modify all qmgrs SSL/CHL configs.

This is why I was wondering about the reason for losing TRIPLE_DES_SHA_US in the first place. Is there any hope for an MQExplorer solution to this issue?

Thoughts?


My understanding is that SSL_RSA_WITH_3DES_EDE_CBC_SHA in its non-FIPS application (SSL_) is no longer secure and might have been breached or be on the verge of being breached... Thus it got retired in the new version of MQ. You may have noticed the SUITE B and Elliptic Curve cryptography that got added. So security is constantly evolving and not static. This means that you'd have to adapt and select a CipherSpec / CipherSuite that would still be secure.
ayeh
PostPosted: Thu Aug 14, 2014 4:46 pm

fjb_saper wrote:

My understanding is that SSL_RSA_WITH_3DES_EDE_CBC_SHA in its non-FIPS application (SSL_) is no longer secure and might have been breached or be on the verge of being breached... Thus it got retired in the new version of MQ. You may have noticed the SUITE B and Elliptic Curve cryptography that got added. So security is constantly evolving and not static. This means that you'd have to adapt and select a CipherSpec / CipherSuite that would still be secure.


Sigh, now I get it. Thank you and the forum for the help.
Cheers
zpat
PostPosted: Thu Aug 14, 2014 9:58 pm

However looking at the MQ v8 knowledge center - TRIPLE_DES_SHA_US is still listed as being available on all platforms.

Have you tried using a CCDT (with Triple DES set in it) with MQ explorer?

If you look at the MQ V8 explorer drop down list of cipherspecs - some of the very old (and insecure) ones are listed - so this lack of TRIPLE_DES_SHA_US is not about retirement of old cipherspecs - this is a defect.

I've just opened a PMR on this.
fjb_saper
PostPosted: Fri Aug 15, 2014 4:28 am

zpat wrote:
However looking at the MQ v8 knowledge center - TRIPLE_DES_SHA_US is still listed as being available on all platforms.

Have you tried using a CCDT (with Triple DES set in it) with MQ explorer?

If you look at the MQ V8 explorer drop down list of cipherspecs - some of the very old (and insecure) ones are listed - so this lack of TRIPLE_DES_SHA_US is not about retirement of old cipherspecs - this is a defect.

I've just opened a PMR on this.


Quote:
The following three CipherSuites are no longer supported with SSL, and are now only supported with TLS:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA


TRIPLE_DES_SHA_US as a cipherspec has not been retired. What has been retired is the equivalent ciphersuite. So if you don't use Java, you are welcome to use TRIPLE_DES_SHA_US. If you use Java, tough luck: choose a ciphersuite that has not been retired...

You may not have noticed, but keeping the TLS ciphersuite SSL_RSA_WITH_3DES_EDE_CBC_SHA FIPS-compliant now requires you to renegotiate the key every 32 GB; see note #9.
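The two observations that settle this thread, ayeh's finding that the SVRCONN SSLCIPH and the client's choice have to resolve to the same thing by name (otherwise AMQ9631), and fjb_saper's point here that the CipherSpec TRIPLE_DES_SHA_US itself was not retired but its CipherSuite lost SSL 3.0 support in the MQ 8 Java classes, can be modelled as a small compatibility check. This is an added example written for this page, not IBM code and not anything the participants posted. The CipherSpec-to-CipherSuite table in it is my own reading of the IBM mapping table the thread refers to and should be verified against the Knowledge Center for your fix level; the SSLRKEYC attribute named in the 3DES key-reset check is also an assumption, not something stated in the thread.

```python
"""Model the MQ 8 Java-client CipherSpec problem discussed in the thread.

Two rules are encoded:
  1. Both ends must agree on the same CipherSuite over the same protocol,
     or the queue manager rejects the connection with AMQ9631.
  2. The MQ 8 Java/JMS classes still support the three CipherSuites quoted
     above, but only over TLS, so CipherSpecs that pin them to SSL 3.0
     (TRIPLE_DES_SHA_US among them) are no longer usable from Java clients.

Added example, not IBM code.  The mapping table is my reading of the IBM
CipherSpec/CipherSuite table (assumption: verify against the Knowledge Center).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str       # JSSE CipherSuite name used by the MQ Java classes
    protocol: str   # protocol version the CipherSpec pins
    fips: bool      # client must run with SSLFIPS enabled to use it


# Channel SSLCIPH (CipherSpec) -> CipherSuite + protocol.  Constructed subset.
CIPHERSPECS = {
    "TRIPLE_DES_SHA_US":               Suite("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSLv3", False),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA":   Suite("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLSv1", False),
    "FIPS_WITH_3DES_EDE_CBC_SHA":      Suite("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", "SSLv3", True),
    "DES_SHA_EXPORT":                  Suite("SSL_RSA_WITH_DES_CBC_SHA", "SSLv3", False),
    "TLS_RSA_WITH_DES_CBC_SHA":        Suite("SSL_RSA_WITH_DES_CBC_SHA", "TLSv1", False),
    "RC4_SHA_US":                      Suite("SSL_RSA_WITH_RC4_128_SHA", "SSLv3", False),
    "TLS_RSA_WITH_AES_128_CBC_SHA":    Suite("SSL_RSA_WITH_AES_128_CBC_SHA", "TLSv1", False),
    "TLS_RSA_WITH_AES_256_CBC_SHA256": Suite("SSL_RSA_WITH_AES_256_CBC_SHA256", "TLSv1.2", False),
    "ECDHE_RSA_AES_128_GCM_SHA256":    Suite("SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2", False),
}

# Taken from the MQ 8 "Changes to CipherSuite/CipherSpec support" text quoted in the thread.
MQ8_JAVA_TLS_ONLY = {
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
}
MQ8_JAVA_REMOVED = {"SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"}


def mq8_java_client_supports(cipherspec):
    """Return (ok, reason): can an MQ 8 Java client (MQ Explorer V8 included) use this CipherSpec?"""
    s = CIPHERSPECS.get(cipherspec)
    if s is None:
        return False, f"{cipherspec}: not in the mapping table"
    if s.name in MQ8_JAVA_REMOVED:
        return False, f"{s.name} was removed from the MQ 8 Java classes"
    if s.protocol == "SSLv3" and s.name in MQ8_JAVA_TLS_ONLY:
        return False, (f"{s.name} is TLS-only in the MQ 8 Java classes, "
                       f"but {cipherspec} pins {s.protocol}")
    if s.fips:
        return True, f"{s.name} works only with SSLFIPS enabled on the client"
    return True, f"{s.name} over {s.protocol}"


def handshake_result(svrconn_sslciph, client_cipherspec):
    """Simplified model of the name-level check: the client must end up on exactly the
    CipherSuite/protocol the channel's SSLCIPH names, or the queue manager raises AMQ9631."""
    server = CIPHERSPECS.get(svrconn_sslciph)
    client = CIPHERSPECS.get(client_cipherspec)
    if server is None or client is None:
        return False, "AMQ9631: unknown CipherSpec on one end"
    if server != client:
        return False, (f"AMQ9631: negotiated {client.name}/{client.protocol} does not match "
                       f"required {server.name}/{server.protocol}")
    return True, f"connected with {server.name} over {server.protocol}"


def tls_equivalents(cipherspec):
    """CipherSpecs that reuse the same CipherSuite over TLS.  Moving SSLCIPH to one of these
    keeps the existing key and trust stores; only the channel attribute changes."""
    s = CIPHERSPECS.get(cipherspec)
    if s is None:
        return []
    return sorted(spec for spec, other in CIPHERSPECS.items()
                  if other.name == s.name and other.protocol.startswith("TLS"))


def needs_key_reset(cipherspec):
    """3DES carries the 32 GB limit noted in the thread: the session key has to be renegotiated
    before that much data flows, so the queue manager's key-reset count must not stay at 0
    (assumption: SSLRKEYC is the attribute that controls this)."""
    s = CIPHERSPECS.get(cipherspec)
    return s is not None and "3DES" in s.name


if __name__ == "__main__":
    # ayeh's situation: SVRCONN still on TRIPLE_DES_SHA_US, Explorer V8 offering FIPS_WITH_3DES_EDE_CBC_SHA
    print(mq8_java_client_supports("TRIPLE_DES_SHA_US"))
    print(handshake_result("TRIPLE_DES_SHA_US", "FIPS_WITH_3DES_EDE_CBC_SHA"))
    print(tls_equivalents("TRIPLE_DES_SHA_US"), needs_key_reset("TRIPLE_DES_SHA_US"))
```

Run as a script, the first call explains why a V8 Java client cannot offer TRIPLE_DES_SHA_US, the second reproduces the AMQ9631 mismatch from the original post, and the third lists the channel-side change (TLS_RSA_WITH_3DES_EDE_CBC_SHA) that keeps the same CipherSuite and the same key material. Whether the non-Java clients sharing that SVRCONN can follow the change depends on their own CipherSpec support, which is a separate check.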
zpat
PostPosted: Fri Aug 15, 2014 8:41 am

The knowledge center does not mention this "retirement" in relation to MQ explorer (and I can't see it elsewhere either).

Are you saying this is a JSSE change and not a MQ change?

This will be a major migration issue and should be very clearly flagged up by IBM.
fjb_saper
PostPosted: Fri Aug 15, 2014 9:41 am

It is, however, clearly mentioned in the changes for MQ 8: changes for Java (see bottom of the page), changes for CipherSpec/CipherSuite support.

See also table 2 at the bottom of this page

Page 1 of 2