Inisah
Posted: Thu Jan 29, 2015 2:49 am Post subject: TLS padding vulnerability via a POODLE for MQ
Apprentice
Joined: 21 Mar 2014 Posts: 44

Hi All,
I am looking for clarification on how to do the mitigation for the TLS padding vulnerability via POODLE for MQ. In the IBM documentation, it is mentioned that we need to set the environment variable GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE. But there was no specific instruction on how it needs to be done. Can someone help me with it?
Also, is it mandatory to enable GSKit 8 by setting AltGSKit=YES in the SSL stanza even if we are on the latest versions of MQ, to ensure that we are not vulnerable to the POODLE attack?
MQ Version: 7.5.0.3 on AIX
hughson
Posted: Thu Jan 29, 2015 7:08 am Post subject: Re: TLS padding vulnerability via a POODLE for MQ
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand

Inisah wrote:
In the IBM documentation, it is mentioned that we need to set the environment variable GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE. But there was no specific instruction on how it needs to be done.

The technote has the following information about the environment variable:-
Quote:
The environment variable GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE must be set at a system wide level to ensure that channels using the TLS protocol adhere to strict compliance of the TLS RFC.
A restart of queue managers, listeners and applications is required to ensure the environment variable changes are effective.

Which bit were you having trouble with?

Inisah wrote:
Also, is it mandatory to enable GSKit 8 by setting AltGSKit=YES in the SSL stanza even if we are on the latest versions of MQ, to ensure that we are not vulnerable to the POODLE attack?
MQ Version: 7.5.0.3 on AIX

The technote has the following information about using GSKit 8:-
Quote:
IBM WebSphere MQ Version 7.0.1 and earlier
Users should move to a Fix Pack level of 7.0.1.10 or later and ensure that GSKit 8 is enabled using the following instructions.

This instruction only applies to V7.0.1; you are on V7.5.0, which uses GSKit V8 already and has no other GSKit to use.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Inisah
Posted: Mon Feb 02, 2015 3:14 am Post subject:
Apprentice
Joined: 21 Mar 2014 Posts: 44

Thank you for your response.
Quote:
Which bit were you having trouble with?

Maybe I should have been more specific in my question.
How do we set this GSK_STRICTCHECK_CBCPADBYTES variable? I checked for this environment variable in the Knowledge Center as well as Google, but I couldn't find any detail.
Do we need to just run the command 'export GSK_STRICTCHECK_CBCPADBYTES= TRUE'?
hughson
Posted: Mon Feb 02, 2015 3:49 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand

I'm not an AIX expert, but I wouldn't have thought a simple export command would set the environment variable as system-wide. Don't you have to put it in /etc/environment?
Perhaps some AIX experts will be able to comment.
zpat
Posted: Mon Feb 02, 2015 3:53 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

Put it in the mqm userid's .profile command script, along with any others you want. For example:
Code:
export MQS_REPORT_NOAUTH=TRUE
export AMQ_DUMP_NO_PROPERTIES=TRUE
export AMQ_XA_ZOMBIE_EXPIRY=3600
export EXTSHM=ON
export GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE

_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Vagos1
Posted: Thu Apr 30, 2015 2:09 am Post subject:
Newbie
Joined: 30 Apr 2015 Posts: 9

I have the same issue, so to clarify something for my case:
When we have MQ versions 7.0.1.x and 6.0.2.x, we need GSKit 8 on the server in order to proceed with the POODLE attack fix?
Then I will go through and export the env variables in .profile and also add Allgskit=YES in qm.ini, OK?
hughson
Posted: Thu Apr 30, 2015 7:18 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand

The technote has the following information about using GSKit 8:-
Quote:
IBM WebSphere MQ Version 7.0.1 and earlier
Users should move to a Fix Pack level of 7.0.1.10 or later and ensure that GSKit 8 is enabled using the following instructions.

I don't believe you can use GSKit 8 with MQ V6. Also, MQ V6 is no longer in service, so you are not getting any new fixes with that version; I suggest you move to a version that is in support.
Cheers
Morag
Vagos1
Posted: Thu May 14, 2015 12:18 am Post subject: ALLgskit
Newbie
Joined: 30 Apr 2015 Posts: 9

Thanks.
And what about the value Allgskit=YES in the qm.ini file? Do you think that is needed?
hughson
Posted: Thu May 14, 2015 12:24 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand

AltGSKit is the way you configure the queue manager to use GSKit 8, so yes, it is required at V7.0.1. Please read the Technote again to be sure you understand what to do.
Please note the keyword is Alt (short for alternate) and not All as you have written.
Cheers
Morag
zpat
Posted: Thu May 14, 2015 12:37 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

Is it the case that
GSK_STRICTCHECK_CBCPADBYTES= TRUE
has to be set on both the QM host and the MQ client host to take effect?
Vagos1
Posted: Thu May 14, 2015 1:23 am Post subject: AltGskit
Newbie
Joined: 30 Apr 2015 Posts: 9

OK, I will proceed on v7.0 with the latest fixpack and GSKit 8:
1. add export GSK_STRICTCHECK_CBCPADBYTES= TRUE to mqm's .profile
2. add in qm.ini the lines
SSL:
AltGSKit=Yes
3. change the cipherspecs on the channels
4. refresh security type(SSL)
I think this is what is needed. Any comment?
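As an added example (not code from the thread or from IBM), the shell functions below check the two settings this thread settles on: AltGSKit=YES inside the SSL stanza of qm.ini, and GSK_STRICTCHECK_CBCPADBYTES exported with the exact value GSK_TRUE that the technote quoted earlier requires, which catches the "= TRUE" spelling used in several posts. The qm.ini and profile files it reads are constructed inline; where the profile really lives (mqm's .profile or /etc/environment, as discussed above) is an assumption you pass in.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): check the two settings
# discussed above. The qm.ini and profile files below are constructed here.
TMPD=$(mktemp -d)

cat > "$TMPD/qm.ini" <<'EOF'
SSL:
   AltGSKit=YES
EOF
# Same keyword under the wrong stanza: must NOT count as enabled.
cat > "$TMPD/qm_wrong.ini" <<'EOF'
SSL:
   SSLCryptoHardware=
Channels:
   AltGSKit=YES
EOF
cat > "$TMPD/profile_ok" <<'EOF'
export EXTSHM=ON
export GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
EOF
# "= TRUE" as typed in some posts above: in sh this exports an EMPTY
# GSK_STRICTCHECK_CBCPADBYTES, so the strict padding check never turns on.
cat > "$TMPD/profile_bad" <<'EOF'
export GSK_STRICTCHECK_CBCPADBYTES= TRUE
EOF
# Succeed only if AltGSKit=YES sits inside the SSL: stanza. A stanza starts
# at a "Name:" line; its attributes follow until the next stanza header.
ssl_altgskit_set() {
  awk '
    /^[A-Za-z]+:/ { in_ssl = ($0 ~ /^SSL:/); next }
    in_ssl && /^[ \t]*AltGSKit[ \t]*=/ {
      split($0, kv, "="); gsub(/[ \t]/, "", kv[2])
      if (toupper(kv[2]) == "YES") found = 1   # value compared case-insensitively
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}
# Succeed only if the file exports the variable with the exact value GSK_TRUE,
# the value the technote quoted in this thread requires (not TRUE, not "= TRUE").
strict_padcheck_exported() {
  grep -Eq '^[[:space:]]*export[[:space:]]+GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE[[:space:]]*$' "$1"
}
for f in qm.ini qm_wrong.ini; do
  ssl_altgskit_set "$TMPD/$f" && echo "$f: AltGSKit=YES in SSL stanza" || echo "$f: AltGSKit NOT in SSL stanza"
done
for f in profile_ok profile_bad; do
  strict_padcheck_exported "$TMPD/$f" && echo "$f: strict CBC pad check on" || echo "$f: strict CBC pad check OFF"
done
```

A file check says nothing about processes already running: as the technote says, queue managers, listeners and applications must be restarted before the variable takes effect.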
fjb_saper
Posted: Thu May 14, 2015 2:41 am Post subject: Re: AltGskit
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

Vagos1 wrote:
OK, I will proceed on v7.0 with the latest fixpack and GSKit 8:
1. add export GSK_STRICTCHECK_CBCPADBYTES= TRUE to mqm's .profile
2. add in qm.ini the lines
SSL:
AltGSKit=Yes
3. change the cipherspecs on the channels
4. refresh security type(SSL)
I think this is what is needed. Any comment?

Why bother with 7.0 at all? You will be out of support at the end of September.
Upgrade to 7.5 or, better, 8.0.0.2.
_________________
MQ & Broker admin
Vagos1
Posted: Thu May 14, 2015 11:48 pm Post subject: certificate check
Newbie
Joined: 30 Apr 2015 Posts: 9

When I use GSKit 8 and
GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
is there any reason I can't see the certificate in Internet Explorer? Because usually I was also checking my certificate from IE.
mqjeff
Posted: Fri May 15, 2015 4:18 am Post subject: Re: certificate check
Grand Master
Joined: 25 Jun 2008 Posts: 17447

Vagos1 wrote:
When I use GSKit 8 and
GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
is there any reason I can't see the certificate in Internet Explorer? Because usually I was also checking my certificate from IE.

Does Internet Explorer allow you to work with the MQ transport protocol? Establish an MQ client connection?
I know it works with HTTP and FTP and probably a few other things. I'm not sure it lets you work with MQ directly.