ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » Java SSL headache

Post new topic  Reply to topic
 Java SSL headache « View previous topic :: View next topic » 
Author Message
RogerLacroix
PostPosted: Fri Jun 26, 2015 10:52 am    Post subject: Java SSL headache Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

All,

Note: I'm not an SSL guru - I can barely spell it.

With the security issues (i.e. POODLE) and IBM disabling older SSL Cipher/Spec/Suite, it is difficult to get a Java application to work with a non-IBM JRE.
http://www-01.ibm.com/support/docview.wss?uid=swg21688165
http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840

And then add the discrepancy between MQ Knowledge and IV66840, I'm pulling my hair out.

IV66840 says:
Quote:
The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled for WebSphere MQ v8:

CipherSuite -->
CipherSpec

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -->
ECDHE_ECDSA_3DES_EDE_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -->
ECDHE_ECDSA_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -->
ECDHE_ECDSA_AES_128_GCM_SHA256

etc...


But the MQ v8.0 Knowledge Center (http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm), it says:
Code:
CipherSpec                        Equivalent CipherSuite
----------                        ----------------------
ECDHE_ECDSA_3DES_EDE_CBC_SHA256   SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
ECDHE_ECDSA_AES_128_CBC_SHA256    SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_128_GCM_SHA256    SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
etc...

In case you missed it (both are referencing MQ V8.0), one says the CipherSuite should begin with TLS_* and the other one says it should begin with SSL_* for the SAME CipherSpec. Which one is correct?

Help.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
fjb_saper
PostPosted: Fri Jun 26, 2015 11:15 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

It all depends on whether this is an IBM JVM or not.

Rule of thumb:
  • IBM JVM
    • TLS cipher suite might not exist
    • use SSL cipher suite with FIPS=true
    • check out other documentation to confirm

  • NON IBM JVM
    • Use the TLS cipher suite

_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
RogerLacroix
PostPosted: Fri Jun 26, 2015 11:28 am    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

fjb_saper wrote:
It all depends on whether this is an IBM JVM or not.

I did say:
RogerLacroix wrote:
it is difficult to get a Java application to work with a non-IBM JRE.

fjb_saper wrote:
Rule of thumb:
  • IBM JVM
    • TLS cipher suite might not exist
    • use SSL cipher suite with FIPS=true
    • check out other documentation to confirm

  • NON IBM JVM
    • Use the TLS cipher suite

That almost makes sense. So, the MQ Knowledge Center's list of CipherSpec & CipherSuite are ONLY referencing an IBM JRE.

Whereas APAR IV66840 is referencing non-IBM JRE.

OMG. That is stupid but it does appear to make some sense.

Thank (whatever deity you want), that it is Friday and the NHL hockey draft is on in a couple of hours because I need a beer!!!

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
Gaya3
PostPosted: Fri Jun 26, 2015 11:32 am    Post subject: Reply with quote

Jedi

Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US

this is a big change, even i am also working on this...

good time
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Jun 26, 2015 11:41 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

RogerLacroix wrote:

it is difficult to get a Java application to work with a non-IBM JRE.

More so then you know. Early 7.5 JMS needed APARS to get any SSL to work with a non IBM JVM...
And standard Oracle JVM is not FIPS certified. You could get the nss package but then it's just another point of failure...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
RogerLacroix
PostPosted: Tue Jun 30, 2015 11:02 am    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

All,

Does anyone know if the CipherSpecs 'FIPS_WITH_3DES_EDE_CBC_SHA' and 'FIPS_WITH_DES_CBC_SHA' are supported for a non-IBM JRE?

The MQ Knowledge Center says:
Code:
JRE       CipherSpec                      CipherSuite
---       ----------                      -----------
IBM       FIPS_WITH_3DES_EDE_CBC_SHA      SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
IBM       FIPS_WITH_DES_CBC_SHA           SSL_RSA_FIPS_WITH_DES_CBC_SHA


But I cannot find any information about non-IBM JREs. I reviewed APAR IV66840 (http://www.ibm.com/support/docview.wss?uid=swg1IV66840) but it does not have anything about those 2 ciphers. Is the following table also true for non-IBM JREs?
Code:
JRE       CipherSpec                      CipherSuite
---       ----------                      -----------
non-IBM   FIPS_WITH_3DES_EDE_CBC_SHA      SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
non-IBM   FIPS_WITH_DES_CBC_SHA           SSL_RSA_FIPS_WITH_DES_CBC_SHA

Any information would be great.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
mqjeff
PostPosted: Tue Jun 30, 2015 11:21 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

fjb_saper wrote:
And standard Oracle JVM is not FIPS certified.
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Tue Jun 30, 2015 1:14 pm    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

mqjeff wrote:
fjb_saper wrote:
And standard Oracle JVM is not FIPS certified.

Yes, I realize that fjb_saper is an authority but I was looking for something more official.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
fjb_saper
PostPosted: Tue Jun 30, 2015 3:17 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

RogerLacroix wrote:
All,

Does anyone know if the CipherSpecs 'FIPS_WITH_3DES_EDE_CBC_SHA' and 'FIPS_WITH_DES_CBC_SHA' are supported for a non-IBM JRE?

The MQ Knowledge Center says:
Code:
JRE       CipherSpec                      CipherSuite
---       ----------                      -----------
IBM       FIPS_WITH_3DES_EDE_CBC_SHA      SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
IBM       FIPS_WITH_DES_CBC_SHA           SSL_RSA_FIPS_WITH_DES_CBC_SHA


AFAIK if you look at the cipersuites there should be a little index ref that says that those ciphersuites are not FIPS compliant and have been kept for backwards compliance. IIRC they are nor FIPS nor TLS...

RogerLacroix wrote:

But I cannot find any information about non-IBM JREs. I reviewed APAR IV66840 (http://www.ibm.com/support/docview.wss?uid=swg1IV66840) but it does not have anything about those 2 ciphers. Is the following table also true for non-IBM JREs?
Code:
JRE       CipherSpec                      CipherSuite
---       ----------                      -----------
non-IBM   FIPS_WITH_3DES_EDE_CBC_SHA      SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
non-IBM   FIPS_WITH_DES_CBC_SHA           SSL_RSA_FIPS_WITH_DES_CBC_SHA

Any information would be great.

Regards,
Roger Lacroix
Capitalware Inc.


Forget anything with the name FIPS in it. It is not FIPS compliant and probably only SSLv3 and not TLS...

In fact if you look at TLS ciphers you'll find the odd one like SSL_RSA_WITH_3DES_CBC_SHA with FIPS set to true and a limit set to the data exchange before needing a new key. Apart from that your best chance is using the AES ciphersuites but they too will need the FIPS flag set... Outside of those you are looking at elliptic curve ciphers. Some of those will probably require a different private key (specially for elliptic curve ciphers). I believe there are only 2 elliptic curve ciphers with the standard RSA key...

Check out developerworks there was an article not so long ago about non IBM JVMs and the corresponding ciphersuites but it required some environment variable to be set...

And remember not to use DE or DHE ciphers... different vulnerability... and half of the elliptic curve ones are part of those...

As to Oracle and FIPS here is part of the official story:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/FIPS.html
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm

Quote:
Conclusion
When SunJSSE is configured in FIPS 140 compliant mode together with an appropriate FIPS 140 certified cryptographic provider, for example Network Security Services (NSS) in its FIPS mode, SunJSSE is FIPS 140 compliant.


So first you have to integrate Sun JSSE with a certified FIPS crypto provider... good luck with that being an easy thing... Especially if you're already struggling with simple SSL...
Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
fjb_saper
PostPosted: Wed Jul 01, 2015 4:27 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Your best bet these days is to have your MQ at the level of fixpack specified in http://www.ibm.com/support/docview.wss?uid=swg1IV66840 and use the JVM property and ciphersuite as specified in the note. Comming from Oracle it might be FIPS compliant even though it is not FIPS certified... and remember part of the compliance is to not authorize a non FIPS compliant connection from the same JVM...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
RogerLacroix
PostPosted: Fri Jul 03, 2015 3:26 pm    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

Thanks for the info.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Security » Java SSL headache
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.