fjb_saper |
Posted: Tue Jan 05, 2016 8:56 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Depending on the version of Java you are using, this might be the problem right there... SSL is no longer supported as a secure protocol, the minimum these days being TLS and a key of minimum 2048 in size...
Have fun
_________________
MQ & Broker admin

crusader |
Posted: Tue Jan 05, 2016 10:17 pm
Novice
Joined: 28 Dec 2015 Posts: 16
Which Java version shall I use? Is it a must that I use KDB instead of JKS since I'm using WebSphere MQ?
I tried creating a self-signed certificate using both the key database management UI from IBM and Java keytool, but it doesn't solve this problem.
If I'm using one-way SSL, do I need to specify a keystore on the client side? What I think is that I don't need to, but I'm afraid I might be wrong about the whole concept of an SSL connection.

fjb_saper |
Posted: Wed Jan 06, 2016 5:15 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
crusader wrote:
> Which Java version shall I use? Is it a must that I use KDB instead of JKS since I'm using WebSphere MQ?
> I tried creating a self-signed certificate using both the key database management UI from IBM and Java keytool, but it doesn't solve this problem.
> If I'm using one-way SSL, do I need to specify a keystore on the client side? What I think is that I don't need to, but I'm afraid I might be wrong about the whole concept of an SSL connection.

For the server (MQ) you need a KDB store. For the client you will need a JKS type store. If all you do is one-way SSL, the client will need the server's cert chain in its truststore. However, due to some default, it may be advisable to also have your own cert for the client. I assume your next step will be 2-way SSL...
Unlike HTTP, the cipher spec / cipher suite is not negotiated to the highest capable, but is fixed through the channel's cipher spec. So read up in the infocenter which cipher suite (+ SSL FIPS) matches which cipher spec...
_________________
MQ & Broker admin

crusader |
Posted: Wed Jan 06, 2016 8:04 pm
Novice
Joined: 28 Dec 2015 Posts: 16
> However, due to some default, it may be advisable to also have your own cert for the client

Does it mean I need to have my keystore in which my own cert is, and another truststore in which the server cert is?
I have tried that way also and still encounter the "protocol disabled or cipher spec inappropriate" error.
I want to try testing using amqsputc with SSL, but where can I set the cipher spec for it?
I set MQSERVER and MQSSLKEYR in the system environment variables, but I don't know where to set the cipher spec, because I want to fall back to basic testing using the MQ client and MQ server.
I can send a message using amqsputc without SSL. Now I want to send a message again using amqsputc with SSL.

fjb_saper |
Posted: Wed Jan 06, 2016 8:54 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
crusader wrote:
> > However, due to some default, it may be advisable to also have your own cert for the client
> Does it mean I need to have my keystore in which my own cert is, and another truststore in which the server cert is?
> I have tried that way also and still encounter the "protocol disabled or cipher spec inappropriate" error.
> I want to try testing using amqsputc with SSL, but where can I set the cipher spec for it?
> I set MQSERVER and MQSSLKEYR in the system environment variables, but I don't know where to set the cipher spec, because I want to fall back to basic testing using the MQ client and MQ server.
> I can send a message using amqsputc without SSL. Now I want to send a message again using amqsputc with SSL.

The cipher spec is set on the SVRCONN channel.
And as I said, the cipher spec you chose may no longer be suitable.... as it is not TLS...
_________________
MQ & Broker admin

crusader |
Posted: Wed Jan 06, 2016 11:00 pm
Novice
Joined: 28 Dec 2015 Posts: 16
Yes, I set "RC4_MD5_US" on the channel on the MQ server side. Meaning I don't need to define a cipher suite if I try sending a message using amqsputc from the MQ client machine?
AFAIK I need to set two environment variables on the client machine, MQSERVER and MQSSLKEYR.
If the cipher spec I chose is no longer suitable, which cipher spec shall I use? Is there a way to know which cipher spec I should use depending on my client jar file version and server version?
I am now using MQ server 7.0.1.6 and the MQ client jar file version is 7.5.0.2.
Thank you

exerk |
Posted: Thu Jan 07, 2016 1:05 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
crusader wrote:
> ...AFAIK I need to set two environment variables on the client machine, MQSERVER and MQSSLKEYR...

From the documentation: "...You cannot use MQSERVER to define an SSL channel or a channel with channel exits..."
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

crusader |
Posted: Thu Jan 07, 2016 1:18 am
Novice
Joined: 28 Dec 2015 Posts: 16
If I want to connect using the JMS client, shall I use MQQueueConnectionFactory or MQConnectionFactory to use a cipher spec?

fjb_saper |
Posted: Thu Jan 07, 2016 5:24 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

crusader |
Posted: Wed Jan 13, 2016 6:17 pm
Novice
Joined: 28 Dec 2015 Posts: 16
Thank you.
I put the line below in my JVM options and it works, a miracle happened:
-Dcom.ibm.jsse2.disableSSLv3=false
Thank you guys

fjb_saper |
Posted: Wed Jan 13, 2016 9:46 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
crusader wrote:
> Thank you.
> I put the line below in my JVM options and it works, a miracle happened:
> -Dcom.ibm.jsse2.disableSSLv3=false
> Thank you guys

Sure, but SSL V3 is no longer considered secure. Use TLS.
_________________
MQ & Broker admin

mqjeff |
Posted: Thu Jan 14, 2016 6:04 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
fjb_saper wrote:
> Sure, but SSL V3 is no longer considered secure. Use TLS.

Proven insecure. Do not use SSL v3.
_________________
chmod -R ugo-wx /

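Pulling the thread's advice together (fjb_saper's points that the cipher spec is fixed on the SVRCONN channel rather than negotiated, that one-way SSL needs only the queue manager's certificate chain in the client truststore, and the closing warning from fjb_saper and mqjeff not to re-enable SSLv3), here is an added example of a JMS client configured for a TLS cipher spec. It is not code from this thread or from IBM. The host, port, queue manager, channel and queue names, the truststore path and password, the MQSC commands quoted in the comments, the choice of TLS_RSA_WITH_AES_128_CBC_SHA as a cipher spec both ends support, and the assumption that the 7.5.0.2 client honours the com.ibm.mq.cfg.useIBMCipherMappings property on non-IBM JREs are all assumptions of the example. Because MQQueueConnectionFactory extends MQConnectionFactory, the same SSL setters apply whichever of the two the poster picks.

```java
// Added example (not from the thread or from IBM): a WebSphere MQ JMS client
// connecting over TLS with the cipher suite pinned to the channel's CipherSpec,
// using a truststore only (one-way TLS) and never enabling SSLv3.
import java.io.FileInputStream;
import java.security.KeyStore;

import javax.jms.Connection;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class TlsMqClient {

    // Assumed endpoint. The SVRCONN channel is assumed to have been altered on the
    // queue manager (in runmqsc) with:
    //   ALTER CHANNEL('SSL.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(OPTIONAL)
    //   REFRESH SECURITY TYPE(SSL)
    // SSLCAUTH(OPTIONAL) is one-way TLS: the client must trust the queue manager's
    // certificate chain but is not required to present a certificate of its own.
    static final String HOST = "mqhost.example";          // assumed
    static final int PORT = 1414;                          // assumed
    static final String QMGR = "QM1";                      // assumed
    static final String CHANNEL = "SSL.SVRCONN";           // assumed
    static final String QUEUE = "queue:///TEST.QUEUE";     // assumed
    static final String TRUSTSTORE = "/path/to/client-trust.jks"; // assumed; holds the QM's CA/cert chain
    static final char[] TRUSTSTORE_PW = "changeit".toCharArray();  // assumed

    // MQ fixes the CipherSpec per channel; there is no negotiation to the strongest
    // common suite as in HTTPS. The client must therefore name the one JSSE suite that
    // maps to that CipherSpec. IBM JREs spell this suite SSL_RSA_WITH_AES_128_CBC_SHA;
    // Oracle/OpenJDK JREs spell it TLS_RSA_WITH_AES_128_CBC_SHA.
    static String cipherSuiteFor(String mqCipherSpec, boolean ibmJre) {
        if (!"TLS_RSA_WITH_AES_128_CBC_SHA".equals(mqCipherSpec)) {
            throw new IllegalArgumentException("no mapping in this example for " + mqCipherSpec);
        }
        return ibmJre ? "SSL_RSA_WITH_AES_128_CBC_SHA" : "TLS_RSA_WITH_AES_128_CBC_SHA";
    }

    static boolean isIbmJre() {
        return System.getProperty("java.vendor", "").contains("IBM");
    }

    // An SSLContext that knows only the client truststore. No keystore is loaded
    // because this is one-way TLS. The protocol is TLSv1, so SSLv3 is never enabled
    // and -Dcom.ibm.jsse2.disableSSLv3=false is not needed.
    static SSLContext trustOnlyContext() throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(TRUSTSTORE);
        try {
            ts.load(in, TRUSTSTORE_PW);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    static MQConnectionFactory factory() throws Exception {
        boolean ibm = isIbmJre();
        if (!ibm) {
            // Assumption: the client version in use honours this property. On non-IBM
            // JREs it tells the MQ classes to accept Oracle-style suite names.
            System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");
        }
        // MQQueueConnectionFactory extends MQConnectionFactory; the SSL setters are the same.
        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName(HOST);
        cf.setPort(PORT);
        cf.setQueueManager(QMGR);
        cf.setChannel(CHANNEL);
        cf.setSSLCipherSuite(cipherSuiteFor("TLS_RSA_WITH_AES_128_CBC_SHA", ibm));
        cf.setSSLSocketFactory(trustOnlyContext().getSocketFactory());
        return cf;
    }

    public static void main(String[] args) throws Exception {
        Connection conn = factory().createConnection();
        try {
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue q = session.createQueue(QUEUE);
            MessageProducer producer = session.createProducer(q);
            TextMessage msg = session.createTextMessage("hello over TLS");
            conn.start();
            producer.send(msg);
            System.out.println("sent " + msg.getJMSMessageID());
        } finally {
            conn.close();
        }
    }
}
```

Compile and run it against the jars in the MQ client's java/lib directory, with no disableSSLv3 property on the command line. If the channel's SSLCIPH and the suite passed to setSSLCipherSuite do not map to each other, the connection fails in the handshake, which is the same symptom the thread was chasing; fix the mapping rather than weakening the protocol. For the amqsputc test the poster asked about, the SSLCIPH value has to come from a CLNTCONN channel definition in a client channel definition table pointed to by MQCHLLIB/MQCHLTAB, since, as exerk quoted, MQSERVER cannot define an SSL channel.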