Author |
Message
|
mbwagner |
Posted: Fri Aug 19, 2016 4:19 am Post subject: MQ Queue Manager - Moving from SSL to TLS |
|
|
Novice
Joined: 24 Feb 2016 Posts: 17
|
Hi All,
I am planning to migrate our MQ cluster queue manager from using SSL to TLS. Our client source application and I have never migrated from SSL to TLS, so we are both newbies on this topic.
Our present SSL RSA key size is 2048 and SSLCIPH (TRIPLE_DES_SHA_US).
MQ Version is 7.0.1.12
There are multiple source channels connecting to the queue manager using an SSL certificate, and these need to be migrated to TLS.
Since there are multiple source channels using the same SSL certificate, each using a unique MQ client channel to connect to the queue manager, I do want to remove the existing SSL MQ client channel as this will be higher risk in the case of a wrong upgrade or rollback scenario, and also this queue manager is a member of an MQ cluster.
I want to create a new MQ client channel for each source channel and configure TLS, and if the TLS handshake works fine between the source application and the queue manager, then the SSL channel will be removed for the respective source channel.
I have to choose this channel-by-channel SSL to TLS migration strategy to avoid major impact to all source applications during the same outage window.
If you can give me any advice about it from your experience or point me to any document about MQ Queue Manager SSL to TLS migration strategy, I would be very grateful.
Thanks,
wagner |
|
|
 |
smdavies99 |
Posted: Fri Aug 19, 2016 6:38 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Please do not double post. It won't help you get a response any quicker. _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
|
 |
exerk |
Posted: Fri Aug 19, 2016 6:53 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
You may also want to consider getting off an out-of-support version of MQ too... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
|
 |
hughson |
Posted: Fri Aug 19, 2016 2:07 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
The same process as going from no-SSL to SSL should be followed for going from SSL to TLS.
Read more in this article: "Enabling SSL in an existing WebSphere MQ cluster"
P.S. You also mention client channels - these are not cluster channels and don't have the same problems, you can just change those over or make a second channel easily. _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
|
 |
mbwagner |
Posted: Tue Aug 23, 2016 1:35 am Post subject: |
|
|
Novice
Joined: 24 Feb 2016 Posts: 17
|
Hi Hughson,
Thanks for the response. I will follow the below-mentioned article steps to set up TLS.
The present SSLCIPH (TRIPLE_DES_SHA_US) is used.
What SSLCIPH will need to be used for TLS 1.1 or 1.2?
Thanks, wagner |
|
|
 |
hughson |
Posted: Tue Aug 23, 2016 2:13 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
Hi Wagner,
Take a look at this page in Knowledge Center: Enabling CipherSpecs
It lists all the CipherSpecs and has a column showing TLS1.0 or TLS1.2 (it used to also show the SSL CipherSpecs but they have been moved to the "Deprecated" page).
So, if you need a TLS1.2 cipherspec, pick one from that table that is shown to use protocol TLS1.2.
Cheers
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
|
 |
mbwagner |
Posted: Tue Aug 23, 2016 5:56 am Post subject: |
|
|
Novice
Joined: 24 Feb 2016 Posts: 17
|
Hi Hughson,
Appreciate your quick response. This link is very useful.
SSL Key size - 2048
Encryption bit - SHA2 (256)
SSLCIPH - (TRIPLE_DES_SHA_US)
As per the above SSL 3.0 certificate details, the below TLS 1.2 CipherSuite is compatible with us:
TLS_RSA_WITH_AES_256_CBC_SHA256
One more doubt in the SSL to TLS implementation:
Our present SSL certificates are configured on the Queue Manager Server Connection and Client Connection channels. So there will be changes required in the Queue Manager cluster receiver, cluster sender and cluster auto channels as there is no SSL between cluster queue managers.
SSL is used to connect to our gateway queue manager from the remote source application, so SSL is configured on the Server Connection and Client Connection channels.
In this kind of scenario, will there be no changes required in the cluster receiver, cluster sender and auto-definition channels? Is this understanding correct?
Also, there will be no fluctuation/changes in cluster objects during TLS configuration on the server connection channel and client connection channel....
Need your suggestion/inputs on this.........
Thanks,
wagner |
|
|
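One way to track the channel-by-channel migration discussed in this thread, as an added example that is not part of any poster's message or of IBM's tooling: it parses the output of `DISPLAY CHANNEL(*) SSLCIPH` from runmqsc and reports which client-facing channels still carry the SSL 3.0 CipherSpec. The sample output, the channel names and the two-entry protocol table are constructed for illustration; extend the table from the Knowledge Center CipherSpec page.

```python
import re

# Protocol of the two CipherSpecs named in this thread. Extend this table
# from the CipherSpec page in the IBM Knowledge Center.
PROTOCOL = {
    "TRIPLE_DES_SHA_US": "SSL 3.0",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "TLS 1.2",
}

# Constructed sample of runmqsc output for: DISPLAY CHANNEL(*) SSLCIPH
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(APP1.TLS.SVRCONN)               CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(TO.GATEWAY.QM)                  CHLTYPE(CLUSRCVR)
   SSLCIPH( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # NAME(value) pairs, several per line

def parse_channels(text):
    """Return one attribute dict per AMQ8414 record in the runmqsc output."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            current = {}
            records.append(current)
        elif current is not None:
            for key, value in ATTR.findall(line):
                current[key] = value.strip()
    return records

def classify(record):
    """Blank SSLCIPH means no SSL/TLS; names missing from the table are 'unknown'."""
    cipher = record.get("SSLCIPH", "")
    return PROTOCOL.get(cipher, "unknown") if cipher else "plaintext"

def migration_report(text, chltypes=("SVRCONN", "CLNTCONN")):
    """Map channel name -> protocol, limited to the channel types being migrated."""
    return {r["CHANNEL"]: classify(r) for r in parse_channels(text)
            if "CHANNEL" in r and r.get("CHLTYPE") in chltypes}

def still_on_ssl(text):
    """Channels that keep the old CipherSpec and still await a TLS replacement."""
    return sorted(n for n, p in migration_report(text).items() if p == "SSL 3.0")

if __name__ == "__main__":
    print(migration_report(SAMPLE))
    print("still on SSL 3.0:", still_on_ssl(SAMPLE))
```
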
 |
bruce2359 |
Posted: Tue Aug 23, 2016 6:30 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
mbwagner wrote: |
Need your suggestion/inputs on this......... |
You should create a test environment to work through this conversion before you attempt it in production. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
|
 |
|