MQ Queue Manager - Moving from SSL to TLS
mbwagner
Posted: Fri Aug 19, 2016 4:19 am    Post subject: MQ Queue Manager - Moving from SSL to TLS

Novice

Joined: 24 Feb 2016
Posts: 17

Hi All,

I am planning to migrate our MQ cluster queue manager from using SSL to TLS. Me and our client source application have never migrated from SSL to TLS, so both are newbies on this topic.
Our present SSL RSA key size is 2048 and SSLCIPH (TRIPLE_DES_SHA_US).
MQ Version is 7.0.1.12

There are multiple source channels connecting to the queue manager using an SSL certificate, and these need to be migrated to TLS.
Since there are multiple source channels using the same SSL certificate, each using a unique MQ client channel to connect to the queue manager, I do want to remove the existing SSL MQ client channel as this will be higher risk in the case of a wrong upgrade or rollback scenario, and also this queue manager is a member of an MQ cluster.
I want to create a new MQ client channel for each source channel and configure TLS, and if the TLS handshake works fine between the source application and the queue manager, then the SSL channel will be removed for the respective source channel.

I have to choose this channel-by-channel SSL to TLS migration strategy to avoid major impact to all source applications during the same outage window.

If you can give me any advice about it from your experience, or point me to any document about MQ Queue Manager SSL to TLS migration strategy, I would be very grateful.

Thanks,
wagner
smdavies99
Posted: Fri Aug 19, 2016 6:38 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

Please do not double post. It won't help you get a response any quicker.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
exerk
Posted: Fri Aug 19, 2016 6:53 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

You may also want to consider getting off an out-of-support version of MQ too...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Fri Aug 19, 2016 2:07 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

The same process as going from no-SSL to SSL should be followed for going from SSL to TLS.

Read more in this article: "Enabling SSL in an existing WebSphere MQ cluster"

P.S. You also mention client channels - these are not cluster channels and don't have the same problems, you can just change those over or make a second channel easily.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
mbwagner
Posted: Tue Aug 23, 2016 1:35 am

Novice

Joined: 24 Feb 2016
Posts: 17

Hi Hughson,
Thanks for the response. I will follow the steps in the article mentioned below to set up TLS.
The present SSLCIPH (TRIPLE_DES_SHA_US) is used.
What SSLCIPH will need to be used for TLS 1.1 or 1.2?

Thanks, wagner
hughson
Posted: Tue Aug 23, 2016 2:13 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Hi Wagner,

Take a look at this page in Knowledge Center: Enabling CipherSpecs

It lists all the CipherSpecs and has a column showing TLS1.0 or TLS1.2 (it used to also show the SSL CipherSpecs but they have been moved to the "Deprecated" page).

So, if you need a TLS1.2 cipherspec, pick one from that table that is shown to use protocol TLS1.2.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
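
An added example, not part of the original posts and not IBM tooling: a small Python check that reads the output of the MQSC command `DISPLAY CHANNEL(*) CHLTYPE SSLCIPH` and reports, channel by channel, which definitions still use an SSL 3.0 CipherSpec. The channel names and sample output are constructed, and the protocol table covers only the two CipherSpecs named in this thread.

```python
import re

# Constructed sample of runmqsc output for DISPLAY CHANNEL(*) CHLTYPE SSLCIPH.
# Channel names are hypothetical.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SSL.SVRCONN)               CHLTYPE(SVRCONN)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(APP1.TLS.SVRCONN)               CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(TO.GATEWAY.QM)                  CHLTYPE(CLUSRCVR)
   SSLCIPH( )
"""

# Protocol per CipherSpec, limited to the two named in this thread.
# Extend it from the "Enabling CipherSpecs" table for your MQ level.
PROTOCOL = {
    "TRIPLE_DES_SHA_US": "SSL 3.0",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "TLS 1.2",
}
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # matches KEYWORD(value) pairs

def parse_channels(text):
    """Split runmqsc output into one attribute dict per channel."""
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):       # start of a new channel record
            channels.append({})
        elif channels:
            for key, value in ATTR.findall(line):
                channels[-1][key] = value.strip()
    return [c for c in channels if "CHANNEL" in c]

def migration_status(text):
    """Map channel name -> (channel type, protocol or finding)."""
    status = {}
    for ch in parse_channels(text):
        spec = ch.get("SSLCIPH", "")
        proto = (PROTOCOL.get(spec, "unknown: check CipherSpec table")
                 if spec else "none (blank SSLCIPH)")
        status[ch["CHANNEL"]] = (ch.get("CHLTYPE", ""), proto)
    return status

def still_on_ssl(text):
    """Names of channels whose CipherSpec is an SSL 3.0 one."""
    return sorted(name for name, (_, proto) in migration_status(text).items()
                  if proto.startswith("SSL"))
```

Running `still_on_ssl` against saved output before and after each change window shows which old channel definitions remain once their TLS replacements have been verified.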
mbwagner
Posted: Tue Aug 23, 2016 5:56 am

Novice

Joined: 24 Feb 2016
Posts: 17

Hi Hughson,

Appreciate your quick response. This link is very useful.

SSL Key size - 2048
Encryption bit - SHA2 (256)
SSLCIPH - (TRIPLE_DES_SHA_US)

As per the above SSL 3.0 certificate details, the below TLS 1.2 CipherSuite is compatible for us:
TLS_RSA_WITH_AES_256_CBC_SHA256

One more doubt about the SSL to TLS implementation:
Our present SSL certificates are configured on the Queue Manager Server Connection and Client Connection channels. So there will be changes required in the Queue Manager cluster receiver, cluster sender and cluster auto channel, as there is no SSL between cluster queue managers.

SSL is used to connect to our gateway queue manager from the remote source application, so SSL is configured on the Server Connection and Client Connection channels.

In this kind of scenario, will there be no changes required in the cluster receiver, cluster sender and auto-definition channels? Is this understanding correct?

Also, there will be no fluctuation/changes in cluster objects during TLS configuration on the server connection channel and client connection channel....

Need your suggestion/inputs on this.........

Thanks,
wagner
bruce2359
Posted: Tue Aug 23, 2016 6:30 am

Poobah

Joined: 05 Jan 2008
Posts: 9392
Location: US: west coast, almost. Otherwise, enroute.

mbwagner wrote:
Need your suggestion/inputs on this.........

You should create a test environment to work through this conversion before you attempt it in production.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.