ribs2609
Posted: Mon Sep 12, 2016 10:08 pm Post subject: SSL b/w SDR - RCVR channel on mainframe and windows qmgr
Novice
Joined: 12 Sep 2016 Posts: 13
Hi Team,
I am trying to enable SSL between SDR - RCVR channels on a Mainframe and a Windows Qmgr and hit an invalid cipher error. All the configuration information is below.
Not really sure where I am going wrong.
Mainframe QMGR: QIB1, MQ Version: v7.1.0
Windows QMGR: QM3, MQ Version: v7.0.1.3
Sender channel on QIB1: QIB1.TO.QM3
RCVR channel on QM3: QIB1.TO.QM3
Cipher Spec on both SDR and RCVR: TLS_RSA_WITH_AES_128_CBC_SHA
At RCVR end, SSLAUTH set to: OPTIONAL, so only transferring Windows certificate to mainframe QMGR's key ring.
With the above setup in place, trying to start the sender channel at mainframe end gives an Invalid cipher specification error.
Note: 1. The channels work without SSL configured.
2. I have a working SSL configuration between SDR - RCVR channels on 2 windows qmgrs using the same cipher.
Error details in mainframe syslog while starting sender channel on mainframe:
Code: |
10:15:15.89 STC14983 00000090 +CSQX500I QIB1 CSQXRCTL Channel QIB1.TO.QM3 started
10:15:15.97 STC14983 00000090 +CSQX635E QIB1 CSQXRCTL Invalid cipher specification 002F for channel
290
290 00000090 QIB1.TO.QM3
10:15:15.97 STC14983 00000090 +CSQX599E QIB1 CSQXRCTL Channel QIB1.TO.QM3 ended abnormally
|
Steps followed to create Key repository and certificate at Windows side:
------------------------------------------------------------------------
- Create key repository:
Code: |
runmqckm -keydb -create -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -type cms -pw changeit -stash
|
- Create a self-signed certificate:
Code: |
runmqckm -cert -create -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -pw changeit -label ibmwebspheremqqm3 -dn "CN=QM3,OU=WINMQ,O=Allianz,L=TVM,C=IN" -size 2048
|
- Extract signer / public part of the certificate:
Code: |
runmqckm -cert -extract -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -pw changeit -label ibmwebspheremqqm3 -target "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\qm3cert.arm"
|
- FTP'd (in ASCII mode) qm3cert.arm to a dataset file
- Only transferring windows qmanager certificate to mainframe as SSLAUTH is set to Optional on RCVR channel at windows end
- Configured QMGR to point at key database E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key
- Refreshed SSL security
- Altered channel to pick cipher spec TLS_RSA_WITH_AES_128_CBC_SHA
Steps followed to create Key Ring at mainframe side:
------------------------------------------------------------------------
1. Create key ring: RACDCERT ID(QIB1CHIN) ADDRING(QIB1RING)
2. Create a CA certificate:
Code: |
RACDCERT CERTAUTH GENCERT -
SUBJECTSDN (CN ('CA01') -
T ('CA Certificate') -
OU ('MQ QIB1 - MVSINST') -
O ('Allianz') -
L ('Guildford') -
SP ('Surrey') -
C ('UK')) -
WITHLABEL ('CA01')
SETROPTS RACLIST(DIGTCERT) REFRESH
|
3. Create a personal certificate signed with the CA certificate
Code: |
RACDCERT ID(QIB1CHIN) GENCERT -
SUBJECTSDN (CN ('QIB1') -
T ('Personal Certificate for QIB1') -
OU ('MQ QIB1 - MVSINST') -
O ('Allianz') -
L ('Guildford') -
SP ('Surrey') -
C ('UK')) -
WITHLABEL ('ibmWebSphereMQQIB1') -
SIGNWITH (CERTAUTH LABEL ('CA01'))
SETROPTS RACLIST(DIGTCERT) REFRESH
|
4. Add or connect the certificates to keyring
Code: |
RACDCERT ID (QIB1CHIN) -
CONNECT (CERTAUTH LABEL ('CA01') -
RING (QIB1RING) USAGE (CERTAUTH))
RACDCERT ID (QIB1CHIN) -
CONNECT (ID (QIB1CHIN) LABEL ('ibmWebSphereMQQIB1') -
RING (QIB1RING) USAGE(PERSONAL))
SETROPTS RACLIST(DIGTCERT) REFRESH
|
5. Add windows qmgr cert to RACF
Code: |
RACDCERT ID(QIB1CHIN) ADD('WEBS.MQ.RACF.CERT.SSLTEST.WIN.MON5916') -
TRUST WITHLABEL('ibmwebspheremqqm3')
SETROPTS RACLIST(DIGTCERT) REFRESH
|
6. Connect the windows certificate to key ring
Code: |
RACDCERT ID(QIB1CHIN) CONNECT(ID(QIB1CHIN) -
LABEL('ibmwebspheremqqm3') RING(QIB1RING) USAGE(PERSONAL))
SETROPTS RACLIST(DIGTCERT) REFRESH
|
7. List of key ring: RACDCERT ID(QIB1CHIN) LISTRING(QIB1RING)
Code: |
Digital ring information for user QIB1CHIN:
Ring:
>QIB1RING<
Certificate Label Name             Cert Owner    USAGE     DEFAULT
--------------------------------   ------------  --------  -------
CA01                               CERTAUTH      CERTAUTH  NO
ibmWebSphereMQQIB1                 ID(QIB1CHIN)  PERSONAL  NO
ibmwebspheremqQM3                  ID(QIB1CHIN)  PERSONAL  NO
>>>>> Added by mistake, still in there, hope this won't cause an issue
ibmwebspheremqqm3                  ID(QIB1CHIN)  PERSONAL  NO
>>>> Correct Windows qmgr cert
|
8. Mainframe Queue Manager QIB1 is configured to point at QIB1RING
9. Sender channel on QIB1 is configured to use CIPHERSPEC TLS_RSA_WITH_AES_128_CBC_SHA
Last edited by ribs2609 on Mon Sep 12, 2016 11:17 pm; edited 1 time in total

smdavies99
Posted: Mon Sep 12, 2016 11:00 pm
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
Three points
Quote: |
Mainframe QMGR: QIB1, MQ Version: v7.1.0
Windows QMGR: QM3, MQ Version: v7.0.1.3
|
1) Are there no fixpacks applied to the Mainframe MQ?
2) Does 7.0.1.3 (not the latest FP) support the Cipher spec that you are trying to use?
3) You do know that MQ V7 went out of support last year and that V7.1 is not long for the chop.
Please go back and place CODE tags around the lines where you show... commands. It will make your post a lot easier to read.
[ C O D E ]
[/C O D E ]
(remove the spaces)
for example:-
This
runmqckm -keydb -create -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -type cms -pw changeit -stash
would look like this
Code: |
runmqckm -keydb -create -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -type cms -pw changeit -stash
|
_________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

ribs2609
Posted: Mon Sep 12, 2016 11:22 pm
Novice
Joined: 12 Sep 2016 Posts: 13
Hi Jedi,
Thanks for suggesting the CODE thingy.
1) Are there no fixpacks applied to the Mainframe MQ?
I will have to check with the mainframe admin for any fixpack, will get back.
Will that have anything to do with the invalid cipher error?
2) Does 7.0.1.3 (not the latest FP) support the Cipher spec that you are trying to use?
I have working SSL using the same ciphers between two QMGRs on the Windows server, which I think would suggest the version supports TLS_RSA_WITH_AES_128_CBC_SHA
3) You do know that MQ V7 went out of support last year and that V7.1 is not long for the chop.
- Yes, upgrades are being planned
Thanks
Ribu

fjb_saper
Posted: Tue Sep 13, 2016 12:40 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Well Ribu I did not see where you specified the key size for the MF certificate.
What is the default key size?
If the key size is under 2048, there is no way a TLS cipher will work.
Have fun
_________________ MQ & Broker admin

ribs2609
Posted: Tue Sep 13, 2016 1:18 am
Novice
Joined: 12 Sep 2016 Posts: 13
Yes, that's useful info.
Just did a google for the default key size used by the RACDCERT command and it's 1024, hence TLS not working.
But I have tried other ciphers like NULL_MD5, SHA, TRIPLE_DES_SHA_US: Not sure if 1024 works with these!
And the windows cert has a size of 2048; maybe the certificate size needs to be the same on both sides?

ribs2609
Posted: Tue Sep 13, 2016 1:23 am
Novice
Joined: 12 Sep 2016 Posts: 13
Another thought:
The SDR channel is on mainframe and RCVR at Windows side.
SSLAUTH is set to 'optional' at RCVR end.
And so only the windows QMGR's certificate is copied to mainframe QMGR's keyring.
The certificate of mainframe qmgr doesn't come into play at all, isn't it?

fjb_saper
Posted: Tue Sep 13, 2016 2:48 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
ribs2609 wrote: |
Another thought:
The SDR channel is on mainframe and RCVR at Windows side.
SSLAUTH is set to 'optional' at RCVR end.
And so only the windows QMGR's certificate is copied to mainframe QMGR's keyring.
The certificate of mainframe qmgr doesn't come into play at all, isn't it?
|
I believe that if one is provided it is checked. If you want only the windows cert to be in play don't create one in RACF, just import the win cert...
_________________ MQ & Broker admin

fjb_saper
Posted: Tue Sep 13, 2016 2:51 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
ribs2609 wrote: |
Yes, that's useful info.
Just did a google for the default key size used by the RACDCERT command and it's 1024, hence TLS not working.
But I have tried other ciphers like NULL_MD5, SHA, TRIPLE_DES_SHA_US: Not sure if 1024 works with these!
And the windows cert has a size of 2048; maybe the certificate size needs to be the same on both sides?
|
Key sizes don't need to match but they have to fulfill the minimum size for the exchange on both sides.
1024 used to be the minimum... Today I'd go with 4096. This will give you some mileage. 2048 is a minimum for TLS, and probably about to be breached in the next 2 years...
_________________ MQ & Broker admin

ribs2609
Posted: Tue Sep 13, 2016 3:47 am
Novice
Joined: 12 Sep 2016 Posts: 13
Thanks again.
>> Will try the test, after deleting the mainframe certificate from KeyRing
>> Yes, we are looking at key size of 4096. But the maximum key size supported by runmqckm shipped with MQ 7.0.1.3 seems to be 2048 as the command gave a keysize error with 4096.
>> We will be upgrading to MQ7.5 soon on windows and the actual implementation would be with 4096

ribs2609
Posted: Wed Sep 14, 2016 4:23 am
Novice
Joined: 12 Sep 2016 Posts: 13
>> Deleted the mainframe Qmgr's certificate from the key ring
>> Now the keyring only has the windows Qmgr's certificate
>> Still the SDR channel fails with invalid cipher error
>> Think it's something to do with the mainframe MQ configuration or key creation
>> I have tried TLS, NULL, TRIPLE, all these ciphers, but in each case the error is the same and it fails with invalid cipher
>> As mentioned, on mainframe we are at 7.1.0
>> Is there anything to be taken care of while creating the keyring?
>> Don't really understand why it's complaining of invalid cipher
Please do share if there are any further thoughts...

ribs2609
Posted: Wed Sep 14, 2016 5:13 am
Novice
Joined: 12 Sep 2016 Posts: 13
Output of list keyring from mainframe: It now only has the windows qmgr (QM3) cert, which is created with 2048 size.
I am trying to put in all the info, so that any of it rings any bells.
Code: |
RACDCERT ID(QIB1CHIN) LISTRING(QIB1RING)
Digital ring information for user QIB1CHIN:
Ring:
>QIB1RING<
Certificate Label Name             Cert Owner    USAGE     DEFAULT
--------------------------------   ------------  --------  -------
ibmwebspheremqqm3                  ID(QIB1CHIN)  PERSONAL  NO
|

ribs2609
Posted: Wed Sep 14, 2016 6:01 am
Novice
Joined: 12 Sep 2016 Posts: 13
Okay... so the latest observation is that the channel does come up with ciphers that have 56-bit or less encryption.
So it works with TLS_RSA_WITH_DES_CBC_SHA, NULL_MD5, NULL_SHA, DES_SHA_EXPORT.
In the cipher list, after 56-bit encryption the next level of encryption is 128, which is with TLS_RSA_WITH_AES_128_CBC_SHA, RC4_SHA_US etc., and it doesn't work with these.
What could be the reason? Is it the level of MQ that I am at on Windows, which is MQv7.0?
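To make the CSQX635E message easier to triage, here is an added Python helper (not from this thread, and not IBM MQ code): it pulls the four hex digits out of the message, maps them to the TLS cipher-suite name and symmetric key length from the IANA registry, and flags whether the rejected suite is stronger than the 56-bit ceiling observed in the post above. The syslog lines are constructed from the ones posted earlier in the thread, with the wrapped message joined onto one line.

```python
import re

# Constructed sample of z/OS MQ syslog output, modelled on the CSQX500I/CSQX635E/CSQX599E
# sequence posted in this thread; the wrapped message text is joined onto one line here.
SYSLOG = """\
10:15:15.89 STC14983 00000090 +CSQX500I QIB1 CSQXRCTL Channel QIB1.TO.QM3 started
10:15:15.97 STC14983 00000090 +CSQX635E QIB1 CSQXRCTL Invalid cipher specification 002F for channel QIB1.TO.QM3
10:15:15.97 STC14983 00000090 +CSQX599E QIB1 CSQXRCTL Channel QIB1.TO.QM3 ended abnormally
"""

# The four hex digits in CSQX635E are the TLS cipher-suite code point (IANA registry).
# Subset covering the suites discussed in the thread: code -> (IANA name, symmetric key bits).
SUITES = {
    0x0001: ("TLS_RSA_WITH_NULL_MD5", 0),
    0x0002: ("TLS_RSA_WITH_NULL_SHA", 0),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 168),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
}

# Strongest symmetric key length with which the thread reports the channel still starting.
OBSERVED_WORKING_MAX_BITS = 56

CSQX635E = re.compile(
    r"\+CSQX635E\s+(?P<qmgr>\S+)\s+\S+\s+Invalid cipher specification\s+"
    r"(?P<code>[0-9A-Fa-f]{4})\s+for channel\s+(?P<channel>\S+)"
)

def parse_csqx635e(syslog_text):
    """Return one record per CSQX635E line: qmgr, channel, suite code, name and key bits."""
    records = []
    for line in syslog_text.splitlines():
        m = CSQX635E.search(line)
        if not m:
            continue
        code = int(m.group("code"), 16)
        name, bits = SUITES.get(code, ("UNKNOWN_SUITE", None))
        records.append({
            "qmgr": m.group("qmgr"),
            "channel": m.group("channel"),
            "code": f"{code:04X}",
            "suite": name,
            "bits": bits,
            # True when the rejected suite is stronger than anything seen working, i.e. the
            # failure fits the "56-bit works, 128-bit fails" pattern rather than a CIPHERSPEC typo.
            "above_observed_limit": bits is not None and bits > OBSERVED_WORKING_MAX_BITS,
        })
    return records
```

Calling parse_csqx635e(SYSLOG) returns a single record for the 002F line: suite TLS_RSA_WITH_AES_128_CBC_SHA, 128 bits, flagged as above the 56-bit limit.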

Vitor
Posted: Wed Sep 14, 2016 6:03 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
ribs2609 wrote: |
What could be the reason? Is it the level of MQ that I am at on Windows, which is MQv7.0?
|
And an old version of v7.0 at that. You were advised earlier in this thread to apply fixpacks.
_________________ Honesty is the best policy.
Insanity is the best defence.

ribs2609
Posted: Wed Sep 14, 2016 6:10 am
Novice
Joined: 12 Sep 2016 Posts: 13
Well, Windows will be at 7.5 by next week.
One query before that: I have QMGRs within the Windows server using TLS 128-bit encryption on SDR-RCVR and SVRCONN channels, and they are working.
From the same Windows server, the certificate is exported to the mainframe and then it only works with anything below 128-bit encryption!!

ribs2609
Posted: Wed Sep 14, 2016 6:30 am
Novice
Joined: 12 Sep 2016 Posts: 13
Also, is there a restriction on the certificate label name in mainframe?
The usual ones I have come across are in this format: ibmWebSphereMQQMGRNAME.
Not sure if it has to be in this format; please advise if you could.