Cipher not working
MKHODER1
Posted: Sat Aug 18, 2018 12:23 pm Post subject: Cipher not working
Apprentice
Joined: 18 Aug 2018 Posts: 31
Hello everyone,
I need your help please.
I am working on MQ Advanced version 9.0.0.0.
The cipher ECDHE_ECDSA_AES_256_CBC_SHA384 does not work on my channel; I receive the generic error 2393.
The ECDHE_ECDSA_AES_256_CBC_SHA384 cipher is supported by version 9 of MQ.
If I use the ECDHE_RSA_AES_256_CBC_SHA384 cipher, the channel works fine.
I do not know if it is a problem related to the JRE.
Here are the commands used for creating the channel:
DEFINE CHANNEL (TEST.SVRCONN) CHLTYPE (SVRCONN) SSLCIPH (ECDHE_ECDSA_AES_256_CBC_SHA384)
REFRESH SECURITY TYPE (SSL)
Could you help me solve the problem for the cipher ECDHE_ECDSA_AES_256_CBC_SHA384?
Thank you in advance.
hughson
Posted: Wed Aug 22, 2018 1:59 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
You briefly mention "JRE" in your question, which leads me to believe that you are receiving the generic error 2393 (MQRC_SSL_INITIALIZATION_ERROR) from a Java client application.
You don't mention any details of your client side configuration, or whether you are using IBM or Oracle Java. I suspect you have a naming error, since in Java the ciphers are spelled differently. Please read the following page in Knowledge Center:-
SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
MKHODER1
Posted: Thu Aug 23, 2018 11:35 pm Post subject: Details
Apprentice
Joined: 18 Aug 2018 Posts: 31
Hello,
Thank you very much for your answer.
Excuse me for the lack of clarity.
Apparently the cipher stops the SVRCONN channel.
Here is the configuration of the queue manager and the channels:
Queue manager:
AMQ8408I: Détails sur le gestionnaire de files d'attente (DISPLAY QMGR).
QMNAME(TEST) ACCTCONO(DISABLED)
ACCTINT(1800) ACCTMQI(OFF)
ACCTQ(OFF) ACTIVREC(MSG)
ACTVCONO(DISABLED) ACTVTRC(OFF)
ADVCAP(ENABLED) ALTDATE(2018-08-23)
ALTTIME(17.29.40) AMQPCAP(YES)
AUTHOREV(DISABLED) CCSID(850)
CERTLABL(ibmwebspheremqtest) CERTVPOL(ANY)
CHAD(DISABLED) CHADEV(DISABLED)
CHADEXIT( ) CHLEV(DISABLED)
CHLAUTH(ENABLED) CLWLDATA( )
CLWLEXIT( ) CLWLLEN(100)
CLWLMRUC(999999999) CLWLUSEQ(LOCAL)
CMDEV(DISABLED) CMDLEVEL(905)
COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE) CONFIGEV(DISABLED)
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
CRDATE(2018-08-23) CRTIME(14.24.41)
CUSTOM( ) DEADQ(SYSTEM.DEAD.LETTER.QUEUE)
DEFCLXQ(SCTQ) DEFXMITQ( )
DESCR( ) DISTL(YES)
IMGINTVL(60) IMGLOGLN(OFF)
IMGRCOVO(YES) IMGRCOVQ(YES)
IMGSCHED(MANUAL) INHIBTEV(DISABLED)
IPADDRV(IPV4) LOCALEV(DISABLED)
LOGGEREV(DISABLED) MARKINT(5000)
MAXHANDS(256) MAXMSGL(4194304)
MAXPROPL(NOLIMIT) MAXPRTY(9)
MAXUMSGS(10000) MONACLS(QMGR)
MONCHL(OFF) MONQ(OFF)
PARENT( ) PERFMEV(DISABLED)
PLATFORM(WINDOWSNT) PSMODE(ENABLED)
PSCLUS(ENABLED) PSNPMSG(DISCARD)
PSNPRES(NORMAL) PSRTYCNT(5)
PSSYNCPT(IFPER) QMID(TEST_1)
REMOTEEV(DISABLED) REPOS( )
REPOSNL( ) REVDNS(ENABLED)
ROUTEREC(MSG) SCHINIT(QMGR)
SCMDSERV(QMGR) SPLCAP(ENABLED)
SSLCRLNL( ) SSLCRYP( )
SSLEV(DISABLED) SSLFIPS(NO)
SSLKEYR(C:\Program Files (x86)\IBM\WebSphere MQ\qmgrs\TEST\ssl\key)
SSLRKEYC(0) STATACLS(QMGR)
STATCHL(OFF) STATINT(1800)
STATMQI(OFF) STATQ(OFF)
STRSTPEV(ENABLED) SUITEB(NONE)
SYNCPT TREELIFE(1800)
TRIGINT(999999999) VERSION(09000500)
XRCAP(YES)
Channels (CLNTCONN AND SVRCONN)
DIS CHANNEL(TEST.SVRCONN)
1 : DIS CHANNEL(TEST.SVRCONN)
AMQ8414I: Affichage des détails relatifs au canal.
CHANNEL(TEST.SVRCONN) CHLTYPE(SVRCONN)
ALTDATE(2018-08-23) ALTTIME(16.04.0
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH(ECDHE_ECDSA_AES_256_CBC_SHA384)
SSLPEER(O=Bottomline) TRPTYPE(TCP)
AMQ8414I: Affichage des détails relatifs au canal.
CHANNEL(TEST.SVRCONN) CHLTYPE(CLNTCONN)
AFFINITY(PREFERRED) ALTDATE(2018-08-23)
ALTTIME(16.03.59) CERTLABL( )
CLNTWGHT(0) COMPHDR(NONE)
COMPMSG(NONE) CONNAME(@IP_OF_THE_SERVER-MQ(1414))
DEFRECON(NO) DESCR( )
HBINT(300) KAINT(AUTO)
LOCLADDR( ) MAXMSGL(4194304)
MODENAME( ) PASSWORD( )
QMNAME(TEST) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SHARECNV(10)
SSLCIPH(ECDHE_ECDSA_AES_256_CBC_SHA384)
SSLPEER( ) TPNAME( )
TRPTYPE(TCP) USERID( )
On the client side, I use the application amqsputc and I have defined the following environment variables:
SET MQCHLLIB=C:\
SET MQCHLTAB=AMQCLCHL.TAB
SET MQSSLKEYR=C:\key
SET MQCERTLABL=ibmwebspheremqclient
Apart from the environment variables, I have not made any changes.
Details of the error:
The proposed CipherSpec is not enabled on the SSL server.
The SSL or TLS subsystem on the SSL server side of a channel has been configured in such a way that it has rejected the CipherSpec offered by an SSL or TLS client.
This rejection occurred during the establishment of the secure connection (that is, before the proposed CipherSpec was compared with that of the server channel definition).
This error occurs most often when the choice of acceptable CipherSpecs has been limited in one of the following ways:
(a) The SSLFipsRequired attribute of the server queue manager is set to YES and the channel uses a CipherSpec that is not FIPS certified on the server.
(b) The EncryptionPolicySuiteB attribute of the server queue manager is not NONE and the channel uses a CipherSpec that does not meet the server's Suite B security level.
(c) The protocol used by the channel has been deprecated. Note that IBM may deprecate a protocol through product maintenance in response to a security vulnerability; for example, SSLv3 has been deprecated. Using SSLv3 is no longer recommended, but you can enable it by setting the environment variable AMQ_SSL_V3_ENABLE = TRUE.
(d) The requested CipherSpec has been deprecated. Note that IBM may deprecate a CipherSpec through product maintenance in response to a security vulnerability; for example, RC4_MD5_US has been deprecated. The use of deprecated CipherSpecs is not recommended, but you can enable it by setting the environment variable AMQ_SSL_WEAK_CIPHER_ENABLE = TRUE. Example: AMQ_SSL_WEAK_CIPHER_ENABLE = RC4_MD5_US
The channel is '????'. In some cases, its name cannot be determined and it is replaced by '????'. The channel has not started.
Determine why the proposed CipherSpec was not active on the server. Modify the client's CipherSpec or reconfigure the server to accept the client's original CipherSpec. Restart the channel.
This message may appear after IBM MQ service is applied because FIPS and Suite B standards are updated regularly. When such changes occur, IBM MQ is also updated to implement the latest standard. You can then see behavior changes after maintenance is applied.
For more information about the versions of FIPS and Suite B that IBM MQ implements, see the Readme: http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg27006097
The channel '????' to the host 'XXXX' ended abnormally.
The channel program running under process ID 3584 (2872) for channel '????' has ended abnormally.
In some cases, its name cannot be determined and it is represented by '????'.
Examine the previous error messages from the channel program in the error logs to determine the cause of the problem.
Note that this message can be completely excluded or removed by setting the "ExcludeMessage" or "SuppressMessage" attributes under the "QMErrorLog" stanza in the qm.ini file.
Further information can be found in the system administration guide.
Thank you in advance.
hughson
Posted: Fri Aug 24, 2018 12:13 am Post subject: Re: Details
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
I think the problem is that the certificate you are using is not compatible with ECDHE_ECDSA CipherSpecs. Given that it works when you use an ECDHE_RSA one, it won't also work with an ECDHE_ECDSA one.
Read more in Knowledge Center about this here:-
Digital certificates and CipherSpec compatibility in IBM MQ
Cheers,
Morag
P.S. What does your question have to do with Java btw?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
MKHODER1
Posted: Fri Aug 24, 2018 2:16 am Post subject: Resolved
Apprentice
Joined: 18 Aug 2018 Posts: 31
Thank you very much.
Exactly, my problem was solved thanks to you.
I'm sorry, it has no relation to Java (I thought we needed to make changes at the JRE level of the MQ server).
Before, I used this command to create the certificate:
runmqckm -cert -create -db key.kdb -pw "`cat test.password`" -label ibmwebspheremqtest -dn "CN=test" -size 1024 -x509version 3 -expire 365
Here is the right command to create a certificate compatible with the cipher ECDHE_ECDSA_AES_256_CBC_SHA384:
runmqakm -cert -create -db key.kdb -pw "`cat test.password`" -label ibmwebspheremqtest -dn "CN=test" -size 512 -x509version 3 -expire 365 -fips -sig_alg EC_ecdsa_with_SHA384
hughson
Posted: Sat Aug 25, 2018 1:53 pm Post subject: Re: Resolved
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
MKHODER1 wrote:
I'm sorry, it has no relation to Java (I thought we needed to make changes at the JRE level of the MQ server).
No worries. Glad you're sorted. For future reference, be aware that the queue manager (server) does not have a JRE. It is not written using Java.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software