MQSeries.net Forum Index » IBM MQ Java / JMS » Cipher not working

Cipher not working
MKHODER1
PostPosted: Sat Aug 18, 2018 12:23 pm    Post subject: Cipher not working

Apprentice

Joined: 18 Aug 2018
Posts: 31

Hello everyone,

I need your help please.

I am working on MQ Advanced version 9.0.0.0.

The cipher ECDHE_ECDSA_AES_256_CBC_SHA384 does not work on my channel, I receive the generic error 2393.

The ECDHE_ECDSA_AES_256_CBC_SHA384 cipher is supported by version 9 of MQ.

If I use the ECDHE_RSA_AES_256_CBC_SHA384 cipher, the channel works fine.

I do not know if it is a problem related to the JRE.

Here are the commands used for creating the channel:

DEFINE CHANNEL (TEST.SVRCONN) CHLTYPE (SVRCONN) SSLCIPH (ECDHE_ECDSA_AES_256_CBC_SHA384)

REFRESH SECURITY TYPE (SSL)

Could you help me solve the problem for the cipher ECDHE_ECDSA_AES_256_CBC_SHA384?

Thank you in advance.
hughson
PostPosted: Wed Aug 22, 2018 1:59 pm    Post subject:

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

You briefly mention "JRE" in your question, which leads me to believe that you are receiving the generic error 2393 (MQRC_SSL_INITIALIZATION_ERROR) from a Java client application.

You don't mention any details of your client side configuration, whether you are using IBM or Oracle Java. I suspect you have a naming error, since in Java the ciphers are spelled differently. Please read the following page in Knowledge Center:-

SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
MKHODER1
PostPosted: Thu Aug 23, 2018 11:35 pm    Post subject: Details

Apprentice

Joined: 18 Aug 2018
Posts: 31

Hello,

Thank you very much for your answer.

Excuse me for the lack of clarity.

Apparently the cipher stops the SVRCONN channel.

Here is the configuration of the queue manager and the channels:
Queue manager:
AMQ8408I: Détails sur le gestionnaire de files d'attente (DISPLAY QMGR).
QMNAME(TEST) ACCTCONO(DISABLED)
ACCTINT(1800) ACCTMQI(OFF)
ACCTQ(OFF) ACTIVREC(MSG)
ACTVCONO(DISABLED) ACTVTRC(OFF)
ADVCAP(ENABLED) ALTDATE(2018-08-23)
ALTTIME(17.29.40) AMQPCAP(YES)
AUTHOREV(DISABLED) CCSID(850)
CERTLABL(ibmwebspheremqtest) CERTVPOL(ANY)
CHAD(DISABLED) CHADEV(DISABLED)
CHADEXIT( ) CHLEV(DISABLED)
CHLAUTH(ENABLED) CLWLDATA( )
CLWLEXIT( ) CLWLLEN(100)
CLWLMRUC(999999999) CLWLUSEQ(LOCAL)
CMDEV(DISABLED) CMDLEVEL(905)
COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE) CONFIGEV(DISABLED)
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
CRDATE(2018-08-23) CRTIME(14.24.41)
CUSTOM( ) DEADQ(SYSTEM.DEAD.LETTER.QUEUE)
DEFCLXQ(SCTQ) DEFXMITQ( )
DESCR( ) DISTL(YES)
IMGINTVL(60) IMGLOGLN(OFF)
IMGRCOVO(YES) IMGRCOVQ(YES)
IMGSCHED(MANUAL) INHIBTEV(DISABLED)
IPADDRV(IPV4) LOCALEV(DISABLED)
LOGGEREV(DISABLED) MARKINT(5000)
MAXHANDS(256) MAXMSGL(4194304)
MAXPROPL(NOLIMIT) MAXPRTY(9)
MAXUMSGS(10000) MONACLS(QMGR)
MONCHL(OFF) MONQ(OFF)
PARENT( ) PERFMEV(DISABLED)
PLATFORM(WINDOWSNT) PSMODE(ENABLED)
PSCLUS(ENABLED) PSNPMSG(DISCARD)
PSNPRES(NORMAL) PSRTYCNT(5)
PSSYNCPT(IFPER) QMID(TEST_1)
REMOTEEV(DISABLED) REPOS( )
REPOSNL( ) REVDNS(ENABLED)
ROUTEREC(MSG) SCHINIT(QMGR)
SCMDSERV(QMGR) SPLCAP(ENABLED)
SSLCRLNL( ) SSLCRYP( )
SSLEV(DISABLED) SSLFIPS(NO)
SSLKEYR(C:\Program Files (x86)\IBM\WebSphere MQ\qmgrs\TEST\ssl\key)
SSLRKEYC(0) STATACLS(QMGR)
STATCHL(OFF) STATINT(1800)
STATMQI(OFF) STATQ(OFF)
STRSTPEV(ENABLED) SUITEB(NONE)
SYNCPT TREELIFE(1800)
TRIGINT(999999999) VERSION(09000500)
XRCAP(YES)
Channels (CLNTCONN and SVRCONN):
DIS CHANNEL(TEST.SVRCONN)
1 : DIS CHANNEL(TEST.SVRCONN)
AMQ8414I: Affichage des détails relatifs au canal.
CHANNEL(TEST.SVRCONN) CHLTYPE(SVRCONN)
ALTDATE(2018-08-23) ALTTIME(16.04.0
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH(ECDHE_ECDSA_AES_256_CBC_SHA384)
SSLPEER(O=Bottomline) TRPTYPE(TCP)
AMQ8414I: Affichage des détails relatifs au canal.
CHANNEL(TEST.SVRCONN) CHLTYPE(CLNTCONN)
AFFINITY(PREFERRED) ALTDATE(2018-08-23)
ALTTIME(16.03.59) CERTLABL( )
CLNTWGHT(0) COMPHDR(NONE)
COMPMSG(NONE) CONNAME(@IP_OF_THE_SERVER-MQ(1414))
DEFRECON(NO) DESCR( )
HBINT(300) KAINT(AUTO)
LOCLADDR( ) MAXMSGL(4194304)
MODENAME( ) PASSWORD( )
QMNAME(TEST) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SHARECNV(10)
SSLCIPH(ECDHE_ECDSA_AES_256_CBC_SHA384)
SSLPEER( ) TPNAME( )
TRPTYPE(TCP) USERID( )

On the client side, I use the application amqsputc and I have defined the following environment variables:

SET MQCHLLIB=C:\
SET MQCHLTAB=AMQCLCHL.TAB
SET MQSSLKEYR=C:\key
SET MQCERTLABL=ibmwebspheremqclient

Apart from the environment variables, I have not made any changes.

Details of the error:
The proposed CipherSpec is not enabled on the SSL server.

The SSL or TLS subsystem on the SSL server side of a channel has been configured in such a way that it has rejected the CipherSpec offered by an SSL or TLS client.
This rejection occurred during the establishment of the secure connection (that is, before the proposed CipherSpec was compared with that of the server channel definition).
This error occurs most often when the choice of acceptable CipherSpecs has been limited in one of the following ways:
(a) The SSLFipsRequired attribute of the server queue manager is set to YES and the channel uses a CipherSpec that is not FIPS certified on the server.
(b) The EncryptionPolicySuiteB attribute of the server queue manager is not NONE and the channel uses a CipherSpec that does not meet the server's Suite B security level.
(c) The protocol used by the channel has been deprecated. Note that IBM may deprecate a protocol through product maintenance in response to a security vulnerability; for example, SSLv3 has been deprecated. Using SSLv3 is no longer recommended, but you can enable it by setting the environment variable AMQ_SSL_V3_ENABLE = TRUE.
(d) The requested CipherSpec has been deprecated. Note that IBM may deprecate a CipherSpec through product maintenance in response to a security vulnerability; for example, RC4_MD5_US has been deprecated. The use of deprecated CipherSpecs is not recommended, but you can enable it by setting the environment variable AMQ_SSL_WEAK_CIPHER_ENABLE = TRUE. Example: AMQ_SSL_WEAK_CIPHER_ENABLE = RC4_MD5_US
The channel is '????'. In some cases, its name cannot be determined and it is replaced by '????'. The channel has not started.

Determine why the proposed CipherSpec was not active on the server. Modify the client's CipherSpec or reconfigure the server to accept the client's original CipherSpec. Restart the channel.
This message may appear after IBM MQ service is applied because FIPS and Suite B standards are updated regularly. When such changes occur, IBM MQ is also updated to implement the latest standard. You can then see behavior changes after maintenance is applied. For more information about the versions of FIPS and Suite B that IBM MQ implements, see the Readme: http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg27006097

The channel '????' to the host 'XXXX' ended abnormally.

The channel program running under process ID 3584 (2872) for channel '????' has ended abnormally.
In some cases, its name cannot be determined and it is represented by '????'.

Examine the previous error messages from the channel program in the error logs to determine the cause of the problem.
Note that this message can be completely excluded or removed by setting the "ExcludeMessage" or "SuppressMessage" attributes under the "QMErrorLog" stanza in the qm.ini file.
Further information can be found in the system administration guide.

Thank you in advance.
hughson
PostPosted: Fri Aug 24, 2018 12:13 am    Post subject: Re: Details

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

I think the problem is that the certificate you are using is not compatible with ECDHE_ECDSA CipherSpecs. Given that it works when you use an ECDHE_RSA one, it won't also work with an ECDHE_ECDSA one.

Read more in Knowledge Center about this here:-

Digital certificates and CipherSpec compatibility in IBM MQ

Cheers,
Morag

P.S. What does your question have to do with Java btw?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
MKHODER1
PostPosted: Fri Aug 24, 2018 2:16 am    Post subject: Resolved

Apprentice

Joined: 18 Aug 2018
Posts: 31

Thank you very much.

Exactly, my problem was solved thanks to you.

I'm sorry, it has no relation to Java (I thought we needed to make changes at the JRE level of the MQ server).

Before I used this command to create the certificate:
runmqckm -cert -create -db key.kdb -pw "`cat test.password`" -label ibmwebspheremqtest -dn "CN=test" -size 1024 -x509version 3 -expire 365

Here is the right command to create a certificate compatible with the cipher ECDHE_ECDSA_AES_256_CBC_SHA384:
runmqakm -cert -create -db key.kdb -pw "`cat test.password`" -label ibmwebspheremqtest -dn "CN=test" -size 512 -x509version 3 -expire 365 -fips -sig_alg EC_ecdsa_with_SHA384
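The explanation above (an ECDHE_ECDSA CipherSpec needs an ECDSA/EC certificate, while an ECDHE_RSA one needs an RSA certificate) and the fix in the previous post (recreating the certificate with an EC signature algorithm) can be turned into a small pre-flight check. The script below is an added example and is not IBM MQ, GSKit or runmqakm code: it parses the AlgorithmIdentifier of a DER-encoded SubjectPublicKeyInfo to find whether the certificate key is RSA or EC, and compares that with the key type the CipherSpec name implies. The prefix-to-key-type table is an assumption based on the TLS key-exchange naming convention, and the two SubjectPublicKeyInfo samples are constructed in the script with zero-filled placeholder key bytes; against a real queue manager you would feed it the SubjectPublicKeyInfo extracted from the certificate labelled by CERTLABL.

```python
# Added example (not MQ/GSKit code): does the certificate key type match what
# the CipherSpec needs? ECDHE_ECDSA_* needs an EC certificate, ECDHE_RSA_* and
# TLS_RSA_* need an RSA certificate (assumed from the TLS naming convention).

# DER-encoded OBJECT IDENTIFIER TLVs (tag 0x06) that appear in SubjectPublicKeyInfo.
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1
OID_SECP384R1 = bytes.fromhex("06052b81040022")               # 1.3.132.0.34
DER_NULL = bytes.fromhex("0500")

# Key type each CipherSpec family expects in the server certificate (assumed mapping).
CIPHERSPEC_KEY_TYPE = {
    "ECDHE_ECDSA_": "EC",
    "ECDHE_RSA_": "RSA",
    "TLS_RSA_": "RSA",
}


def der(tag, body):
    """Wrap body in a DER TLV with the given tag (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def certificate_key_type(spki):
    """Return 'RSA', 'EC' or 'UNKNOWN' for a DER SubjectPublicKeyInfo."""
    tag, seq, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = read_tlv(seq, 0)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(oid_body)
    if oid == "1.2.840.113549.1.1.1":
        return "RSA"
    if oid == "1.2.840.10045.2.1":
        return "EC"
    return "UNKNOWN"


def cipherspec_key_type(cipherspec):
    """Key type the CipherSpec name implies, or 'UNKNOWN' for names not in the table."""
    for prefix, key_type in CIPHERSPEC_KEY_TYPE.items():
        if cipherspec.startswith(prefix):
            return key_type
    return "UNKNOWN"


def check_compatibility(cipherspec, spki):
    """Return (compatible, reason) for a CipherSpec and a certificate's SubjectPublicKeyInfo."""
    needed = cipherspec_key_type(cipherspec)
    have = certificate_key_type(spki)
    if needed == "UNKNOWN" or have == "UNKNOWN":
        return False, f"cannot classify CipherSpec {cipherspec} or the certificate key"
    if needed == have:
        return True, f"{cipherspec} needs a {needed} certificate; the certificate key is {have}"
    return False, f"{cipherspec} needs a {needed} certificate but the certificate key is {have}"


# Constructed sample SubjectPublicKeyInfo structures; the BIT STRING key bytes
# are zero-filled placeholders, not real public keys.
EC_P384_SPKI = der(0x30, der(0x30, OID_EC_PUBLIC_KEY + OID_SECP384R1)
                   + der(0x03, b"\x00\x04" + b"\x00" * 96))
RSA_SPKI = der(0x30, der(0x30, OID_RSA_ENCRYPTION + DER_NULL)
               + der(0x03, b"\x00" + b"\x00" * 16))

if __name__ == "__main__":
    for name in ("ECDHE_ECDSA_AES_256_CBC_SHA384", "ECDHE_RSA_AES_256_CBC_SHA384"):
        for label, spki in (("RSA cert", RSA_SPKI), ("EC P-384 cert", EC_P384_SPKI)):
            ok, why = check_compatibility(name, spki)
            print(f"{label:14} {'OK ' if ok else 'BAD'} {why}")
```

Run as-is it reports the situation from this thread: an RSA certificate is accepted for ECDHE_RSA_AES_256_CBC_SHA384 and rejected for ECDHE_ECDSA_AES_256_CBC_SHA384, while the EC certificate passes the ECDSA check. The parser deliberately reads only the AlgorithmIdentifier, which is all the key-type decision needs; it does not validate the rest of the certificate.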
hughson
PostPosted: Sat Aug 25, 2018 1:53 pm    Post subject: Re: Resolved

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

MKHODER1 wrote:
I'm sorry it has no relation to Java (I thought we need to make changes to the JRE level of the server MQ)

No worries. Glad you're sorted. For future reference, be aware that the queue manager (server) does not have a JRE. It is not written using Java.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Copyright © MQSeries.net. All rights reserved.