riyaz_tak
Posted: Thu Oct 31, 2019 1:05 am    Post subject: SSL Authentication issue between JAVA 6 client and IBM MQ 7.5
Voyager
Joined: 05 Jan 2012    Posts: 92
Hi,
IBM MQ version 7.5.0.9.
JAVA version 1.6.
OS Solaris 10 SPARC.
We have a client program and we have defined SSL authentication between the IBM MQ server and the client program.
We tried different combinations of SSL cipher and CipherSuite between IBM MQ and the client program, but each time we get an SSL exception:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q031290_.htm
AMQ9616: The CipherSpec proposed is not enabled on the server.
handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
So would you please help me find out the correct set of SSL cipher and CipherSuite?
HubertKleinmanns
Posted: Thu Oct 31, 2019 1:23 am
Shaman
Joined: 24 Feb 2004    Posts: 732    Location: Germany
Do you use IBM Java or Oracle (=Sun) Java? The CipherSuite names differ.
And did you add the Java Cryptography Extension (JCE)?
And which CipherSuites/CipherSpecs did you try?
_________________
Regards
Hubert
riyaz_tak
Posted: Thu Oct 31, 2019 1:37 am
Voyager
Joined: 05 Jan 2012    Posts: 92
I am using the Oracle JRE and I set
-Dcom.ibm.mq.cfg.useIBMCipherMappings="false" while starting the Java client.
I used TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_DES_CBC_SHA.
But each time the same AMQ9616 error.
HubertKleinmanns
Posted: Thu Oct 31, 2019 4:43 am
Shaman
Joined: 24 Feb 2004    Posts: 732    Location: Germany
What MQ version does the MQ client have, and what MQ version does the MQ queue manager have?
_________________
Regards
Hubert
fjb_saper
Posted: Thu Oct 31, 2019 8:47 pm
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
More important: what MQ CipherSpec is specified on the channel?
Also, what is the label of your certificate? Did you use "ibmwebspheremq" + userid as your label?
_________________
MQ & Broker admin
riyaz_tak
Posted: Thu Oct 31, 2019 9:27 pm
Voyager
Joined: 05 Jan 2012    Posts: 92
HubertKleinmanns wrote:
    What MQ version does the MQ client have, and what MQ version does the MQ queue manager have?
I am using a JAVA client, not an MQ client. The MQ version is 7.5.0.9.
hughson
Posted: Thu Oct 31, 2019 9:28 pm
Padawan
Joined: 09 May 2013    Posts: 1959    Location: Bay of Plenty, New Zealand
What is the output from this command on the queue manager?
Code:
    DISPLAY QMGR SUITEB
None of the ciphers you mention are SUITEB compliant, and so if your queue manager requires a particular setting of SUITEB, that will restrict the ciphers you can use.
If the output says SUITEB(NONE) then it is not this that is your problem. Just ruling it in or out.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
riyaz_tak
Posted: Thu Oct 31, 2019 9:29 pm
Voyager
Joined: 05 Jan 2012    Posts: 92
fjb_saper wrote:
    More important: what MQ CipherSpec is specified on the channel?
    Also, what is the label of your certificate? Did you use "ibmwebspheremq" + userid as your label?
The certificate is absolutely fine. We are regressing MQ to version 7.5.0.9.
Earlier we had the 8.5 version and the certificate was working fine.
riyaz_tak
Posted: Thu Oct 31, 2019 9:34 pm
Voyager
Joined: 05 Jan 2012    Posts: 92
hughson wrote:
    What is the output from this command on the queue manager?
    Code:
        DISPLAY QMGR SUITEB
    None of the ciphers you mention are SUITEB compliant, and so if your queue manager requires a particular setting of SUITEB, that will restrict the ciphers you can use.
    If the output says SUITEB(NONE) then it is not this that is your problem. Just ruling it in or out.
    Cheers,
    Morag
Hi,
The output is SUITEB(NONE), so does this mean the cipher is not an issue?
hughson
Posted: Thu Oct 31, 2019 9:42 pm
Padawan
Joined: 09 May 2013    Posts: 1959    Location: Bay of Plenty, New Zealand
riyaz_tak wrote:
    The output is SUITEB(NONE), so does this mean the cipher is not an issue?
This means the SUITEB setting is not an issue.
Can you show us the ciphers at both ends please, and any error messages at the queue manager end too.
Thanks,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
exerk
Posted: Fri Nov 01, 2019 2:18 am
Jedi Council
Joined: 02 Nov 2006    Posts: 6339
riyaz_tak wrote:
    ...We are regressing MQ to version 7.5.0.9...
Any particular reason for this?
riyaz_tak wrote:
    ...Earlier we had the 8.5 version and the certificate was working fine...
And was the certificate key store created with a later version of the IBM GSKit bundled with MQ V8.0?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
PeterPotkay
Posted: Fri Nov 01, 2019 4:50 am
Poobah
Joined: 15 May 2001    Posts: 7722
riyaz_tak wrote:
    HubertKleinmanns wrote:
        What MQ version does the MQ client have, and what MQ version does the MQ queue manager have?
    I am using a JAVA client, not an MQ client. The MQ version is 7.5.0.9.
If your app is making a network connection to the queue manager, you are using MQ Client functionality; at the very least, if nothing else, an IBM-provided MQ Client jar file. That has a version independent of the MQ version of the MQ queue manager. They may coincidentally be the same, but they are 2 separate things.
riyaz_tak wrote:
    Earlier we had the 8.5 version and the certificate was working fine.
No such animal as MQ 8.5.
_________________
Peter Potkay
Keep Calm and MQ On
riyaz_tak
Posted: Sun Nov 03, 2019 10:25 pm
Voyager
Joined: 05 Jan 2012    Posts: 92
hughson wrote:
    riyaz_tak wrote:
        The output is SUITEB(NONE), so does this mean the cipher is not an issue?
    This means the SUITEB setting is not an issue.
    Can you show us the ciphers at both ends please, and any error messages at the queue manager end too.
    Thanks,
    Morag
We are using a combination of RC4_MD5_EXPORT and SSL_RSA_EXPORT_WITH_RC4_40_MD5. It is working for 7.5.0.4 but not for 7.5.0.9.
MQ logs:
----- amqrmrsa.c : 902 --------------------------------------------------------
11/04/19 06:24:44 - Process(12333.67) User(xxxxx) Program(amqrmppa)
Host(xxxxxxx) Installation(Installation1)
VRMF(7.5.0.9) QMgr(xxxxxxx)
AMQ9616: The CipherSpec proposed is not enabled on the server.
EXPLANATION:
The SSL or TLS subsystem at the server end of a channel been configured in such
a way that it has rejected the CipherSpec proposed by an SSL or TLS client.
This rejection occurred during the secure socket handshake (i.e. it happened
before the proposed CipherSpec was compared with the CipherSpec in the server
channel definition).
This error most commonly occurs when the choice of acceptable CipherSpecs has
been limited in one of the following ways:
(a) The server queue manager SSLFipsRequired attribute is set to YES and the
channel is using a CipherSpec which is not FIPS-certified on the server.
(b) The server queue manager EncryptionPolicySuiteB attribute has been set to a
value other than NONE and the channel is using a CipherSpec which does not
meet the server's configured Suite B security level.
(c) The protocol used by the channel has been deprecated. Note that IBM may
need to deprecate a protocol via product maintenance in response to a
security vulnerability, for example SSLv3 has been deprecated. Continued use
of SSLv3 protocol is not recommended but may be enabled by setting
environment variable AMQ_SSL_V3_ENABLE=TRUE.
(d) The requested CipherSpec has been deprecated. Note that IBM may need to
deprecate a CipherSpec via product maintenance in response to a security
vulnerability, for example RC4_MD5_US has been deprecated. Continued use of
deprecated CipherSpecs is not recommended but may be enabled by setting
environment variable AMQ_SSL_WEAK_CIPHER_ENABLE=Y.
The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
The remote host name is 'localhost (127.0.0.1)'.
ACTION:
Analyse why the proposed CipherSpec was not enabled on the server. Alter the
client CipherSpec, or reconfigure the server to accept the original client
CipherSpec. Restart the channel.
This message might occur after applying WebSphere MQ maintenance because the
FIPS and Suite B standards are updated periodically. When such changes occur,
WebSphere MQ is also updated to implement the latest standard. As a result, you
might see changes in behavior after applying maintenance. For more information
about the versions of FIPS and Suite B standards enforced by WebSphere MQ,
refer to the readme:
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg27006097
----- amqccisa.c : 7217 -------------------------------------------------------
11/04/19 06:24:44 - Process(12333.67) User(root) Program(amqrmppa)
Host(sylvia) Installation(Installation1)
VRMF(7.5.0.9) QMgr(bt.qm.ccxp0)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION:
The responder program was started but detected an error.
The host name was 'localhost (127.0.0.1)'; in some cases the host name cannot
be determined and so is shown as '????'.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 902 -------------------------------------
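The thread turns on two things: the same cipher has an IBM MQ CipherSpec name and a JSSE CipherSuite name (Hubert's first point, and the reason useIBMCipherMappings matters), and the queue manager's AMQ9616 record is the server-side evidence of which handshake was refused. The script below is an added example, not code from the thread or from IBM: it resolves both spellings of a cipher name, flags the ones a maintained 7.5.0.9 queue manager refuses (RC4, export grade, single DES, MD5), and parses the AMQ records out of an error-log excerpt so the rejection can be tied to a queue manager and remote host. The mapping table is a small excerpt reproduced from memory of IBM's documented CipherSpec/CipherSuite table and should be checked against the 7.5 documentation linked above; the log sample is constructed, modelled on the excerpt posted in this thread.

```python
"""Triage helper for AMQ9616 "CipherSpec proposed is not enabled on the server" (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: excerpt of IBM's MQ CipherSpec -> Oracle JSSE CipherSuite table, i.e. the names a
# client uses with -Dcom.ibm.mq.cfg.useIBMCipherMappings=false.  Verify rows against the IBM docs.
CIPHERSPEC_TO_JSSE: Dict[str, str] = {
    "RC4_MD5_EXPORT": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "RC4_MD5_US": "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_DES_CBC_SHA": "SSL_RSA_WITH_DES_CBC_SHA",
    "TRIPLE_DES_SHA_US": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "ECDHE_RSA_AES_128_GCM_SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
JSSE_TO_CIPHERSPEC = {v: k for k, v in CIPHERSPEC_TO_JSSE.items()}

# Matched against the JSSE spelling; every hit is a reason the server side should refuse the suite.
WEAK_PATTERNS = [
    (re.compile(r"EXPORT"), "export-grade key length"),
    (re.compile(r"RC4"), "RC4 stream cipher (deprecated; AMQ9616 reason (d))"),
    (re.compile(r"(?<!3)DES_"), "single DES"),          # 3DES_EDE is excluded by the lookbehind
    (re.compile(r"_MD5$"), "MD5 MAC"),
    (re.compile(r"NULL|anon"), "no encryption or no authentication"),
]


def classify_cipher(name: str) -> Dict[str, object]:
    """Resolve both spellings of a cipher name and say how a maintained queue manager treats it."""
    if name in CIPHERSPEC_TO_JSSE:
        mq_name, jsse_name = name, CIPHERSPEC_TO_JSSE[name]
    else:                                   # assume a JSSE name; unknown names map to None
        mq_name, jsse_name = JSSE_TO_CIPHERSPEC.get(name), name
    reasons = [why for pattern, why in WEAK_PATTERNS if pattern.search(jsse_name)]
    if reasons:
        verdict = "reject"
    elif "GCM" in jsse_name and "ECDHE" in jsse_name:
        verdict = "preferred"               # TLS 1.2 AEAD with forward secrecy
    else:
        verdict = "acceptable"
    return {"mq_cipherspec": mq_name, "jsse_ciphersuite": jsse_name,
            "weak_reasons": reasons, "verdict": verdict}


@dataclass
class MqLogRecord:
    timestamp: str
    program: str
    host: str
    vrmf: str
    qmgr: str
    msg_id: str
    summary: str
    remote_host: Optional[str]


HEADER_RE = re.compile(
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - Process\([^)]*\) User\([^)]*\) Program\((?P<prog>[^)]*)\)\s+"
    r"Host\((?P<host>[^)]*)\) Installation\([^)]*\)\s+VRMF\((?P<vrmf>[^)]*)\) QMgr\((?P<qmgr>[^)]*)\)\s+"
    r"(?P<id>AMQ\d{4}): (?P<summary>.*)")
REMOTE_RE = re.compile(r"The remote host name is '([^']*)'")
SEPARATOR_RE = re.compile(r"^----- \S+ : \d+ -+\s*$", re.MULTILINE)


def parse_amq_log(text: str) -> List[MqLogRecord]:
    """Split an MQ error log (AMQERR01.LOG style) on its '----- file : line ----' separators."""
    records: List[MqLogRecord] = []
    for chunk in SEPARATOR_RE.split(text):
        m = HEADER_RE.search(chunk)
        if not m:
            continue
        remote = REMOTE_RE.search(chunk)
        records.append(MqLogRecord(m["ts"], m["prog"], m["host"], m["vrmf"], m["qmgr"],
                                   m["id"], m["summary"].strip(),
                                   remote.group(1) if remote else None))
    return records


def rejected_handshakes(records: List[MqLogRecord]):
    """AMQ9616 is the queue-manager-side trace of the client's handshake_failure alert."""
    return [(r.qmgr, r.vrmf, r.remote_host) for r in records if r.msg_id == "AMQ9616"]


# Constructed sample, modelled on the log excerpt posted in the thread (hosts and QMgr invented).
SAMPLE_LOG = """\
----- amqrmrsa.c : 902 --------------------------------------------------------
11/04/19 06:24:44 - Process(12333.67) User(mqm) Program(amqrmppa)
                    Host(mqdev01) Installation(Installation1)
                    VRMF(7.5.0.9) QMgr(QM.DEV)
AMQ9616: The CipherSpec proposed is not enabled on the server.
EXPLANATION:
(d) The requested CipherSpec has been deprecated.
The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
The remote host name is 'localhost (127.0.0.1)'.
----- amqccisa.c : 7217 -------------------------------------------------------
11/04/19 06:24:44 - Process(12333.67) User(mqm) Program(amqrmppa)
                    Host(mqdev01) Installation(Installation1)
                    VRMF(7.5.0.9) QMgr(QM.DEV)
AMQ9492: The TCP/IP responder program encountered an error.
----- amqrmrsa.c : 902 --------------------------------------------------------
"""

if __name__ == "__main__":
    for cipher in ("RC4_MD5_EXPORT", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_DES_CBC_SHA",
                   "TLS_RSA_WITH_AES_128_CBC_SHA256", "ECDHE_RSA_AES_128_GCM_SHA256"):
        print(classify_cipher(cipher))
    for qmgr, vrmf, remote in rejected_handshakes(parse_amq_log(SAMPLE_LOG)):
        print(f"{qmgr} ({vrmf}) refused a handshake from {remote}")
```

Run against the pair the poster reports (RC4_MD5_EXPORT on the channel, SSL_RSA_EXPORT_WITH_RC4_40_MD5 in the client), the classifier returns "reject" with three reasons, which is exactly case (d) in the AMQ9616 text; the AES CBC suites the poster tried first come back "acceptable", so for those the mismatch has to be looked for elsewhere (channel SSLCIPH, key store, or the two spellings of the name not matching).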
riyaz_tak
Posted: Sun Nov 03, 2019 10:28 pm
Voyager
Joined: 05 Jan 2012    Posts: 92
exerk wrote:
    riyaz_tak wrote:
        ...We are regressing MQ to version 7.5.0.9...
    Any particular reason for this?
    riyaz_tak wrote:
        ...Earlier we had the 8.5 version and the certificate was working fine...
    And was the certificate key store created with a later version of the IBM GSKit bundled with MQ V8.0?
We have MQ 7.5 in production, but on the dev box we have 8.0.0.5.
We need to test some feature, so we are regressing to 7.5.
fjb_saper
Posted: Sun Nov 03, 2019 11:56 pm
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
This is your reason:
Quote:
    AMQ9616: The CipherSpec proposed is not enabled on the server.
Do not use RC4; it has been deprecated.
Use a key of size 2048 minimum and ECDHE_WITH_RSA_GCM_SHA256 (from memory) or something close. Maybe the elliptic curve ciphers are not yet available at 7.5. In any case, use a TLS 1.2 cipher.
Have fun
_________________
MQ & Broker admin