Waspusher (Newbie, Joined: 02 Dec 2010, Posts: 5)
Posted: Tue Jul 26, 2011 3:05 am    Post subject: FIPS problems

Hi all.
My code:
Code:
    import javax.jms.JMSException;
    import javax.jms.MessageProducer;
    import javax.jms.Queue;
    import javax.jms.QueueConnection;
    import javax.jms.QueueSession;
    import javax.jms.Session;
    import com.ibm.mq.jms.MQQueueConnectionFactory;
    import com.ibm.msg.client.wmq.WMQConstants;

    // Fields such as _queueManager, _useSSL, _fipsrequired, _ciphersuite,
    // _conn, _session and _producer are set elsewhere in the class;
    // StringUtil.isEmpty is a helper from the same code base.
    void connect() throws JMSException {
        MQQueueConnectionFactory factory = new MQQueueConnectionFactory();
        factory.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
        factory.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, _queueManager);
        factory.setStringProperty(WMQConstants.WMQ_HOST_NAME, _queueHost);
        factory.setIntProperty(WMQConstants.WMQ_PORT, _queuePort);
        factory.setStringProperty(WMQConstants.WMQ_CHANNEL, _queueChannel);
        if (_useSSL) {
            // Key and trust stores are handed to JSSE through system properties
            System.setProperty("javax.net.ssl.trustStore", _truststoragepath);
            System.setProperty("javax.net.ssl.trustStorePassword", _truststoragepass);
            System.setProperty("javax.net.ssl.keyStore", _keystoragepath);
            System.setProperty("javax.net.ssl.keyStorePassword", _keystoragepass);
            factory.setSSLFipsRequired(_fipsrequired); // true: only a FIPS-capable JSSE will do
            factory.setSSLCipherSuite(_ciphersuite);   // must correspond to the channel's SSLCIPH
        }
        if (!StringUtil.isEmpty(_queueUserName) && !StringUtil.isEmpty(_queueUserPwd)) {
            _conn = factory.createQueueConnection(_queueUserName, _queueUserPwd);
        } else {
            _conn = factory.createQueueConnection();
        }
        _conn.start();
        _session = _conn.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
        Queue queueIn = _session.createQueue(_queueName);
        _producer = _session.createProducer(queueIn);
    }
When _fipsrequired = false and _ciphersuite has a value from the table
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.csqzaw.doc/ja34740_.htm
where "Connection possible if FIPS is not required?" = YES
(SSL_RSA_WITH_RC4_128_SHA, for example), all is OK.
But when _fipsrequired = true and _ciphersuite = SSL_RSA_WITH_AES_128_CBC_SHA:
FAIL
Error: MQRC_SSL_INITIALIZATION_ERROR
What may be the problem in how I configure the server and the client, respectively?
I mean, set FIPS REQ = YES, CipherSpec = TLS_RSA_WITH_AES_128_CBC_SHA on the server.

Waspusher (Newbie, Joined: 02 Dec 2010, Posts: 5)
Posted: Tue Jul 26, 2011 7:04 am

fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Tue Jul 26, 2011 7:55 am

Can you show us the channel setup on the queue manager for a successful call and the channel setup for a failed call?
Did you check whether your certs support the ciphersuites you want to use?
_________________
MQ & Broker admin

mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Tue Jul 26, 2011 8:02 am

Are you using a FIPS certified JSSE provider?

Waspusher (Newbie, Joined: 02 Dec 2010, Posts: 5)
Posted: Wed Jul 27, 2011 12:29 am

fjb_saper wrote:
    Can you show us the channel setup on the queue manager for a successful call and the channel setup for a failed call?
    Did you check whether your certs support the ciphersuites you want to use?

1. Successful call
   MQ
       SSL FIPS Required = NO
       alter channel(CHAN_SSL)
           CHLTYPE(SVRCONN)
           SSLCIPH(RC4_SHA_US)
           SSLCAUTH(REQUIRED)
   JMS client
       factory.setSSLFipsRequired(false)
       factory.setSSLCipherSuite("SSL_RSA_WITH_RC4_128_SHA")
       + other

2. FAIL
   MQ
       SSL FIPS Required = YES
       alter channel(CHAN_SSL)
           CHLTYPE(SVRCONN)
           SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
           SSLCAUTH(REQUIRED)
   JMS client
       factory.setSSLFipsRequired(true)
       factory.setSSLCipherSuite("SSL_RSA_WITH_AES_128_CBC_SHA")
       + other

I don't know if my certs support FIPS ciphersuites... I guess not.

mqjeff wrote:
    Are you using a FIPS certified JSSE provider?

Not sure... But after reading this: http://publib.boulder.ibm.com/infocenter/realtime/v1r0/index.jsp?topic=%2Fcom.ibm.rt.doc.10%2Fsecurity%2Fjsse2%2Fibmjsse2_differences_ibmjsse.html
"The IBM JSSE Provider can be enabled to run in FIPS mode. The Sun JSSE cannot."
I'm using Sun JDK 1.6.0_13.
I think I found the problem: the Sun provider can't run in FIPS mode.
How can I fix this? (Except by using the IBM JDK)

fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Wed Jul 27, 2011 1:59 am

You need to go back and look at the CIPHER SUITE and corresponding CIPHER SPEC tables.
Look specifically at TLS_RSA_3DES_EDE_CBC_SHA or something like that.
There are ciphersuites and specs available that are not related to AES....
Or make sure that you do have a provider that supports AES, and then you have to test your cipher suites against the cipher specs....
You may be able to use a FIPS ciphersuite without setting the FIPS variable (IBMJSSE dependent), all dependent on your SSL provider's implementation...
However, you may want to verify with the certified FIPS implementations so as to make sure you get it right...
Have fun

mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Wed Jul 27, 2011 4:14 am

This was my point, really. The Sun provider doesn't do FIPS.
What is your objection to using the IBM JVM that comes with MQ, that is FIPS compliant if enabled?
Remember that you're dealing with a US Government Federal Standard, so it's not necessarily a good idea to try and "fake" it using a non-compliant JSSE and non-AES cipherspecs.
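A preflight check that captures the two points made in this thread (the OP's side-by-side RC4/AES channel configurations, and the conclusion that the Sun provider has no FIPS mode): before calling setSSLFipsRequired(true), ask the JVM which JSSE is actually in use, whether it can negotiate the CipherSuite that corresponds to the channel's SSLCIPH, and whether any FIPS provider is installed at all. This is an added example, not code from the thread or from IBM; the CipherSpec-to-CipherSuite map contains only the two pairs quoted in the thread, and recognising a FIPS provider by the word "FIPS" in its provider name is a heuristic of this example, not a JSSE or MQ rule.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;

/**
 * Preflight for an MQ JMS client that intends to set SSLFipsRequired.
 * Added example (not from the thread). Run it with the same JVM and
 * classpath the JMS client will use, otherwise the answer is meaningless.
 */
public class FipsPreflight {

    /** Queue manager CipherSpec (SSLCIPH) -> CipherSuite name the Java client must set.
     *  Only the two pairs that appear in the thread are listed here. */
    static final Map<String, String> SPEC_TO_SUITE = new HashMap<String, String>();
    static {
        SPEC_TO_SUITE.put("RC4_SHA_US", "SSL_RSA_WITH_RC4_128_SHA");
        SPEC_TO_SUITE.put("TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA");
    }

    /** True if the default SSLContext of this JVM can negotiate the suite. */
    static boolean suiteSupported(String suite) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        return Arrays.asList(supported).contains(suite);
    }

    /** Heuristic (assumption of this example): a FIPS provider carries "FIPS" in its name. */
    static Provider fipsProvider() {
        for (Provider p : Security.getProviders()) {
            if (p.getName().toUpperCase().contains("FIPS")) {
                return p;
            }
        }
        return null;
    }

    /** Explain whether setSSLFipsRequired(fipsRequired) with this channel CipherSpec can work. */
    static String check(String serverSpec, boolean fipsRequired) throws Exception {
        String suite = SPEC_TO_SUITE.get(serverSpec);
        if (suite == null) {
            return "no CipherSuite mapping known here for CipherSpec " + serverSpec;
        }
        if (!suiteSupported(suite)) {
            return "this JSSE cannot negotiate " + suite + " -> expect MQRC_SSL_INITIALIZATION_ERROR";
        }
        if (fipsRequired && fipsProvider() == null) {
            return "FIPS required but no FIPS provider is installed (the Sun JSSE has no FIPS mode)"
                 + " -> expect MQRC_SSL_INITIALIZATION_ERROR";
        }
        return "OK: factory.setSSLCipherSuite(\"" + suite + "\")";
    }

    public static void main(String[] args) throws Exception {
        // The two configurations from the thread: the one that worked and the one that failed.
        System.out.println("RC4_SHA_US, FIPS off: " + check("RC4_SHA_US", false));
        System.out.println("TLS_RSA_WITH_AES_128_CBC_SHA, FIPS on: "
                + check("TLS_RSA_WITH_AES_128_CBC_SHA", true));
        // Listing the providers shows at a glance whether IBMJSSE2 / a FIPS provider is present.
        System.out.println("Security providers in this JVM:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion());
        }
    }
}
```

On a Sun JDK 1.6 the provider list will show SunJSSE and no FIPS provider, so the second check reports the failure before any connection is attempted; on an IBM JDK with IBMJSSE2 and its FIPS provider both checks can pass, which is the same conclusion the replies above reach.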

fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Wed Jul 27, 2011 1:11 pm

mqjeff wrote:
    Remember that you're dealing with a US Government Federal Standard, so it's not necessarily a good idea to try and "fake" it using a non-compliant JSSE and non-AES cipherspecs.

AH, but that is the point. The OP did not specify if the client was US Government or its affiliates or suppliers...
US Gov will mandate AES (and IBM JSSE2) AFAIK.
But if you want just FIPS strength you could use the RSA stuff as described in the cipherspec / ciphersuite table.
Note I said could and not should... any liability your own...

Waspusher (Newbie, Joined: 02 Dec 2010, Posts: 5)
Posted: Thu Jul 28, 2011 6:05 am

I abandon the idea of using FIPS.