shojan
Posted: Mon Feb 24, 2014 8:32 am Post subject: QM(SSL)-->MQIPT(SSL)-->QM
Novice
Joined: 20 May 2013 Posts: 10
Hello,
I'm trying to establish an SSL connection between one queue manager and MQIPT. The SSL connection is terminated at MQIPT and then a plain connection is established to another queue manager.
QM(SSL)-->MQIPT(SSL)-->QM(No SSL)
While establishing the connection I am getting "SSLHandshakeException: com.ibm.jsse2.util.j: Extended key usage does not permit use for TLS client authentication".
Below is the route information configured.
[global]
ClientAccess=false
IdleTimeout=20
Trace=5
[route]
Name=SSL server sample
ListenerPort=44444
Destination=lnxdevvm336
DestinationPort=44444
OutgoingPort=0
SSLServer=true
SSLServerCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLServerProtocols=SSLv3
#SSLServerSiteLabel=ibmwebspheremqqmb
SSLServerKeyRing=/opt/mqipt21/mqipt/ssl/SSLServerKeyRing.pfx
SSLServerKeyRingPW=/opt/mqipt21/mqipt/ssl/SSLServerKeyRing.pwd
#SSLServerDN_O=*
#SSLServerDN_CN=*
SSLServerAskClientAuth=true
Please guide me if I have done any configuration wrong.
shojan
Posted: Mon Feb 24, 2014 8:35 am Post subject:
Novice
Joined: 20 May 2013 Posts: 10
McueMart
Posted: Mon Feb 24, 2014 8:45 am Post subject:
Chevalier
Joined: 29 Nov 2011 Posts: 490 Location: UK...somewhere
shojan
Posted: Mon Feb 24, 2014 9:18 am Post subject:
Novice
Joined: 20 May 2013 Posts: 10
Yeah, my client certificate is fine, because I tried establishing QMGR to QMGR with SSL enabled using that set of certificates and it worked fine.
Only when I use the certificate on the IPT side do I get this problem.
I saw
already
fjb_saper
Posted: Mon Feb 24, 2014 2:54 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Did you check out the correspondence tables in the Infocenter between CipherSuite and CipherSpec? Please pay careful attention to the differentiating value of FIPS...
_________________
MQ & Broker admin
shojan
Posted: Mon Feb 24, 2014 7:23 pm Post subject:
Novice
Joined: 20 May 2013 Posts: 10
Yes, I chose
SSLServerCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLServerProtocols=SSLv3
which is equivalent to TRIPLE_DES_SHA_US.
fjb_saper
Posted: Mon Feb 24, 2014 8:42 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
shojan wrote:
    Yes, I chose
    SSLServerCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA
    SSLServerProtocols=SSLv3
    which is equivalent to TRIPLE_DES_SHA_US.
Which, as specified, does not support the TLS protocol...
_________________
MQ & Broker admin
shojan
Posted: Mon Feb 24, 2014 8:44 pm Post subject:
Novice
Joined: 20 May 2013 Posts: 10
Yes, on both the queue manager and MQIPT it's configured to use SSL and not TLS.
ChristianH
Posted: Fri May 23, 2014 1:17 am Post subject:
Novice
Joined: 27 Sep 2007 Posts: 19 Location: London, UK
Hi,
We discovered that the new version of IPT is stricter when checking SSL certificates than MQ. Or you could argue MQ is sloppier, however you want to look at it. We had to add the following extended key usage fields to our certificates to work with IPT.
The certificate needs to be usable for both server and client authentication.
Try setting the Extended Key Usage fields as follows:
Criticality=false
ExtKeyUsage [1.3.6.1.5.5.7.3.1] for server authentication
ExtKeyUsage [1.3.6.1.5.5.7.3.2] for client authentication
This is because IPT uses JSSE2 to do the SSL handshaking while MQ uses IBM's GSKit.
longnguk
Posted: Sat May 24, 2014 7:25 am Post subject:
Novice
Joined: 16 Aug 2006 Posts: 19 Location: Phoenix
ChristianH wrote:
    Hi,
    We discovered that the new version of IPT is stricter when checking SSL certificates than MQ. Or you could argue MQ is sloppier, however you want to look at it. We had to add the following extended key usage fields to our certificates to work with IPT.
    The certificate needs to be usable for both server and client authentication.
    Try setting the Extended Key Usage fields as follows:
    Criticality=false
    ExtKeyUsage [1.3.6.1.5.5.7.3.1] for server authentication
    ExtKeyUsage [1.3.6.1.5.5.7.3.2] for client authentication
    This is because IPT uses JSSE2 to do the SSL handshaking while MQ uses IBM's GSKit.
To put it differently: WMQ provides the option to perform mutual authentication, but it is not the default.
You can enforce mutual authentication by turning on SSLCAUTH(REQUIRED). When the option is turned on, the certificates involved must have the Extended Key Usage set to both server and client authentication, or the WMQ SSL handshake would fail.
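The last two posts agree on the fix: a certificate that MQIPT (JSSE) accepts on a route with SSLServerAskClientAuth=true, or that a queue manager accepts with SSLCAUTH(REQUIRED), must carry an extKeyUsage extension listing both id-kp-serverAuth (1.3.6.1.5.5.7.3.1) and id-kp-clientAuth (1.3.6.1.5.5.7.3.2), or no extKeyUsage extension at all. What follows is an added example, not code from the thread, from IBM or from MQIPT: a dependency-free Python encoder/decoder for the DER value of the extKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER) plus a check that reports which of the two purposes is missing, the same test that produced the "Extended key usage does not permit use for TLS client authentication" error in the original post. The EKU values it inspects are constructed inline so it runs offline; extracting the extension value from a real certificate (for example with openssl or the cryptography package) is left to the caller. The anyExtendedKeyUsage rule applied below is RFC 5280's, not something the thread states about MQIPT.

```python
"""Check a certificate's extKeyUsage (EKU) value for the purposes a
mutually authenticated TLS link needs.

A TLS server certificate must allow id-kp-serverAuth; when the server
also demands a client certificate (MQIPT SSLServerAskClientAuth=true,
WMQ SSLCAUTH(REQUIRED)) the peer's certificate must allow
id-kp-clientAuth.  Added example, not IBM or MQIPT code.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage, RFC 5280 4.2.1.12


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(n):
    """Base-128 encoding of one OID sub-identifier, high bit = more."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])      # first two arcs share a byte
    for arc in arcs[2:]:
        body += _base128(arc)
    return b"\x06" + _der_length(len(body)) + body


def encode_eku(oids):
    """extKeyUsage extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in head + tuple(arcs[1:]))


def decode_eku(der):
    """DER extKeyUsage value -> list of dotted OIDs, in order."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("extKeyUsage members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def missing_eku(eku_der, required=(SERVER_AUTH, CLIENT_AUTH)):
    """Return the required purposes this EKU value does not permit.

    eku_der is None when the certificate carries no extKeyUsage at all;
    RFC 5280 then allows any purpose, as it does when anyExtendedKeyUsage
    is listed.  A present EKU restricts the key to exactly its OIDs, which
    is the check the JSSE error in the thread comes from.
    """
    if eku_der is None:
        return []
    present = set(decode_eku(eku_der))
    if ANY_EKU in present:
        return []
    return [p for p in required if p not in present]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    samples = {
        "server-only cert (thread's failure)": encode_eku([SERVER_AUTH]),
        "server+client cert (ChristianH's fix)": encode_eku([SERVER_AUTH, CLIENT_AUTH]),
        "cert with no extKeyUsage": None,
    }
    for label, der in samples.items():
        gaps = missing_eku(der)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against both ends of the route: on QM(SSL)-->MQIPT(SSL) the queue manager's certificate is the one presented as a TLS client to the MQIPT listener, so with SSLServerAskClientAuth=true it is the one that needs clientAuth, while the certificate in SSLServerKeyRing needs serverAuth. A certificate that passes queue-manager-to-queue-manager channels under GSKit can still fail this check, which is exactly what the thread describes.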