rickwatsonb
Posted: Fri Jul 18, 2014 11:02 am Post subject: AMQ9631 CipherSpec does not match between JMS and Qmgr
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West

Hi,
Trying to set up SSL for the first time. I followed the mo04 instructions, and the Cipherspec/Ciphersuite charts in the knowledge center for JMS.
So, the combination below should work - but it does not.
QMGR 7.5.0.2 – Linux
MQ Client 7.1.0.2 - Solaris
SSL CipherSpecs: TLS_RSA_WITH_3DES_EDE_CBC_SHA
CipherSuites in JMS: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Get:
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel …
Have not found an answer on the web yet... will keep looking, but I would appreciate any helpful thoughts.
Thanks

rickwatsonb
Posted: Fri Jul 18, 2014 11:08 am
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West

Sorry - I should add some more concrete setup info:
JMS setup excerpt:
((com.ibm.mq.jms.MQQueueConnectionFactory)factory).setSSLCipherSuite("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
SVRCONN Channel info:
SSLCAUTH(OPTIONAL)
SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
Yes - I am just trying to get one-way SSL working.
thanks

fjb_saper
Posted: Fri Jul 18, 2014 2:06 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

rickwatsonb wrote:
> Sorry - I should add some more concrete setup info:
> JMS setup excerpt:
> ((com.ibm.mq.jms.MQQueueConnectionFactory)factory).setSSLCipherSuite("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
> SVRCONN Channel info:
> SSLCAUTH(OPTIONAL)
> SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
> Yes - I am just trying to get one-way SSL working.
> thanks

Well, for TLS you will need SSL_RSA + FIPS = true!!
Seems your connection factory is missing the SSLFIPS = true...
If using a non-IBM JVM I would try and see if I can use TLS_RSA_WITH_3DES_EDE_CBC_SHA as cipherspec... IBM and non-IBM JVMs handle SSL a little bit differently, especially the FIPS certification...
Have fun
_________________
MQ & Broker admin

rickwatsonb
Posted: Tue Jul 22, 2014 11:45 am
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West

Thanks fjb_saper for the reply.
I changed the queue manager to use the TRIPLE_DES_SHA_US cipherSpec and omitted the -fips option in the runmqakm command line - now it works!
I will look at FIPS compliance later if I need it. Right now I am just trying to get MCA Interception working for the first time with a non-IBM JRE JMS Client. But first - need to implement two-way SSL now that one-way is working! Yippee!
Thanks
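
The two pairings discussed in this thread, as an added example (not code posted by any participant): the same JMS CipherSuite name is paired with a different queue manager SSLCIPH depending on the connection factory's FIPS setting. It assumes the IBM MQ classes for JMS are on the classpath and that the JVM trust store (`javax.net.ssl.trustStore`) already holds the queue manager's certificate; host, port, queue manager and channel names are constructed placeholders, and behaviour on a non-IBM JVM may differ as noted above.

```java
// Added example: connection details below are constructed placeholders.
import javax.jms.Connection;
import javax.jms.JMSException;
import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class CipherPairingCheck {

    // The single CipherSuite name used on the JMS side throughout the thread.
    static final String SUITE = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

    /** Channel SSLCIPH value that SUITE pairs with for a given sslFipsRequired. */
    static String expectedSslciph(boolean fipsRequired) {
        return fipsRequired ? "TLS_RSA_WITH_3DES_EDE_CBC_SHA" : "TRIPLE_DES_SHA_US";
    }

    static MQQueueConnectionFactory factory(boolean fipsRequired) throws JMSException {
        MQQueueConnectionFactory f = new MQQueueConnectionFactory();
        f.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        f.setHostName("mqhost.example.com"); // placeholder
        f.setPort(1414);                     // placeholder
        f.setQueueManager("QM1");            // placeholder
        f.setChannel("APP.SVRCONN");         // placeholder
        f.setSSLCipherSuite(SUITE);
        f.setSSLFipsRequired(fipsRequired);  // the setting missing from the original excerpt
        return f;
    }

    public static void main(String[] args) {
        // Run once per setting (pass "true" or "false"): the FIPS choice is
        // best made once per JVM rather than toggled inside one process.
        boolean fips = args.length > 0 && Boolean.parseBoolean(args[0]);
        Connection c = null;
        try {
            c = factory(fips).createConnection();
            System.out.println("Handshake OK: sslFipsRequired=" + fips
                    + " matches SSLCIPH(" + expectedSslciph(fips) + ")");
        } catch (JMSException e) {
            // The linked exception carries the MQ completion and reason codes;
            // the queue manager error log shows the matching AMQ message.
            System.out.println("Failed: sslFipsRequired=" + fips + " expects SSLCIPH("
                    + expectedSslciph(fips) + "): " + e.getLinkedException());
        } finally {
            if (c != null) try { c.close(); } catch (JMSException ignored) { }
        }
    }
}
```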

JosephGramig
Posted: Tue Jul 22, 2014 11:55 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA

So, for the two-way, the Qmgr's key store needs to have the CA that signed your cert so it can trust you. This is why it is nice to have the same CA sign users and Qmgrs.

fjb_saper
Posted: Tue Jul 22, 2014 2:44 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

If using 7.5 JMS and SSL with a non-IBM JVM, open a PMR.
There are some fixes you need.
_________________
MQ & Broker admin