HTTPRequest node with SSL/TLS Protocol switching
prashantsarode
Posted: Wed Jan 28, 2015 7:31 am    Post subject: HTTPRequest node with SSL/TLS Protocol switching

Newbie

Joined: 28 Jan 2015
Posts: 2

Hi,

In the HTTPRequest node, on the SSL tab under Properties, we can configure the protocol as SSL or TLS. However, there is no way to switch between these protocols at runtime.

In WAS, we can specify the protocol as SSL_TLS, where WAS will switch between protocols as required by the external web server. Is there any such setting in WMB so that we do not have to worry about what protocol the web service provider is using?

We can achieve this functionality using external variables in WMB; however, I am trying to explore other ways by which we can configure WMB to do it.

Thanks,
Prashant
fjb_saper
Posted: Wed Jan 28, 2015 8:15 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Very important question: Why are you contemplating using anything below TLS? Security concerns tell us that anything below TLS is no longer considered secure and may be vulnerable to hacking...
_________________
MQ & Broker admin
prashantsarode
Posted: Wed Jan 28, 2015 11:28 am

Newbie

Joined: 28 Jan 2015
Posts: 2

Our broker was using the SSL protocol to access web services using the HTTPRequest node. Recently, during a network update, the SSL protocol was changed to TLS. Hence we needed to make changes in all HTTPRequest nodes to use TLS instead of SSL.

We tried changing the HTTPSConnector's sslProvider property to TLS (which is the default), but the command is not taking effect. Hence we resorted to changing the code and deploying it to all environments.

Hence I am trying to explore whether we can do some global protocol change in the broker instead of a code change.
fjb_saper
Posted: Wed Jan 28, 2015 9:09 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

For the HTTPRequest node it should be as simple as setting an override property (or node property) and redeploying... Maybe you can even script it with the broker proxy and implement on the fly?

Have fun
_________________
MQ & Broker admin
firoj.badsa
Posted: Wed Feb 25, 2015 1:06 am    Post subject: changing from SSL to TLS

Centurion

Joined: 16 Feb 2007
Posts: 104

@prashantsarode - did the solution work for you? Or did you do anything else to make TLS work?
fjb_saper
Posted: Wed Feb 25, 2015 6:52 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

prashantsarode wrote:
Our broker was using the SSL protocol to access web services using the HTTPRequest node. Recently, during a network update, the SSL protocol was changed to TLS. Hence we needed to make changes in all HTTPRequest nodes to use TLS instead of SSL.

We tried changing the HTTPSConnector's sslProvider property to TLS (which is the default), but the command is not taking effect. Hence we resorted to changing the code and deploying it to all environments.

Hence I am trying to explore whether we can do some global protocol change in the broker instead of a code change.

Check it out: it's the sslProtocol property and NOT the provider property.
This is for the inbound calls default setup.
_________________
MQ & Broker admin
MBcurious
Posted: Wed Feb 25, 2015 12:06 pm

Newbie

Joined: 25 Feb 2015
Posts: 2

Hi, I have the same kind of requirement, where we need to switch from SSL to TLS (due to the SSLv3 vulnerability). Can anyone please elaborate for me how it can be done for an httpnode?
mqjeff
Posted: Wed Feb 25, 2015 12:32 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

http://www-01.ibm.com/support/docview.wss?uid=swg21687678
AndrewThomson
Posted: Mon Nov 23, 2015 4:15 am

Newbie

Joined: 23 Nov 2015
Posts: 1
Location: IBM/GBS/Hursley

MBcurious wrote:
Hi, I have the same kind of requirement, where we need to switch from SSL to TLS (due to the SSLv3 vulnerability). Can anyone please elaborate for me how it can be done for an httpnode?

Similar requirement here. We need to be able to toggle from SSL to TLS on HTTP requests to allow us to switch from one protocol to the other when the third party webservice provider enables TLS connections and fiddles around with their settings (without being allowed to deploy a TLS-specific version of the bar file).

The solution we use is:
a) On the HTTPRequest node, set the protocol property to SSL. We use this as the default value if the protocol is not later overridden in the code.
b) In our database, we hold a row that defines the protocol to be used.
c) In the flow that contains the HTTP request, retrieve the protocol value from the database.
d) SET OutputLocalEnvironment.Destination.HTTP.SSLProtocol = <the value returned from the DB>;

Update the database to hold 'TLS' or 'SSL' as required.

There is a nice table of other local environment overrides in the Broker documentation for the HTTPRequest node.
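Steps (a) to (d) from AndrewThomson's post above, written out as a Compute node module. This is an added example, not code from the thread: the table `HTTP_PROTOCOL_CONFIG`, its columns `SERVICE_NAME` and `PROTOCOL`, and the key `'PartnerService'` are assumed names. It applies the override only when the stored value is one of the two the post names, so a missing or mistyped row falls back to the node property.

```esql
-- Added example; table, column and service names are assumptions.
-- Prerequisites on the Compute node placed before the HTTPRequest node:
--   * the Data source property points at the configuration database
--   * Compute mode includes LocalEnvironment, otherwise the override is
--     written to a tree that is never propagated
CREATE COMPUTE MODULE SetHttpRequestProtocol
	CREATE FUNCTION Main() RETURNS BOOLEAN
	BEGIN
		SET OutputRoot = InputRoot;
		SET OutputLocalEnvironment = InputLocalEnvironment;

		-- Step (c): read the configured protocol for this service.
		-- THE(...) yields NULL unless exactly one row matches.
		DECLARE proto CHARACTER;
		SET proto = THE(SELECT ITEM T.PROTOCOL
		                FROM Database.HTTP_PROTOCOL_CONFIG AS T
		                WHERE T.SERVICE_NAME = 'PartnerService');
		SET proto = UPPER(TRIM(proto));

		-- Step (d): override only with the two values the post uses.
		-- NULL or any other value leaves the node's own protocol
		-- property (step a) in effect.
		IF proto IN ('SSL', 'TLS') THEN
			SET OutputLocalEnvironment.Destination.HTTP.SSLProtocol = proto;
		END IF;

		RETURN TRUE;
	END;
END MODULE;
```

Because the database row now decides the protocol for every request, write access to that table carries the same weight as the right to redeploy the flow.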
mqjeff
Posted: Mon Nov 23, 2015 5:39 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

That's a very tidy solution to a problem that should not exist. No http service should be supporting SSL these days, because it is far too big a security hole.
_________________
chmod -R ugo-wx /
smdavies99
Posted: Mon Nov 23, 2015 6:08 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

mqjeff wrote:
That's a very tidy solution to a problem that should not exist. No http service should be supporting SSL these days, because it is far too big a security hole.


That's a very tidy solution to a problem that should not exist. No External Facing http service should be supporting SSL these days, because it is far too big a security hole.

What about internal connections on private networks? I know of some that will never be upgraded to TLS simply because one of the bits of kit that uses SSL won't get upgraded. Mind you, this bit of kit is in a Nuclear Shelter deep underground in Moscow not too far from the KGB (sorry FSB) HQ and is protected by at least three mil spec firewalls.

But in general, you are right.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
mqjeff
Posted: Mon Nov 23, 2015 6:17 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

smdavies99 wrote:
No External Facing http service should be supporting SSL these days, because it is far too big a security hole.


Yes, because employees are never a security risk...
_________________
chmod -R ugo-wx /
smdavies99
Posted: Mon Nov 23, 2015 6:47 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

mqjeff wrote:
smdavies99 wrote:
No External Facing http service should be supporting SSL these days, because it is far too big a security hole.


Yes, because employees are never a security risk...


Not that close to the FSB HQ they aren't.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.