MQSeries.net Forum Index » IBM MQ Security » SSL b/w SDR - RCVR channel on mainframe and windows qmgr
ribs2609 wrote (Mon Sep 12, 2016 10:08 pm), subject: SSL b/w SDR - RCVR channel on mainframe and windows qmgr
Hi Team,

I am trying to enable SSL between SDR - RCVR channels on a Mainframe and a Windows Qmgr and hit an invalid cipher error. All the configuration information is as below.

Not really sure where I am going wrong.

Mainframe QMGR: QIB1, MQ Version: v7.1.0
Windows QMGR: QM3, MQ Version: v7.0.1.3
Sender channel on QIB1: QIB1.TO.QM3
RCVR channel on QM3: QIB1.TO.QM3
Cipher Spec on both SDR and RCVR: TLS_RSA_WITH_AES_128_CBC_SHA
At RCVR end, SSLAUTH set to: OPTIONAL, so only transferring the Windows certificate to the mainframe QMGR's key ring.

With the above setup in place, trying to start the sender channel at the mainframe end gives an Invalid cipher specification error.

Note:
1. The channels work without SSL configured.
2. I have a working SSL configuration between SDR - RCVR channels on 2 Windows qmgrs using the same cipher.

********* Error details in mainframe syslog while starting sender channel on mainframe *********
10:15:15.89 STC14983 00000090 +CSQX500I QIB1 CSQXRCTL Channel QIB1.TO.QM3 started
10:15:15.97 STC14983 00000090 +CSQX635E QIB1 CSQXRCTL Invalid cipher specification 002F for channel 290
290 00000090 QIB1.TO.QM3
10:15:15.97 STC14983 00000090 +CSQX599E QIB1 CSQXRCTL Channel QIB1.TO.QM3 ended abnormally
********************************************************************

Steps followed to create Key repository and certificate at Windows side:
-----------------------------------------------------------------------------
- Create key repository:
Code:
runmqckm -keydb -create -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -type cms -pw changeit -stash

- Create a selfsigned certificate:
Code:
runmqckm -cert -create -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -pw changeit -label ibmwebspheremqqm3 -dn "CN=QM3,OU=WINMQ,O=Allianz,L=TVM,C=IN" -size 2048

- Extract signer / public part of the certificate:
Code:
runmqckm -cert -extract -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -pw changeit -label ibmwebspheremqqm3 -target "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\qm3cert.arm"

- FTP'd (in ASCII mode) qm3cert.arm to a dataset file

- Only transferring the Windows qmanager certificate to the mainframe, as SSLAUTH is set to Optional on the RCVR channel at the Windows end

- Configured QMGR to point at key database E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key
- Refreshed SSL security
- Altered channel to pick cipher spec TLS_RSA_WITH_AES_128_CBC_SHA



Steps followed to create Key Ring at mainframe side:
-----------------------------------------------------------------------------
1. Create key ring: RACDCERT ID(QIB1CHIN) ADDRING(QIB1RING)
2. Create a CA certificate:
Code:
RACDCERT CERTAUTH GENCERT -
SUBJECTSDN (CN ('CA01') -
T ('CA Certificate') -
OU ('MQ QIB1 - MVSINST') -
O ('Allianz') -
L ('Guildford') -
SP ('Surrey') -
C ('UK')) -
WITHLABEL ('CA01')

SETROPTS RACLIST(DIGTCERT) REFRESH

3. Create a personal certificate signed with the CA certificate:
Code:
RACDCERT ID(QIB1CHIN) GENCERT -
SUBJECTSDN (CN ('QIB1') -
T ('Personal Certificate for QIB1') -
OU ('MQ QIB1 - MVSINST') -
O ('Allianz') -
L ('Guildford') -
SP ('Surrey') -
C ('UK')) -
WITHLABEL ('ibmWebSphereMQQIB1') -
SIGNWITH (CERTAUTH LABEL ('CA01'))

SETROPTS RACLIST(DIGTCERT) REFRESH

4. Add or connect the certificates to the keyring:
Code:
RACDCERT ID (QIB1CHIN) -
CONNECT (CERTAUTH LABEL ('CA01') -
   RING (QIB1RING) USAGE (CERTAUTH))

RACDCERT ID (QIB1CHIN) -
CONNECT (ID (QIB1CHIN) LABEL ('ibmWebSphereMQQIB1') -
RING (QIB1RING) USAGE(PERSONAL))

SETROPTS RACLIST(DIGTCERT) REFRESH

5. Add the Windows qmgr cert to RACF:
Code:
RACDCERT ID(QIB1CHIN) ADD('WEBS.MQ.RACF.CERT.SSLTEST.WIN.MON5916') -
 TRUST WITHLABEL('ibmwebspheremqqm3')

SETROPTS RACLIST(DIGTCERT) REFRESH

6. Connect the Windows certificate to the key ring:
Code:
RACDCERT ID(QIB1CHIN) CONNECT(ID(QIB1CHIN) -
LABEL('ibmwebspheremqqm3') RING(QIB1RING) USAGE(PERSONAL))

SETROPTS RACLIST(DIGTCERT) REFRESH

7. List the key ring: RACDCERT ID(QIB1CHIN) LISTRING(QIB1RING)
Digital ring information for user QIB1CHIN:

Ring:
>QIB1RING<
Certificate Label Name            Cert Owner    USAGE     DEFAULT
--------------------------------  ------------  --------  -------
CA01                              CERTAUTH      CERTAUTH  NO
ibmWebSphereMQQIB1                ID(QIB1CHIN)  PERSONAL  NO
ibmwebspheremqQM3                 ID(QIB1CHIN)  PERSONAL  NO
    >>>>> Added by mistake, still in there, hope this won't cause an issue
ibmwebspheremqqm3                 ID(QIB1CHIN)  PERSONAL  NO
    >>>> Correct Windows qmgr cert

8. Mainframe Queue Manager QIB1 is configured to point at QIB1RING
9. Sender channel on QIB1 is configured to use CIPHERSPEC TLS_RSA_WITH_AES_128_CBC_SHA


smdavies99 wrote (Mon Sep 12, 2016 11:00 pm):

Three points
Quote:

Mainframe QMGR: QIB1, MQ Version: v7.1.0
Windows QMGR: QM3, MQ Version: v7.0.1.3

1) Are there no fixpacks applied to the Mainframe MQ?

2) Does 7.0.1.3 (not the latest FP) support the Cipher spec that you are trying to use?

3) You do know that MQ V7 went out of support last year and that V7.1 is not long for the chop.

Please go back and place CODE tags around the lines where you show... commands. It will make your post a lot easier to read.
[ C O D E ]
[/C O D E ]
(remove the spaces).

For example:

This
runmqckm -keydb -create -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -type cms -pw changeit -stash
would look like this
Code:
runmqckm -keydb -create -db "E:\Program Files (x86)\IBM\WebSphere MQ\Qmgrs\QM3\ssl\key.kdb" -type cms -pw changeit -stash

ribs2609 wrote (Mon Sep 12, 2016 11:22 pm):

Hi Jedi,

Thanks for suggesting the CODE thingy.

1) Are there no fixpacks applied to the Mainframe MQ?
I will have to check with the mainframe admin for any fixpack, will get back.
Will that have anything to do with the invalid cipher error?

2) Does 7.0.1.3 (not the latest FP) support the Cipher spec that you are trying to use?
I have a working SSL using the same ciphers between two QMGRs on the Windows server, which I think would suggest the version supports TLS_RSA_WITH_AES_128_CBC_SHA.

3) You do know that MQ V7 went out of support last year and that V7.1 is not long for the chop.
- Yes, upgrades are being planned.

Thanks
Ribu
fjb_saper wrote (Tue Sep 13, 2016 12:40 am):
Well Ribu, I did not see where you specified the key size for the MF certificate.
What is the default key size?
If the key size is under 2048, there is no way a TLS cipher will work.

Have fun
ribs2609 wrote (Tue Sep 13, 2016 1:18 am):
Yes, that's useful info.
Just did a google for the default keysize used by the RACDCERT command and it's 1024, hence TLS not working.

But I have tried other ciphers like NULL_MD5, SHA, TRIPLE_DES_SHA_US: not sure if 1024 works with these!

And the Windows cert has a size of 2048; maybe the certificate size needs to be the same on both sides?
ribs2609 wrote (Tue Sep 13, 2016 1:23 am):
Another thought:

The SDR channel is on the mainframe and the RCVR at the Windows side.
SSLAUTH is set to 'optional' at the RCVR end.

And so only the Windows QMGR's certificate is copied to the mainframe QMGR's keyring.

The certificate of the mainframe qmgr doesn't come into play at all, isn't it?
fjb_saper wrote (Tue Sep 13, 2016 2:48 am):
ribs2609 wrote:
Another thought:

The SDR channel is on the mainframe and the RCVR at the Windows side.
SSLAUTH is set to 'optional' at the RCVR end.

And so only the Windows QMGR's certificate is copied to the mainframe QMGR's keyring.

The certificate of the mainframe qmgr doesn't come into play at all, isn't it?

I believe that if one is provided it is checked. If you want only the Windows cert to be in play, don't create one in RACF, just import the Win cert...
fjb_saper wrote (Tue Sep 13, 2016 2:51 am):
ribs2609 wrote:
Yes, that's useful info.
Just did a google for the default keysize used by the RACDCERT command and it's 1024, hence TLS not working.

But I have tried other ciphers like NULL_MD5, SHA, TRIPLE_DES_SHA_US: not sure if 1024 works with these!

And the Windows cert has a size of 2048; maybe the certificate size needs to be the same on both sides?

Key sizes don't need to match, but they have to fulfill the minimum size for the exchange on both sides.

1024 used to be the minimum... Today I'd go with 4096. This will give you some mileage. 2048 is a minimum for TLS, and probably about to be breached in the next 2 years...
ribs2609 wrote (Tue Sep 13, 2016 3:47 am):
Thanks again.

>> Will try the test after deleting the mainframe certificate from the KeyRing.
>> Yes, we are looking at a key size of 4096. But the maximum key size supported by runmqckm shipped with MQ 7.0.1.3 seems to be 2048, as the command gave a keysize error with 4096.
>> We will be upgrading to MQ 7.5 soon on Windows and the actual implementation would be with 4096.
ribs2609 wrote (Wed Sep 14, 2016 4:23 am):
>> Deleted the mainframe Qmgr's certificate from the key ring
>> Now the keyring only has the Windows Qmgr's certificate
>> Still the SDR channel fails with the invalid cipher error
>> Think it's something to do with the mainframe MQ configuration or key creation
>> I have tried TLS, NULL, TRIPLE, all these ciphers, but in each case the error is the same and it fails with invalid cipher
>> As mentioned, on the mainframe we are at 7.1.0
>> Is there anything to be taken care of while creating the keyring?
>> Don't really understand why it's complaining of invalid cipher

Please do share if there are any further thoughts...
ribs2609 wrote (Wed Sep 14, 2016 5:13 am):
Output of list keyring from the mainframe: it now only has the Windows qmgr (QM3) cert, which is created with 2048 size.

I am trying to put in all the info, so that any of it rings any bells.

RACDCERT ID(QIB1CHIN) LISTRING(QIB1RING)

Digital ring information for user QIB1CHIN:

Ring:
>QIB1RING<
Certificate Label Name            Cert Owner    USAGE     DEFAULT
--------------------------------  ------------  --------  -------
ibmwebspheremqqm3                 ID(QIB1CHIN)  PERSONAL  NO
ribs2609 wrote (Wed Sep 14, 2016 6:01 am):
Okay... so the latest observation is that the channel does come up with ciphers that have 56-bit or less encryption.

So it works with TLS_RSA_WITH_DES_CBC_SHA, NULL_MD5, NULL_SHA, DES_SHA_EXPORT.

In the cipher list, after 56-bit encryption the next level of encryption is 128, which is with TLS_RSA_WITH_AES_128_CBC_SHA, RC4_SHA_US etc., and it doesn't work with these.

What could be the reason? Is it the level of MQ that I am at on Windows, which is MQv7.0?
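To triage the CSQX635E hex code and the pattern reported in this post (ciphers at or below 56 bits start, 128-bit ciphers do not), here is an added Python helper that is not from the thread or from IBM MQ: it decodes the 4-digit code in the syslog message against a small constructed table of CipherSpec names and key strengths, and checks whether the observed successes and failures split cleanly on key size. The function names, the table and the sample syslog text are constructed for this example.

```python
import re

# Reference table constructed for this example (not from the thread): MQ
# CipherSpec name -> (cipher-suite code per the IANA registry, symmetric key bits).
CIPHERSPECS = {
    "NULL_MD5":                     (0x0001, 0),
    "NULL_SHA":                     (0x0002, 0),
    "RC4_SHA_US":                   (0x0005, 128),
    "DES_SHA_EXPORT":               (0x0009, 56),   # SSLv3 name for 0009
    "TLS_RSA_WITH_DES_CBC_SHA":     (0x0009, 56),   # TLSv1 name for 0009
    "TRIPLE_DES_SHA_US":            (0x000A, 168),
    "TLS_RSA_WITH_AES_128_CBC_SHA": (0x002F, 128),  # the 002F in the thread
}

# CSQX635E as written to the z/OS syslog; \s+ tolerates a wrapped extract in
# which "cipher" and "specification" land on different lines.
CSQX635E = re.compile(
    r"\+CSQX635E\s+(?P<qmgr>\S+)\s+\S+\s+Invalid\s+cipher\s+"
    r"specification\s+(?P<code>[0-9A-Fa-f]{4})")

def names_for_code(code):
    """All CipherSpec names in the table that share this cipher-suite code."""
    return sorted(n for n, (c, _) in CIPHERSPECS.items() if c == code)

def decode_csqx635e(syslog_text):
    """Find CSQX635E; return the qmgr, the numeric code, candidate names, bits."""
    m = CSQX635E.search(syslog_text)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    names = names_for_code(code)
    bits = CIPHERSPECS[names[0]][1] if names else None
    return {"qmgr": m.group("qmgr"), "code": code, "names": names, "bits": bits}

def strength_boundary(results):
    """results maps CipherSpec -> True if the channel started with it. Reports the
    strongest working and weakest failing key size, and whether every failure is
    stronger than every success (the clean 56-bit boundary seen in the thread)."""
    ok = [CIPHERSPECS[c][1] for c, started in results.items() if started]
    bad = [CIPHERSPECS[c][1] for c, started in results.items() if not started]
    return {"max_working_bits": max(ok, default=None),
            "min_failing_bits": min(bad, default=None),
            "clean_boundary": bool(ok) and bool(bad) and max(ok) < min(bad)}

# Constructed sample input: the CSQX635E lines quoted in the first post (with
# the syslog continuation marker 290), and the start results reported later.
SYSLOG = ("10:15:15.97 STC14983 00000090 +CSQX635E QIB1 CSQXRCTL Invalid cipher\n"
          "specification 002F for channel 290\n"
          "290 00000090 QIB1.TO.QM3\n")
OBSERVED = {"TLS_RSA_WITH_DES_CBC_SHA": True, "NULL_MD5": True, "NULL_SHA": True,
            "DES_SHA_EXPORT": True, "TLS_RSA_WITH_AES_128_CBC_SHA": False,
            "RC4_SHA_US": False}
```

Run decode_csqx635e(SYSLOG) and strength_boundary(OBSERVED) to get the decoded cipher and the 56/128-bit split; a clean boundary points at the mainframe's available cipher strength rather than at the certificate exchange.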
Vitor wrote (Wed Sep 14, 2016 6:03 am):
ribs2609 wrote:
What could be the reason? Is it the level of MQ that I am at on Windows, which is MQv7.0?

And an old version of v7.0 at that. You were advised earlier in this thread to apply fixpacks.
ribs2609 wrote (Wed Sep 14, 2016 6:10 am):
Well, Windows will be at 7.5 by next week.
One query before that: I have QMGRs within the Windows server using TLS 128-bit encryption on SDR - RCVR and SVRCONN channels, and working.

From the same Windows server, the certificate is exported to the mainframe and then it only works with anything below 128 encryption!!
ribs2609 wrote (Wed Sep 14, 2016 6:30 am):
Also, is there a restriction on the certificate label name on the mainframe?
The usual ones I have come across are in this format: ibmWebSphereMQQMGRNAME.

Not sure if it has to be in this format; please advise if you could.