TLS1.2 connectivity to MQ failing
Mangesh1187
PostPosted: Thu Feb 23, 2017 6:16 am    Post subject: TLS1.2 connectivity to MQ failing

Centurion

Joined: 23 Mar 2013
Posts: 116

Hi All,

Here is an issue I am facing with the TLS connectivity.

MQ server : 8.0.0.4
JMS Client WAS : 8.5

Previously we had the SVRCONN definition with SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) & the SSL_RSA_WITH_AES_128_CBC_SHA cipher suite on WAS.
This connectivity using TLS1.0 was working fine.

Then we changed the settings of the SVRCONN to SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA) & the SSL_RSA_WITH_AES_256_CBC_SHA cipher suite on WAS.
Also changed the protocol to TLS1.2 in the WAS properties.
But connectivity was not working & giving the following errors in the MQ logs:

AMQ9616: The CipherSpec proposed is not enabled on the server.

EXPLANATION:
The SSL or TLS subsystem at the server end of a channel been configured in such
a way that it has rejected the CipherSpec proposed by an SSL or TLS client.
This rejection occurred during the secure socket handshake (i.e. it happened
before the proposed CipherSpec was compared with the CipherSpec in the serverchannel definition).

This error most commonly occurs when the choice of acceptable CipherSpecs has
been limited in one of the following ways:
(a) The server queue manager SSLFipsRequired attribute is set to YES and the
channel is using a CipherSpec which is not FIPS-certified on the server.
(b) The server queue manager EncryptionPolicySuiteB attribute has been set to a
value other than NONE and the channel is using a CipherSpec which does not
meet the server's configured Suite B security level.
(c) The protocol used by the channel has been deprecated. Note that IBM may
need to deprecate a protocol via product maintenance in response to a
security vulnerability, for example SSLv3 has been deprecated. Continued use
of SSLv3 protocol is not recommended but may be enabled by setting
environment variable AMQ_SSL_V3_ENABLE=TRUE.

I checked all these 3 possibilities & below are the configurations on the Queue Manager:
(a) SSLFIPS = NO & on the client side it's also using non-FIPS configurations.
(b) SUITEB = NONE
(c) As per the link http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzaw.doc/ja11320_.htm
TLS_RSA_WITH_AES_256_CBC_SHA is using the TLS1.2 protocol. Hence it seems fine.
Also, I have not set the env variable AMQ_SSL_V3_ENABLE.

I am trying to explore more on this, but no luck so far.
Your feedback will be valuable if someone has already faced this kind of issue, in particular for TLS_RSA_WITH_AES_128_CBC_SHA & TLS1.2.
zpat
PostPosted: Thu Feb 23, 2017 6:22 am    Post subject:

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

A long shot, but what happens if you add this setting in the mqm profile and restart the QM?

export GSK_STRICTCHECK_CBCPADBYTES=GSK_FALSE
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Vitor
PostPosted: Thu Feb 23, 2017 6:27 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Moved to more relevant section
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
PostPosted: Thu Feb 23, 2017 6:32 am    Post subject: Re: TLS1.2 connectivity to MQ failing

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Mangesh1187 wrote:
Then we changed the settings of the SVRCONN to SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA) & the SSL_RSA_WITH_AES_256_CBC_SHA cipher suite on WAS.
Also changed the protocol to TLS1.2 in the WAS properties.

From the KC:

Quote:
TLS_RSA_WITH_AES_256_CBC_SHA | SSL_RSA_WITH_AES_256_CBC_SHA | TLSv1


Maybe you should try:

Quote:
TLS_RSA_WITH_AES_256_CBC_SHA256 | SSL_RSA_WITH_AES_256_CBC_SHA256 | TLSv1.2

_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
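The reasoning in the reply above (the CipherSpec name fixes the protocol version on the MQ side, so forcing TLSv1.2 in WAS while keeping a TLSv1 CipherSpec triggers AMQ9616) can be turned into a small configuration checker. The following is an added example written for this thread; it is not code from IBM MQ, WebSphere or the posters. The two TLS_RSA_WITH_AES_256 rows of the table are the ones quoted from the Knowledge Center above; the two AES_128 rows are assumed by analogy. The checker models reasons (b) and (c) of the AMQ9616 text and the later comparison against the channel's SSLCIPH; it does not model FIPS certification of individual CipherSpecs, so SSLFIPS is carried but not evaluated. The class and function names are my own.

```python
"""Compatibility check between an MQ SVRCONN channel and a WAS/JMS client.

Added example for the AMQ9616 discussion; not IBM or poster code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# MQ CipherSpec -> protocol version MQ associates with it.
# First two rows: quoted from the IBM KC in the thread.
# Last two rows: assumption, by analogy with the quoted rows.
CIPHERSPEC_PROTOCOL = {
    "TLS_RSA_WITH_AES_256_CBC_SHA": "TLSv1",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "TLSv1.2",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "TLSv1",       # assumption
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "TLSv1.2",  # assumption
}


def jms_to_cipherspec(jms_suite: str) -> str:
    """The JSSE/JMS name differs from the MQ CipherSpec only in its SSL_ prefix
    (SSL_RSA_WITH_AES_256_CBC_SHA <-> TLS_RSA_WITH_AES_256_CBC_SHA in the thread)."""
    return "TLS_" + jms_suite[len("SSL_"):] if jms_suite.startswith("SSL_") else jms_suite


def tls12_equivalent(cipherspec: str) -> Optional[str]:
    """Return a TLSv1.2 CipherSpec with the same key exchange and AES key size,
    i.e. the _SHA256 variant of a TLSv1 _SHA CipherSpec, if the table knows one."""
    if CIPHERSPEC_PROTOCOL.get(cipherspec) == "TLSv1.2":
        return cipherspec
    candidate = cipherspec + "256"
    return candidate if CIPHERSPEC_PROTOCOL.get(candidate) == "TLSv1.2" else None


@dataclass
class Channel:
    """Relevant attributes of the queue manager side (runmqsc names)."""
    sslciph: str
    sslfips: str = "NO"    # carried for completeness; certification is not modelled here
    suiteb: str = "NONE"


@dataclass
class Client:
    """What the WAS/JMS side presents: its cipher suite and the protocol it forces."""
    cipher_suite: str
    protocol: str


def diagnose(channel: Channel, client: Client) -> Tuple[bool, str]:
    """Return (ok, message) for the given pair, following the AMQ9616 explanation."""
    spec = jms_to_cipherspec(client.cipher_suite)
    required = CIPHERSPEC_PROTOCOL.get(spec)
    if required is None:
        return False, f"{spec} is not in the CipherSpec table; protocol unknown"

    # (b) Suite B: an RSA key-exchange CipherSpec does not meet any Suite B level.
    if channel.suiteb.upper() != "NONE" and spec.startswith("TLS_RSA_"):
        return False, f"AMQ9616 (b): SUITEB({channel.suiteb}) rejects {spec}"

    # Handshake-time rejection: the client forces a protocol version that the
    # CipherSpec is not defined for on the MQ side (the case in the thread).
    if client.protocol != required:
        msg = (f"AMQ9616: {spec} is a {required} CipherSpec in MQ, "
               f"but the client is negotiating {client.protocol}")
        fix = tls12_equivalent(spec)
        if client.protocol == "TLSv1.2" and fix:
            msg += f"; use SSLCIPH({fix}) on the channel and SSL_{fix[len('TLS_'):]} in WAS"
        return False, msg

    # Only after a successful handshake is the proposed CipherSpec compared
    # with the channel definition.
    if spec != channel.sslciph:
        return False, f"handshake ok, but {spec} does not match SSLCIPH({channel.sslciph})"
    return True, f"{spec} over {required} matches SSLCIPH({channel.sslciph})"


if __name__ == "__main__":
    # Constructed inputs reproducing the thread: the working TLS1.0 setup,
    # the failing TLS1.2 setup, and the suggested fix.
    for ch, cl in [
        (Channel("TLS_RSA_WITH_AES_128_CBC_SHA"), Client("SSL_RSA_WITH_AES_128_CBC_SHA", "TLSv1")),
        (Channel("TLS_RSA_WITH_AES_256_CBC_SHA"), Client("SSL_RSA_WITH_AES_256_CBC_SHA", "TLSv1.2")),
        (Channel("TLS_RSA_WITH_AES_256_CBC_SHA256"), Client("SSL_RSA_WITH_AES_256_CBC_SHA256", "TLSv1.2")),
    ]:
        print(diagnose(ch, cl))
```

Running the script prints one (ok, message) tuple per scenario; the middle one is the thread's failing combination and its message names the SHA256 CipherSpec that the reply above proposes.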