ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportUse of RFHUTILC (IH03) with TLS 1.2 cipher on channel

Post new topicReply to topic Goto page 1, 2  Next
Use of RFHUTILC (IH03) with TLS 1.2 cipher on channel View previous topic :: View next topic
Author Message
zpat
PostPosted: Mon Aug 06, 2018 12:18 pm Post subject: Use of RFHUTILC (IH03) with TLS 1.2 cipher on channel Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5658
Location: UK

Question on support pac IH03 RFHUTILC version 7.5, when connecting via MQ client 7.1.0.7 to a remote QM (in this case z/OS MQ 7.1) over a SVRCONN channel.

Is it possible to use this TLS 1.2 cipher on the server connection channel with this program?

TLS_RSA_WITH_AES_256_CBC_SHA256 ?

This value doesnt appear in the cipher list when I press set conn id.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Mon Aug 06, 2018 10:58 pm Post subject: Re: Use of RFHUTILC (IH03) with TLS 1.2 cipher on channel Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19826
Location: LI,NY

zpat wrote:
Question on support pac IH03 RFHUTILC version 7.5, when connecting via MQ client 7.1.0.7 to a remote QM (in this case z/OS MQ 7.1) over a SVRCONN channel.

Is it possible to use this TLS 1.2 cipher on the server connection channel with this program?

TLS_RSA_WITH_AES_256_CBC_SHA256 ?

This value doesnt appear in the cipher list when I press set conn id.

A lot has changed in SSL since version 7.5... get the latest version of RFHUtilc and try again...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
zpat
PostPosted: Mon Aug 06, 2018 11:45 pm Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5658
Location: UK

What is the latest IH03 and where is it found now?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
exerk
PostPosted: Tue Aug 07, 2018 1:02 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 5961

zpat wrote:
What is the latest IH03 and where is it found now?

It shows as WITHDRAWN with only a link to the pdf guide, for me at least. What about using a CCDT?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
markt
PostPosted: Tue Aug 07, 2018 3:46 am Post subject: Reply with quote

Chevalier

Joined: 14 May 2002
Posts: 405

1. Older programs often provided two versions - one linked with libmqic, one with libmqm. The libmqm-bound programs can these days usually be forced to use client connectivity by setting MQ_CONNECT_TYPE=CLIENT in the environment.

2. rfhutilc does a bunch of CCDT or other client definition parsing that is not done by the libmqm rfhutil. Using rfhutilc's GUI connection panels you can't set cipherspecs that it doesn't know about. But using environment variables you may be able to use rfhutil instead of rfhutilc and trick it into using the CCDT directly.

3. There's apparently a bug at the moment in the process that takes supportpac pages from the authoring system out to the public site ... it's losing the anchor text for the download, though you can still see the link if you look at the page's source (ctrl-U in firefox). That is being investigated by the owners of that tool.

4. V7.5.0 is the last version of rfhutil that got released through the SupportPac process. Although there have been newer levels knocking around, they were never submitted for formal release.

5. Because we have no way to update the SupportPac further (the author was not in MQ development), it's been put on the withdrawn list. No plans to block it from download entirely for the moment, but it makes it clearer that it does what it does, and don't expect any more.
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Tue Aug 07, 2018 10:52 am Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3082
Location: London, ON Canada

Hi zpat,

Why don't you have a look at MQ Visual Edit? It can handle TLS 1.2.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
zpat
PostPosted: Wed Aug 08, 2018 11:41 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5658
Location: UK

Thanks for info.

Presumably the source code for IH03 belongs to IBM and they could maintain it or open-source it if they chose.

It's a shame that support pacs have been allowed to wither - they have been some of the best aspects of using MQ.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
zpat
PostPosted: Thu Aug 09, 2018 8:08 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5658
Location: UK

Works fine with a CCDT and setting MQSSKEYR environment variable.

Only downside is that we have far, far too many QMs for easy CCDT creation....
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
dallen
PostPosted: Tue Sep 18, 2018 3:44 pm Post subject: Reply with quote

Newbie

Joined: 18 Sep 2018
Posts: 2

We struggled with letting go of RFHUtil because it was so useful to admins and developers but we are starting the process of deprecating TLS 1.0 (TLS_RSA_WITH_AES_128_CBC_SHA) in favor of TLS 1.2 (TLS_RSA_WITH_AES_128_CBC_SHA256) and RFHUtil did not support TLS 1.2. I came across this message and saw that others have the same issue. As I was watching college football (Go Vols!) this week I thought to myself I wonder if hex editing the RFHUtilC.exe would work, thinking back to my shareware cracking days using SoftICE debugger, lol. So I loaded up the HEX editor plugin in Notepad++, I am sure any HEX editor will work, and started searching for the cipher names. I found them and the TLS_RSA_WITH_AES_128_CBC_SHA cipher actually had several null chars at the end of it and I replaced 3 of them with "256" and turned "TLS_RSA_WITH_AES_128_CBC_SHA" into "TLS_RSA_WITH_AES_128_CBC_SHA256" and holy hell IT WORKED! I am now able to connect to my MQ 8 channels with TLS 1.2 from RFHUtil. You should be able to change the same text to ""TLS_RSA_WITH_AES_256_CBC_SHA256" as well and it work just fine. This would not have worked if those null chars were not there and it increased the size of the exe because it would have thrown all of the offsets and addressing out of whack. The bad part is that pulldown menu that displays the ciphers was designed to short so you cant see the full text but if you highlight, copy it and paste it into and editor you can see the full string. You also are not able to edit the text in the pulldown, which would have been an easier solution for future ciphers. Give this a shot and let me know if it works for you.
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Wed Sep 19, 2018 3:16 pm Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3082
Location: London, ON Canada

Bad idea to promote hacking of a non open source/public domain software tool. You do understand that IBM owns the rights to RFHUTIL.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
dallen
PostPosted: Wed Sep 19, 2018 3:23 pm Post subject: Reply with quote

Newbie

Joined: 18 Sep 2018
Posts: 2

As long as I don't publicly redistribute my modified copy or profit off it then I am not violating any laws and if IBM even cared about the product they would update it and continue to support it. If he doesn't want to try it that's his choice but it worked for me.
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Wed Sep 19, 2018 4:11 pm Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3082
Location: London, ON Canada

dallen wrote:
As long as I don't publicly redistribute my modified copy or profit off it then I am not violating any laws and if IBM even cared about the product they would update it and continue to support it. If he doesn't want to try it that's his choice but it worked for me.

That falls under the 'Fake News' category. Any modification of the software, even for personal use is illegal.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
abhi_thri
PostPosted: Thu Sep 20, 2018 12:21 am Post subject: Reply with quote

Master

Joined: 17 Jul 2017
Posts: 236
Location: UK

Hi All...just to add to the discussion. The client where I work did get the IBM contact to send us a new version of IH03 when we faced the same issue of TLSv1.2 ciphers, I believe they simply added the new set of ciphers shipped with the new MQ version to it.

Version we currently use is - V8.0.0 Build 224

We did request IBM to release this version publicly before it got formally withdrawn. I guess if you ask the authors nicely you may still be able to get hold of v8 version.
Back to top
View user's profile Send private message
mk621
PostPosted: Sat Oct 27, 2018 4:20 am Post subject: Reply with quote

Novice

Joined: 15 Oct 2012
Posts: 15

abhi_thri wrote:
Hi All...just to add to the discussion. The client where I work did get the IBM contact to send us a new version of IH03 when we faced the same issue of TLSv1.2 ciphers, I believe they simply added the new set of ciphers shipped with the new MQ version to it.

Version we currently use is - V8.0.0 Build 224

We did request IBM to release this version publicly before it got formally withdrawn. I guess if you ask the authors nicely you may still be able to get hold of v8 version.



Hi Abhi, can you pls send me that new version of rfhutil on this email rohsh5000@gmail.com

and can you also tell me who to contact IBM for official version

Thanks for your help.
appreciate.
Back to top
View user's profile Send private message
zpat
PostPosted: Sat Oct 27, 2018 7:56 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5658
Location: UK

Just to be clear, using a CCDT you do not need an updated version to use TLS 1.2 (or any cipher).
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum IndexGeneral IBM MQ SupportUse of RFHUTILC (IH03) with TLS 1.2 cipher on channel
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.