MQSeries.net forum » IBM MQ Security

SHA384 ciphers don't work
gavze007
PostPosted: Tue Oct 02, 2018 4:48 am    Post subject: SHA384 ciphers don't work

Novice

Joined: 28 Mar 2018
Posts: 19

Hi,

We're running MQ 8.0.0.5 on Windows.
Usually we connect to remote QMGRs using TLS_RSA_WITH_AES_256_CBC_SHA256 ciphers configured on the channels.

One of our clients asked us to move to TLS_RSA_WITH_AES_256_CBC_SHA384 cipher.
After doing the change at both ends, the channel doesn't start and is stuck in retrying state.

What can be the cause?

Thanks
exerk
PostPosted: Tue Oct 02, 2018 5:17 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

What do the error logs say? Look there first because you haven't posted enough information for anyone to give you specific help...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
bruce2359
PostPosted: Tue Oct 02, 2018 5:54 am    Post subject: Re: SHA384 ciphers don't work

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

gavze007 wrote:
Hi,

We're running MQ 8.0.0.5 on Windows.
Usually we connect to remote QMGRs using TLS_RSA_WITH_AES_256_CBC_SHA256 ciphers configured on the channels.

One of our clients asked us to move to TLS_RSA_WITH_AES_256_CBC_SHA384 cipher.
After doing the change at both ends, the channel doesn't start and is stuck in retrying state.

What can be the cause?

Thanks


Did you successfully REFRESH SECURITY TYPE(SSL) at both ends of the channel?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
PostPosted: Tue Oct 02, 2018 5:59 am    Post subject: Re: SHA384 ciphers don't work

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

bruce2359 wrote:
Did you successfully REFRESH SECURITY TYPE(SSL) at both ends of the channel?

Out of curiosity, why?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
bruce2359
PostPosted: Tue Oct 02, 2018 7:45 am    Post subject: Re: SHA384 ciphers don't work

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

exerk wrote:
bruce2359 wrote:
Did you successfully REFRESH SECURITY TYPE(SSL) at both ends of the channel?

Out of curiosity, why?

OP didn’t state what else might have changed - perhaps a new cert.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
gavze007
PostPosted: Tue Oct 02, 2018 10:08 am

Novice

Joined: 28 Mar 2018
Posts: 19

I'll try to retrieve the logs and post them here.
No change was made to the certificates...
Vitor
PostPosted: Tue Oct 02, 2018 10:12 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

gavze007 wrote:
No change was made to the certificates...


Despite changing the ciphers?
_________________
Honesty is the best policy.
Insanity is the best defence.
PeterPotkay
PostPosted: Tue Oct 02, 2018 1:35 pm    Post subject: Re: SHA384 ciphers don't work

Poobah

Joined: 15 May 2001
Posts: 7717

gavze007 wrote:
One of our clients asked us to move to TLS_RSA_WITH_AES_256_CBC_SHA384 cipher.



https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm

I don't see TLS_RSA_WITH_AES_256_CBC_SHA384 in the table that shows cipher specifications that you can use with your IBM MQ 8.0 queue manager automatically.
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
PostPosted: Wed Oct 03, 2018 4:46 am    Post subject: Re: SHA384 ciphers don't work

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

PeterPotkay wrote:
gavze007 wrote:
One of our clients asked us to move to TLS_RSA_WITH_AES_256_CBC_SHA384 cipher.



https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm

I don't see TLS_RSA_WITH_AES_256_CBC_SHA384 in the table that shows cipher specifications that you can use with your IBM MQ 8.0 queue manager automatically.


I was wondering about that too......
_________________
Honesty is the best policy.
Insanity is the best defence.
hughson
PostPosted: Wed Oct 03, 2018 2:38 pm    Post subject: Re: SHA384 ciphers don't work

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

I assume your question contains a typo. You say you have changed from
TLS_RSA_WITH_AES_256_CBC_SHA256
to
TLS_RSA_WITH_AES_256_CBC_SHA384

but there is no such CipherSpec.

Assuming that your channel alteration worked, I'm assuming it was another cipherspec. Your question suggests that the important change was a move to a SHA384 cipherspec of which there are a few you can use on Windows:-
  • ECDHE_ECDSA_AES_256_CBC_SHA384
  • ECDHE_ECDSA_AES_256_GCM_SHA384
  • ECDHE_RSA_AES_256_CBC_SHA384
  • ECDHE_RSA_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384

The certificate you were previously using with SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) will not work with most of the above listed cipherspecs.

Please read Digital certificates and CipherSpec compatibility in IBM MQ. Specifically read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs"

In short, the first four cipherspecs in my bulleted list above require you to make a different kind of certificate. The last one I think should work with your current certificate.

If this does not solve your issue, I would reiterate what others have said, please provide the errors from the queue manager error log at both ends.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
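The post above makes two points that are easy to get wrong by hand: a CipherSpec name has to be one that actually exists, and the authentication algorithm in its name decides what kind of certificate the queue manager must present. The following is an added example, not code from this thread or from IBM. KNOWN_CIPHERSPECS is only the subset of names mentioned in the thread (MQ 8.0 on Windows); the authoritative list is the Knowledge Center page linked above. The certificate key-type rule is the TLS 1.2 one (RFC 5246, RFC 5288, RFC 5289): an ECDSA-authenticated suite needs an EC certificate, an RSA-authenticated suite needs an RSA certificate. The function and parameter names are this example's own.

```python
"""Check an IBM MQ CipherSpec name before it goes into a channel's SSLCIPH.

Added example: not code from the forum thread or from IBM. KNOWN_CIPHERSPECS
is only the subset named in the thread (MQ 8.0 on Windows); the authoritative
list is the IBM Knowledge Center page linked in the thread. The certificate
key-type rule is the TLS 1.2 one (RFC 5246, RFC 5288, RFC 5289): the
authentication algorithm in the suite name fixes the key type of the
certificate the TLS server end must present.
"""
import re

# CipherSpecs named in the thread (not a complete list for any MQ release).
KNOWN_CIPHERSPECS = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_ECDSA_AES_256_CBC_SHA384",
    "ECDHE_ECDSA_AES_256_GCM_SHA384",
    "ECDHE_RSA_AES_256_CBC_SHA384",
    "ECDHE_RSA_AES_256_GCM_SHA384",
}

# MQ spells RSA key-exchange suites with the IANA "TLS_RSA_WITH_" prefix and
# the ECDHE suites without any prefix; one pattern covers both shapes.
_NAME = re.compile(
    r"^(?:TLS_RSA_WITH|(?P<ecdhe>ECDHE)_(?P<auth>ECDSA|RSA))"
    r"_(?P<cipher>AES_(?:128|256)_(?:CBC|GCM))_(?P<hash>SHA(?:256|384)?)$"
)

# Authentication algorithm in the suite name -> key type the certificate needs.
_CERT_KEY_FOR_AUTH = {"RSA": "RSA", "ECDSA": "EC"}


def describe(cipherspec):
    """Split a CipherSpec into its parts and the certificate key it requires.

    Raises ValueError for names that are malformed or not in KNOWN_CIPHERSPECS.
    The OP's TLS_RSA_WITH_AES_256_CBC_SHA384 fails here: TLS 1.2 defines no
    RSA key-exchange CBC suite with HMAC-SHA384 (RFC 5246 stops at SHA256).
    """
    m = _NAME.match(cipherspec)
    if not m:
        raise ValueError("malformed CipherSpec name: %s" % cipherspec)
    if cipherspec not in KNOWN_CIPHERSPECS:
        raise ValueError("unknown CipherSpec: %s" % cipherspec)
    ecdhe = m.group("ecdhe") is not None
    auth = m.group("auth") or "RSA"   # TLS_RSA_*: RSA does key exchange and auth
    return {
        "name": cipherspec,
        "key_exchange": "ECDHE" if ecdhe else "RSA",
        "authentication": auth,
        "cipher": m.group("cipher"),
        "hash": m.group("hash"),
        "forward_secrecy": ecdhe,
        "certificate_key": _CERT_KEY_FOR_AUTH[auth],
    }


def check_channel(sender_spec, receiver_spec, receiver_cert_key):
    """Findings for a sender/receiver pair; an empty list means nothing obvious.

    receiver_cert_key is "RSA" or "EC": the public-key type of the certificate
    the receiving queue manager presents (it is the TLS server on the channel).
    """
    findings = []
    for end, spec in (("sender", sender_spec), ("receiver", receiver_spec)):
        try:
            describe(spec)
        except ValueError as err:
            findings.append("%s SSLCIPH: %s" % (end, err))
    if findings:
        return findings
    if sender_spec != receiver_spec:
        findings.append("SSLCIPH must match at both ends: %s vs %s"
                        % (sender_spec, receiver_spec))
    need = describe(receiver_spec)["certificate_key"]
    if need != receiver_cert_key:
        findings.append("receiver certificate has an %s key but %s needs %s"
                        % (receiver_cert_key, receiver_spec, need))
    return findings


if __name__ == "__main__":
    for name in ("TLS_RSA_WITH_AES_256_CBC_SHA384", "ECDHE_ECDSA_AES_256_GCM_SHA384"):
        try:
            print(describe(name))
        except ValueError as err:
            print(err)
    print(check_channel("ECDHE_ECDSA_AES_256_GCM_SHA384",
                        "ECDHE_ECDSA_AES_256_GCM_SHA384", "RSA"))
```

Run stand-alone, the first name is rejected as unknown, the second is described as ECDHE/ECDSA needing an EC certificate, and check_channel reports the mismatch between that requirement and an RSA receiver certificate. Only the receiver's certificate is checked here; with the MQ default of SSLCAUTH(REQUIRED) the sender's certificate is also verified, but that is a trust-chain question, not one the CipherSpec name answers.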
Vitor
PostPosted: Thu Oct 04, 2018 4:53 am    Post subject: Re: SHA384 ciphers don't work

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

hughson wrote:
The certificate you were previously using with SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) will not work with most of the above listed cipherspecs.


I did think you'd need a new certificate.......


me!
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
PostPosted: Thu Oct 04, 2018 4:59 am    Post subject: Re: SHA384 ciphers don't work

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Vitor wrote:
hughson wrote:
The certificate you were previously using with SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) will not work with most of the above listed cipherspecs.


I did think you'd need a new certificate.......


me!

The law of averages...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
gavze007
PostPosted: Thu Oct 11, 2018 5:27 am

Novice

Joined: 28 Mar 2018
Posts: 19

Hi again,

Sorry for the delayed answer.
We tried 2 different ciphers:

ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384

And two different setups:
1. Sender on my end, receiver on the client's side
2. Receiver on my end, sender on the client's side

On the first setup, both ciphers work without a problem.

On the second setup, none of the ciphers works.
The sender channel at the client's side is stuck at "retrying", and this is the only information we have in the client's logs:

Channel 'XXXX' to host 'XXXX(xx)' ended abnormally.
The channel program running under process ID 23145 for channel
'XXXX' ended abnormally. The host name is 'XXXX(xx)'; in
some cases the host name cannot be determined and so is shown as '????'.

On my end there are no entries on the log files.
Does it mean that my client has an unsuitable certificate, or that I do?

Thanks again for the help
hughson
PostPosted: Thu Oct 11, 2018 12:03 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

gavze007 wrote:
We tried 2 different ciphers:

ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384

And two different setups:
1. Sender on my end, receiver on the client's side
2. Receiver on my end, sender on the client's side

On the first setup, both ciphers work without a problem.

On the second setup, none of the ciphers works.

Please read Digital certificates and CipherSpec compatibility in IBM MQ. Specifically read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs"

Those two cipherspecs that you have listed will require different certificates. I don't understand how they both work in your first setup.

You have stated in your most recent post that the only thing seen in the queue manager error log at the client's side is this:-
gavze007 wrote:
Channel 'XXXX' to host 'XXXX(xx)' ended abnormally.
The channel program running under process ID 23145 for channel
'XXXX' ended abnormally. The host name is 'XXXX(xx)'; in
some cases the host name cannot be determined and so is shown as '????'.


This would appear to be message number AMQ9999 (please help us in future by including the message number when you paste in error message details; they are unique and make things so much easier to look up).

The complete text of message AMQ9999 is as follows:-
AMQ9999 wrote:
MESSAGE:
Channel '<insert one>' to host '<insert three>' ended abnormally.

EXPLANATION:
The channel program running under process ID <insert two> for channel '<insert
one>' ended abnormally. The host name is '<insert three>'; in some cases the
host name cannot be determined and so is shown as '????'.

ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.


The important thing to note here is the first sentence in the ACTION section. This tells you that there is always a preceding message to this one that gives more information about WHY the channel ended abnormally. Please could you paste that (including message number) into your next post. This is the one with the pertinent information.

Also could you tell us what kind of certificate you are using (refer to the Knowledge Center page linked above).

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
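The point in the post above, that AMQ9999 is only the epilogue and the cause sits in an earlier entry from the same channel process, is something you can mechanise when the error log is long or the channel has been retrying for a while. The following is an added example, not code from this thread or from IBM. SAMPLE_LOG is a constructed AMQERR01.LOG-style extract: the timestamps, host names, queue manager name, channel names, process IDs and source-file footer lines are made up, and the EXPLANATION/ACTION bodies are abbreviated, so it is not a capture from either end of the OP's channel. The parser pairs each AMQ9999 with the nearest earlier entry carrying the same Process(pid), which is the "previous error messages for the channel program" that the ACTION text tells you to read.

```python
"""Find the message that explains an AMQ9999 in an IBM MQ queue manager error log.

Added example: not code from the forum thread or from IBM. AMQ9999 only says
that a channel program ended abnormally; as its ACTION text says, the cause is
in an earlier message from the same process. This pairs each AMQ9999 with the
nearest earlier entry carrying the same Process(pid). SAMPLE_LOG is a
constructed AMQERR01.LOG-style extract (timestamps, host names, channel names,
process IDs and footer lines are made up; EXPLANATION/ACTION bodies are
abbreviated), not a capture from the OP's systems.
"""
import re

SAMPLE_LOG = """\
10/11/2018 10:03:21 - Process(23145.1) User(mqm) Program(runmqchl)
                      Host(client-host) Installation(Installation1)
                      VRMF(8.0.0.5) QMgr(CLIENT.QM)

AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'XXXX'.

EXPLANATION:
(abbreviated)
ACTION:
(abbreviated)
----- amqccisa.c : 0000 -------------------------------------------------------
10/11/2018 10:03:21 - Process(30102.1) User(mqm) Program(amqrmppa)
                      Host(client-host) Installation(Installation1)
                      VRMF(8.0.0.5) QMgr(CLIENT.QM)

AMQ9002: Channel 'OTHER.CHL' is starting.

EXPLANATION:
(abbreviated)
ACTION:
(abbreviated)
----- amqrccca.c : 0000 -------------------------------------------------------
10/11/2018 10:03:22 - Process(23145.1) User(mqm) Program(runmqchl)
                      Host(client-host) Installation(Installation1)
                      VRMF(8.0.0.5) QMgr(CLIENT.QM)

AMQ9999: Channel 'XXXX' to host 'XXXX(xx)' ended abnormally.

EXPLANATION:
The channel program running under process ID 23145 for channel 'XXXX' ended
abnormally. The host name is 'XXXX(xx)'; in some cases the host name cannot be
determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure.
----- amqrccca.c : 0000 -------------------------------------------------------
"""

# Each entry ends with a "----- <source file> : <line> ----" footer line.
_FOOTER = re.compile(r"^----- .*\n?", re.M)
# First line of an entry: timestamp, then Process(pid.tid).
_HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - Process\((\d+)\.\d+\)")
# Message line: AMQnnnn, optionally followed by a severity letter in newer releases.
_MESSAGE = re.compile(r"^(AMQ\d{4})[A-Z]?: (.*)$", re.M)


def parse_entries(log_text):
    """Return the log as a list of dicts: time, pid, msgid, first line of text."""
    entries = []
    for chunk in _FOOTER.split(log_text):
        chunk = chunk.strip("\n")
        header = _HEADER.match(chunk)
        message = _MESSAGE.search(chunk)
        if not (header and message):
            continue          # partial or unrecognised entry: skip, do not guess
        entries.append({
            "time": header.group(1),
            "pid": int(header.group(2)),
            "msgid": message.group(1),
            "text": message.group(2).strip(),
        })
    return entries


def explain_amq9999(log_text):
    """Pair each AMQ9999 with the nearest earlier message from the same process.

    Returns a list of (pid, cause_msgid, cause_text); the cause fields are None
    when the log holds no earlier entry for that pid (e.g. it was rotated out).
    """
    entries = parse_entries(log_text)
    results = []
    for i, entry in enumerate(entries):
        if entry["msgid"] != "AMQ9999":
            continue
        cause = next((e for e in reversed(entries[:i]) if e["pid"] == entry["pid"]), None)
        results.append((entry["pid"],
                        cause["msgid"] if cause else None,
                        cause["text"] if cause else None))
    return results


if __name__ == "__main__":
    for pid, msgid, text in explain_amq9999(SAMPLE_LOG):
        print("AMQ9999 from pid %d, preceded by %s: %s" % (pid, msgid, text))
```

Matching on the process ID rather than on the channel name matters because the interleaved AMQ9002 from another channel process is skipped, and because a retrying sender writes a fresh AMQ9999 per attempt, each with its own pid. Point parse_entries at the real AMQERR01.LOG at both ends (the OP reports nothing on the receiving side, which itself is a useful data point: a handshake that fails before the receiver accepts the connection leaves the sender's log as the only record).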
tczielke
PostPosted: Thu Oct 11, 2018 1:12 pm

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

You wouldn't think this would be the case, but is it possible different CERTLABL (i.e. certificates) were in play with the two tests?
_________________
Working with MQ since 2010.