ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportTLS 1.0 support in ACE 11.0.0.4

Post new topicReply to topic
TLS 1.0 support in ACE 11.0.0.4 View previous topic :: View next topic
Author Message
aurobindadev
PostPosted: Sun Sep 29, 2019 10:17 am Post subject: TLS 1.0 support in ACE 11.0.0.4 Reply with quote

Newbie

Joined: 29 Sep 2019
Posts: 2
Location: London, UK

Hi All,

In one of recent engagements, customer is migrating IIB v9 to ACE v11 fix pack 4(11.0.0.4). ACE 11.0.0.4 default TLS protocol is TLS 1.2 but there are certain REST applications who are yet to migrate from TLS 1.0 to TLS 1.2.

Hence customer is looking for workaround options to enable TLS 1.0 support for an interim period.

When I looked at knowledge center, previous versions of IIB such as v10 and v9 can achieve this using sslProtocol property at node or server level. For example in IIB v10 node level, if I do a mqsireportproperties

Code:
C:\Program Files\IBM\IIB\10.0.0.15>mqsireportproperties TESTNODE_amahapatra -b httplistener -o HTTPSConnector -n sslProtocol

TLS

BIP8071I: Successful command completion.


Now if I try the same in ACE 11.0.0.4
Code:
C:\Program Files\IBM\ACE\11.0.0.4>mqsireportproperties ACENODE01 -b httplistener -o HTTPSConnector -n sslProtocol

BIP8829E: Invalid property name 'sslProtocol' specified.
Property names must be valid XML element or XML attribute names.
Correct and reissue the command.


When I went through knowledge center, I found out this workaround of setting TLS protocol is possible using IBM JSSE as mentioned in following link
Code:
com.ibm.jsse2.overrideDefaultProtocol=<option>
Where <option> sets the default enabled protocol to one of the following values:
SSLv3: sets SSL V3.0 (See Note)
SSL_TLS: sets SSL V3.0 (See Note) and TLS 1.0
SSL_TLSv2: sets SSL V3.0 (See Note), TLS 1.0, TLS 1.1, and TLS 1.2
TLS: sets TLS 1.0
TLSv1: sets TLS 1.0
TLSv11: sets TLS 1.1
TLSv12: sets TLS 1.2
If a value is not set, the system default SSL protocol is used.


Please can someone share their experience on how TLS protocol could be downgraded from TLS 1.2 to TLS 1.0 in ACE 11.0.0.4.

If this question has already been answered, apologies and please guide me in the right direction.

Thanks!
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Sun Sep 29, 2019 11:35 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20109
Location: LI,NY

There is no reason why TLS1.1 and below should be supported at all in ACE11. TLS1.1 is deprecated and the only cryptographic algorithms that should be allowed are those of TLS1.2 and above.

The question you should ask yourself is not how do I downgrade to a lower version of TLS, but how do I upgrade the clients to work with TLS 1.2 and above...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
aurobindadev
PostPosted: Sun Sep 29, 2019 11:42 am Post subject: Reply with quote

Newbie

Joined: 29 Sep 2019
Posts: 2
Location: London, UK

I completely agree and customer is aware of the fact they need to upgrade the clients to TLS 1.2. They are just reviewing all options to take an informed decision.

My question is rather on technical side - whether downgrading TLS version is supported or not. If it is supported in ACE, how to achieve it using OOTB features rathern than setting a system variable using IBM JSSE.

This feature is allowed in IIB v10 using sslProtcol property but I am unable to find that property in ACE v11 or I maybe looking at the wrong place.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexWebSphere Message Broker SupportTLS 1.0 support in ACE 11.0.0.4
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.