TLS FIPs with JKS
wmbwmq
Posted: Sun Feb 16, 2020 8:31 pm    Post subject: TLS FIPs with JKS

Acolyte

Joined: 18 Jul 2011
Posts: 66

Howdy,
After a long time I am getting back on the MQ horse; especially TLS. So I'm a little rusty and need your help.
My question is how to set up a JKS (for a JMS app from WebSphere Application Server) to be FIPS 140-2 compliant? The QMGR to which it is going to connect is already 140-2 compliant. I tried runmqckm but it doesn't seem to support -fips. Also, given there is no stashing available for JKS, what is the alternative (other than hard-coding the password from inside of WAS)?
Thanks
fjb_saper
Posted: Mon Feb 17, 2020 10:57 am    Post subject: Re: TLS FIPs with JKS

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

wmbwmq wrote:
Howdy,
After a long time I am getting back on the MQ horse; especially TLS. So I'm a little rusty and need your help.
My question is how to set up a JKS (for a JMS app from WebSphere Application Server) to be FIPS 140-2 compliant? The QMGR to which it is going to connect is already 140-2 compliant. I tried runmqckm but it doesn't seem to support -fips. Also, given there is no stashing available for JKS, what is the alternative (other than hard-coding the password from inside of WAS)?
Thanks

Use runmqakm and when done use runmqckm to create the JKS from the CMS store. The password and stores can be passed to the JVM using the -Djavax.net.ssl.keystore.password switches. Don't forget to push the keysize to the max (4096).
Hope it helps
_________________
MQ & Broker admin


Last edited by fjb_saper on Mon Feb 17, 2020 8:57 pm; edited 1 time in total
tczielke
Posted: Mon Feb 17, 2020 3:25 pm

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

You might also want to validate if a JCEKS is needed (instead of a JKS) for FIPS 140-2.
_________________
Working with MQ since 2010.
fjb_saper
Posted: Mon Feb 17, 2020 8:58 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

tczielke wrote:
You might also want to validate if a JCEKS is needed (instead of a JKS) for FIPS 140-2.

And remember SHA1 is not supported!!!
_________________
MQ & Broker admin
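
A check that follows from the replies above (keystore type, SHA1, key size), as an added example that is not part of any post in this thread: a shell function that scans `keytool -list -v` output for SHA1-signed certificates and RSA keys below the 4096 bits suggested earlier. The OpenJDK-style field labels, `MIN_RSA_BITS`, `app.jks` and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audits `keytool -list -v` text for the checks raised in the thread.
# Assumption: OpenJDK-style field labels; other JDKs may word them differently.
MIN_RSA_BITS=${MIN_RSA_BITS:-4096}   # hypothetical knob; 4096 is the size suggested above

# Reads a verbose keytool listing on stdin and prints one finding per line.
audit_keystore_listing() {
  awk -v min="$MIN_RSA_BITS" '
    /^Keystore type:/ { print "INFO keystore type " $3 }
    /^Alias name:/    { alias = $3 }
    /^Signature algorithm name:/ {
      if (toupper($4) ~ /^SHA1WITH/) { print "FAIL " alias " signed with " $4 }
    }
    /^Subject Public Key Algorithm:/ {
      bits = $5; sub(/-bit$/, "", bits)
      # Only RSA sizes are compared; EC keys use much smaller bit lengths.
      if ($6 == "RSA" && bits + 0 < min) {
        print "WARN " alias " RSA key is " bits " bits, below " min
      }
    }'
}

# Constructed, abridged sample listing; not taken from a real keystore.
sample_listing() {
  cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Alias name: mqclient
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key

Alias name: legacyca
Entry type: trustedCertEntry
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: ecclient
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
EOF
}

# Real use (keytool prompts for the store password):
#   keytool -list -v -keystore app.jks | audit_keystore_listing
sample_listing | audit_keystore_listing
```
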
wmbwmq
Posted: Tue Feb 18, 2020 6:46 am

Acolyte

Joined: 18 Jul 2011
Posts: 66

Thank you guys. I will try both options.

And yes, no longer using SHA1. Given how SSL was torn apart back in 2013, I am just hoping TLS will be the thing. But every time I hear any latest advancement in Quantum computing, I kinda feel TLS days may be numbered. But I hear elliptical algorithms are immune to quantum computing? Anyway, I realize eventually we will be using secure messaging based completely on Quantum Mechanics. But given the number of cells still left in my brain I just hope I retire by then.