TLS FIPs with JKS

wmbwmq
Posted: Sun Feb 16, 2020 8:31 pm Post subject: TLS FIPs with JKS
Acolyte
Joined: 18 Jul 2011 Posts: 66
Howdy,
After a long time I am getting back on the MQ horse; especially TLS. So I'm a little rusty and need your help.
My question is how to set up a JKS (for a JMS app from WebSphere Application Server) to be FIPS 140-2 compliant? The QMGR to which it is going to connect is already 140-2 compliant. I tried runmqckm but it doesn't seem to support -fips. Also, given there is no stashing available for JKS, what is the alternative (other than hard-coding the password from inside of WAS)?
Thanks

fjb_saper
Posted: Mon Feb 17, 2020 10:57 am Post subject: Re: TLS FIPs with JKS
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
wmbwmq wrote:
Howdy,
After a long time I am getting back on the MQ horse; especially TLS. So I'm a little rusty and need your help.
My question is how to set up a JKS (for a JMS app from WebSphere Application Server) to be FIPS 140-2 compliant? The QMGR to which it is going to connect is already 140-2 compliant. I tried runmqckm but it doesn't seem to support -fips. Also, given there is no stashing available for JKS, what is the alternative (other than hard-coding the password from inside of WAS)?
Thanks

Use runmqakm and, when done, use runmqckm to create the JKS from the CMS store. The password and stores can be passed to the JVM using the -Djavax.net.ssl.keystore.password switches. Don't forget to push the keysize to the max (4096).
Hope it helps
_________________
MQ & Broker admin
Last edited by fjb_saper on Mon Feb 17, 2020 8:57 pm; edited 1 time in total

tczielke
Posted: Mon Feb 17, 2020 3:25 pm Post subject:
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
You might also want to validate if a JCEKS is needed (instead of a JKS) for FIPS 140-2.
_________________
Working with MQ since 2010.

fjb_saper
Posted: Mon Feb 17, 2020 8:58 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
tczielke wrote:
You might also want to validate if a JCEKS is needed (instead of a JKS) for FIPS 140-2.

And remember SHA1 is not supported!!!
_________________
MQ & Broker admin
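
An added example, not code from any poster in this thread: a small Java check that loads the keystore named by the standard JSSE system properties javax.net.ssl.keyStore, javax.net.ssl.keyStoreType and javax.net.ssl.keyStorePassword, so the password comes from the JVM's -D switches rather than from code, and reports certificates signed with SHA-1 or carrying short RSA keys. The class name KeystoreAudit and the 2048-bit floor are assumptions of this example; the thread itself recommends 4096.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class KeystoreAudit {
    // Assumed policy floor for this example; the thread recommends 4096.
    static final int MIN_RSA_BITS = 2048;

    // Returns one finding per certificate that is SHA-1 signed or has a short RSA key.
    static List<String> audit(KeyStore ks) throws Exception {
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            // Key entries carry a chain; trusted-certificate entries carry one certificate.
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) chain = new Certificate[] { ks.getCertificate(alias) };
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue; // also skips null
                X509Certificate x = (X509Certificate) c;
                String sig = x.getSigAlgName().toUpperCase(Locale.ROOT);
                if (sig.contains("SHA1") || sig.contains("SHA-1")) {
                    findings.add(alias + ": signed with " + x.getSigAlgName());
                }
                if (x.getPublicKey() instanceof RSAPublicKey) {
                    int bits = ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength();
                    if (bits < MIN_RSA_BITS) findings.add(alias + ": RSA key is " + bits + " bits");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Store location, type and password are read from -D switches, never hard-coded.
        String path = System.getProperty("javax.net.ssl.keyStore");
        String type = System.getProperty("javax.net.ssl.keyStoreType", "JKS");
        String pw = System.getProperty("javax.net.ssl.keyStorePassword");
        if (path == null || pw == null) throw new IllegalStateException("keystore properties not set");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw.toCharArray());
        }
        List<String> findings = audit(ks);
        findings.forEach(System.out::println);
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

An exit status of 0 means no findings; passing -Djavax.net.ssl.keyStoreType=JCEKS runs the same check against a JCEKS store.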

wmbwmq
Posted: Tue Feb 18, 2020 6:46 am Post subject:
Acolyte
Joined: 18 Jul 2011 Posts: 66
Thank you guys. I will try both options.
And yes, no longer using SHA1. Given how SSL was torn apart back in 2013, I am just hoping TLS will be the thing. But every time I hear any latest advancement in Quantum computing, I kinda feel TLS days may be numbered. But I hear elliptical algorithms are immune to quantum computing? Anyway, I realize eventually we will be using secure messaging based completely on Quantum Mechanics. But given the number of cells still left in my brain I just hope I retire by then