I want to know TLSv2 with JDk8 Ciphersuites and specs with MQ8?
I created a jks file on MQ8 with 'runmqckm' command on unix
is jks have any dependency on Ciphersuites and Spec on parameter '-sig_alg'
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083860_.htm
Question on TLSv2 Ciphersuite
SUite<>SPec combination is not working as below site
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
CipherSpec - TLS_RSA_WITH_AES_128_CBC_SHA256
Equivalent CipherSuite - SSL_RSA_WITH_AES_128_CBC_SHA256
Protocol - TLSv1.2
FIPS 140-2 compatible - yes
working
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
Not working
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_AES_128_CBC_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
Only 3 TLS Ciphers i can Test as below , what spec i can use?
Oracle CipherSuite
1.TLS_RSA_WITH_NULL_SHA256
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.TLS_RSA_WITH_AES_256_CBC_SHA256
MQ Spec
1.??
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.??
Only 1 cipher i can use part of TLS (JDK8 + MQ8)?
Working
TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256
Not Working
TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
1 : ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
AMQ8242: SSLCIPH definition wrong.
Not working
TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256
MQJE001: Completion Code '2', Reason '2393'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:249)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:450)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:487)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:97)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:194)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:868)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:816)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:758)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:200)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:682)
at MQProducerTLS.main(MQProducerTLS.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2282)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:916)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:235)
... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2049)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLocalAddress(RemoteTCPConnection.java:861)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1277)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:863)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1730)
... 15 more
Caused by: java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers
at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:81)
at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2461)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2041)
... 22 more
Update on 20-Feb-2017
when sample code , placed in application getting below Authorization errors
New Question link as below
http://stackoverflow.com/questions/42347461/authorization-errors-with-mq8-jdk8
Regarding the -sig_alg flag for the runmqckm command, the details below are in the link you provided:
The hashing algorithm used during the creation of a certificate
request, a self-signed certificate, or the signing of a certificate.
This hashing algorithm is used to create the signature associated with
the newly-created certificate or certificate request.
In shore the -sig_alg flag for the runmqckm command is not related to the CipherSuite your specify in Java or the CipherSpec you specify on the MQ SVRCONN channel.
In my answer to your previous question "mq-error-on-ssl-enabled I provided this information:
The table in the APAR IV66840 has this information:
The following WebSphere MQ CipherSuite to CipherSpec mappings have
been enabled by this APAR for WebSphere MQ v7.1 and v7.5 where the
classes for Java and classes for JMS support SHA-2:
Oracle CipherSuite IBM MQ CipherSpec
TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
If you follow the link to APAR IV66840 I provided you will find the same type of information regarding MQ v8.0:
The following WebSphere MQ CipherSuite to CipherSpec mappings
have been enabled by this APAR for WebSphere MQ v8:
CipherSuite --> CipherSpec
...
TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256
...
TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256
...
TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256
UPDATE (2017/02/16) to address further questions
Question 1: TLS_RSA_WITH_NULL_SHA256 Not Working
Answer: TLS_RSA_WITH_NULL_SHA256is considered a weak Cipher Specification since it does not provide encryption of the data and is disabled by default in v8.0.
If you really want to use this weak Cipher Specification you would either set the following Environment variable before you start the Queue Manager:
AMQ_SSL_WEAK_CIPHER_ENABLE=TLS_RSA_WITH_NULL_SHA256
Or add the following to the SSL: stanza of the qm.ini and start the Queue Manager:
SSL:
AllowWeakCipherSpec=TLS_RSA_WITH_NULL_SHA256
Below is more detail on this subject.
In my Answer to your prior question"MQ Error on SSL enabled" I provided the following information:
There is a very good IBM developerWorks blog post "SSL and TLS Cipher
Specification Deprecations for the MQ
Product"
posted May 19 2016 by Miguel A. Rodriguez that goes into detail about
which ciphers are deprecated in various Fix Packs.
In that link it states:
V. With the release IBM MQ V8.0.0.3, SSL and weak TLS Cipher
Specifications continue to be deprecated (disabled), as in the prior
versions mentioned above, but now weak Cipher Specifications require a
new value. This change is for both SSL and weak TLS Cipher
Specifications.
AMQ_SSL_WEAK_CIPHER_ENABLE=Value
or
SSL:
AllowWeakCipherSpec=Value
The accepted values for the environment variable or queue manager configuration setting is as follows:
- A single SSL or Weak TLS Cipher Specification Name.
- A string of SSL or Weak TLS Cipher Specification names delimited by commas.
- The value of "ALL" to enable all SSL and all weak TLS Cipher Specifications.
. . .
VI. Deprecated (disabled) SSL Cipher Specifications and Weak TLS
Cipher Specifications.
NOTE: These are the Cipher Specifications that REQUIRE the environment
variables or qm.ini setting discussed previously, in order to use them
for encrypted communications.
Below is a list of deprecated (disabled) Cipher Specifications
categorized by the protocol, the version, and applicable Operating
System. Details concerning deprecated Cipher Specifications can be
found in product documentation section "Deprecated CipherSpecs."
SSL V3
All CipherSpecs are disabled by default
TLS 1.0
Cipher Specification Operating System
TLS_RSA_EXPORT_WITH_RC2_40_MD5 IBMi
TLS_RSA_EXPORT_WITH_RC4_40_MD5 IBMi
TLS_RSA_WITH_DES_CBC_SHA All Platforms
TLS_RSA_WITH_NULL_MD5 IBMi
TLS_RSA_WITH_NULL_SHA IBMi
TLS_RSA_WITH_RC4_128_MD5 IBMi
TLS 1.2
Cipher Specification Operating System
ECDHE_ECDSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_ECDSA_RC4_128_SHA256 Linux,Windows,Unix
ECDHE_RSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_RSA_RC4_128_SHA256 Linux,Windows,Unix
TLS_RSA_WITH_NULL_NULL Linux,Windows,Unix
TLS_RSA_WITH_NULL_SHA256 All Platforms
TLS_RSA_WITH_RC4_128_SHA256 Linux,Windows,Unix
Question 2: TLS_RSA_WITH_AES_256_CBC_SHA256 Not Working
Answer: Reusing the same Answer to your prior question"MQ Error on SSL enabled" I provided the following information:
After searching on the error you are receiving I found this dW Answers
post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ
Java/JMS application when trying to use an TLS AES 256
cipher?".
It states that the following:
In this case, the issue is caused by attempting to use AES 256 strong
cipher algorithms.
Most Java JREs, including Oracle/Sun and IBM's have Import Limits on
Cryptographic Algorithms enabled. This limits the maximum key sizes
and also some algorithms.
When trying to use a AES 256 cipher, such as
ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with a
MQ Java/JMS application, you need to ensure your JRE supports this
cipher. In most cases, when the stronger cipher algorithms are needed,
such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction
Policy Files must be obtained and installed in the JDK/JRE.
This is noted in the JDK/JRE documentation: For Oracle 1.7:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
The link above to the oracle site states:
If stronger algorithms are needed (for example, AES with 256-bit
keys), the JCE Unlimited Strength Jurisdiction Policy Files
must be
obtained and installed in the JDK/JRE.
It is the user's responsibility to verify that this action is
permissible under local regulations.
I would suggest that you either use the lower CipherSuite
TLS_RSA_WITH_AES_128_CBC_SHA256, or follow the advise above to
obtain and install the JCE Unlimited Strength Jurisdiction Policy
Files.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 聊天终结者 的文章《TLSv2 with JDk8 Ciphersuites with MQ8?》','https://www.manongdao.com/article-480823.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}