Thanks for visiting the site !!! Visit below intrested Ads to support us if you like the site .Sharing is caring .keep distance and keep safe . Happy Learning ... 😀

Enabling multiple cipher’s on IBM MQ Channel

There was a requirement to disable Week Ciphers or enable Multiple ciphers on the channel and in the QMGR . If the cipher is configured on the channel and if it is considered as a week cipher then we should replace with another cipher but there is not way to disable the week cipher .

Need to enable multiple ciphers on the channel (SDR/SVRCONN/CLUSSDR/…)

From IBM MQ 9.2 LTS onwards it is possible to enable multiple ciphers on the QMGR suing qm.ini SSL stanza (9.1.1 CD also this is available )

SSL:
AllowedCipherSpecs=TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA
  • A client connecting with ANY_TLS12 will likely use the TLS 1.2 CipherSpec TLS_RSA_WITH_AES_128_GCM_SHA256.
  • A client connecting with ANY_TLS12_OR_HIGHER will likely use the TLS 1.3 CipherSpec TLS_AES_128_GCM_SHA256 (assuming the client supports TLS 1.3).
  • A client connecting with the TLS 1.0 CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA will use that CipherSpec.

If a CipherSpec is not enabled through the AllowedCipherSpecs attribute, it will not be configured for use during a TLS Handshake.
In the case that the AllowedCipherSpecs attribute is not specified, a default list of enabled ciphers, indicated by the following table, is used.

CipherSpecs order before IBM MQ 9.2.0

PlatformCipherSpecProtocolEnabled by default
[AIX, Linux, Windows][z/OS]TLS_RSA_WITH_AES_128_CBC_SHATLS 1.0No
[IBM i]AES_SHA_USTLS 1.0No
[AIX, Linux, Windows][z/OS]TLS_RSA_WITH_AES_256_CBC_SHATLS 1.0No
AllRC4_SHA_USSSL v3No
AllTLS_RSA_WITH_RC4_128_SHATLS 1.0No
AllRC4_MD5_USSSL v3No
[IBM i]TLS_RSA_WITH_RC4_128_MD5TLS 1.0No
AllTRIPLE_DES_SHA_USSSL v3No
AllTLS_RSA_WITH_3DES_EDE_CBC_SHATLS 1.0No
[AIX, Linux, Windows]DES_SHA_EXPORT1024SSL v3No
AllRC4_56_SHA_EXPORT1024SSL v3No
AllRC4_MD5_EXPORTSSL v3No
[IBM i]TLS_RSA_EXPORT_WITH_RC4_40_MD5TLS 1.0No
AllRC2_MD5_EXPORTSSL v3No
[IBM i]TLS_RSA_EXPORT_WITH_RC2_40_MD5TLS 1.0No
AllDES_SHA_EXPORTSSL v3No
AllTLS_RSA_WITH_DES_CBC_SHATLS 1.0No
AllNULL_SHASSL v3No
[IBM i]TLS_RSA_WITH_NULL_SHATLS 1.0No
AllNULL_MD5SSL v3No
[IBM i]TLS_RSA_WITH_NULL_MD5TLS 1.0No
[AIX, Linux, Windows]FIPS_WITH_DES_CBC_SHASSL v3No
[AIX, Linux, Windows]FIPS_WITH_3DES_EDE_CBC_SHASSL v3No
AllTLS_RSA_WITH_AES_128_CBC_SHA256TLS 1.2Yes
AllTLS_RSA_WITH_AES_256_CBC_SHA256TLS 1.2Yes
AllTLS_RSA_WITH_NULL_SHA256TLS 1.2No
AllTLS_RSA_WITH_AES_128_GCM_SHA256TLS 1.2Yes
AllTLS_RSA_WITH_AES_256_GCM_SHA384TLS 1.2Yes
[AIX, Linux, Windows]ECDHE_ECDSA_RC4_128_SHA256TLS 1.2No
[AIX, Linux, Windows]ECDHE_ECDSA_3DES_EDE_CBC_SHA256TLS 1.2No
[UNIX, Linux, Windows, IBM i]ECDHE_RSA_RC4_128_SHA256TLS 1.2No
[UNIX, Linux, Windows, IBM i]ECDHE_RSA_3DES_EDE_CBC_SHA256TLS 1.2No
AllECDHE_ECDSA_AES_128_CBC_SHA256TLS 1.2Yes
AllECDHE_ECDSA_AES_256_CBC_SHA384TLS 1.2Yes
AllECDHE_RSA_AES_128_CBC_SHA256TLS 1.2Yes
AllECDHE_RSA_AES_256_CBC_SHA384TLS 1.2Yes
[UNIX, Linux, Windows, IBM i]ECDHE_ECDSA_AES_128_GCM_SHA256TLS 1.2Yes
[UNIX, Linux, Windows, IBM i]ECDHE_ECDSA_AES_256_GCM_SHA384TLS 1.2Yes
AllECDHE_RSA_AES_128_GCM_SHA256TLS 1.2Yes
AllECDHE_RSA_AES_256_GCM_SHA384TLS 1.2Yes
[UNIX, Linux, Windows, IBM i]ECDHE_RSA_NULL_SHA256TLS 1.2No
[AIX, Linux, Windows]ECDHE_ECDSA_NULL_SHA256TLS 1.2No
[AIX, Linux, Windows]TLS_RSA_WITH_NULL_NULLTLS 1.2No
[AIX, Linux, Windows]TLS_RSA_WITH_RC4_128_SHA256TLS 1.2No
[UNIX, Linux, Windows, IBM i]TLS_AES_128_GCM_SHA256TLS 1.3Yes
[UNIX, Linux, Windows, IBM i]TLS_AES_256_GCM_SHA384TLS 1.3Yes
[UNIX, Linux, Windows, IBM i]TLS_CHACHA20_POLY1305_SHA256TLS 1.3Yes
[AIX, Linux, Windows]TLS_AES_128_CCM_SHA256TLS 1.3Yes
[AIX, Linux, Windows]TLS_AES_128_CCM_8_SHA256TLS 1.3Yes

It is possible for you to provide an alternative set of CipherSpecs that are enabled and in your order of preference for use with IBM MQ channels, either using the [AIX, Linux, Windows]AMQ_ALLOWED_CIPHERS environment variable or the AllowedCipherSpecs SSL stanza attribute of the .ini file. You may want to use this setting for either of the following reasons:

  • To restrict IBM MQ listeners from accepting incoming channel start requests, unless they use one of the named CipherSpecs.
  • To change the order of priority of CipherSpecs that are used in a TLS handshake.

If a different order is desired, then a new order of CipherSpecs can be supplied using the AllowedCipherSpecs attribute of the SSL stanza on IBM MQ for Multiplatforms [z/OS], or the TransportSecurity stanza on IBM MQ for z/OS, with the following rules:
Higher protocol versions are always used, regardless of their position in the list.
Any disabled CipherSpecs are re-enabled if supplied in the list.
The TLS server’s list order has a higher priority than the TLS client.
When TLS 1.3 is enabled, certain CipherSpecs are not supported

It is possible for you to provide an alternative set of CipherSpecs that are enabled and in your order of preference for use with IBM MQ channels, either using the [AIX, Linux, Windows]AMQ_ALLOWED_CIPHERS environment variable or the AllowedCipherSpecs SSL stanza attribute of the .ini file. You may want to use this setting for either of the following reasons:
To restrict IBM MQ listeners from accepting incoming channel start requests, unless they use one of the named CipherSpecs.
To change the order of priority of CipherSpecs that are used in a TLS handshake.

In the below example i have 2 QMGRs QM1 and QM2 with TO.MQ2 channel from QM1 to QM2

on QM1 qm.ini we will enable 2 ciphers

SSL:
   AllowTLSV13=TRUE
   MinimumRSAKeySize=1
   AllowedCipherSpecs=ECDHE_RSA_AES_128_GCM_SHA256, ECDHE_ECDSA_AES_256_GCM_SHA384

On QM2 we will enable only one ciphersuite

SSL:
   AllowTLSV13=TRUE
   MinimumRSAKeySize=1
   AllowedCipherSpecs=ECDHE_RSA_AES_128_GCM_SHA256

Now on QM SDR channel We will use one cipher from the allowed qm.ini file . So from SDR it will only negotiate with 1 cipher

mqm@ip-172-31-14-154 QM1]$ echo dis chl\(TO.QM2\) |runmqsc QM1
5724-H72 (C) Copyright IBM Corp. 1994, 2020.
Starting MQSC for queue manager QM1.


     1 : dis chl(TO.QM2)
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   ALTDATE(2021-02-16)                     ALTTIME(13.33.28)
   BATCHHB(0)                              BATCHINT(0)
   BATCHLIM(5000)                          BATCHSZ(50)
   CERTLABL( )                             COMPHDR(NONE)
   COMPMSG(NONE)                        
   CONNAME(ec2-18-218-83-33.us-east-2.compute.amazonaws.com(1415))
   CONVERT(NO)                             DESCR( )
   DISCINT(6000)                           HBINT(300)
   KAINT(AUTO)                             LOCLADDR( )
   LONGRTY(999999999)                      LONGTMR(1200)
   MAXMSGL(4194304)                        MCANAME( )
   MCATYPE(PROCESS)                        MCAUSER( )
   MODENAME( )                             MONCHL(QMGR)
   MSGDATA( )                              MSGEXIT( )
   NPMSPEED(FAST)                          PASSWORD( )
   PROPCTL(COMPAT)                         RCVDATA( )
   RCVEXIT( )                              RESETSEQ(NO)
   SCYDATA( )                              SCYEXIT( )
   SENDDATA( )                             SENDEXIT( )
   SEQWRAP(999999999)                      SHORTRTY(10)
   SHORTTMR(60)                         
   SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256)
   SSLPEER( )                              STATCHL(QMGR)
   TPNAME( )                               TRPTYPE(TCP)
   USEDLQ(YES)                             USERID( )
   XMITQ(QM1.XMITQ)                     
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
[mqm@ip-172-31-14-154 QM1]$

On QM2 we will try to use ciphersuite alias ANY_TLS12

mqm@ip-172-31-14-154 QM1]$ echo dis chl\(TO.QM2\) |runmqsc QM2
5724-H72 (C) Copyright IBM Corp. 1994, 2020.
Starting MQSC for queue manager QM2.


     1 : dis chl(TO.QM2)
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(RCVR)
   ALTDATE(2021-02-16)                     ALTTIME(13.36.31)
   BATCHSZ(50)                             CERTLABL( )
   COMPHDR(NONE)                           COMPMSG(NONE)
   DESCR( )                                HBINT(300)
   KAINT(AUTO)                             MAXMSGL(4194304)
   MCAUSER( )                              MONCHL(QMGR)
   MRDATA( )                               MREXIT( )
   MRRTY(10)                               MRTMR(1000)
   MSGDATA( )                              MSGEXIT( )
   NPMSPEED(FAST)                          PUTAUT(DEF)
   RCVDATA( )                              RCVEXIT( )
   RESETSEQ(NO)                            SCYDATA( )
   SCYEXIT( )                              SENDDATA( )
   SENDEXIT( )                             SEQWRAP(999999999)
   SSLCAUTH(REQUIRED)                      SSLCIPH(ANY_TLS12)
   SSLPEER( )                              STATCHL(QMGR)
   TRPTYPE(TCP)                            USEDLQ(YES)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
[mqm@ip-172-31-14-154 QM1]$ 

Now let us see the channel status for the cipher that used to connect

dis chs(TO.QM2) all
    11 : dis chs(TO.QM2) all
AMQ8417I: Display Channel Status details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   BATCHES(0)                              BATCHSZ(50)
   BUFSRCVD(1)                             BUFSSENT(1)
   BYTSRCVD(268)                           BYTSSENT(268)
   CHSTADA(2021-02-16)                     CHSTATI(13.38.26)
   COMPHDR(NONE,NONE)                      COMPMSG(NONE,NONE)
   COMPRATE(0,0)                           COMPTIME(0,0)
   CONNAME(172.31.14.154(1415))            CURLUWID(7BC72B6001579C12)
   CURMSGS(0)                              CURRENT
   CURSEQNO(0)                             EXITTIME(0,0)
   HBINT(300)                              INDOUBT(NO)
   JOBNAME(00009D8E00000001)               LOCLADDR(172.31.14.154(38846))
   LONGRTS(999999999)                      LSTLUWID(0000000000000000)
   LSTMSGDA( )                             LSTMSGTI( )
   LSTSEQNO(0)                             MCASTAT(RUNNING)
   MONCHL(OFF)                             MSGS(0)
   NETTIME(0,0)                            NPMSPEED(FAST)
   RQMNAME(QM2)                            SHORTRTS(10)
   SECPROT(TLSV12)                      
   SSLCERTI(CN=QM1,OU=MQ Support,O=IBM,ST=Singapore,C=US)
   SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256)   SSLKEYDA( )
   SSLKEYTI( )                          
   SSLPEER(SERIALNUMBER=60:1E:07:3F,CN=QM1,OU=MQ Support,O=IBM,ST=Singapore,C=US)
   SSLRKEYS(0)                             STATUS(RUNNING)
   STOPREQ(NO)                             SUBSTATE(MQGET)
   XBATCHSZ(0,0)                           XMITQ(QM1.XMITQ)
   XQTIME(0,0)                             RVERSION(09020001)
   RPRODUCT(MQMM)                       

On the below we can see RCVR is negotiated with the same cipher and SSL hand shake is completed .

dis chs(TO.QM2) all
     2 : dis chs(TO.QM2) all
AMQ8417I: Display Channel Status details.
   CHANNEL(TO.QM2)                         CHLTYPE(RCVR)
   BATCHES(0)                              BATCHSZ(50)
   BUFSRCVD(1)                             BUFSSENT(1)
   BYTSRCVD(268)                           BYTSSENT(268)
   CHSTADA(2021-02-16)                     CHSTATI(13.38.26)
   COMPHDR(NONE,NONE)                      COMPMSG(NONE,NONE)
   COMPRATE(0,0)                           COMPTIME(0,0)
   CONNAME(172.31.14.154)                  CURLUWID(0000000000000000)
   CURMSGS(0)                              CURRENT
   CURSEQNO(0)                             EXITTIME(0,0)
   HBINT(300)                              INDOUBT(NO)
   JOBNAME(00009D0D0000000C)               LOCLADDR(::ffff:172.31.14.154(1415))
   LSTLUWID(0000000000000000)              LSTMSGDA( )
   LSTMSGTI( )                             LSTSEQNO(0)
   MCASTAT(RUNNING)                        MCAUSER(mqm)
   MONCHL(OFF)                             MSGS(0)
   NPMSPEED(FAST)                          RQMNAME(QM1)
   SECPROT(TLSV12)                      
   SSLCERTI(CN=QM1,OU=MQ Support,O=IBM,ST=Singapore,C=US)
   SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256)   SSLKEYDA( )
   SSLKEYTI( )                          
   SSLPEER(SERIALNUMBER=60:1E:07:3F,CN=QM1,OU=MQ Support,O=IBM,ST=Singapore,C=US)
   SSLRKEYS(0)                             STATUS(RUNNING)
   STOPREQ(NO)                             SUBSTATE(RECEIVE)
   XBATCHSZ(0,0)                           RVERSION(09020001)
   RPRODUCT(MQMM)                       

With these additional configurations on the Queue Manager and Channel level we can configure multiple ciphers and easy to migrate from one cipher to another cipher .

The same configuration can be used for SVRCONN channel so that client can negotiate with one of the cipher available on both the sides .

Some Notes:

–> The ANY_TLS13_OR_HIGHER alias CipherSpec negotiates the highest level of security that the remote end will allow but will only connect using a TLS 1.3 or higher protocol.
–> To use TLS 1.3, or the ANY CipherSpec, on IBM i the underlying operating system version must support TLS 1.3
The ANY_TLS13 alias CipherSpec represents a subset of acceptable CipherSpecs that use the TLS 1.3 protocol, as listed in this table for each platform.
–> The ANY_TLS12_OR_HIGHER alias CipherSpec negotiates the highest level of security that the remote end will allow but will only connect using a TLS 1.2 or higher protocol.
–> The ANY_TLS12 CipherSpec represents a subset of acceptable CipherSpecs that use the TLS 1.2 protocol, as listed in this table for each platform.
–> The ANY alias CipherSpec negotiates the highest level of security that the remote end will allow.
–> This CipherSpec cannot be used to secure a connection from the IBM MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.

Question)is it possible to configure 2 or more ciphers ( CUSTOM ) on any channel (SVRCONN,SDR,CLSSDR …etc ) with or without AllowedCipherSpecs on qm.ini file ??

I understand from the documentation that using Cipher Suite alias like ANY_TLS12 we can allow multiple that are defined under AllowedCipherSpecs or using AMQ_ALLOWED_CIPHERS environment variable . My requirement is that i need to enable 2 custom ciphers on channel like CIpherA,CIpherB .

Ans)The SSLCIPH attribute of channel specifies an Alias or a single named CipherSpec for a TLS connection, you can not set it like CIpherA,CIpherB .

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *