我想了解带有 JDk8 密码套件的 TLSv2 和带有 MQ8 的规范?
我在 unix 上使用“runmqckm”命令在 MQ8 上创建了一个 jks 文件
jks 是否依赖于参数“-sig_alg”上的 Ciphersuites 和 Spec
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083860_.htm
Question on TLSv2 Ciphersuite
SUite<>SPec 组合无法正常工作,如下所示
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
CipherSpec - TLS_RSA_WITH_AES_128_CBC_SHA256
等效密码套件 - SSL_RSA_WITH_AES_128_CBC_SHA256
协议(protocol) - TLSv1.2
FIPS 140-2 兼容 - 是
工作
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"
改变 channel (TEST.CH)CHLTYPE(SVRCONN)SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
不工作
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_AES_128_CBC_SHA256";
改变 channel (TEST.CH)CHLTYPE(SVRCONN)SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
Only 3 TLS Ciphers i can Test as below , what spec i can use?
甲骨文密码套件
1.TLS_RSA_WITH_NULL_SHA256
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.TLS_RSA_WITH_AES_256_CBC_SHA256
MQ 规范
1.??
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.??
Only 1 cipher i can use part of TLS (JDK8 + MQ8)?
工作
TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256
不工作
TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
1 : ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
AMQ8242: SSLCIPH definition wrong.
不工作
TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256
MQJE001: Completion Code '2', Reason '2393'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:249)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:450)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:487)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:97)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:194)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:868)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:816)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:758)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:200)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:682)
at MQProducerTLS.main(MQProducerTLS.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2282)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:916)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:235)
... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2049)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLocalAddress(RemoteTCPConnection.java:861)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1277)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:863)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1730)
... 15 more
Caused by: java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers
at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:81)
at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2461)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2041)
... 22 more
Update on 20-Feb-2017
当示例代码放置在应用程序中时,出现以下授权错误 新问题链接如下
http://stackoverflow.com/questions/42347461/authorization-errors-with-mq8-jdk8
最佳答案
关于 runmqckm
命令的 -sig_alg
标志,下面的详细信息在您提供的链接中:
The hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly-created certificate or certificate request.
事实上,runmqckm
命令的 -sig_alg
标志与您在 Java 中指定的 CipherSuite 或您在 MQ SVRCONN channel 上指定的 CipherSpec 无关。
在我对您之前的问题“mq-error-on-ssl-enabled 的回答中,我提供了以下信息:
APAR 中的表 IV66840有这个信息:
The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v7.1 and v7.5 where the classes for Java and classes for JMS support SHA-2:
Oracle CipherSuite IBM MQ CipherSpec TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
如果您点击我提供的 APAR IV66840 链接,您将找到关于 MQ v8.0 的相同类型的信息:
The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v8:
CipherSuite --> CipherSpec ... TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256 ... TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256 ... TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256
UPDATE (2017/02/16) to address further questions
问题 1:TLS_RSA_WITH_NULL_SHA256
不工作
回答:TLS_RSA_WITH_NULL_SHA256
被认为是弱密码规范,因为它不提供数据加密,并且在 v8.0 中默认禁用。
如果你真的想使用这个弱密码规范,你可以在启动队列管理器之前设置以下环境变量:
AMQ_SSL_WEAK_CIPHER_ENABLE=TLS_RSA_WITH_NULL_SHA256
或者将以下内容添加到 qm.ini 的 SSL:
节并启动队列管理器:
SSL:
AllowWeakCipherSpec=TLS_RSA_WITH_NULL_SHA256
下面是有关此主题的更多详细信息。
在我对您先前问题“MQ Error on SSL enabled”的回答中,我提供了以下信息:
There is a very good IBM developerWorks blog post "SSL and TLS Cipher Specification Deprecations for the MQ Product" posted May 19 2016 by Miguel A. Rodriguez that goes into detail about which ciphers are deprecated in various Fix Packs.
在该链接中它指出:
V. With the release IBM MQ V8.0.0.3, SSL and weak TLS Cipher Specifications continue to be deprecated (disabled), as in the prior versions mentioned above, but now weak Cipher Specifications require a new value. This change is for both SSL and weak TLS Cipher Specifications.
AMQ_SSL_WEAK_CIPHER_ENABLE=Value or SSL: AllowWeakCipherSpec=Value
The accepted values for the environment variable or queue manager configuration setting is as follows:
- A single SSL or Weak TLS Cipher Specification Name.
- A string of SSL or Weak TLS Cipher Specification names delimited by commas.
- The value of "ALL" to enable all SSL and all weak TLS Cipher Specifications.
. . .
VI. Deprecated (disabled) SSL Cipher Specifications and Weak TLS Cipher Specifications.
NOTE: These are the Cipher Specifications that REQUIRE the environment variables or qm.ini setting discussed previously, in order to use them for encrypted communications.
Below is a list of deprecated (disabled) Cipher Specifications categorized by the protocol, the version, and applicable Operating System. Details concerning deprecated Cipher Specifications can be found in product documentation section "Deprecated CipherSpecs."
SSL V3
All CipherSpecs are disabled by default
TLS 1.0
Cipher Specification Operating System
TLS_RSA_EXPORT_WITH_RC2_40_MD5 IBMi
TLS_RSA_EXPORT_WITH_RC4_40_MD5 IBMi
TLS_RSA_WITH_DES_CBC_SHA All Platforms
TLS_RSA_WITH_NULL_MD5 IBMi
TLS_RSA_WITH_NULL_SHA IBMi
TLS_RSA_WITH_RC4_128_MD5 IBMi
TLS 1.2
Cipher Specification Operating System
ECDHE_ECDSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_ECDSA_RC4_128_SHA256 Linux,Windows,Unix
ECDHE_RSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_RSA_RC4_128_SHA256 Linux,Windows,Unix
TLS_RSA_WITH_NULL_NULL Linux,Windows,Unix
TLS_RSA_WITH_NULL_SHA256 All Platforms
TLS_RSA_WITH_RC4_128_SHA256 Linux,Windows,Unix
问题 2:TLS_RSA_WITH_AES_256_CBC_SHA256
不工作
答案:重复使用对您先前问题“MQ Error on SSL enabled”的相同答案 我提供了以下信息:
After searching on the error you are receiving I found this dW Answers post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?". It states that the following:
In this case, the issue is caused by attempting to use AES 256 strong cipher algorithms.
Most Java JREs, including Oracle/Sun and IBM's have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms.
When trying to use a AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with a MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.
This is noted in the JDK/JRE documentation: For Oracle 1.7:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
上面指向 oracle 站点的链接指出:
If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.
It is the user's responsibility to verify that this action is permissible under local regulations.
我建议您要么使用较低的 CipherSuite
TLS_RSA_WITH_AES_128_CBC_SHA256
,或者按照上面的建议 获取并安装 JCE Unlimited Strength Jurisdiction Policy 文件。
关于ssl - TLS 2 与 JDk 8 Ciphersuites 与 MQ8?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/42191793/