1
votes

We are connecting a Java MQ client to a customer's IBM MQ server. To do that we have one MQIPT instance on cloud premises and one MQIPT instance on non-cloud premises. Once SSL security is disabled on the non-cloud premises, we are able to connect. However, once SSL is enabled by the non-cloud premises we are facing an SSL handshake issue. Certificates have been shared between us.

We don't have access to that non-cloud environment.

We are following the below design to connect to MQ.

We are connecting to MQIPT from the Java client, and below is the trace we are getting in the MQIPT trace.

  1. When we are not setting a cipher at the MQ Java client, we are getting the error below.

In that case MQIPT is enabled for all ciphers.

Issuer: 'CN=********* TEST CA ****,OU=*****,O=******** AG,C=******'
12:45:13.799    27   1414-2s         Processing keyType: RSA
12:45:13.800    27   1414-2s         No RSA certificates in keyring
12:45:13.800    27   1414-2s         Processing keyType: DSA
12:45:13.800    27   1414-2s         No DSA certificates in keyring
12:45:13.800    27   1414-2s         Processing keyType: EC
12:45:13.800    27   1414-2s         No EC certificates in keyring
12:45:13.800    27   1414-2s         WARNING: No suitable certificate to send to the remote server
12:45:13.800    27   1414-2s         --------} IPTX509KeyManager.chooseClientAlias() rc=0
12:45:14.184    27   1414-2s         SSLHandshakeException handshaking:com.ibm.jsse2.k.a(k.java:7)

  2. But when we set the CipherSuite in the Java MQ client, we are getting the following error log in MQIPT:

MQCPI014 Protocol eyecatcher (16030300) not recognized

MQIPT Version --> IBM MQ Internet Pass-Thru V9.2.0.1

The MQIPT configuration is as below:

[global]
CommandPort=1884
RemoteShutDown=true
MinConnectionThreads=5
MaxConnectionThreads=100
IdleTimeout=20
ClientAccess=true
QMgrAccess=true
HTTP=true
HTTPChunking=false
Trace=5
ConnectionLog=true
MaxLogFileSize=50

[route]
Name=Route_1
Active=true
ListenerPort=1414
Destination=mq-dmz-************
DestinationPort=********
HTTP=true
HTTPS=true
SSLClient=true
SSLClientProtocols=TLSv1.2
SSLClientKeyRing="path of key ring PFX file"
SSLClientKeyRingPW="path of password file"
HTTPServer=<Http Server name>
HTTPServerPort=443
URIName=<URI name>
SSLClientCAKeyRing="same as SSLClientKeyRing"
SSLClientCAKeyRingPW="same as SSLClientKeyRingPW"
SSLClientCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Comments:

Nilay Tiwari: @JoshMc: sorry for that, my intention was not to roll back your changes; it was done accidentally by me.

Nilay Tiwari: Done, and removed that tag @JoshMc.

Nilay Tiwari: Yes, we are using HTTP.

Nilay Tiwari: We are not using a proxy on our side as we are the client, but on the server side I have no idea.

1 Answer

1
votes

Setup for accepting the connection from the MQ client, decrypting, and then re-encrypting and sending on to the next hop should look something like the following:

[route]
Name=Route_1
Active=true
ListenerPort=1414
Destination=mq-dmz-************
DestinationPort=********
HTTP=true
HTTPS=true
SSLClient=true
SSLClientProtocols=TLSv1.2
SSLClientKeyRing="path of key ring PFX file"
SSLClientKeyRingPW="path of password file"
HTTPServer=<Http Server name>
HTTPServerPort=443
URIName=<URI name>
SSLClientCAKeyRing="same as SSLClientKeyRing"
SSLClientCAKeyRingPW="same as SSLClientKeyRingPW"
SSLClientCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLServer=true
SSLServerProtocols=TLSv1.2
SSLServerKeyRing="path of key ring PFX file"
SSLServerKeyRingPW="path of password file"
SSLServerCAKeyRing="same as SSLServerKeyRing"
SSLServerCAKeyRingPW="same as SSLServerKeyRingPW"
SSLServerCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384

What you are missing is that the route is configured from the standpoint of the TLS session; you are either:

  1. TLS Server (you are receiving the inbound connection and decrypting it)
  2. TLS Client (you are connecting out to another queue manager or MQIPT and encrypting)

To accept a TLS connection from your MQ client application you need to configure the SSLServer* equivalents to the already configured SSLClient* settings.
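The MQCPI014 message in the question already tells you which side is wrong: the four hex bytes it prints, 16030300, are the start of a TLS record (content type 0x16 = handshake, record version 0x0303 = TLS 1.2), not an MQ transmission segment header. The following Python is an added example, not MQIPT or IBM code, that decodes such an eyecatcher the way an operator would when reading the log; the "TSH" eyecatcher values and the way a listener tells the two protocols apart are assumptions for illustration.

```python
"""Decode the eyecatcher MQIPT prints in an MQCPI014 message (added example)."""
from __future__ import annotations

# TLS record layer: byte 0 is the content type, bytes 1-2 the record version.
TLS_HANDSHAKE = 0x16
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# Assumption: plaintext MQ channel traffic begins with a TSH eyecatcher in ASCII.
MQ_EYECATCHERS = (b"TSH ", b"TSHM", b"TSHC")


def classify_eyecatcher(first_bytes: bytes) -> str:
    """Return what protocol the first bytes of a connection look like."""
    if len(first_bytes) < 4:
        return "too short to classify"
    if first_bytes[:4] in MQ_EYECATCHERS:
        return "plaintext MQ (TSH eyecatcher)"
    content_type = first_bytes[0]
    version = int.from_bytes(first_bytes[1:3], "big")
    if content_type == TLS_HANDSHAKE and version in TLS_VERSIONS:
        # 0x0303 is also the record version TLS 1.3 uses for compatibility.
        return f"TLS handshake record ({TLS_VERSIONS[version]})"
    return f"unrecognised eyecatcher ({first_bytes[:4].hex()})"


def explain_mqcpi014(hex_eyecatcher: str) -> str:
    """Interpret the hex value from 'MQCPI014 Protocol eyecatcher (...) not recognized'."""
    kind = classify_eyecatcher(bytes.fromhex(hex_eyecatcher))
    if kind.startswith("TLS"):
        return (f"{kind}: the client is sending TLS to a route listener that expects "
                "plaintext MQ, so the route needs SSLServer* settings (or the client "
                "must not use TLS)")
    return kind


if __name__ == "__main__":
    # Value taken from the question's MQIPT log line.
    print(explain_mqcpi014("16030300"))
```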