Websphere MQ call failed with compcode 2 reason 2397 - ssl

I am having an issue connecting to a qmgr. The host rejected the connection due to a cipherspec error for the SSL channel on port 1414. The keystore checked out OK. I was able to use openssh to connect to the host and retrieve its keys.
I have tried to enable and disable SSLv3. I provided the keystore password with and without "" (double quotes). These are the connection properties:
qcf=wmq://aftbusu105.it.companyx.com:1414/?qmgr=MQPLTC010,channel=FUSION.SSL,sslCipherSuite=SSL_RSA_WITH_NULL_MD5,transportType=1
reqQ=queue:///FUSIONQL.app.queuename.1_0.Q.PS.REQ
rspQ=queue:///FUSIONQL.app.queuename.1_0.Q.PS.REQ
mep=oneway
connCnt=1
sessCnt=1
numMsgs=1
connInterval=10
msgInterval=10
deliveryMode=1
priority=1
expiration=1
keystore=/path/keystore/m36797q.jks
password=a$tilBe2Flower
alias=m36797q
Do you know what the issue could be?

Can you confirm if you have FIPS enabled on either the server or the client? It's possible you are getting the error because the cipher suite SSL_RSA_WITH_NULL_MD5 is not supported in FIPS mode. Are you seeing any AMQ errors in your QMGR error logs?
Also, let us know the MQ version you are using.
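The suite named in the question, SSL_RSA_WITH_NULL_MD5, negotiates no encryption at all and uses an MD5-based MAC. As an added example (not code from the original posts), this parses the posted connection string and flags weak parts of a JSSE-style suite name; the comma-separated option format is assumed from the post, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Connection string as posted in the question.
QCF = ("wmq://aftbusu105.it.companyx.com:1414/?qmgr=MQPLTC010,channel=FUSION.SSL,"
       "sslCipherSuite=SSL_RSA_WITH_NULL_MD5,transportType=1")

# Name tokens that mark a weak suite, matched as whole "_"-separated tokens
# so that 3DES is not mistaken for DES.
WEAK_TOKENS = {
    "NULL": "no encryption, payload travels in clear text",
    "MD5": "MD5-based MAC",
    "RC4": "RC4 stream cipher",
    "DES": "single DES",
    "EXPORT": "export-grade key length",
    "anon": "anonymous key exchange, peer is not authenticated",
}

def parse_qcf(url):
    """Split a wmq:// string into host, port and its options.
    Assumption: options follow '?' as key=value pairs joined by commas, as posted."""
    parts = urlsplit(url)
    options = dict(p.split("=", 1) for p in parts.query.split(",") if "=" in p)
    return parts.hostname, parts.port, options

def split_suite(name):
    """Break PREFIX_KX_WITH_CIPHER_HASH into its parts."""
    prefix, _, rest = name.partition("_")
    key_exchange, sep, tail = rest.partition("_WITH_")
    if not sep:
        raise ValueError(f"not a KX_WITH_CIPHER style suite name: {name!r}")
    cipher, _, digest = tail.rpartition("_")
    return {"prefix": prefix, "key_exchange": key_exchange,
            "cipher": cipher, "hash": digest}

def weaknesses(name):
    """Return one finding per weak token present in the suite name."""
    tokens = name.split("_")
    return [f"{tok}: {why}" for tok, why in WEAK_TOKENS.items() if tok in tokens]

if __name__ == "__main__":
    host, port, options = parse_qcf(QCF)
    suite = options["sslCipherSuite"]
    print(host, port, split_suite(suite))
    for finding in weaknesses(suite):
        print("  weak:", finding)
```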

Connection to channel with SSL enabled gives error about CipherSpec not being specified but it was

I have installed IBM MQ server with a developer license (https://developer.ibm.com/articles/mq-downloads/) and followed the tutorial from here: https://developer.ibm.com/tutorials/mq-connect-app-queue-manager-windows/.
So what I have now is:
IBM MQ Manager
One Queue Manager (QM1)
4 Queues (one dead letter queue and 3 dev queues DEV.QUEUE.x) all local
2 Channels (one admin and one 'normal' server connection channel)
I enabled SSL on the QM1 queue manager:
[Image: SSL Settings for QM1]
and I also created a personal certificate:
[Image: Key management]
EDIT: I connected with username/password instead of using an SSL certificate. I have fixed this but now I cannot connect either.
I also set the SSL CipherSpec for the channel to ANY.
amqsputc dev.queue.1 QM1 now gives me:
MQCONNX ended with reason code 2058
Which (https://www.ibm.com/docs/en/ibm-mq/9.2?topic=arc-2058-080a-rc2058-mqrc-q-mgr-name-error) says that the queue manager name is wrong. But as far as I can see QM1 is the correct name.
EDIT: When connecting with the amqssslc tool with the following syntax I am getting this:
amqssslc -l ibmwebspheremq -k C:\ProgramData\IBM\MQ\qmgrs\QM1\ssl\key -c DEV.APP.SVRCONN -x DEV.APP.SVRCONN -s TLS_RSA_WITH_AES_128_CBC_SHA256 -m QM1
Sample AMQSSSLC start
Connecting to queue manager QM1
Using the server connection channel DEV.APP.SVRCONN
on connection name DEV.APP.SVRCONN.
Using SSL CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256
Using SSL key repository stem C:\ProgramData\IBM\MQ\qmgrs\QM1\ssl\key
Certificate Label: ibmwebspheremq
No OCSP configuration specified.
MQCONNX ended with reason code 2538
As the error message you have shown us says, your channel definition for DEV.APP.SVRCONN has not put a value in the SSLCIPH attribute.
If this is missing at the queue manager end, use the following MQSC command to rectify:-
ALTER CHANNEL(DEV.APP.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ANY)
or alternatively put the same value in the SSLCIPH attribute that you are using for the client application.
If this is missing at the client application end, because you can see that there is a value in the SSLCIPH attribute on the SVRCONN already, change your client application to also use the same cipherspec.
If you are unsure how to, please update your question with the SVRCONN definition and details about your client application for more help.

ERR 04120 TLS HANDSHAKE ERROR in Apache Directory Studio

I'm getting this error when I try to connect to an SSL (protocol v3) LDAP server in Apache Directory Studio.
I'm connecting to an LDAP server on port 636 (ldaps) with SSL encryption.
ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
I'm using Apache Directory Studio Version: 2.0.0.v20210213-M16 on MacOS 11.2.3 (20D91)
java.version=16
java.vendor=Azul Systems, Inc.
It seems that "some" update maybe disabled TLS1.0 on my mac???
Any clues how to fix this?
So this may be a little late, but you need to follow the instructions here.
An update to the JDK has disabled TLS1 and TLS1.1 support by default. You can change the defaults so they are no longer disabled.
Basically you need to find the jdk.tls.disabledAlgorithms property in ${JAVA_HOME}/conf/security/java.security file and remove the offending algorithm from the list (TLS1).
Once you do this, you should be good to go.
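To see what a given JDK currently disables before or after such an edit, the property can be read straight from the file. This is an added example, not part of the original answer; the sample file content is constructed, the function names are hypothetical, and the parser only handles `key=value` entries with backslash line continuations. In the file itself, TLS 1.0 is listed as `TLSv1`.

```python
# Constructed sample of a java.security file; a real one lives at
# ${JAVA_HOME}/conf/security/java.security.
SAMPLE_JAVA_SECURITY = r"""
# constructed sample, not copied from a real JDK
security.provider.1=SUN
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
#jdk.tls.disabledAlgorithms=SSLv3
"""

PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

def read_property(text, name):
    """Return the value of one key, joining backslash-continued lines.
    Simplification: only the 'key=value' form is recognised."""
    value = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        while line.endswith("\\"):           # continuation: append the next line
            line = line[:-1] + next(lines, "").strip()
        key, sep, rest = line.partition("=")
        if sep and key.strip() == name:
            value = rest.strip()             # a later definition overrides an earlier one
    return value

def disabled_protocols(text):
    """List the protocol versions named in jdk.tls.disabledAlgorithms."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    entries = {entry.strip() for entry in value.split(",")}
    return [p for p in PROTOCOLS if p in entries]

if __name__ == "__main__":
    print("disabled protocol versions:", disabled_protocols(SAMPLE_JAVA_SECURITY))
```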

The system cannot infer the transport information from xxxx url

I have been trying to configure a simple pass-through proxy using WSO2 ESB, which points to a REST service on an https port.
I had tried doing the same using my development machine (Windows 7) and it was successful.
But when I try repeating the same on the production server, on RHEL, I get the error "The system cannot infer the transport information" in the system log.
Things Tried
Created passthrough proxy service pointing to https://some.domain.in/something/something.
Tried CURL to https://some.domain.in/something/something and it shows the response properly
Imported certificate from the site to client-truststore.jks. Same was done locally and it worked.
In axis2.xml, edited <parameter name="HostnameVerifier">AllowAll</parameter> under https transporter
Error Message
When I clicked Test in the configuration console, I got the following message: Invalid address
CURL the proxy service URL, and got an empty response
Checked system logs and saw below logs
Am I missing something?
I could see the following messages in the wso2-error-logs:
ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O error: handshake alert: unrecognized_name
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
Then I realised that I was using Java 1.6 locally but 1.7 in production.
And in Java 1.7 there are some changes in SSL handling:
The JDK 7 release supports the Server Name Indication (SNI) extension in the JSSE client. SNI, described in RFC 4366, enables TLS clients to connect to virtual servers.
In order to bypass this, I added JAVA_OPTS="-Djsse.enableSNIExtension=false" in wso2server.sh and restarted.
This solved my problem.
Not sure if this is the correct way though
This url helped me finally

Configuring activemq client for using ssl for encryption only

I was wondering if I can set an activemq broker with a ssl connection with the sole purpose of encryption (similar to HTTPS considering that the client does not check the certificate).
In that sense, I've tried setting up the broker to use an ssl connection, set its keystore and so on.
And on the client side, I tried using the sample code from fusesource as basis but without setting the client trust store (I would like the client to accept every certificate).
With that configuration, I could not connect the client and I got the following error message in the broker's log:
2013-05-06 15:25:32,848 | ERROR | Could not accept connection : javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled. | org.apache.activemq.broker.TransportConnector | ActiveMQ Transport Server: ssl://0.0.0.0:61617?trace=true
Is this error really because the client has not added the broker certificate to its truststore? If so, is there a way so that the client accept the connection even without a truststore?
There was an error in my SSL configuration in the broker which caused that error message. I am not sure exactly what was wrong because I have re-done the whole configuration following this tutorial and got it to run the broker without errors.
In order to get the ssl encryption but no authentication, I basically had to set my ssl connection to <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?trace=true&amp;needClientAuth=false"/>
and to either
add the certificate directly to the JVM as in Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
or create a trust manager that accepts all certificates on the client as in Setting trust store programatically in ActiveMQSslConnectionFactory seems to fail

Is there a way to validate the broker's SSL certificate in django-celery?

I'm using django-celery to connect to a RabbitMQ broker through SSL (with the BROKER_USE_SSL setting). Is there a way to:
Verify the certificate of the broker when the connection is established.
Configure a client certificate to use to establish the connection.
The RabbitMQ side is working correctly, but I don't know how to configure Celery for this and I haven't found anything in Celery's documentation either. The settings CELERY_SECURITY_KEY, CELERY_SECURITY_CERTIFICATE and CELERY_SECURITY_CERT_STORE look like they could do this, but it seems that they're only used for message signing.
kombu.Connection accepts ssl argument as a dictionary of SSL configuration (ssl=False by default). I suppose it is applicable for BROKER_USE_SSL too.
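import ssl

BROKER_USE_SSL = {
    'ca_certs': '/etc/pki/tls/certs/something.crt',  # CA bundle used to verify the broker
    'keyfile': '/etc/something/system.key',          # client private key
    'certfile': '/etc/something/system.cert',        # client certificate
    'cert_reqs': ssl.CERT_REQUIRED,                  # require a valid broker certificate
}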
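The two things asked for in the question map onto different keys of that dictionary: `cert_reqs` and `ca_certs` cover broker verification, `keyfile` and `certfile` cover the client certificate. As an added example (not from the original answer, and not Celery or kombu code), the hypothetical helper below classifies a BROKER_USE_SSL value so that an encrypt-only setup is not mistaken for a verified one.

```python
import ssl

def audit_broker_ssl(setting):
    """Classify a BROKER_USE_SSL value. Returns (mode, findings)."""
    if setting is None or setting is False:
        return "plaintext", ["TLS is off"]
    if setting is True:
        return "encrypted", ["no cert_reqs or ca_certs given: "
                             "verification is left to library defaults"]
    findings = []
    reqs = setting.get("cert_reqs")
    # For a client socket, ssl.CERT_OPTIONAL behaves like ssl.CERT_REQUIRED.
    verifies = reqs in (ssl.CERT_REQUIRED, ssl.CERT_OPTIONAL)
    if not verifies:
        findings.append("cert_reqs is missing or ssl.CERT_NONE: "
                        "the broker certificate is not checked")
    elif not setting.get("ca_certs"):
        findings.append("ca_certs is not set: no CA bundle is named "
                        "for checking the broker certificate")
    has_key = bool(setting.get("keyfile"))
    has_cert = bool(setting.get("certfile"))
    if has_key != has_cert:
        findings.append("keyfile and certfile must be set together "
                        "to present a client certificate")
    if not verifies:
        mode = "encrypted, broker unverified"
    elif has_key and has_cert:
        mode = "mutual TLS"
    else:
        mode = "server-verified TLS"
    return mode, findings

if __name__ == "__main__":
    # Same values as the dictionary in the answer above.
    answer_cfg = {
        "ca_certs": "/etc/pki/tls/certs/something.crt",
        "keyfile": "/etc/something/system.key",
        "certfile": "/etc/something/system.cert",
        "cert_reqs": ssl.CERT_REQUIRED,
    }
    print(audit_broker_ssl(answer_cfg))
    print(audit_broker_ssl({"cert_reqs": ssl.CERT_NONE}))
```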