Know your protocol

There are times when it is important to know more about your SSL/TLS secured channel than just that it is running. More recently it has become important to know not just the CipherSpec it is using but the protocol as well. By protocol I mean: is it using the old SSL V3.0 protocol, or have you set it up to use the more modern TLS 1.0 or TLS 1.2 protocol?

When can this be important to know? Well, unless you've been sleeping in a hut in the outback recently, you've probably been aware of the POODLE vulnerability and the push to get people off the SSL V3.0 protocol and onto something more modern. Also, in IBM MQ V8 the use of per-channel certificate labels requires a TLS CipherSpec, because it relies upon a feature of the TLS protocol (the Server Name Indication extension) that isn't in SSL V3.0.

So how do you know what the protocol is? Well, there are two ways:-

  • If you are pre-801, you can look up the CipherSpec your channel is using in the CipherSpec table in Knowledge Center and read the column entitled "Protocol Used". A few rows pulled from that table show the columns:

    Platform Support  CipherSpec Name                  Protocol Used  Data Integrity  Encryption Algorithm  Encryption Bits  FIPS  Suite B
    All               TRIPLE_DES_SHA_US                SSL 3.0        SHA-1           3DES                  168              No    No
    All               TLS_RSA_WITH_3DES_EDE_CBC_SHA    TLS 1.0        SHA-1           3DES                  168              Yes   No
    All               TLS_RSA_WITH_AES_128_CBC_SHA256  TLS 1.2        SHA-256         AES                   128              Yes   No

  • If you have an 801 Queue Manager (see What is an 801 Queue Manager?) then, while your channel is running, the DISPLAY CHSTATUS command shows a new attribute, SECPROT, which tells you exactly which protocol is in use.

Security Protocol as part of Channel Status

Here are some examples. I have set up certificates and defined three channels, each with a different CipherSpec. I have deliberately chosen one from each protocol, as you can see if you compare these definitions to the table above.

     1 : DISPLAY CHANNEL(QM1.TO.QM2.SSL*) SSLCIPH
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2.SSL01)               CHLTYPE(SDR)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2.SSL02)               CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2.SSL03)               CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)

When I run these channels on a queue manager that has V8.0.0 FixPack 2 installed (and has had the SSL V3.0 protocol re-enabled; see later), the channel status shows me the Security Protocol being used by each channel, as you can see in the output below.

     1 : DISPLAY CHSTATUS(QM1.TO.QM2.SSL*) SECPROT
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2.SSL01)               CHLTYPE(SDR)
   CONNAME(127.0.0.1(1702))                CURRENT
   RQMNAME(QM2)                            SECPROT(SSLV3)
   STATUS(RUNNING)                         SUBSTATE(MQGET)
   XMITQ(QM2.SSL01)
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2.SSL02)               CHLTYPE(SDR)
   CONNAME(127.0.0.1(1702))                CURRENT
   RQMNAME(QM2)                            SECPROT(TLSV1)
   STATUS(RUNNING)                         SUBSTATE(MQGET)
   XMITQ(QM2.SSL02)
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2.SSL03)               CHLTYPE(SDR)
   CONNAME(127.0.0.1(1702))                CURRENT
   RQMNAME(QM2)                            SECPROT(TLSV12)
   STATUS(RUNNING)                         SUBSTATE(MQGET)
   XMITQ(QM2.SSL03)

This information is also available via the PCF interface, so tools such as MQ Explorer and our MO71 GUI Administrator can also show you the Security Protocol in use (MO71 V8.0.3 is needed for this functionality).


MQGem’s MO71 GUI Administrator showing the Security Protocol in use

Note: at the time of writing, MQ Explorer does not display the Security Protocol. This has been reported, and I hope to be able to bring you a screenshot of it at a future time.
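Both of the methods above (looking a CipherSpec up in the table on a pre-801 queue manager, and reading SECPROT from DISPLAY CHSTATUS on an 801 queue manager) produce text that you will want to check across many channels, not one at a time. The script below is an added example, not code from the post or from IBM: it parses runmqsc output for either command and flags every channel still on SSL 3.0. The CipherSpec table it carries is only an excerpt of the Knowledge Center table (entries I am sure of), so any CipherSpec it does not recognise is reported as UNKNOWN for a manual lookup rather than passed; the sample output embedded in it is constructed from the examples in this post, with two extra channels added to exercise the empty-SSLCIPH and unknown-CipherSpec paths.

```python
"""Classify every IBM MQ channel in runmqsc output by SSL/TLS protocol.

Input is what runmqsc prints for DISPLAY CHANNEL(*) SSLCIPH (any queue
manager) or DISPLAY CHSTATUS(*) SECPROT (801 queue manager, running channels).
"""
import re
import sys

# Excerpt of the Knowledge Center CipherSpec table ("Protocol Used" column).
# Deliberately incomplete: a CipherSpec missing from here is reported as
# UNKNOWN so that it gets looked up by hand rather than silently passed.
CIPHERSPEC_PROTOCOL = {
    "NULL_SHA": "SSL 3.0",
    "RC4_SHA_US": "SSL 3.0",
    "TRIPLE_DES_SHA_US": "SSL 3.0",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "TLS 1.0",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "TLS 1.0",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "TLS 1.2",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "TLS 1.2",
}

# SECPROT values reported by DISPLAY CHSTATUS on an 801 queue manager.
SECPROT_NAME = {"NONE": "NONE", "SSLV3": "SSL 3.0",
                "TLSV1": "TLS 1.0", "TLSV12": "TLS 1.2"}

# NAME(value), allowing one level of nested parentheses so that
# CONNAME(127.0.0.1(1702)) is captured as a single attribute.
ATTR_RE = re.compile(r"\b([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")


def parse_mqsc(text):
    """Return one {ATTR: value} dict per AMQ8414/AMQ8417 record in the output."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("AMQ8414", "AMQ8417")):   # start of a new record
            current = {}
            records.append(current)
        elif current is not None:
            for name, value in ATTR_RE.findall(line):
                current[name] = value.strip()          # SSLCIPH( ) -> ""
    return records


def protocol_of(record):
    """SECPROT is authoritative when present; otherwise classify by SSLCIPH."""
    if "SECPROT" in record:
        return SECPROT_NAME.get(record["SECPROT"], record["SECPROT"])
    cipher = record.get("SSLCIPH", "")
    if cipher == "":
        return "NONE"
    return CIPHERSPEC_PROTOCOL.get(cipher, "UNKNOWN")


def audit(text):
    """Return [(channel, protocol, verdict)] for every channel record in text."""
    results = []
    for rec in parse_mqsc(text):
        proto = protocol_of(rec)
        if proto == "SSL 3.0":
            verdict = "FAIL: SSL 3.0 (POODLE); move SSLCIPH to a TLS CipherSpec"
        elif proto == "NONE":
            verdict = "WARN: channel is not SSL/TLS protected"
        elif proto == "UNKNOWN":
            verdict = "WARN: CipherSpec not in table excerpt; check Knowledge Center"
        else:
            verdict = "OK"
        results.append((rec.get("CHANNEL", "?"), proto, verdict))
    return results


# Constructed sample: the post's three channels plus one with no SSLCIPH
# and one whose (real) CipherSpec is outside the table excerpt above.
SAMPLE_CHANNELS = """\
     1 : DISPLAY CHANNEL(*) SSLCIPH
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2.SSL01)  CHLTYPE(SDR)  SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2.SSL02)  CHLTYPE(SDR)  SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2.SSL03)  CHLTYPE(SDR)  SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2.PLAIN)  CHLTYPE(SDR)  SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2.ECC)    CHLTYPE(SDR)  SSLCIPH(ECDHE_ECDSA_AES_256_GCM_SHA384)
"""

SAMPLE_STATUS = """\
     1 : DISPLAY CHSTATUS(QM1.TO.QM2.SSL*) SECPROT
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2.SSL01)  CHLTYPE(SDR)  CONNAME(127.0.0.1(1702))  CURRENT
   RQMNAME(QM2)  SECPROT(SSLV3)  STATUS(RUNNING)  SUBSTATE(MQGET)  XMITQ(QM2.SSL01)
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2.SSL02)  CHLTYPE(SDR)  CONNAME(127.0.0.1(1702))  CURRENT
   RQMNAME(QM2)  SECPROT(TLSV1)  STATUS(RUNNING)  SUBSTATE(MQGET)  XMITQ(QM2.SSL02)
AMQ8417: Display Channel Status details.
   CHANNEL(QM1.TO.QM2.SSL03)  CHLTYPE(SDR)  CONNAME(127.0.0.1(1702))  CURRENT
   RQMNAME(QM2)  SECPROT(TLSV12)  STATUS(RUNNING)  SUBSTATE(MQGET)  XMITQ(QM2.SSL03)
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHANNELS + SAMPLE_STATUS
    for channel, proto, verdict in audit(text):
        print(f"{channel:28} {proto:8} {verdict}")
```

To run it against a real queue manager, capture the output first, for example `echo "DISPLAY CHANNEL(*) SSLCIPH" | runmqsc QM1 > channels.txt`, then pass the file name as the only argument; with no argument it runs over the constructed sample. SECPROT is preferred over the table whenever both are present, because it reports the protocol actually negotiated on the running channel rather than what the CipherSpec name implies.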

SSL Protocol disabled by default

I mentioned earlier that I had to re-enable the SSL protocol in order to run this demonstration. That is the other thing that has changed in V8.0.0 FixPack 2: the SSL V3.0 protocol is now disabled by default. Trying to define a channel using one of the SSL V3.0 CipherSpecs results in an error as follows:-

     1 : DEFINE CHANNEL(QM1.TO.QM2.SSL01) CHLTYPE(SDR) TRPTYPE(TCP) SSLCIPH(TRIPLE_DES_SHA_US) CONNAME('localhost(1701)') XMITQ(QM2.SSL01)
AMQ8242: SSLCIPH definition wrong.

If you still have a requirement (hopefully a short-term one) to use an SSL V3.0 CipherSpec, it is possible to re-enable the SSL V3.0 protocol by adding the following to the SSL stanza of the qm.ini file:-

SSL:
   AllowSSLV3=Y

or by setting the AMQ_SSL_V3_ENABLE=1 environment variable.
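Because there are two ways to turn SSL 3.0 back on, a review of whether it is still enabled needs to look in both places. The script below is an added example (not code from the post or from IBM) that parses qm.ini by stanza and combines the result with the environment variable. It assumes the usual qm.ini layout, namely a stanza header such as `SSL:` at column 0, indented `Key=Value` attribute lines, and comment lines starting with `#` or `;`; the two qm.ini fragments in it are constructed for the example. Parsing by stanza matters because a grep for AllowSSLV3 would also match a commented-out line, or one that somebody put under a different stanza, which is not where MQ reads it.

```python
"""Report whether SSL 3.0 has been re-enabled for a queue manager, either by
AllowSSLV3=Y in the SSL stanza of qm.ini or by AMQ_SSL_V3_ENABLE=1 in the
environment the queue manager (or client) runs with.
"""
import os


def parse_qm_ini(text):
    """Parse qm.ini text into {stanza: {key: value}}.

    Stanza headers are 'Name:' at column 0, attributes are indented Key=Value
    lines, and lines starting with '#' or ';' are comments and are skipped.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank or comment
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]                       # new stanza header
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def sslv3_enabled(qm_ini_text, environ=None):
    """Return (enabled, reasons): True if either re-enable mechanism is active."""
    environ = os.environ if environ is None else environ
    reasons = []
    ssl_stanza = parse_qm_ini(qm_ini_text).get("SSL", {})
    if ssl_stanza.get("AllowSSLV3", "N").upper() == "Y":
        reasons.append("qm.ini SSL stanza sets AllowSSLV3=Y")
    if environ.get("AMQ_SSL_V3_ENABLE") == "1":
        reasons.append("AMQ_SSL_V3_ENABLE=1 is set in the environment")
    return (bool(reasons), reasons)


# Constructed qm.ini fragments (not copied from any real installation).
QM_INI_REENABLED = """\
Log:
   LogPrimaryFiles=3
SSL:
   AllowSSLV3=Y
"""

# Looks enabled to grep, but the live line is in the wrong stanza and the
# line in the SSL stanza is commented out, so SSL 3.0 stays disabled.
QM_INI_DEFAULT = """\
Log:
   LogPrimaryFiles=3
   AllowSSLV3=Y
SSL:
#   AllowSSLV3=Y
"""

if __name__ == "__main__":
    for label, ini in (("re-enabled", QM_INI_REENABLED), ("default", QM_INI_DEFAULT)):
        enabled, reasons = sslv3_enabled(ini, environ={})
        print(f"{label}: SSL 3.0 {'ENABLED' if enabled else 'disabled'} {reasons}")
```

When you run this for real, pass the text of the queue manager's qm.ini and, for the environment, the one the queue manager or client process was actually started with; the environment of the script doing the audit is only a proxy for that.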

The message is clear, however: make sure that you know which protocol you are using. Regularly review your channel CipherSpecs to see whether they still meet your business needs, and STOP using SSL V3.0 CipherSpecs.


Morag Hughson is a Certified IBM MQ Specialist
IBM Certified System Administrator – MQ V8.0
Find her on: LinkedIn: http://uk.linkedin.com/in/moraghughson   Twitter: https://twitter.com/MoragHughson   SlideShare: http://www.slideshare.net/moraghughson
