There was a requirement to disable Week Ciphers or enable Multiple ciphers on the channel and in the QMGR . If the cipher is configured on the channel and if it is considered as a week cipher then we should replace with another cipher but there is not way to disable the week cipher .
Need to enable multiple ciphers on the channel (SDR/SVRCONN/CLUSSDR/…)
From IBM MQ 9.2 LTS onwards it is possible to enable multiple ciphers on the QMGR suing qm.ini SSL stanza (9.1.1 CD also this is available )
SSL:
AllowedCipherSpecs=TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA- A client connecting with ANY_TLS12 will likely use the TLS 1.2 CipherSpec TLS_RSA_WITH_AES_128_GCM_SHA256.
- A client connecting with ANY_TLS12_OR_HIGHER will likely use the TLS 1.3 CipherSpec TLS_AES_128_GCM_SHA256 (assuming the client supports TLS 1.3).
- A client connecting with the TLS 1.0 CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA will use that CipherSpec.
If a CipherSpec is not enabled through the AllowedCipherSpecs attribute, it will not be configured for use during a TLS Handshake.
In the case that the AllowedCipherSpecs attribute is not specified, a default list of enabled ciphers, indicated by the following table, is used.
CipherSpecs order before IBM MQ 9.2.0
| Platform | CipherSpec | Protocol | Enabled by default |
|---|---|---|---|
![[AIX, Linux, Windows]](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/ngalw.gif) ![[z/OS]](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/ngzos.gif) | TLS_RSA_WITH_AES_128_CBC_SHA | TLS 1.0 | No |
![[IBM i]](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/ngibmi.gif) | AES_SHA_US | TLS 1.0 | No |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS 1.0 | No |
| All | RC4_SHA_US | SSL v3 | No |
| All | TLS_RSA_WITH_RC4_128_SHA | TLS 1.0 | No |
| All | RC4_MD5_US | SSL v3 | No |
| TLS_RSA_WITH_RC4_128_MD5 | TLS 1.0 | No |
| All | TRIPLE_DES_SHA_US | SSL v3 | No |
| All | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS 1.0 | No |
| DES_SHA_EXPORT1024 | SSL v3 | No |
| All | RC4_56_SHA_EXPORT1024 | SSL v3 | No |
| All | RC4_MD5_EXPORT | SSL v3 | No |
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 | TLS 1.0 | No |
| All | RC2_MD5_EXPORT | SSL v3 | No |
| TLS_RSA_EXPORT_WITH_RC2_40_MD5 | TLS 1.0 | No |
| All | DES_SHA_EXPORT | SSL v3 | No |
| All | TLS_RSA_WITH_DES_CBC_SHA | TLS 1.0 | No |
| All | NULL_SHA | SSL v3 | No |
| TLS_RSA_WITH_NULL_SHA | TLS 1.0 | No |
| All | NULL_MD5 | SSL v3 | No |
| TLS_RSA_WITH_NULL_MD5 | TLS 1.0 | No |
| FIPS_WITH_DES_CBC_SHA | SSL v3 | No |
| FIPS_WITH_3DES_EDE_CBC_SHA | SSL v3 | No |
| All | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | Yes |
| All | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 | Yes |
| All | TLS_RSA_WITH_NULL_SHA256 | TLS 1.2 | No |
| All | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | Yes |
| All | TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | Yes |
| ECDHE_ECDSA_RC4_128_SHA256 | TLS 1.2 | No |
| ECDHE_ECDSA_3DES_EDE_CBC_SHA256 | TLS 1.2 | No |
![[UNIX, Linux, Windows, IBM i]](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/ngmulti.gif) | ECDHE_RSA_RC4_128_SHA256 | TLS 1.2 | No |
| ECDHE_RSA_3DES_EDE_CBC_SHA256 | TLS 1.2 | No |
| All | ECDHE_ECDSA_AES_128_CBC_SHA256 | TLS 1.2 | Yes |
| All | ECDHE_ECDSA_AES_256_CBC_SHA384 | TLS 1.2 | Yes |
| All | ECDHE_RSA_AES_128_CBC_SHA256 | TLS 1.2 | Yes |
| All | ECDHE_RSA_AES_256_CBC_SHA384 | TLS 1.2 | Yes |
| ECDHE_ECDSA_AES_128_GCM_SHA256 | TLS 1.2 | Yes |
| ECDHE_ECDSA_AES_256_GCM_SHA384 | TLS 1.2 | Yes |
| All | ECDHE_RSA_AES_128_GCM_SHA256 | TLS 1.2 | Yes |
| All | ECDHE_RSA_AES_256_GCM_SHA384 | TLS 1.2 | Yes |
| ECDHE_RSA_NULL_SHA256 | TLS 1.2 | No |
| ECDHE_ECDSA_NULL_SHA256 | TLS 1.2 | No |
| TLS_RSA_WITH_NULL_NULL | TLS 1.2 | No |
| TLS_RSA_WITH_RC4_128_SHA256 | TLS 1.2 | No |
| TLS_AES_128_GCM_SHA256 | TLS 1.3 | Yes |
| TLS_AES_256_GCM_SHA384 | TLS 1.3 | Yes |
| TLS_CHACHA20_POLY1305_SHA256 | TLS 1.3 | Yes |
| TLS_AES_128_CCM_SHA256 | TLS 1.3 | Yes |
| TLS_AES_128_CCM_8_SHA256 | TLS 1.3 | Yes |
It is possible for you to provide an alternative set of CipherSpecs that are enabled and in your order of preference for use with IBM MQ channels, either using the AMQ_ALLOWED_CIPHERS environment variable or the AllowedCipherSpecs SSL stanza attribute of the .ini file. You may want to use this setting for either of the following reasons:
- To restrict IBM MQ listeners from accepting incoming channel start requests, unless they use one of the named CipherSpecs.
- To change the order of priority of CipherSpecs that are used in a TLS handshake.
If a different order is desired, then a new order of CipherSpecs can be supplied using the AllowedCipherSpecs attribute of the SSL stanza on IBM MQ for Multiplatforms [z/OS], or the TransportSecurity stanza on IBM MQ for z/OS, with the following rules:
Higher protocol versions are always used, regardless of their position in the list.
Any disabled CipherSpecs are re-enabled if supplied in the list.
The TLS server’s list order has a higher priority than the TLS client.
When TLS 1.3 is enabled, certain CipherSpecs are not supported
It is possible for you to provide an alternative set of CipherSpecs that are enabled and in your order of preference for use with IBM MQ channels, either using the [AIX, Linux, Windows]AMQ_ALLOWED_CIPHERS environment variable or the AllowedCipherSpecs SSL stanza attribute of the .ini file. You may want to use this setting for either of the following reasons:
To restrict IBM MQ listeners from accepting incoming channel start requests, unless they use one of the named CipherSpecs.
To change the order of priority of CipherSpecs that are used in a TLS handshake.
In the below example i have 2 QMGRs QM1 and QM2 with TO.MQ2 channel from QM1 to QM2
on QM1 qm.ini we will enable 2 ciphers
SSL:
AllowTLSV13=TRUE
MinimumRSAKeySize=1
AllowedCipherSpecs=ECDHE_RSA_AES_128_GCM_SHA256, ECDHE_ECDSA_AES_256_GCM_SHA384On QM2 we will enable only one ciphersuite
SSL:
AllowTLSV13=TRUE
MinimumRSAKeySize=1
AllowedCipherSpecs=ECDHE_RSA_AES_128_GCM_SHA256Now on QM SDR channel We will use one cipher from the allowed qm.ini file . So from SDR it will only negotiate with 1 cipher
mqm@ip-172-31-14-154 QM1]$ echo dis chl\(TO.QM2\) |runmqsc QM1
5724-H72 (C) Copyright IBM Corp. 1994, 2020.
Starting MQSC for queue manager QM1.
1 : dis chl(TO.QM2)
AMQ8414I: Display Channel details.
CHANNEL(TO.QM2) CHLTYPE(SDR)
ALTDATE(2021-02-16) ALTTIME(13.33.28)
BATCHHB(0) BATCHINT(0)
BATCHLIM(5000) BATCHSZ(50)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE)
CONNAME(ec2-18-218-83-33.us-east-2.compute.amazonaws.com(1415))
CONVERT(NO) DESCR( )
DISCINT(6000) HBINT(300)
KAINT(AUTO) LOCLADDR( )
LONGRTY(999999999) LONGTMR(1200)
MAXMSGL(4194304) MCANAME( )
MCATYPE(PROCESS) MCAUSER( )
MODENAME( ) MONCHL(QMGR)
MSGDATA( ) MSGEXIT( )
NPMSPEED(FAST) PASSWORD( )
PROPCTL(COMPAT) RCVDATA( )
RCVEXIT( ) RESETSEQ(NO)
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SEQWRAP(999999999) SHORTRTY(10)
SHORTTMR(60)
SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256)
SSLPEER( ) STATCHL(QMGR)
TPNAME( ) TRPTYPE(TCP)
USEDLQ(YES) USERID( )
XMITQ(QM1.XMITQ)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
[mqm@ip-172-31-14-154 QM1]$On QM2 we will try to use ciphersuite alias ANY_TLS12
mqm@ip-172-31-14-154 QM1]$ echo dis chl\(TO.QM2\) |runmqsc QM2
5724-H72 (C) Copyright IBM Corp. 1994, 2020.
Starting MQSC for queue manager QM2.
1 : dis chl(TO.QM2)
AMQ8414I: Display Channel details.
CHANNEL(TO.QM2) CHLTYPE(RCVR)
ALTDATE(2021-02-16) ALTTIME(13.36.31)
BATCHSZ(50) CERTLABL( )
COMPHDR(NONE) COMPMSG(NONE)
DESCR( ) HBINT(300)
KAINT(AUTO) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
MRDATA( ) MREXIT( )
MRRTY(10) MRTMR(1000)
MSGDATA( ) MSGEXIT( )
NPMSPEED(FAST) PUTAUT(DEF)
RCVDATA( ) RCVEXIT( )
RESETSEQ(NO) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SEQWRAP(999999999)
SSLCAUTH(REQUIRED) SSLCIPH(ANY_TLS12)
SSLPEER( ) STATCHL(QMGR)
TRPTYPE(TCP) USEDLQ(YES)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
[mqm@ip-172-31-14-154 QM1]$
Now let us see the channel status for the cipher that used to connect
dis chs(TO.QM2) all
11 : dis chs(TO.QM2) all
AMQ8417I: Display Channel Status details.
CHANNEL(TO.QM2) CHLTYPE(SDR)
BATCHES(0) BATCHSZ(50)
BUFSRCVD(1) BUFSSENT(1)
BYTSRCVD(268) BYTSSENT(268)
CHSTADA(2021-02-16) CHSTATI(13.38.26)
COMPHDR(NONE,NONE) COMPMSG(NONE,NONE)
COMPRATE(0,0) COMPTIME(0,0)
CONNAME(172.31.14.154(1415)) CURLUWID(7BC72B6001579C12)
CURMSGS(0) CURRENT
CURSEQNO(0) EXITTIME(0,0)
HBINT(300) INDOUBT(NO)
JOBNAME(00009D8E00000001) LOCLADDR(172.31.14.154(38846))
LONGRTS(999999999) LSTLUWID(0000000000000000)
LSTMSGDA( ) LSTMSGTI( )
LSTSEQNO(0) MCASTAT(RUNNING)
MONCHL(OFF) MSGS(0)
NETTIME(0,0) NPMSPEED(FAST)
RQMNAME(QM2) SHORTRTS(10)
SECPROT(TLSV12)
SSLCERTI(CN=QM1,OU=MQ Support,O=IBM,ST=Singapore,C=US)
SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) SSLKEYDA( )
SSLKEYTI( )
SSLPEER(SERIALNUMBER=60:1E:07:3F,CN=QM1,OU=MQ Support,O=IBM,ST=Singapore,C=US)
SSLRKEYS(0) STATUS(RUNNING)
STOPREQ(NO) SUBSTATE(MQGET)
XBATCHSZ(0,0) XMITQ(QM1.XMITQ)
XQTIME(0,0) RVERSION(09020001)
RPRODUCT(MQMM) On the below we can see RCVR is negotiated with the same cipher and SSL hand shake is completed .
dis chs(TO.QM2) all
2 : dis chs(TO.QM2) all
AMQ8417I: Display Channel Status details.
CHANNEL(TO.QM2) CHLTYPE(RCVR)
BATCHES(0) BATCHSZ(50)
BUFSRCVD(1) BUFSSENT(1)
BYTSRCVD(268) BYTSSENT(268)
CHSTADA(2021-02-16) CHSTATI(13.38.26)
COMPHDR(NONE,NONE) COMPMSG(NONE,NONE)
COMPRATE(0,0) COMPTIME(0,0)
CONNAME(172.31.14.154) CURLUWID(0000000000000000)
CURMSGS(0) CURRENT
CURSEQNO(0) EXITTIME(0,0)
HBINT(300) INDOUBT(NO)
JOBNAME(00009D0D0000000C) LOCLADDR(::ffff:172.31.14.154(1415))
LSTLUWID(0000000000000000) LSTMSGDA( )
LSTMSGTI( ) LSTSEQNO(0)
MCASTAT(RUNNING) MCAUSER(mqm)
MONCHL(OFF) MSGS(0)
NPMSPEED(FAST) RQMNAME(QM1)
SECPROT(TLSV12)
SSLCERTI(CN=QM1,OU=MQ Support,O=IBM,ST=Singapore,C=US)
SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) SSLKEYDA( )
SSLKEYTI( )
SSLPEER(SERIALNUMBER=60:1E:07:3F,CN=QM1,OU=MQ Support,O=IBM,ST=Singapore,C=US)
SSLRKEYS(0) STATUS(RUNNING)
STOPREQ(NO) SUBSTATE(RECEIVE)
XBATCHSZ(0,0) RVERSION(09020001)
RPRODUCT(MQMM)
With these additional configurations on the Queue Manager and Channel level we can configure multiple ciphers and easy to migrate from one cipher to another cipher .
The same configuration can be used for SVRCONN channel so that client can negotiate with one of the cipher available on both the sides .
Some Notes:
–> The ANY_TLS13_OR_HIGHER alias CipherSpec negotiates the highest level of security that the remote end will allow but will only connect using a TLS 1.3 or higher protocol.
–> To use TLS 1.3, or the ANY CipherSpec, on IBM i the underlying operating system version must support TLS 1.3
The ANY_TLS13 alias CipherSpec represents a subset of acceptable CipherSpecs that use the TLS 1.3 protocol, as listed in this table for each platform.
–> The ANY_TLS12_OR_HIGHER alias CipherSpec negotiates the highest level of security that the remote end will allow but will only connect using a TLS 1.2 or higher protocol.
–> The ANY_TLS12 CipherSpec represents a subset of acceptable CipherSpecs that use the TLS 1.2 protocol, as listed in this table for each platform.
–> The ANY alias CipherSpec negotiates the highest level of security that the remote end will allow.
–> This CipherSpec cannot be used to secure a connection from the IBM MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.
Question)is it possible to configure 2 or more ciphers ( CUSTOM ) on any channel (SVRCONN,SDR,CLSSDR …etc ) with or without AllowedCipherSpecs on qm.ini file ??
I understand from the documentation that using Cipher Suite alias like ANY_TLS12 we can allow multiple that are defined under AllowedCipherSpecs or using AMQ_ALLOWED_CIPHERS environment variable . My requirement is that i need to enable 2 custom ciphers on channel like CIpherA,CIpherB .
Ans)The SSLCIPH attribute of channel specifies an Alias or a single named CipherSpec for a TLS connection, you can not set it like CIpherA,CIpherB .
Refer how to how to check what cipher and protocol is enabled for the IP and port using other link with the openssl code .