TLSv2 with JDk8 Ciphersuites with MQ8?

Question

I want to know TLSv2 with JDk8 Ciphersuites and specs with MQ8?
I created a jks file on MQ8 with 'runmqckm' command on unix
is jks have any dependency on Ciphersuites and Spec on parameter '-sig_alg'

https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083860_.htm

Question on TLSv2 Ciphersuite

SUite<>SPec combination is not working as below site
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
CipherSpec - TLS_RSA_WITH_AES_128_CBC_SHA256
Equivalent CipherSuite - SSL_RSA_WITH_AES_128_CBC_SHA256
Protocol - TLSv1.2
FIPS 140-2 compatible - yes

working
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)

Not working
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_AES_128_CBC_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)

Only 3 TLS Ciphers i can Test as below , what spec i can use?

Oracle CipherSuite
1.TLS_RSA_WITH_NULL_SHA256
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.TLS_RSA_WITH_AES_256_CBC_SHA256

MQ Spec
1.??
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.??

Only 1 cipher  i can use part of TLS (JDK8 + MQ8)?

Working
TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256

Not Working

TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256

ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
     1 : ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
AMQ8242: SSLCIPH definition wrong.

Not working

TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256

MQJE001: Completion Code '2', Reason '2393'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.
        at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:249)
        at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:450)
        at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:487)
        at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:97)
        at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:194)
        at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:868)
        at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:816)
        at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:758)
        at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:200)
        at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:682)
        at MQProducerTLS.main(MQProducerTLS.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2282)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
        at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
        at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
        at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:916)
        at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:235)
        ... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2049)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLocalAddress(RemoteTCPConnection.java:861)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1277)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:863)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1730)
        ... 15 more
Caused by: java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers
        at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:81)
        at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2461)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2041)
        ... 22 more

Update on 20-Feb-2017

when sample code , placed in application getting below Authorization errors New Question link as below

http://stackoverflow.com/questions/42347461/authorization-errors-with-mq8-jdk8

Answer 1

Regarding the -sig_alg flag for the runmqckm command, the details below are in the link you provided:

The hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly-created certificate or certificate request.

In shore the -sig_alg flag for the runmqckm command is not related to the CipherSuite your specify in Java or the CipherSpec you specify on the MQ SVRCONN channel.

In my answer to your previous question "mq-error-on-ssl-enabled I provided this information:

The table in the APAR IV66840 has this information:

The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v7.1 and v7.5 where the classes for Java and classes for JMS support SHA-2:￴

Oracle CipherSuite              IBM MQ CipherSpec
TLS_RSA_WITH_NULL_SHA256        TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256

If you follow the link to APAR IV66840 I provided you will find the same type of information regarding MQ v8.0:

The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v8:

CipherSuite                     --> CipherSpec
...
TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256
...
TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256
...
TLS_RSA_WITH_NULL_SHA256        --> TLS_RSA_WITH_NULL_SHA256

---

UPDATE (2017/02/16) to address further questions

Question 1: TLS_RSA_WITH_NULL_SHA256 Not Working

Answer: TLS_RSA_WITH_NULL_SHA256is considered a weak Cipher Specification since it does not provide encryption of the data and is disabled by default in v8.0.

If you really want to use this weak Cipher Specification you would either set the following Environment variable before you start the Queue Manager:

AMQ_SSL_WEAK_CIPHER_ENABLE=TLS_RSA_WITH_NULL_SHA256

Or add the following to the SSL: stanza of the qm.ini and start the Queue Manager:

SSL:
   AllowWeakCipherSpec=TLS_RSA_WITH_NULL_SHA256

Below is more detail on this subject.

In my Answer to your prior question"MQ Error on SSL enabled" I provided the following information:

There is a very good IBM developerWorks blog post "SSL and TLS Cipher Specification Deprecations for the MQ Product" posted May 19 2016 by Miguel A. Rodriguez that goes into detail about which ciphers are deprecated in various Fix Packs.

In that link it states:

V. With the release IBM MQ V8.0.0.3, SSL and weak TLS Cipher Specifications continue to be deprecated (disabled), as in the prior versions mentioned above, but now weak Cipher Specifications require a new value. This change is for both SSL and weak TLS Cipher Specifications.

AMQ_SSL_WEAK_CIPHER_ENABLE=Value
or
SSL:
AllowWeakCipherSpec=Value

The accepted values for the environment variable or queue manager configuration setting is as follows:

• A single SSL or Weak TLS Cipher Specification Name.
• A string of SSL or Weak TLS Cipher Specification names delimited by commas.
• The value of "ALL" to enable all SSL and all weak TLS Cipher Specifications.

. . .

VI. Deprecated (disabled) SSL Cipher Specifications and Weak TLS Cipher Specifications.

NOTE: These are the Cipher Specifications that REQUIRE the environment variables or qm.ini setting discussed previously, in order to use them for encrypted communications.

Below is a list of deprecated (disabled) Cipher Specifications categorized by the protocol, the version, and applicable Operating System. Details concerning deprecated Cipher Specifications can be found in product documentation section "Deprecated CipherSpecs."

SSL V3
All CipherSpecs are disabled by default

TLS 1.0
Cipher Specification Operating System
TLS_RSA_EXPORT_WITH_RC2_40_MD5 IBMi
TLS_RSA_EXPORT_WITH_RC4_40_MD5 IBMi
TLS_RSA_WITH_DES_CBC_SHA All Platforms
TLS_RSA_WITH_NULL_MD5 IBMi
TLS_RSA_WITH_NULL_SHA IBMi
TLS_RSA_WITH_RC4_128_MD5 IBMi

TLS 1.2
Cipher Specification Operating System
ECDHE_ECDSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_ECDSA_RC4_128_SHA256 Linux,Windows,Unix
ECDHE_RSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_RSA_RC4_128_SHA256 Linux,Windows,Unix
TLS_RSA_WITH_NULL_NULL Linux,Windows,Unix
TLS_RSA_WITH_NULL_SHA256 All Platforms
TLS_RSA_WITH_RC4_128_SHA256 Linux,Windows,Unix

---

Question 2: TLS_RSA_WITH_AES_256_CBC_SHA256 Not Working

Answer: Reusing the same Answer to your prior question"MQ Error on SSL enabled" I provided the following information:

After searching on the error you are receiving I found this dW Answers post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?". It states that the following:

In this case, the issue is caused by attempting to use AES 256 strong cipher algorithms.

Most Java JREs, including Oracle/Sun and IBM's have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms.

When trying to use a AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with a MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

This is noted in the JDK/JRE documentation: For Oracle 1.7:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

The link above to the oracle site states:

If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

It is the user's responsibility to verify that this action is permissible under local regulations.

I would suggest that you either use the lower CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256, or follow the advise above to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files.