Having got a TLS client to MQ working, I know much more about this topic than before I started. Below is some information I wish I had known before starting my project. The discussion applies mainly to TLS 1.2, as there are significant changes and simplification in TLS 1.3.
- Do you have any standards you need to follow for TLS definitions, for example what levels of certificate are allowed, what cipher specs are allowed, what cipher specs are disallowed.
- Organisation often have multiple queue managers for availability reasons. If a client can talk to a variety of queue managers the definitions need to be consistent. Do you give each queue manager a unique certificate with a similar DN, or does each queue manager use the same certificate? If you give each queue manager their own DN, you may have to do additional work for SSLPEER and CHLAUTH definitions. If you create a new queue manager then existing clients should not have to change their definitions.
- You may have clients with different certificate formats, and DN formats, for example from different enterprises accessing your queue manager. Your server needs to be able to support these. You may have no control of the DN’s of clients outside of your domain.
- You can have the client authenticating with the server, where the server checks details from the DN in the clients certificate.
- You can have the client authenticate the server. The server sends a certificate to the client, for the client to validate.
- You can specify a certificate on the svrconn channel definition at the server, and the DN from this certificate will be used.
- If there is no certificate on the channel definition, the queue manager’s certificate is used to provide the DN.
- You need to ensure that the CA certificates (and any self signed certificates) are stored in the server’s and/or client’s keystore.
Queue manager specific
- Each channel can have a different certificate. You need to decide if you want the certificate type of RSA or EC. Before MQ 9.1.1 it was difficult to change it once it had been established. It does not matter how the certificate is signed (EC or RSA), or what message digest (eg -md SHA256) is used. You can restrict what RSA key sizes you accept for a certificate or CA. See MinimumRSAKeySize. It is easier to change your certifcate if you can use the ANY_TLS... cipher specs lists in MQ 9.1.1 and later.
- The cipher spec used by each channel must support the server’s certificate type. Different channels can have different symmetrical encryption and hash algorithm values in the cipher suite. For example one channel could have TLS_RSA_WITH_AES_256_GCM_SHA384 and another channel have TLS_RSA_WITH_AES_256_CBC_SHA256 both support a certificate type of RSA, but have different symmetrical encryption and hash algorithm values.
- Before MQ 9.1 each you could only specify one cipher spec value for a channel. It had to be the same at each end, and so all clients for a channel had to have the same cipher spec.
- With 9.1.1 the server and the clients can support ANY_TLSxx which is a list of available cipher specs. This means different clients can now have have different cipher specs for the same channel.
Which certificate is used on the server?
A certificate can be used for two purposes
- Specifying what key exchange algorithm to use
- For authentication
Certificates in an MQ server are used in two places
- For inbound channels the CERTLABL(…) certificate is used as part of the handshake to identify how the key exchange will be done. If a channel does not have a CERTLABL then it will use the queue manager defined value. The certificate could be generated with certificate type RSA or Elliptic Curve (ECDSA). See ALTER QMGR here.
- What is sent down to the client for authentication. The certificate is checked and the DN extracted. The certificate type is not used. The documentation says
- Channel attribute CERTLABL:Certificate label for this channel to use. The label identifies which personal certificate in the key repository is sent to the remote peer. If this attribute is blank, the certificate is determined by the queue manager CERTLABL parameter.
- Note that inbound channels only send the configured certificate if the IBM® MQ version of the remote peer fully supports (requests) certificate label configuration, and the channel is using a TLS CipherSpec. See Interoperability of Elliptic Curve and RSA CipherSpecs for further information.
Setting up the handshake.
Both ends of a TLS connection need to agree the technique that will be used to agree secret keys. The value_WITH of the cipher spec names give information about what they support. For example
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 supports ECDSA keys
- TLS_RSA_WITH_AES_256_GCM_SHA384 supports RSA keys.
You generate a certificate with a type of RSA or EC. You can display the certificate type using
runmqakm -cert -details -db zzserver.kdb -type cms -stashed -label RSA_SERVER
This gives information like
- Public Key Type : EC_ecPublicKey Parameters: namedCurve: EC_NamedCurve_secp256r1
- Public Key Type : RSA
The client sends up a list of one or more cipher specs it can support. The server has a list of one or more cipher specs it supports. The common subset is used to check the server’s certificate. If the certificate is not compatible with the subset then the request will fail with AMQ9616E: The CipherSpec … proposed by remote host …. is not enabled.
Once the key exchange parameters are agreed, the other parameters have to match. For example with
The symmetric data encryption techniques GCM/CBC do not match, nor do the hashing algorithms SHA256 and SHA384. This causes message AMQ9631E.
The documentation, for example Migrating existing security configurations to use the ANY_TLS12_OR_HIGHER CipherSpec is a little simplistic where it says change the value of the CipherSpec for the channel definition at each end, and then restart the channels for the change to take effect. It can be challenging updating and restarting 1000 channels cross multiple organisations; it is better to do a rolling upgrade.
Before MQ V9.1.x you had to specify the same cipher spec at both ends of a channel. In MQ 9.1.x you can specify ANY_TLS12 at the server to accept any of the cipher specs in a list.