MQ Appliance 9.3.4: SHA2 signature support for SSH certificates

By Alex Chatt posted Thu November 02, 2023 05:48 AM

The IBM MQ Appliance is a hardware offering that provides a dedicated and optimised platform for hosting IBM MQ queue managers. It includes integrated support for high availability (HA), disaster recovery (DR) and IBM MQ Advanced capabilities, such as Advanced Message Security (AMS). You can read more about the appliance at https://www.ibm.com/products/mq/appliance.

From version 9.3.4, the MQ Appliance supports the “rsa-sha2-256” and “rsa-sha2-512” SHA2 signatures for SSH certificates.

SHA2 signatures for SSH certificates

In 9.3.3, we added the ability for users to log in to the MQ Appliance with an SSH CA-signed certificate. The CA key, the user certificate, and the CA-signed SSH certificate had to be generated with a SHA1 signature, like so:

# Generate the CA key pair (ssh-rsa, i.e. SHA1 signatures)
ssh-keygen -t ssh-rsa -b 4096 -f mqa-ssh-user-ca -C mqa-ssh-user-ca
# Generate the admin user's key pair
ssh-keygen -t ssh-rsa -b 4096 -f admin-key -C admin
# Sign the user's public key with the CA key; this writes admin-key-cert.pub
ssh-keygen -t ssh-rsa -s mqa-ssh-user-ca -I admin -n admin admin-key.pub

OpenSSH version 8 uses SHA2 signatures by default, which use a stronger hashing algorithm than SHA1 signatures do. From 9.3.4, the MQ Appliance supports SHA2 signatures as well.

This means that either an "rsa-sha2-256" or an "rsa-sha2-512" signature can be used when generating the CA key, the user certificate, and the CA-signed SSH certificate. The following commands can be used with an OpenSSH v8 client or later.

# Generate the CA key pair (rsa-sha2-512, i.e. SHA2 signatures)
ssh-keygen -t rsa-sha2-512 -b 4096 -f mqa-ssh-user-ca -C mqa-ssh-user-ca
# Generate the admin user's key pair
ssh-keygen -t rsa-sha2-512 -b 4096 -f admin-key -C admin
# Sign the user's public key with the CA key using rsa-sha2-512; this writes admin-key-cert.pub
ssh-keygen -t rsa-sha2-512 -s mqa-ssh-user-ca -I admin -n admin admin-key.pub

You can use the following command to verify the signature algorithm used for your CA-signed user certificate:

ssh-keygen -L -f admin-key-cert.pub

For example, seeing "using rsa-sha2-512" in the output indicates that a SHA2 signature was used.
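If you want to audit many certificates (for example, to find any still carrying a SHA1 "ssh-rsa" signature before clients that disable SHA1 start rejecting them), the check can be done without ssh-keygen by parsing the certificate itself. The following Python is an added example, not code from the IBM post or the appliance; it parses the OpenSSH RSA certificate format and reports the algorithm named in the CA's signature, and build_sample_cert constructs an unverifiable dummy certificate purely as sample input.

```python
import base64
import struct

SHA2_SIGS = {"rsa-sha2-256", "rsa-sha2-512"}   # SHA2 variants; "ssh-rsa" means SHA1

def _read_string(buf, pos):
    """Read one SSH 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_cert(cert_line):
    """Parse one line of an OpenSSH RSA *-cert.pub file into its key fields."""
    buf = base64.b64decode(cert_line.split()[1])
    cert_type, pos = _read_string(buf, 0)
    if cert_type != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("only RSA certificates are handled here")
    for _ in range(3):                      # nonce, e, n (mpints are encoded as strings)
        _, pos = _read_string(buf, pos)
    pos += 8 + 4                            # serial (uint64), certificate type (uint32)
    key_id, pos = _read_string(buf, pos)
    principals_blob, pos = _read_string(buf, pos)
    pos += 8 + 8                            # valid after / valid before (uint64 each)
    for _ in range(4):                      # critical options, extensions, reserved, CA key
        _, pos = _read_string(buf, pos)
    signature, _ = _read_string(buf, pos)
    sig_alg, _ = _read_string(signature, 0)  # signature = string alg + string blob
    principals, p = [], 0
    while p < len(principals_blob):
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    return {"key_id": key_id.decode(), "principals": principals,
            "signature_algorithm": sig_alg.decode()}

def uses_sha2_signature(cert_line):
    """True when the CA signed the certificate with rsa-sha2-256/512 rather than SHA1."""
    return parse_cert(cert_line)["signature_algorithm"] in SHA2_SIGS

def _s(b):
    return struct.pack(">I", len(b)) + b

def build_sample_cert(sig_alg):
    """Constructed, unverifiable dummy certificate used only as parser input."""
    body = (_s(b"ssh-rsa-cert-v01@openssh.com") + _s(b"nonce") + _s(b"\x01\x00\x01")
            + _s(b"\x00" + b"\x7f" * 64) + struct.pack(">QI", 1, 1) + _s(b"admin")
            + _s(_s(b"admin")) + struct.pack(">QQ", 0, 2**64 - 1) + _s(b"") * 3
            + _s(b"ca-public-key") + _s(_s(sig_alg.encode()) + _s(b"\x00" * 512)))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " admin"
```

On a real file, pass each line of admin-key-cert.pub to parse_cert; the parser checks structure only and does not verify the signature, so use ssh-keygen -L as well when you need the CA fingerprint.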

SHA1 signatures are still supported on the MQ Appliance in 9.3.4.

Related to this, newer versions of OpenSSH disable the use of the SHA1 algorithm by default. For example, users of macOS Ventura, which uses OpenSSH version 9, might see the following error if they try to connect to an MQ Appliance running firmware 9.3.3 or earlier.

‘Unable to negotiate with 1.2.3.4 port 22: no matching host key type found. Their offer: ssh-rsa’

Upgrading the appliance to 9.3.4 would resolve this issue, but if you are not ready to do this, another solution is to update your SSH client configuration to re-enable the SHA1 algorithm, which can be done by adding the following definition to your client configuration.

HostKeyAlgorithms +ssh-rsa

Additional information

What’s new and changed for the MQ Appliance in 9.3.4
https://www.ibm.com/docs/en/mq-appliance/9.3?topic=overview-whats-new-changed-in-release-934

What’s new and changed for MQ in 9.3.4
https://www.ibm.com/docs/en/ibm-mq/9.3?topic=934-whats-new-in-mq

SSH authentication for CLI sessions
https://www.ibm.com/docs/en/mq-appliance/9.3?topic=management-ssh-authentication-cli-sessions
