You may also want to look into running ICSF.
Original Message:
Sent: Fri March 25, 2022 09:06 AM
From: Daniel Nordkvist
Subject: Cipher causing mq to check for ICSF
If you look into the AMQERR-log it should point out what is expected.
For me this solved the problem (as I mentioned earlier).
You can change this list so that MQ will prioritize the right one: https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q134760_.html
Look at the heading: Providing a custom list of ordered and enabled CipherSpecs on IBM MQ for Multiplatforms
------------------------------
Daniel Nordkvist
Original Message:
Sent: Fri March 25, 2022 08:50 AM
From: Tom Taylor
Subject: Cipher causing mq to check for ICSF
Hi All
First... thank you for all your input. Second... I'm Mainframe based so Windows is not my forte, but I do understand all your input. The app is MANAGED .NET. The code below is taken directly from IBM doc. Level 2 has reviewed and they see no issue with it. We have tried under Java and have no issues. As you can read, the cipher is being set, but then apparently ignored.
connectionProperties.Add(MQC.HOST_NAME_PROPERTY, "ACMEHOST4");
connectionProperties.Add(MQC.PORT_PROPERTY, 1400);
connectionProperties.Add(MQC.CHANNEL_PROPERTY, "MQT1.CLNTCONN.AZMP");
connectionProperties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
connectionProperties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*USER");
connectionProperties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
MQEnvironment.CertificateLabel = "MQT1-AZ.acme.com";
Tom
------------------------------
Tom Taylor
Original Message:
Sent: Fri March 25, 2022 06:37 AM
From: Ram Subba Rao Chalamalasetti
Subject: Cipher causing mq to check for ICSF
The cipher set in the application is only used to determine the TLS version. On Windows, .NET uses the list of ciphers specified in the Windows Group Policy.
On Linux, .NET uses OpenSSL for TLS communication. The following link has some information on how to set the ciphers on Linux for .NET Core applications:
https://docs.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux
------------------------------
Ram Subba Rao Chalamalasetti
Original Message:
Sent: Fri March 25, 2022 06:18 AM
From: Daniel Nordkvist
Subject: Cipher causing mq to check for ICSF
On Linux managed .NET there is no way to specify a cipher; the one you specify in the connectionfactory is just ignored, from what I have seen. Maybe Windows handles it differently.
------------------------------
Daniel Nordkvist
Original Message:
Sent: Fri March 25, 2022 05:08 AM
From: Morag Hughson
Subject: Cipher causing mq to check for ICSF
It would certainly seem appropriate to only enable the list of cipherspecs on the z/OS queue manager that you are able to support, i.e. not those which require ICSF, but it should be equally possible to configure the .NET client to send up a shorter list (including a list of length 1) in order to be certain of which cipher spec will get chosen for the channel to run. If you're sending up a list of ciphers when using the .NET fully managed client, you would need to use one of the SSLCIPH(ANY*) values so that the channel is happy to run at all.
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Fri March 25, 2022 03:28 AM
From: Daniel Nordkvist
Subject: Cipher causing mq to check for ICSF
I don't think there is a way in a managed .NET client to specify a cipher. .NET actually passes a list of ciphers to MQ and the QM picks the cipher based on a pre-defined order, according to https://www.ibm.com/docs/en/ibm-mq/9.2?topic=cipherspecs-cipherspec-order-in-tls-handshake
You can change this list so that MQ will prioritize the right one: https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q134760_.html
Look at the heading: Providing a custom list of ordered and enabled CipherSpecs on IBM MQ for Multiplatforms
------------------------------
Daniel Nordkvist
Original Message:
Sent: Thu March 24, 2022 04:47 PM
From: Tom Taylor
Subject: Cipher causing mq to check for ICSF
So..
It has been determined through SSL traces on the Mainframe that when cipher negotiations occur, the mainframe will use a cipher that is on the client's cipher list... in this case, a cipher that is higher than what both sides have specified is being used... This cipher requires ICSF on the mainframe, which we do not have running, and thus we get the error.
They have tried to disable all ciphers on the Windows client except for the one we want to use (TLS_RSA_WITH_AES_256_CBC_SHA256) but this seems not to have any effect.
Tom
------------------------------
Tom Taylor
Original Message:
Sent: Thu March 24, 2022 04:36 PM
From: Morag Hughson
Subject: Cipher causing mq to check for ICSF
As it says in the description of error message CSQX629E, "The cipherspecs that use GCM or ephemeral elliptic curve algorithms require ICSF." You say that you are receiving this error when trying to use CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256 which is not one of those CipherSpecs.
This suggests to me that your setup on the .NET side might not be presenting the CipherSpec you think it is and that we should look into that further. Could you tell us more about that setup please?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Wed March 23, 2022 03:48 PM
From: Tom Taylor
Subject: Cipher causing mq to check for ICSF
Hi all
I have an MQ client using .NET trying to connect to z/OS MQ.
We believe we have each side configured properly.
When we try to connect using cipher TLS_RSA_WITH_AES_256_CBC_SHA256
we get z/OS MQ error...
+CSQX629E MQS1 CSQXRESP Channel ???? requires ICSF for SSLCIPH(????)
Any help appreciated.
Tom
------------------------------
Tom Taylor
------------------------------
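Added example (not part of the original thread and not IBM code): a small Python model of the negotiation discussed above, where the queue manager picks the first cipherspec in its own order that the client also offered, and the rule quoted from CSQX629E (GCM or ephemeral elliptic curve requires ICSF) is applied to the result. The suite lists, their ordering and all function names are constructed for illustration.

```python
# Added illustration; the suite lists below are constructed sample data,
# not taken from any real queue manager or Windows policy.

def requires_icsf(suite: str) -> bool:
    """Per the CSQX629E text quoted in the thread: GCM or ephemeral
    elliptic curve cipherspecs require ICSF on z/OS."""
    parts = suite.upper().split("_")
    return "GCM" in parts or "ECDHE" in parts


def negotiate(server_order, client_offer):
    """Server-preference selection: first suite in the server's ordered
    list that the client also offered, or None if nothing is shared."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None


def check(server_order, client_offer):
    """Return (chosen_suite, needs_icsf) for one simulated handshake."""
    chosen = negotiate(server_order, client_offer)
    return chosen, (chosen is not None and requires_icsf(chosen))


WANTED = "TLS_RSA_WITH_AES_256_CBC_SHA256"

# Constructed: what a managed .NET client might offer from the OS policy.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    WANTED,
]

# Constructed: a queue manager order that prefers the stronger suites.
SERVER_DEFAULT = list(CLIENT_OFFER)

# Same order with every ICSF-dependent cipherspec disabled.
SERVER_NO_ICSF = [s for s in SERVER_DEFAULT if not requires_icsf(s)]

if __name__ == "__main__":
    for label, order in (("default", SERVER_DEFAULT), ("restricted", SERVER_NO_ICSF)):
        chosen, icsf = check(order, CLIENT_OFFER)
        print(f"{label:10} -> {chosen} (requires ICSF: {icsf})")
```

With the restricted server list the only shared suite is the CBC one, so the outcome no longer depends on what the client offers first.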