Technical support knowledge for Application Integration Middleware including WebSphere, CICS, BPM, MQ, Broker, IIB, ODM, DataPower, Mobile, Appliances, and more! Following the IBM Social Computing Guidelines - Steve Webb, Joseph Lam
In late 2014, we published Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) . As detailed in the bulletin, the IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to... [More]
The WebSphere Application Server does not contain code that provides for a secure database connection method other than basic userid/password authentication, which is implemented through an authentication alias. However, this does not mean you cannot configure another authentication method. Most of the WebSphere Application Server datasource configuration, with the exception of pool configuration parameters, are properties that are simply passed to a JDBC driver package.
For example, if I create a new datasource... [More]
From MQ 22.214.171.124 onwards, the dreaded AMQ9633 "bad certificate" error message was enhanced with some additional information to help you understand which certificate was rejected and why. This is the most common error seen for SSL/TLS handshake errors and so I'd like to explain how to use the new information to understand the cause of the error.
Example AMQ9633 error
Below is an example of the new style of message with the new section highlighted in bold text, taken from a queue manager error log:
If there is no cell default certificate SSL setting, then JSSE will pick one.
To set a default do the following:
In your Deployment Manager environment, logon to the Admin console.
Go to Security --> SSL certificates and key management --> manage endpoint security configurations.
Under inbound, select the entry that contains your cell name followed by "(CellDefaultSSLSettings,)".
Next click on update certificate alias list under SSL configuration.
As an IBMer supporting WebSphere MQ I have always been intrigued by the place known as the Hursley Lab, located in the UK. Finally, on my 15 year anniversary as an IBM employee I set off on a trip to visit the place where MQ is developed. I felt somewhat like Charlie going to visit the Chocolate Factory.
I was thrilled to be chosen to participate in an IBM Redbooks residency for publishing a book which will provide information about the MQ version 8 enhancements. MQ V8 was made available in June 2014 and contains... [More]
It is often asked how one can reference two different personal certificates within the same message flow. You may have a requirement where a message flow is hosting a webservice using a SOAPInput/HTTPInput node where the clients send requests to the message flow webservice using https (mutual auth), but this same message flow also communicates with another third party service provider using https (mutual auth). Let us take a look at a couple of commonly used scenarios.
A client sends a request... [More]
Have a few minutes? Come check out the IBM SupportTV channel on YouTube, where you can find short, bite-sized videos that are focused on teaching you a specific task for a bunch of your favorite IBM WebSphere & CICS software products!
New videos are being published every week, so make sure you subscribe to the channel and share it with your friends and colleagues!
Here are some of the newest and the most popular IBM SupportTV episodes:
It has been a while since I wrote about what is hot in the WebSphere MQ (WMQ) support world and there have been quite a few new and helpful documents or articles that have been written or updated since the last time I wrote about what was hot. In case you did not read the previous blogs that I wrote on this topic here are links to the first 2 blog articles because the items in those articles are still relevant today. Many of those items are timeless. They cover topics that someone, somewhere in the world is going to be dealing with... [More]
When we start talking about SSL problems on WebSphere MQ (WMQ), it can be an intimidating topic. Many people do not understand SSL configuration and when they have problems related to SSL they just do not know where to start. Even for the short list of people who do understand SSL configuration in WMQ, troubleshooting a problem can sometimes be a difficult task. In WMQ V7.x, many of the SSL related problems we see are dealing with Java™ or JMS configurations. With this in mind, we have created a technote which we think will help with the... [More]
I wrote a blog article a while ago entitled " What's the talk about in WebSphere Message Broker? " Several months have passed and now people are discussing some different topics in WebSphere Message Broker (WMB) support. So I thought it was time to give you an update on what the hot topics are in the WMB support world. Hopefully these insights into some of the more frequently discussed topics by the WMB support teams will help you avoid having to deal with some of the same problems they see most often. Here, in no specific order, are... [More]
Do you need to have a WebSphere MQ queue manager that is RFC 5280 compliant? The RFC 5280 standard defines the current certificate validation policy for use with SSL and TLS. It specifies the rules which all SSL/TLS applications should ideally follow to reliably determine certificate trustworthiness. The WebSphere MQ Information Center has more information about RFC 5280 and certificate validation policies, see: Certificate validation and trust policy design on UNIX, Linux and Windows systems Users who require RFC 5280 certificate validation... [More]
The task of securing web services can be quite daunting. So many options for SSL configuration on client and server sometimes cause confusion. The WebSphere Message Broker (WMB) Information Center describes these options in detail on the following links: Configuring SOAPInput and SOAPReply nodes to use SSL (HTTPS) Configuring SOAPRequest and SOAPAsyncRequest nodes to use SSL (HTTPS) Here's a quick cheat sheet that may be help you setup SSL for the SOAP nodes. It is important to understand some facts about SSL in Message Broker before getting... [More]
IBM HTTP Server is a full-featured web server included with WebSphere Application Server. It is based on Apache HTTP Server (httpd.apache.org). Web server plug-ins enable the web server to communicate requests for dynamic content, such as servlets, to the application server. A web server plug-in is associated with each web server definition. The configuration file (plugin-cfg.xml) that is generated for each plug-in is based on the applications that are routed through the associated web server.A web server plug-in is used to forward HTTP... [More]
When you are sending messages between queue managers or between clients and queue managers, most of the time there is a need to provide Secure Sockets Layer (SSL) / Transport Layer Security (TLS) in your environment. This type of security has keys that encrypt and decrypt the messages to ensure its integrity as it moves within the network. Thus the message is unable to be tampered with which could cause unwanted harm. There are different ways to secure WebSphere MQ, such as using security exits or user security. However, when you use... [More]
I am Kawsar Kamal from the WebSphere for z/OS defect support team. I came across an interesting scenario recently that makes a good candidate for my first entry into the WebSphere blog. Background: Personal certificates are signed by a Certificate Authority (CA). Both the CA and the personal certificates have a time range between which they are valid. In addition, the certificate start time (and date) must be later than or equal to its signer CA start time, and the certificate end (expiry) time must be earlier than or equal to CA end time. If... [More]