Which version of Weblogic server supports SHA2 cipher suite - weblogic-10.x

I have Weblogic server 10.3.3 and one of our clients wants to use SHA2 type certificate. We enabled JSSE=true in 10.3.3 and noticed slow performance while talking to this SHA2 using client.
Now we plan to upgrade Weblogic server to support communication with clients using SHA2 type certificates.
1) What is the lowest version (10.3.6?) of Weblogic server that we should upgrade to?
2) Where can I find a mapped table of supported cipher suites and Weblogic server versions?
Regards,
DivyaTV

1) 10.3.3 is the lowest version that supports the option to enable SHA2.
2) Since JSSE is the only SSL implementation that is supported, you can use these links to find the supported cipher suites:
JDK 6: http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
JDK 7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

Related

Can I upgrade my MQ version to 9.0 while still using WAS 8.5.5?

My employer has an application running on WAS server 8.5.5. It uses the MQ client adapter to connect to an MQ setup on version 7. Now my employer is upgrading to version 9 on the MQ but wants to retain the WAS server at 8.5.5. Is this possible? In one of the IBM articles I saw the following:
The IBM MQ Version 9.0 resource adapter cannot be deployed into earlier versions of WebSphere Application Server, as these versions are not Java™ EE 7 certified.

If your question is specifically on traditional WAS (rather than Liberty profile), then the answer is yes.
tWAS bundles a level of MQ resource adapter, and this bundled RA inherits the support lifecycle of the application server. [This support does not apply to other versions of the MQ resource adapter that have been manually applied to the tWAS installation, and so using the bundled RA is generally recommended.]
Any supported MQ client can communicate with any supported MQ queue manager, as either side will negotiate the version of MQ communication flows in use down to the mutually appropriate level. This means that the MQ 7.1 resource adapter can communicate with a version 9.0 queue manager, although of course any connections that this client makes will not be eligible to use functionality added to the product after 7.1.

Does WebSphere support for TLSv1.2 with Java 8 and SQL Server JDBC driver 6.0?

While working on certifying TLSv1.2, and based on the below conditions:
The project is deployed on WebSphere 8.5.5.11 application server where only TLSv1.2 is enabled.
SQL server JDBC driver version 6.0 connecting to SQL Server database.
Java 8.
We are facing an issue with the SQL Server JDBC driver and WebSphere: the driver could not establish a secure connection to SQL Server. The error message is: "Only TLS1.2 protocol can be enabled in SP800_131 strict mode".
Is TLSv1.2 supported on the SQL Server JDBC driver with WebSphere application server?
Please consider that the same project is working properly with TLSv1.2 on Tomcat application server.
Part of the error:
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Only TLS1.2 protocol can be enabled in SP800_131 strict mode". ClientConnectionId:960c823d-4db9-4ac2-b2c4-2802a7b432d2
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2400)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1762)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1977)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1628)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1459)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:773)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1168)
at java.sql.DriverManager.getConnection(DriverManager.java:675)
at java.sql.DriverManager.getConnection(DriverManager.java:258)
Caused by: java.lang.IllegalArgumentException: Only TLS1.2 protocol can be enabled in SP800_131 strict mode
at com.ibm.jsse2.Q.a(Q.java:179)
at com.ibm.jsse2.Q.b(Q.java:163)
at com.ibm.jsse2.Q.<init>(Q.java:87)
at com.ibm.jsse2.as.a(as.java:947)
at com.ibm.jsse2.as.<init>(as.java:833)
at com.ibm.jsse2.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:8)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1675)

Setup TLS 1.2 for HTTPS in Mule 3.5

We have an application using Mule standalone 3.5 (I know...) and need to force it to use TLS 1.1 or 1.2 for HTTPS.
We have upgraded to the latest Java 8 (8u112).
We have modified the mule's tls-default.conf to include the following:
enabledProtocols=SSLv2Hello,
TLSv1.1
TLSv1.2
Our HTTPS GET request results in the exception:
No appropriate protocol (protocol is disabled or cipher suites are inappropriate) (javax.net.ssl.SSLHandshakeException)
Is there any way to get Mule 3.5's https connector to use TLS 1.1 or 1.2 for HTTPS?
Our application also uses a Salesforce connector <sfdc:...> which works correctly using TLS 1.2 after our Java upgrade and configuration changes.
Note that Mule 3.5 still has a separate connector for HTTPS (not the combined connector for HTTP/HTTPS that was introduced in 3.6).
We are looking to avoid upgrading to a newer version of Mule since we intended to replace our use of Mule in the near future anyway, and our investigations into upgrading do not indicate that it will be easy.
UPDATE:
In addition to using the fix in Ryan Carter's answer, I also had to fix the mistake in the tls-default.conf by escaping the newlines:
enabledProtocols=SSLv2Hello, \
TLSv1.1 \
TLSv1.2

Yes, the Salesforce connector automatically uses the JDK's default TLS version.
But for the https connector you need to add a property to your https connector:
<https:connector name="https">
<spring:property name="sslType" value="TLSv1.2"/>
</https:connector>
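
The tls-default.conf mistake mentioned in the question's update can be reproduced outside Mule. The following is an added example, not code from the thread or from Mule: it assumes the file is read with `java.util.Properties` and that protocol names are separated by commas and/or whitespace, and the class name `TlsConfCheck` is hypothetical. It loads both forms of the `enabledProtocols` entry and compares the result with the protocols the running JVM's JSSE supports.

```java
import java.io.StringReader;
import java.util.*;
import javax.net.ssl.SSLContext;

// Hypothetical helper class, not part of Mule.
public class TlsConfCheck {
    // Constructed copies of the two tls-default.conf entries from the thread.
    static final String UNESCAPED = "enabledProtocols=SSLv2Hello,\nTLSv1.1\nTLSv1.2\n";
    static final String ESCAPED = "enabledProtocols=SSLv2Hello, \\\nTLSv1.1 \\\nTLSv1.2\n";

    static Properties load(String text) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(text)); // a trailing backslash continues the logical line
        return p;
    }

    // Assumption: the consumer separates protocol names on commas and/or whitespace.
    static Set<String> tokens(String value) {
        Set<String> out = new LinkedHashSet<>();
        if (value != null) {
            for (String t : value.split("[,\\s]+")) {
                if (!t.isEmpty()) out.add(t);
            }
        }
        return out;
    }

    static void report(String label, String text, Set<String> supported) throws Exception {
        Properties p = load(text);
        Set<String> requested = tokens(p.getProperty("enabledProtocols"));
        Set<String> versions = new LinkedHashSet<>(requested);
        versions.retainAll(supported);   // drop names this JVM's JSSE does not know
        versions.remove("SSLv2Hello");   // a ClientHello format, not a protocol version
        System.out.println(label + ": keys=" + new TreeSet<>(p.stringPropertyNames()));
        System.out.println("  enabledProtocols=" + requested + " -> usable versions=" + versions);
        if (versions.isEmpty()) {
            System.out.println("  no TLS version left to negotiate");
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        System.out.println("JVM supports: " + supported);
        report("unescaped", UNESCAPED, supported);
        report("escaped", ESCAPED, supported);
    }
}
```

With the unescaped form, `TLSv1.1` and `TLSv1.2` are loaded as separate keys with empty values, so `enabledProtocols` contains only `SSLv2Hello`.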

Client jar file version for IBM MQ7 and MQ8

Our product will support IBM MQ7 and MQ8 based on client requirement. Now, we would like to know the latest client jar version that we may use for our application.
We would like to use the JMS 1.1 specification. I have found the following link for the MQ 7.5 JAR:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q120070_.htm
Is it sufficient if we use the above-mentioned client jar to connect to MQ 7 and MQ 8 servers?
The application will use JRE 1.7 and WAS Liberty 8.5.5.9.

If you are using WebSphere Liberty as your application server, then you will need the MQ JCA Resource Adapter (MQ-RA) to make use of MQ JMS messaging. Liberty (unlike traditional WebSphere Application Server) does not ship a copy of the MQ-RA, but you can download and install one pretty easily and then link to it from within the Liberty server's server.xml configuration file. Here's a link to explain how to do this:
http://www-01.ibm.com/support/docview.wss?uid=swg21633761
Now, Liberty can use a copy of the WebSphere MQ V7.5.0.5 (or later) Resource Adapter, which only supports the JMS 1.1 API, and the Liberty feature you will want to enable with that version is "wmqJmsClient-1.1".
However, I would suggest you consider the latest version of the IBM MQ-RA (at the time of writing this is V9.0.0.0). The MQ V8.0.0.3 and V9 RAs support both the JMS 1.1 "classic" API as well as the newer 2.0 "simplified" API. Therefore you can use the newer MQ-RA levels but your JMS 1.1 application will still work perfectly fine. If using a V8 or V9 IBM MQ-RA, then the Liberty feature to enable is "wmqJmsClient-2.0".
The V7.5, V8 and V9 MQ Resource Adapters can connect to any MQ queue manager version; the major or maintenance versions between the JMS client and the MQ server do not need to match.
For reference, here are a couple of links I recommend reading over as well:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q031610_.htm
http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_dep_msg_wmq.html
http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/rwlp_restrict.html
I hope this helps!

Pmi Client is not created while using with sun java instead of IBM java

My task is to monitor IBM WebSphere through the PMI client. The PMI client is an agent provided by IBM to get MBeans and it runs under IBM Java. I tried to run it under Sun Java, but it fails to create the PmiClient. Did anyone come across this issue?

The IBM JRE has slightly customized classes. This is unfortunately not uncommon with PMI (and also JMX by the way) when working with different WebSphere Application Server versions.
There are hacks around involving copying the relevant IBM implementations and running them with the Sun/Oracle JRE but I don't think that is valid according to the licensing terms. What you really should do is to use the IBM provided JRE.
If you want a riskless shortcut you will build an application (perhaps EJB or servlets) that runs on the WebSphere Application Server and exposes the results from PMI via a custom interface, for instance a web service.
