topic Re: Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues in All Apps and Add-ons

Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues

flee — Mon, 28 Sep 2020 20:15:38 GMT

Hello,

We're using JMS Mod Input. We use the .bindings file to connect to MQ queues. Everything works fine without SSL. Now, we'll need to connect to the queues where the channel is secured with SSL CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA. We have the MQ certificate generated from the server where the queues are defined.

How do we configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues?

Thank you.

Re: Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues

Damien_Dallimor — Mon, 15 Jun 2015 15:34:54 GMT

The JMS Mod Input ships with an sample/experimental LOCAL handler for MQ that you could try to use , rather than using a JNDI bindings file.

https://github.com/damiendallimore/SplunkModularInputsJavaFramework/blob/master/jms/src/com/splunk/modinput/jms/custom/factory/LocalMQConnectionFactory.java

This local handler allows you to pass in several parameters pertaining to SSL, Ciphers , Certs etc..

If you look in the setParams method in the above code , you can see the parameter names that you can pass in.

Then you might set it up in Splunk Web like :

Re: Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues

flee — Mon, 15 Jun 2015 22:42:34 GMT

Is there a way to make it work using the JNDI .bindings file? All of our MQ infrastructures are remote and local installations are prohibitive. Thank you.

Re: Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues

Damien_Dallimor — Tue, 16 Jun 2015 00:04:39 GMT

1) You misunderstand what "local" means in this context. It means you are providing the Java Connection Factory object yourself (LocalMQConnectionFactory) vs looking up the Connection Factory remotely via JNDI (from an LDAP server or Bindings file)

2) May or may not be possible with JNDI , but if you still want to use JNDI , you will need to contact your MQ/JMS admin or do some research(read : googling) to figure out what the necessary settings are for SSL via JMS to MQ. The JMS Mod Input has input parameters to accomodate many JMS client connection permutations , usually by utilizing the "Custom JVM System Properties" parameter.

Re: Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues

flee — Mon, 22 Jun 2015 06:31:42 GMT

Thanks for clarifications. Both options are working.

Re: Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues

splunk_ankman — Tue, 29 Sep 2020 15:23:52 GMT

Try to connect from queue enabled with cipher value :TLS v1.2 cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA256

Cipher suit is enbled at splunk side.

Error at splunk side: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'gbrdsr000002848.intranet.barcapint.com(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'MQ.CLT.SPLK.CHL' to host ''. [3=MQ.CLT.SPLK.CHL]],3=******************(1414),5=RemoteConnection.analyseErrorSegment]

Please help us in resolving the issue.