Solved: Re: Configure JMS Mod Input to use the CipherSpec...

flee · ‎06-12-2015

Hello,

We're using JMS Mod Input. We use the .bindings file to connect to MQ queues. Everything works fine without SSL. Now, we'll need to connect to the queues where the channel is secured with SSL CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA. We have the MQ certificate generated from the server where the queues are defined.

How do we configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues?

Thank you.

Damien_Dallimor · ‎06-15-2015

The JMS Mod Input ships with an sample/experimental LOCAL handler for MQ that you could try to use , rather than using a JNDI bindings file.

https://github.com/damiendallimore/SplunkModularInputsJavaFramework/blob/master/jms/src/com/splunk/m...

This local handler allows you to pass in several parameters pertaining to SSL, Ciphers , Certs etc..

If you look in the setParams method in the above code , you can see the parameter names that you can pass in.

Then you might set it up in Splunk Web like :

View solution in original post

Damien_Dallimor · ‎06-15-2015

The JMS Mod Input ships with an sample/experimental LOCAL handler for MQ that you could try to use , rather than using a JNDI bindings file.

https://github.com/damiendallimore/SplunkModularInputsJavaFramework/blob/master/jms/src/com/splunk/m...

This local handler allows you to pass in several parameters pertaining to SSL, Ciphers , Certs etc..

If you look in the setParams method in the above code , you can see the parameter names that you can pass in.

Then you might set it up in Splunk Web like :

flee · ‎06-15-2015

Is there a way to make it work using the JNDI .bindings file? All of our MQ infrastructures are remote and local installations are prohibitive. Thank you.

Damien_Dallimor · ‎06-15-2015

1) You misunderstand what "local" means in this context. It means you are providing the Java Connection Factory object yourself (LocalMQConnectionFactory) vs looking up the Connection Factory remotely via JNDI (from an LDAP server or Bindings file)

2) May or may not be possible with JNDI , but if you still want to use JNDI , you will need to contact your MQ/JMS admin or do some research(read : googling) to figure out what the necessary settings are for SSL via JMS to MQ. The JMS Mod Input has input parameters to accomodate many JMS client connection permutations , usually by utilizing the "Custom JVM System Properties" parameter.

splunk_ankman · ‎08-18-2017

Try to connect from queue enabled with cipher value :TLS v1.2 cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA256

Cipher suit is enbled at splunk side.

Error at splunk side: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'gbrdsr000002848.intranet.barcapint.com(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'MQ.CLT.SPLK.CHL' to host ''. [3=MQ.CLT.SPLK.CHL]],3=******************(1414),5=RemoteConnection.analyseErrorSegment]

Please help us in resolving the issue.

flee · ‎06-21-2015

Thanks for clarifications. Both options are working.

Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation