Configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues

Path Finder

Hello,

We're using JMS Mod Input. We use the .bindings file to connect to MQ queues. Everything works fine without SSL. Now, we'll need to connect to the queues where the channel is secured with SSL CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA. We have the MQ certificate generated from the server where the queues are defined.

How do we configure JMS Mod Input to use the CipherSpec and the certificate to connect to secured queues?

Thank you.

0 Karma
1 Solution

Ultra Champion

The JMS Mod Input ships with a sample/experimental LOCAL handler for MQ that you could try to use, rather than using a JNDI bindings file.

https://github.com/damiendallimore/SplunkModularInputsJavaFramework/blob/master/jms/src/com/splunk/m...

This local handler allows you to pass in several parameters pertaining to SSL, ciphers, certs, etc.

If you look in the setParams method in the above code, you can see the parameter names that you can pass in.

Then you might set it up in Splunk Web like:

[Image: screenshot of the setup in Splunk Web, not preserved]

0 Karma

Path Finder

Is there a way to make it work using the JNDI .bindings file? All of our MQ infrastructures are remote and local installations are prohibitive. Thank you.

0 Karma

Ultra Champion

1) You misunderstand what "local" means in this context. It means you are providing the Java Connection Factory object yourself (LocalMQConnectionFactory) vs. looking up the Connection Factory remotely via JNDI (from an LDAP server or bindings file).

2) May or may not be possible with JNDI, but if you still want to use JNDI, you will need to contact your MQ/JMS admin or do some research (read: googling) to figure out what the necessary settings are for SSL via JMS to MQ. The JMS Mod Input has input parameters to accommodate many JMS client connection permutations, usually by utilizing the "Custom JVM System Properties" parameter.

Explorer

Trying to connect from a queue enabled with the cipher value: TLS v1.2 cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA256

The cipher suite is enabled on the Splunk side.

Error on the Splunk side: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'gbrdsr000002848.intranet.barcapint.com(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'MQ.CLT.SPLK.CHL' to host ''. [3=MQ.CLT.SPLK.CHL]],3=******************(1414),5=RemoteConnection.analyseErrorSegment]

Please help us in resolving the issue.

0 Karma

Path Finder

Thanks for clarifications. Both options are working.

0 Karma
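
An added example, not part of the thread and not code from the JMS Modular Input project: a JDK-only pre-flight check for the two JVM-side settings discussed above, the cipher suite and the truststore holding the MQ certificate. The class name `MqTlsPreflight` and the default suite argument are assumptions; run it with the same JVM and the same `javax.net.ssl.*` system properties that you give the input.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.SSLContext;

/** Added example (hypothetical class name): checks JSSE settings a TLS-secured MQ channel relies on. */
public class MqTlsPreflight {

    /** True if this JVM's default SSLContext implements the named cipher suite at all. */
    static boolean supported(String suite) throws Exception {
        return Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites())
                .contains(suite);
    }

    /** True if the suite is also enabled by default (not removed by jdk.tls.disabledAlgorithms). */
    static boolean enabledByDefault(String suite) throws Exception {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites())
                .contains(suite);
    }

    /** Loads the truststore and counts its trusted-certificate entries. */
    static int trustedCertCount(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // a null password skips the integrity check on JKS stores
        }
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) count++;
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: suite name passed as first argument; default is the name quoted in the thread.
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_128_CBC_SHA256";
        System.out.println(suite + " supported=" + supported(suite)
                + " enabledByDefault=" + enabledByDefault(suite));
        String path = System.getProperty("javax.net.ssl.trustStore");       // standard JSSE property
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        if (path == null) {
            System.out.println("javax.net.ssl.trustStore not set: the JVM default truststore is used");
            return;
        }
        int n = trustedCertCount(path, pass == null ? null : pass.toCharArray());
        System.out.println(path + ": " + n + " trusted certificate entries"
                + (n == 0 ? " (the queue manager certificate cannot be validated)" : ""));
    }
}
```

A suite reported as supported but not enabled by default means the client will not offer it unless the JVM's security configuration is changed.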