
Shojan_141011
Jan 09, 2014

F5 as an SSL forward proxy for IBM WebSphere MQ

Hello,

 

We designed our WebSphere MQ communication system using F5 as a forward proxy, offloading SSL encryption and authentication to the F5 layer between two queue managers. Unfortunately, for messages greater than 32 KB we are having a problem decoding the SSL-encrypted message coming via F5, because it's not in the format MQ expects.

 

Below is a detailed description of our design and the scenarios we tried out during implementation.

 

 

• The SSL certificate is loaded in Queue Manager A (QMA), and the channel is enabled with Cipher Spec “TRIPLE_DES_SHA_US”.
• The Queue Manager B (QMB) SSL certificate is offloaded in BIG-IP F5. There is no SSL enabled between QMB and F5.
• F5 takes care of the SSL handshake and the encryption and decryption of messages with the QMA SSL-enabled channel.

 

Scenario 1: [Success – No SSL – Two Way]
• Messages are sent successfully between QMB and QMA via F5 without any SSL.
• Messages of any size are transferred successfully between QMB and QMA.

 

Scenario 2: [Success – With SSL for message size below 32 KB – Two Way]
• SSL is enabled in F5 and in the QMA channel.
• Messages of size 32 KB and below are sent successfully from QMB via F5 (where SSL encryption takes place); the messages get decrypted by QMA SSL and are received in the queue.

 

Scenario 3: [Failure – With SSL for message size above 32 KB – One Way from QMB to QMA]
• When a message of size above 32 KB is sent via QMB, the message gets encrypted by F5. But when the message is received in QMA, it is received without the TSH header.

 

Scenario 4: [Success – With SSL for message size above 32 KB – One Way from QMA to QMB]
• When a message of size above 32 KB is sent from QMA, the message is encrypted by QMA; it gets properly decrypted by F5 and passed on to QMB.

 

So our problem is in Scenario 3, for message sizes above 32 KB coming via F5 with SSL enabled.

 

Please let us know if there is any solution for this problem.

 

  • Below is the tcpdump packet comparison for packets coming from the F5 server and the IBM MQ IPT (Internet Pass-Thru) server. Hope this gives some insight into the behavioural change for packets coming out of F5 and MQ IPT.

     

     

  • Hi Shojan

     

    What versions of MQ and BIG-IP are you running? One of my colleagues is building exactly the same solution in a dev lab today so we could work together on this.

     

    Jason

     

  • Great, let me know if you need any information for setting this up. Below are the component versions.

     

    MQ:

     

    Name: WebSphere MQ
    Version: 7.0.1.9
    CMVC level: p701-109-120718
    BuildType: IKAP - (Production)

     

    BIG-IP F5 version: 11.2.1

     

  • Hello Jason,

     

    Were you or your colleague able to replicate the issue in your dev labs? Eager to know if you guys found some solution!

     

    Thanks, Shojan