0

I'm trying to connect over TLS to IBM MQ with JMS. I'm setting TLS_RSA_WITH_AES_256_CBC_SHA256 as SSL cipher spec on the channel in the IBM MQ console.

On the connection factory I do this:

```
cf.setSSLCipherSuite("TLS_RSA_WITH_AES_256_CBC_SHA256")
```

And I get:

```
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE')
```

I've walked through the steps here: https://developer.ibm.com/answers/questions/472052/how-do-i-configure-ssl-tls-between-java-client-and/

I'm unsure if this error means the handshake is failing (due to cert/keystore misconfiguration) or something else.

Sean LeBlanc
  • If you are using a non-IBM jre you need this setting `System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");` – JoshMc Aug 27 '19 at 01:21
  • Possible duplicate of [Problem Connecting a Java Client (JMS) to a IBM MQ](https://stackoverflow.com/questions/52775733/problem-connecting-a-java-client-jms-to-a-ibm-mq) – JoshMc Aug 27 '19 at 01:23
  • I should have mentioned that I am setting that - but via application.properties file. I will try the programmatic version, just to be sure. Also, I will go over the other posting to see what I find. – Sean LeBlanc Sep 03 '19 at 22:52
  • What version of mq jar files are these? The version is 4 digits. Ex. 8.0.0.12 or 9.0.0.7. – JoshMc Sep 03 '19 at 23:04
  • Our version is 9.1.0.0 – Sean LeBlanc Sep 03 '19 at 23:07
  • Can you double check the manifest.mf of `com.ibm.mq*.jar` matches what you expect? – JoshMc Sep 03 '19 at 23:10
  • FYI - getting back to this after being pulled onto other things - I did the programmatic setting above, and apparently what I was doing prior was not getting picked up, as I now get a new error: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR') - so I will work through that. – Sean LeBlanc Sep 09 '19 at 19:17
  • `System.setProperty("javax.net.debug", "ssl");` usually helps in understanding the cause of those errors. – JoshMc Sep 09 '19 at 20:41
  • Sean did you get this working? – JoshMc Sep 24 '19 at 15:19
  • Yeah, I hope to get back to this. Odd you asked today as I started up with this again this morning...looking at doing this: https://developer.ibm.com/answers/questions/472052/how-do-i-configure-ssl-tls-between-java-client-and/ and also using this to troubleshoot: https://www.ibm.com/support/pages/troubleshooting-javajms-ssl-configurations#2 – Sean LeBlanc Sep 24 '19 at 17:32
  • Okay, I did get this working, now the rather strange question I have is how to make this optional, on the client side. I put a switch into the application to make TLS something that one can turn on/off, for development uses. I did this on the channel: `alter channel(DEV.APP.SVRCONN) chltype(svrconn) sslcauth(optional) sslciph(TLS_RSA_WITH_AES_256_CBC_SHA256)` so one would think it would be optional, however not setting the cipher suite on client side makes it fail with `AMQ9641: Remote CipherSpec error for channel`. – Sean LeBlanc Sep 25 '19 at 00:59
  • Add that to your question and I'll include it in my answer. That is `SSLCAUTH`, which is short for SSL Client Auth. This is whether the client must have a private key or not; it is optional. If the client has one it must be trusted. If `SSLPEER` is filled in, this makes it act as if it was `REQUIRED`. You cannot have a single `SVRCONN` that works both with TLS and without. If you do not want TLS you must blank `SSLCIPH`. – JoshMc Sep 25 '19 at 01:10

1 Answer

1

I think you might need to use SSL_RSA_WITH_AES_256_CBC_SHA256 instead of TLS_RSA_WITH_AES_256_CBC_SHA256.

The Knowledge Center documents the differences between IBM and Oracle JREs.

Adam Rice
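Added example, not part of the original question or answer: a JDK-only check of which spelling of the cipher suite name the running JRE's JSSE provider recognises, since the comments and the answer both turn on the `TLS_` versus `SSL_` naming difference between non-IBM and IBM JREs. The class name `CipherSuiteNameCheck` and its `check` helper are hypothetical, and the program uses no IBM MQ classes and never contacts the queue manager.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added example (hypothetical class name): run it with the same JRE as the JMS client. */
public class CipherSuiteNameCheck {

    /** Maps each spelling of the suite to how the default JSSE context treats it. */
    static Map<String, String> check(String suite) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        // Strip the prefix so the same suite is tested under both naming conventions.
        String base = suite.replaceFirst("^(TLS|SSL)_", "");
        Map<String, String> result = new LinkedHashMap<>();
        for (String name : new String[] {"TLS_" + base, "SSL_" + base}) {
            String state = enabled.contains(name) ? "enabled"
                    : supported.contains(name) ? "supported but not enabled"
                    : "unknown to this JRE";
            result.put(name, state);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Default is the suite from the question; pass another name as the first argument.
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA256";

        System.out.println("java.vendor = " + System.getProperty("java.vendor"));
        // The property from the comments; shows whether a -D flag actually reached this JVM.
        System.out.println("com.ibm.mq.cfg.useIBMCipherMappings = "
                + System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings", "(not set)"));

        check(suite).forEach((name, state) -> System.out.println(name + " : " + state));
    }
}
```

Run it with the same `java` binary and `-D` options as the application. If only the `TLS_` spelling is recognised, the JRE uses the non-IBM naming for which the comments recommend `com.ibm.mq.cfg.useIBMCipherMappings=false`.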