4

I have an MQ Spring JMS application that has been working fine using an SSL channel. However, after a recent Java security patch was applied, the application stopped working with the error below.

Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
    at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:209) ~[com.ibm.mqjms-7.5.0.0.jar:7.5.0.0 - p000-L120604]
    ... 45 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.Handshaker.activate(Handshaker.java:438) ~[na:1.6.0_34]
        at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1414) ~[na:1.6.0_34]

I notice that the new java security file has this line added that is causing this failure in SSL connection to MQ.

jdk.tls.disabledAlgorithms=SSLv3

I cannot get this line removed as this is a shared environment. What are my options to make this work? I am using an MQQueueConnectionFactory configured and injected into my Spring JMS components.

Thank you

Mark1234

3 Answers

3

Can you not use this - java.security.Security.setProperty("jdk.tls.disabledAlgorithms","")

This change was introduced in JDK8.

Saikat
2

For reactive support purposes where you have to get this working (as soon as possible), comment out/disable that policy in that security file. This will allow the Spring application to continue as it was before.

But you need to work towards a permanent fix either by using the TLS version of the same cipher or moving to a new TLS cipher.

Umapathy
  • Ok, thanks. Could you explain what is meant by TLS version of same cipher or moving to new TLS cipher? Does it mean I need a different SSL certificate which is TLS specific? I was reading somewhere this is being caused as the server (MQ Qmgr) only understands SSLv3, which is disabled at the client JVM, so does the server (MQ Qmgr) have to be upgraded to talk TLS? How exactly does this TLS/SSLv3 decision take place? – Mark1234 Jul 07 '15 at 11:31
  • You'll have to tell us what version the queue manager is at so we can comment on whether it needs an upgrade to use TLS. However, if it does need an upgrade it is also out of support and could do with said upgrade anyway! – Morag Hughson Jul 07 '15 at 23:18
0

You need to set matching CipherSpecs suited for TLS on both the server connection channel on the queue manager and your client.

This should help with the client side:

http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm

Doing the QM side is easiest by using MQ Explorer and just looking at the SSL properties of the server connection channel specified in the connection factory.

Attila Repasi
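An added diagnostic, not part of any answer above and not IBM or Oracle code: it prints which protocols the local JVM still permits once jdk.tls.disabledAlgorithms is applied, and shows why a client limited to SSLv3 is left with nothing to negotiate (the "No appropriate protocol" condition in the question) while a client using a TLS protocol is not. The class and method names are hypothetical, the two client protocol lists are constructed samples, and the name-based filtering is a simplified model of the JSSE check.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {

    /** Protocols from 'requested' that are not named in a jdk.tls.disabledAlgorithms value. */
    static List<String> usable(List<String> requested, String disabledProperty) {
        List<String> result = new ArrayList<String>(requested);
        if (disabledProperty == null) {
            return result;
        }
        // Entries such as "DH keySize < 768" are not protocol names and match nothing here.
        for (String entry : disabledProperty.split(",")) {
            String name = entry.trim();
            for (int i = result.size() - 1; i >= 0; i--) {
                if (result.get(i).equalsIgnoreCase(name)) {
                    result.remove(i);
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Read the policy the shared java.security file imposes on this JVM.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());

        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        System.out.println("supported by this JVM      = " + supported);
        System.out.println("usable after policy        = " + usable(supported, disabled));

        // Constructed case from the question: client limited to SSLv3, policy disables SSLv3.
        // An empty list means the handshake cannot start.
        List<String> sslv3Only = Arrays.asList("SSLv3");
        System.out.println("SSLv3-only client usable   = " + usable(sslv3Only, "SSLv3"));

        // Constructed case after moving the channel and the client to a TLS CipherSpec.
        List<String> tlsOnly = Arrays.asList("TLSv1");
        System.out.println("TLSv1 client usable        = " + usable(tlsOnly, "SSLv3"));
    }
}
```

Run it with the same JVM and java.security file as the application, so the first three lines reflect the policy the MQ client actually sees.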