8

I am getting the following exception while trying to make a connection with remote MQ from my Java client on my local machine:

com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE')

This is with Java version 1.7, the Oracle JRE, cipher suite 'TLS_RSA_WITH_AES_256_CBC_SHA256' and the following Maven dependencies:

    <dependency>
        <groupId>com.ibm.mq</groupId>
        <artifactId>allclient</artifactId>
        <version>9.0.0</version>
    </dependency>
    <dependency>
        <groupId>com.sun.messaging.mq</groupId>
        <artifactId>fscontext</artifactId>
        <version>4.4.2</version>
    </dependency>
DaveyDaveDave
Waqas Ahmed

3 Answers

12

Update

Updating each point provided before with more current information.

  1. IBM MQ 9.2 and higher now support TLS1.3. The TLS1.3 ciphersuites now use the standard names, which match in both Oracle Java and IBM Java, so the use of -Dcom.ibm.mq.cfg.useIBMCipherMappings=false should no longer be required if you are able to use a TLS1.3 ciphersuite.

  2. The signature algorithm SHA224withRSA is required to use the Oracle Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA256. Oracle JRE 1.7.0_171 or later and 1.8.0_162 or later now come with unlimited strength policy files enabled by default and support SHA224withRSA.

  3. The JCE Unlimited Strength Jurisdiction Policy Files required to use a SHA256 Cipher Suite are now included and enabled by default in the above versions or later.


There are three things that impact this:

  1. If you want to use Oracle JRE you need to set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false; this will allow IBM MQ to use the Oracle Cipher Suite names like TLS_RSA_WITH_AES_256_CBC_SHA256.

  2. The signature algorithm SHA224withRSA is not supported by Oracle JRE 1.7 and is required to use the Oracle Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA256. Based on this you would need to go to Oracle JRE 1.8.

  3. You will need to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files to use a SHA256 Cipher Suite.


The information above is covered in more detail in my answer to another post "MQ Error on SSL enabled".

JoshMc
  • Josh, thanks for your reply. I have already tried -Dcom.ibm.mq.cfg.useIBMCipherMappings=false in the VM arguments, so that IBM MQ uses the Oracle Cipher Suite. Plus, after moving to JDK 8 with UnlimitedJCEPolicyJDK8, I'm still facing the same issue. – Waqas Ahmed May 04 '17 at 05:33
  • Can you look at the manifest in your jar files and confirm they are from MQ v9? – JoshMc May 04 '17 at 05:41
  • Implementation-Title: IBM MQ classes for JMS and Java Implementation-Version: 9.0.0.0 - p900-L160512.4 Implementation-Vendor: IBM Corporation Main-Class: com.ibm.msg.client.commonservices.tools.MainController Class-Path: jms.jar fscontext.jar providerutil.jar JSON4J.jar bcpkix-j dk15on-152.jar bcprov-jdk15on-152.jar – Waqas Ahmed May 04 '17 at 05:48
  • @WaqasAhmed I noticed you tagged the question with weblogic, are you using `JMSAdmin` to create a binding file? If so can you check the binding file in a text editor to make sure that it references `TLS_RSA_WITH_AES_256_CBC_SHA256` not `SSL_RSA_WITH_AES_256_CBC_SHA256` as the CipherSuite? I read that JMSAdmin would need to be edited to include the `-Dcom.ibm.mq.cfg.useIBMCipherMappings=false` setting in order for it to not automatically map the CipherSuite name from TLS_ to IBM Java's SSL_. – JoshMc May 04 '17 at 15:18
  • JoshMc, right now I have stopped working with MQ and moved to Oracle Weblogic JMS. Thanks for your input. I have checked the bindings file and it refers to 'TLS_RSA_WITH_AES_256_CBC_SHA256'. – Waqas Ahmed May 24 '17 at 07:10
  • 4
    Just want to mention that setting `-Dcom.ibm.mq.cfg.useIBMCipherMappings=false` helped me to get SSL encrypted connection working with OpenJDK-1.8 and IBM MQ v8. The cipher I use is also `TLS_RSA_WITH_AES_256_CBC_SHA256` and the JSSE provider in OpenJDK is SunJSSE version 1.8. I didn't do anything in relation to JCE Unlimited Strength Jurisdiction Policy Files. Thanks for the help! – dmitryb Jan 30 '18 at 10:44
  • @dmitryb, can you please share the code sample that is working for you? – Prem Apr 30 '20 at 03:24
  • @dmitryb see my update to the answer, it may explain why you were not required to obtain Unlimited Strength Jurisdiction Policy Files. – JoshMc May 29 '21 at 06:45
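
A JDK-only preflight for the three conditions listed in the answer above, as an added example that is not part of the original answer or of IBM's client code; the class name `MqCipherPreflight` is hypothetical. Run it with the same JVM and the same `-D` flags as the MQ client so the output reflects what the client will see.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added diagnostic (not from the original post): reports the three JVM
// preconditions from the answer, using JDK classes only (Java 7 compatible).
public class MqCipherPreflight {
    // Cipher suite and property name are the ones quoted on this page.
    static final String SUITE = "TLS_RSA_WITH_AES_256_CBC_SHA256";
    static final String MAPPING_PROP = "com.ibm.mq.cfg.useIBMCipherMappings";

    // True if the JSSE provider of this JVM can offer the suite at all.
    static boolean suiteSupported(String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key and trust managers
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        return Arrays.asList(supported).contains(suite);
    }

    // True if some installed security provider implements the algorithm.
    static boolean signatureAvailable(String algorithm) {
        try {
            Signature.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        // Point 1: prints null when the -D flag was not passed to this JVM.
        System.out.println(MAPPING_PROP + " = " + System.getProperty(MAPPING_PROP));
        // Point 2: the signature algorithm the answer says the suite needs.
        System.out.println("SHA224withRSA available: "
                + signatureAvailable("SHA224withRSA"));
        // Point 3: a value below 256 means limited-strength policy is active.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: " + maxAes
                + (maxAes < 256 ? " (unlimited-strength policy NOT active)" : ""));
        System.out.println(SUITE + " supported by JSSE: " + suiteSupported(SUITE));
    }
}
```
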
3

You can also try these additional params:

    -Djavax.net.ssl.trustStorePassword=mqpassword -Djavax.net.ssl.keyStorePassword=mqpassword  -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
Snehal Masne
0

Use this along with the JVM parameter, as an older version can be an issue:

    <dependency>
        <groupId>com.ibm.mq</groupId>
        <artifactId>com.ibm.mq.allclient</artifactId>
        <version>9.1.0.7</version>
    </dependency>
Smart Coder
  • What issues do you know of with 9.0.0 specific to the 2400 error? – JoshMc May 03 '22 at 03:23
  • 7.x MQ version will still have an issue with JVM param. – Smart Coder May 03 '22 at 12:55
  • Per the question they were using 9.0.0, not 7.x, so your answer is not relevant to this question. Note that 7.0 and later, even if out of support, do support the JVM parameter if they are at a fix pack that includes APAR IV66840, 7.0.1.13 for example. – JoshMc May 03 '22 at 16:24
  • My answer was meant for the folks who have similar issues but a lower MQ version. The symptoms would still be the same. – Smart Coder May 03 '22 at 19:18
  • I think in general anything less than 9.1 is out of support and shouldn't be used anyway. – JoshMc May 03 '22 at 22:26