
I am trying to set up a Queue Connection Factory on WAS 7 and 8.5.5 with SSL.

MQ channel cipherspec is tls_rsa_with_aes_128_cbc_sha256.

But whenever I try specifying the respective suite on WAS as ssl_rsa_with_aes_128_cbc_sha256, I get a MQSC_UNSUPPORTED_CIPHER_SUITE.

Cipher tls_rsa_with_aes_128_cbc_sha works just fine (not SHA256).

I have tried enabling TLSv1.2 on WAS.

I tried installing the unrestricted jars as well.

What am I missing? Looking forward to hearing from you. -AJ

  • Hello and welcome to Stack Overflow, please take the time to go through the [welcome tour](https://stackoverflow.com/tour) to know your way around here (and also to earn your first badge), read how to create a [mcve] example and also check [ask] so you increase your chances to get feedback and useful answers. – garfbradaz Jul 18 '17 at 09:58

1 Answer

WebSphere Application Server (WSAS) V7.0 ships the WebSphere MQ V7.0.1 JCA Resource Adapter (WMQ RA).

The V7.0.1 MQ RA does not support the TLS CipherSuite:

SSL_RSA_WITH_AES_128_CBC_SHA256

This is why your application is getting an exception with the MQ reason code, MQRC_UNSUPPORTED_CIPHER_SUITE, when using WSAS V7.0.

WSAS V8.5.5, on the other hand, ships the WMQ V7.1 RA, and support for the above CipherSuite was added in the V7.1.0.3 Fix Pack release. WSAS V8.5.5.2 ships the MQ V7.1.0.4 RA, so this version or later should have the capability to use the SSL_RSA_WITH_AES_128_CBC_SHA256 Java CipherSuite.

a_cornish_pasty
  • v7.1 actually does support TLS_RSA_WITH_AES_128_CBC_SHA256. This is noted in APAR IV66840. I noticed that the spec was missing on the 7.5 KC page and have asked IBM to update it and this can be seen here, IBM MQ v7.5 KC "[SSL CipherSpecs and CipherSuites in WebSphere MQ classes for Java](https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q031290_.htm)". I have now asked them to also update the 7.1 page. You can do the same via the Feedback link on the lower right. – JoshMc Jul 18 '17 at 16:49
  • You're correct JoshMc. I stand corrected. Support was added into the MQ Java client for the CipherSuite SSL_RSA_WITH_AES_128_CBC_SHA256 in 7.1.0.3. WSAS 8.5.5.2 or later should be fine in that case. I'll modify my answer. Thanks – a_cornish_pasty Jul 18 '17 at 17:23
  • Where did you find the info that it was added in 7.1.0.3? Was there an APAR that referenced this information? My reference was indirect since the APAR was talking about the addition of Oracle support for that Cipherspec but I didn't know that it was not around in the original GA release. Looking for other good sources of information. – JoshMc Jul 18 '17 at 17:40
  • Thanks for the replies and comment. – Abhinav Srivastava Jul 20 '17 at 02:45
  • I am trying to set it up on WAS 8.5.5.9. MQ RA is 7.1, JRE is 1.7 SR4 FP1. Do I need to upgrade the JRE to FP2, as I am still getting the same issue? Also, I see this on IBM's site: For full support, including FIPS-compatibility, a user application needs to run on a suitable IBM JRE - Java 6 SR13 FP2 or Java 7 SR4 FP2, and later JRE's will contain appropriate support. – Abhinav Srivastava Jul 20 '17 at 02:47
  • For full support, including FIPS-compatibility, a user application needs to run on a suitable IBM JRE - Java 6 SR13 FP2 or Java 7 SR4 FP2, and later JRE's will contain appropriate support. – Abhinav Srivastava Jul 20 '17 at 02:47
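
Added example, not part of the thread above and not IBM's code: a small diagnostic to run with the same JRE the application server uses, to see whether its JSSE provider offers TLSv1.2 and the AES-128 CBC SHA256 suite at all. The class name `CipherSuiteCheck` is an assumption. It checks the JRE only; the MQ resource adapter keeps its own CipherSuite mapping, which is the layer the answer says raises MQRC_UNSUPPORTED_CIPHER_SUITE.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {

    // Reports whether this JRE's JSSE provider offers the suite for the protocol.
    static String check(String protocol, String suite) throws Exception {
        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance(protocol);
        } catch (NoSuchAlgorithmException e) {
            return protocol + " is not available in this JRE";
        }
        // Default key and trust managers; no network connection is made.
        ctx.init(null, null, null);
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled =
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        // IBM JREs name suites SSL_*, Oracle JREs name the same suites TLS_*,
        // so look for the suite under both prefixes.
        String bare = suite.replaceFirst("^(SSL|TLS)_", "");
        for (String prefix : new String[] {"SSL_", "TLS_"}) {
            String name = prefix + bare;
            if (supported.contains(name)) {
                return name + ": supported, "
                        + (enabled.contains(name) ? "enabled" : "not enabled")
                        + " by default";
            }
        }
        return suite + ": not offered by provider " + ctx.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(System.getProperty("java.vendor") + " "
                + System.getProperty("java.runtime.version"));
        // The suite from the question, then the SHA-1 variant that already works.
        System.out.println(check("TLSv1.2", "SSL_RSA_WITH_AES_128_CBC_SHA256"));
        System.out.println(check("TLSv1.2", "SSL_RSA_WITH_AES_128_CBC_SHA"));
    }
}
```

If the JRE reports the suite as supported and the connection factory still fails, the limit is in the MQ resource adapter level rather than in the JRE.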