I have a "blackbox" application written in Java that connects to MQ. On the Unix server there is an MQ Client installation, version 7.5.0. The Java application is using 1.7.0_79. I have to use SSL_RSA_WITH_AES_256_CBC_SHA256 to make the connection.

I cannot upgrade to MQ Client v8. I am not entirely sure whether I can connect with MQ Client version 7.5.0 and, for instance, use SSL_RSA_WITH_AES_256_CBC_SHA256.

Would it even be possible to establish a connection with these components?

drstonecodez
  • What specific 4 digit MQ version are the `com.ibm.mq*.jar` files from, 7.5.0.8. Which provider is java from, IBM or Oracle? – JoshMc Sep 17 '19 at 13:28
  • IBM MQ versions - 7.5.0-7.x86_64, and Oracle Java 1.7.0_79 (build 1.7.0_79-b15) – drstonecodez Sep 18 '19 at 07:57
  • This should be possible if you have this Java system property set, `-Dcom.ibm.mq.cfg.useIBMCipherMappings=false`, and use ciphersuite value `TLS_RSA_WITH_AES_256_CBC_SHA256`. Note that it does not start with `SSL_` for Oracle Java. I can write this up as an answer if it works for you. Note you need the strong cryptographic provider enabled in Java to support ciphersuites with `AES_256` encryption. – JoshMc Sep 18 '19 at 08:20
  • I have added everything as you advised. Now when it comes to "strong cryptographic provider enable in java" - I have also added JCE (https://www.oracle.com/java/technologies/jce-7-download.html). Is that what you were referring to? So if I now run the application I get an error: Caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2393 (...) java.io.Exception: Invalid keyStore format - which in my case is pkcs12 – drstonecodez Sep 18 '19 at 14:03
  • MQ expects jks format. – JoshMc Sep 18 '19 at 14:29
  • Did changing the keystore to jks work? – JoshMc Sep 19 '19 at 15:56
  • It's close but I am still getting an error: CC=2;RC=2397;AMQ9771 : SSL handshake failed (..) java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available - does this mean Java itself? I am quite puzzled as I installed JCE. – drstonecodez Sep 20 '19 at 07:44
  • It worked. I added BouncyCastle JCE as well. – drstonecodez Sep 20 '19 at 11:49
  • I received a similar error with older Java 7 versions. I think if you moved to a higher Java 7 release or Java 8 or 9 you would not need the BouncyCastle JCE. – JoshMc Sep 20 '19 at 16:03
  • The thing is that this "blackbox" application is running on Java 7 and there is no chance it will change. Anyway, thank you very much for your help. Much appreciated! – drstonecodez Sep 20 '19 at 16:16
  • Hi Pavel, thank you for the feedback. You mention you were at 1.7.0_79; if you moved to 1.7.0_161 it should have the strong crypto provider included and the setting in place to utilize it. This was not the case at _79. I did some tests and it looks like up to _131 it was not supported. – JoshMc Sep 20 '19 at 16:43

1 Answer

IBM added support for non-IBM Java cipher suite names via APAR IV66840; this was included in MQ v7.5.0.5.

What you are asking should be possible if you have the following:

  1. Set this Java system property:
    `-Dcom.ibm.mq.cfg.useIBMCipherMappings=false`
    or
    `System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false")`
  2. Use cipher suite value `TLS_RSA_WITH_AES_256_CBC_SHA256`.
    Note that it does not start with `SSL_` for Oracle Java.
  3. Make sure the strong cryptographic provider is enabled in Java to support ciphersuites with AES256 encryption. It appears that if you upgrade to a higher level of Java 7 (1.7.0_161 for example) this will be included and enabled by default.
  4. Use a JKS keyStore.
JoshMc
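The four steps above, plus the `SHA224withRSA` failure from the comments, can be checked on the JVM before the application is started. The following is an added example, not code from the answer or from IBM: the class name `MqTlsPreflight` and the `KS_PASS` environment variable are assumptions, and it uses only standard JSSE/JCE calls available in Java 7. Run it with the same JVM and the same `-D` flags as the application.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class). Usage:
//   KS_PASS=... java -Dcom.ibm.mq.cfg.useIBMCipherMappings=false MqTlsPreflight /path/to/keystore
public class MqTlsPreflight {
    static final String SUITE = "TLS_RSA_WITH_AES_256_CBC_SHA256";

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Step 1: the MQ property must be "false" so the TLS_ name is accepted.
        report("useIBMCipherMappings=false",
               "false".equals(System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings")));
        // Step 3: the limited JCE policy caps AES at 128 bits.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        report("AES-256 allowed by JCE policy (max=" + maxAes + ")", maxAes >= 256);
        // Step 2: the suite must be known to JSSE under its TLS_ name.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        report(SUITE + " supported by JSSE", Arrays.asList(
               ctx.getSupportedSSLParameters().getCipherSuites()).contains(SUITE));
        // Handshake error from the comments: no provider offers this signature.
        boolean hasSig = true;
        try {
            Signature.getInstance("SHA224withRSA");
        } catch (java.security.NoSuchAlgorithmException e) {
            hasSig = false;
        }
        report("SHA224withRSA signature available", hasSig);
        // Step 4: a PKCS12 file fails to load as JKS, as seen in the comments.
        boolean jksOk = false;
        String pass = System.getenv("KS_PASS"); // assumed variable name
        if (args.length == 1 && pass != null) {
            try (InputStream in = new FileInputStream(args[0])) {
                KeyStore.getInstance("JKS").load(in, pass.toCharArray());
                jksOk = true;
            } catch (Exception e) {
                System.out.println("  keystore error: " + e);
            }
        }
        report("keystore loads as JKS", jksOk);
    }

    static void report(String what, boolean ok) {
        System.out.println((ok ? "[ OK ] " : "[FAIL] ") + what);
    }
}
```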