0

I'm trying to connect to MQ queue manager which uses 1 way SSL using Java client. Even after following all the steps mentioned in various blogs, I am still getting MQJE001: Completion Code '2', Reason '2400' error.

Please find the java code we are using: enter image description here

JMeter_User
  • 203
  • 3
  • 17

3 Answers3

0

Copying and pasting steps without understanding what they're doing isn't the best way to proceed. The same applies to pasting code as image here.

As per 2400 (0960) (RC2400) error description:

A connection to a queue manager was requested, specifying SSL encryption. However, JSSE reported that it does not support the CipherSuite specified by the application.

Check the CipherSuite specified by the application. Note that the names of JSSE CipherSuites differ from their equivalent CipherSpecs used by the queue manager.

Also, check that JSSE is correctly installed.

So you're trying to use cipher suite which might be supported by MQ but it's not supported by your local Java installation. You could try using Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files or obtaining the JDK from your MQ machine which should have the this ECDHE_RSA_AES_256_CBC_SHA384 cipher suite installed.

More information:

Dmitri T
  • 159,985
  • 5
  • 83
  • 133
0

IBM MQ error 2400 means UNSUPPORTED_CIPHER_SUITE.

Depending on the JDK vendor (IBM/Oracle), you can enable CipherSuite mapping with Java system property com.ibm.mq.cfg.useIBMCipherMappings. Based on your screenshot you want to use ECDHE_RSA_AES_256_CBC_SHA384. If you use the Oracle JDK, you have to do this in Java:

System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");
...
MQEnvironment.sslCipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";

If you are using MQ 9.2, you can also simply configure cipher suite *TLS12ORHIGHER.

Daniel Steinmann
  • 2,119
  • 2
  • 15
  • 25
  • 1
    Note that to use `*TLS12ORHIGHER` on the Java client side the queue manager SVRCONN channel must be set to `ANY_TLS12_OR_HIGHER`. – JoshMc Oct 27 '21 at 14:46
  • @JoshMc You are right. Just had a debugging session today with an MQ server on zOS, and there the cipher alias for the SDR channel did not work and we had to use a fixed cipher; but for the RCVR channel the cipher alias was fine. – Daniel Steinmann Oct 29 '21 at 12:17
  • It applies to any channel that is being connected to, you can always set them to one of the ANY values (SVRCONN, RCVR, SVR or RQSTR that are receiving the connection) the exception is a CLUSRCVR, it shouldn't be updated until all queue managers in the cluster are at 9.2. – JoshMc Oct 29 '21 at 21:39
0

What you are specifying is the queue manager CipherSpec, below is the table from CipherSuite mapping IBM Docs page showing which CipherSuite to use depending on the Java provider.

CipherSpec Equivalent CipherSuite (IBM JRE) Equivalent CipherSuite (Oracle JRE)
ECDHE_RSA_AES_256_CBC_SHA384 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

If you are not using IBM JRE then you must specify the java system property:

com.ibm.mq.cfg.useIBMCipherMappings=false
JoshMc
  • 10,239
  • 2
  • 19
  • 38