
When creating an MQQueueManager object with the following sslCipherSuite:

MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
MQEnvironment.hostname = host;
MQEnvironment.channel  = channel;
MQEnvironment.port = port;
iMQQueueManager = new MQQueueManager(queueMgr);

the manager init raises:

MQJE001: Completion Code '2', Reason '2400'

which should mean "JSSE reported that it does not support the CipherSuite specified by the application" (http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q044280_.htm)

I've configured my Queue Manager -> Channels (Properties) -> SSL -> CipherSpec to: TLS_RSA_WITH_AES_128_CBC_SHA (TLS 1.0, Secure Hash Algorithm, 128-bit AES encryption).

The platform used is:

JAVA 7 (1.7.0_75-b13) 
MQ 7.1 client libs (7.1.0.6-k710-006-141112)
MQ 8.0 server (8.0.0.5)

Here is the stack detail:

Exception in thread "main" com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2400'.
    at com.ibm.mq.MQManagedConnectionJ11.constructMQCD(MQManagedConnectionJ11.java:1434)
    at com.ibm.mq.MQManagedConnectionJ11.constructCNO(MQManagedConnectionJ11.java:1537)
    at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:233)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:588)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:630)
    at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:107)
    at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:205)
    at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:911)
    at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:799)
    at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:750)
    at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:157)
    at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:681)

I guess the issue is on the MQ configuration side, due to the fact that my JRE

SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustAllCerts, new SecureRandom()); // init() returns void, so it cannot be chained
context.getSupportedSSLParameters().getCipherSuites()

returns "TLS_RSA_WITH_AES_128_CBC_SHA" as one of the CipherSuites. But I'm not sure what exactly is wrong in the QMgr configuration. Thanks for any hints.

Marek-A-
  • Sorry, using TLS_RSA_WITH_AES_128_CBC_SHA as MQEnvironment.sslCipherSuite was not correct, even if the cipher is in getSupportedSSLParameters().getCipherSuites(); the client raises [MQJE001: Completion Code '2', Reason '2400'] for any other nonsense string passed as sslCipherSuite. – Marek-A- Oct 05 '16 at 15:25

2 Answers


You should read the following 2 IBM MQ bulletins:

Roger
  • Thanks Roger, I didn't test the connection from the IBM SDK yet, but I'll have to do that, as we deploy the app on WebSphere and Weblogic, and standalone JRE processes also connect to the MQ QManager. – Marek-A- Oct 06 '16 at 07:05

When I take only the MQ-supported ciphers listed at "SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS" and check all ciphers supported by Java version 1.7.0_75, filtered against the MQ-supported ones from the link above, I receive the following result:

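import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SSLSupported {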

    // http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
    static String[] MQ_SUPPORTED = { "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_ECDSA_WITH_NULL_SHA",
            "SSL_ECDHE_ECDSA_WITH_RC4_128_SHA",
            "SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_RSA_WITH_NULL_SHA", 
            "SSL_ECDHE_RSA_WITH_RC4_128_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_FIPS_WITH_DES_CBC_SHA", 
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_AES_128_CBC_SHA", 
            "SSL_RSA_WITH_AES_128_CBC_SHA256",
            "SSL_RSA_WITH_AES_128_GCM_SHA256", 
            "SSL_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_AES_256_CBC_SHA256",
            "SSL_RSA_WITH_AES_256_GCM_SHA384", 
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_NULL_MD5", 
            "SSL_RSA_WITH_NULL_SHA",
            "SSL_RSA_WITH_NULL_SHA256", 
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_RC4_128_SHA" };

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
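        // Create an SSLContext that uses our TrustManager. The TrustManager accepts
        // every certificate; it is used here only to list cipher suites, no connection is made.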
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }

            public void checkClientTrusted(X509Certificate[] certs,
                    String authType) {
            }

            public void checkServerTrusted(X509Certificate[] certs,
                    String authType) {
            }

        } };

        context.init(null, trustAllCerts, new SecureRandom());

        SSLParameters params = context.getSupportedSSLParameters();
        String[] suites = params.getCipherSuites();
        System.out.println("Java version : " + System.getProperty("java.runtime.version"));
        System.out.println("Connecting with " + suites.length + " cipher suites supported:");

        List<String> mqSupported= Arrays.asList(MQ_SUPPORTED);

        for (int i = 0; i < suites.length; i++) 
            if (mqSupported.contains(suites[i])) 
                System.out.println(suites[i]);

    }

}

Java version : 1.7.0_75-b13
Connecting with 63 cipher suites supported:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_MD5

I used the following cipherSuite:

MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

The problem is that the MQ QueueManager reported all of the above as "Weak CipherSpec", e.g.:

(WARNING Weak CipherSpec) SSL 3.0, Secure Hash Algorithm, 168-bit Triple DES encryption

so I had to make configuration changes in the MQ installation: [mq.ini]

SSL:
AllowSSLV3=Y
AllowWeakCipherSpec=ALL

and also (as Roger noted in his response): [java.security]

#   jdk.tls.disabledAlgorithms=SSLv3

Then it starts to communicate over TLSv1, but I'd like to use TLSv1.2 ciphers and it still doesn't work. I used the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (jre7) and also:

SSLContext context = SSLContext.getInstance("TLSv1.2");
SSLContext.setDefault(context);

or

MQEnvironment.sslSocketFactory = new SSLSocketFactoryEx();

with the SSLSocketFactoryEx implementation from this post.

But nothing works well, so I'm still on TLSv1.

Marek-A-
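An added example, not part of the original answer: the filter above matches names by exact string, so a suite the JRE lists as TLS_RSA_WITH_AES_128_CBC_SHA (as the question reports) never matches MQ's SSL_RSA_WITH_AES_128_CBC_SHA spelling. This sketch compares names with the prefix stripped and flags weak suites by name. Treating SSL_ and TLS_ as the same suite, the weak-name markers and the class name CipherSuiteAudit are assumptions made here.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;

public class CipherSuiteAudit {

    // A few entries of the MQ_SUPPORTED list from the answer above (IBM SSL_* naming).
    static final List<String> MQ_SUPPORTED = Arrays.asList(
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
            "SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_AES_128_CBC_SHA256", "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    // Assumed markers of a weak suite: no encryption, export-grade, RC4, DES/3DES, MD5.
    static final String[] WEAK_MARKERS = { "_NULL_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5" };

    // Assumption: the SSL_ and TLS_ prefixes name the same suite, so compare without them.
    static String stripPrefix(String suite) {
        return suite.replaceFirst("^(SSL|TLS)_", "");
    }

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    // Maps each MQ name to the JSSE name this JRE supports for it, under either prefix.
    static Map<String, String> match(List<String> mqNames, String[] jsseNames) {
        Map<String, String> result = new LinkedHashMap<String, String>();
        for (String mq : mqNames) {
            for (String jsse : jsseNames) {
                if (stripPrefix(mq).equals(stripPrefix(jsse))) result.put(mq, jsse);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Uses the JRE's default context; only lists suites, no connection is made.
        String[] jsse = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.println("Java version : " + System.getProperty("java.runtime.version"));
        for (Map.Entry<String, String> e : match(MQ_SUPPORTED, jsse).entrySet()) {
            String naming = e.getKey().equals(e.getValue()) ? "exact name" : "prefix differs";
            String strength = isWeak(e.getKey()) ? "WEAK" : "ok";
            System.out.println(e.getKey() + " -> " + e.getValue() + " [" + naming + ", " + strength + "]");
        }
    }
}
```

Entries marked "prefix differs" are the ones an exact-string filter silently drops; the output depends on the JRE it runs on.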