I am trying to get an existing Java application connect to WebSphere MQ 8. This has worked in the past with other versions of Java and WMQ, but with Java 8 and WMQ8, this doesn't want to work. I am getting:

handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
WRITE: TLSv1.2 Alert, length = 2
called closeSocket()
Exception in thread "main" com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.

I just can't see why this is occurring. I have set the various javax.net.ssl parameters. I use appropriate SSL_TRUSTSTORE & KEYSTORE that I have created. Have a SSL_CIPHERSUITE.

I have tried (almost) all of the documented CipherSuites that WMQ supports; I am working my way through the entire list, with settings and environment like this:

  1. JAVA SSL_CIPHERSUITE = SSL_RSA_WITH_AES_256_CBC_SHA
  2. WMQ Channel SSL_CIPHERSUITE = TLS_RSA_WITH_AES_256_CBC_SHA
  3. MQ Client 7.0.0.1 -- I have tried switching to MQ Client 8, with no improvement
  4. IBM WebSphere MQ, Version: 8.0.0.5
  5. Nothing in AMQERR01.log corresponding to the client error
  6. Oracle Java 8 (Java(TM) SE Runtime Environment (build 1.8.0_60-b27)) -- with SSLv3 enabled (changed jdk.tls.disabledAlgorithms=RC4, DH keySize < 768)

Additional info:

  • The customer (bank) is using MQ 7 so I don't have a choice in the matter of which QM they are using. But I have been testing locally with MQ 8 to check if that is part of the issue.
  • I've tried: -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
  • Using JCE Unlimited Strength Jurisdiction Policy Files from Oracle.
jedison
  • Please update your question with these details: 1. Which SSL_CIPHERSUITE are you using on the Java side, 2. SSLCIPH on the SVRCONN channel, 3. Specific MQ Client version (ex: 8.0.0.6), 4. Specific MQ Server version, 5. any error in the MQ Queue manager AMQERR01.LOG that corresponds to the client error, 6. and if you are using IBM JRE or Oracle JRE. Recent versions of MQ have deprecated SSLv3 and some TLS cipher specs, and I suspect this is what is happening, I can answer your question once you update with the details requested. – JoshMc Apr 03 '17 at 23:46

2 Answers

MQ v7.0 was released June 27th 2008 (Fix Pack 7.0.0.1 was released January 20th 2009) and has been out of support since September 30th 2015 (over 1.5 years). As per my answer below, this version of MQ will not support TLS CipherSuites on an Oracle JRE; while you could update to a later Fix Pack, I would strongly suggest that you move to a supported version of the MQ client. Newer MQ client versions can connect to older MQ queue managers. You can download a Java-only install of MQ 8.0 or MQ 9.0 jar files at the links below:


APAR IV66840 added new functionality to allow users of non-IBM Java runtime environments to make use of TLS CipherSuites.

For v7.0 this is included in Fix Pack 7.0.1.13 (note that Fix Pack 7.0.1.14 was the final for this version).

For 8.0 this is included in Fix Pack 8.0.0.2.

NOTE: This APAR is a client side fix.

To enable this option you would need to do the following:

To enable these non-default mappings for non-IBM runtime environments, the following Java System Property:

com.ibm.mq.cfg.useIBMCipherMappings

must be set to the value:

false

For example, this can be configured by using the JVM argument:

-Dcom.ibm.mq.cfg.useIBMCipherMappings=false

You would then need to specify the CipherSuite as TLS_RSA_WITH_AES_256_CBC_SHA for an Oracle JRE; note that SSL_RSA_WITH_AES_256_CBC_SHA is the IBM JRE CipherSuite name.


After getting past the above you may then run into an AMQ9771, 2393 SSL Initialization error.

dW Answers post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?" states the following:

In this case, the issue is caused by attempting to use AES 256 strong cipher algorithms.

Most Java JREs, including Oracle/Sun and IBM's have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms.

When trying to use an AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with an MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

This is noted in the JDK/JRE documentation: For Oracle 1.7:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

The link above to the oracle site states:

If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

It is the user's responsibility to verify that this action is permissible under local regulations.

If you do get the 2393, follow the advice above to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files.

JoshMc
  • Yes, the customer (bank) is using MQ 7 so I don't have a choice in the matter of which QM they are using. I've tried: -Dcom.ibm.mq.cfg.useIBMCipherMappings=false and the JCE Unlimited Strength Jurisdiction Policy Files from Oracle. All wonderful suggestions, but not a solution yet. – jedison Apr 05 '17 at 10:30
  • @jedison I stated "Newer MQ client versions can connect to older MQ queue managers." so you are fine to use a newer client version, what specific version of MQ client jar files are you using? Do they support the new useIBMCipherMappings setting? What error do you get when using that setting vs not using that setting? – JoshMc Apr 05 '17 at 10:52
  • Currently, I am working with MQ Client 7.0.0.1. My understanding is that the useIBMCipherMappings setting works, and there is no difference in the error. – jedison Apr 05 '17 at 14:39
  • @jedison if you review my answer you will see the useIBMCipherMappings setting was not added in 7.0 until 7.0.1.13. 7.0.0.1 would be unable to use an Oracle JRE with TLS cipherspecs. – JoshMc Apr 05 '17 at 15:52
  • Thanks, @JoshMc, indeed that seems to be where the problem is coming from. – jedison Apr 06 '17 at 13:57
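A small preflight check, added here and not part of either answer or of IBM's MQ client, that tests on the JRE you actually run the two conditions the answer above calls out: whether the Oracle-style suite name is enabled in the default SSLContext (the IBM-style name never will be on an Oracle JRE) and whether AES-256 is permitted by the installed JCE policy. It sets com.ibm.mq.cfg.useIBMCipherMappings programmatically, which is equivalent to the -D flag; the MQEnvironment.sslCipherSuite reference in the final comment assumes the classic com.ibm.mq API.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Checks the two failure modes discussed in the thread before any MQ connect is attempted:
// (1) the CipherSuite name must be one this JRE actually enables
//     (Oracle name TLS_RSA_WITH_AES_256_CBC_SHA vs IBM name SSL_RSA_WITH_AES_256_CBC_SHA),
// (2) AES-256 is only usable once the JCE Unlimited Strength policy is installed.
public class MqTlsPreflight {

    static final String ORACLE_SUITE = "TLS_RSA_WITH_AES_256_CBC_SHA";
    static final String IBM_SUITE    = "SSL_RSA_WITH_AES_256_CBC_SHA";

    /** True if the default SSLContext enables the named suite (respects jdk.tls.disabledAlgorithms). */
    static boolean suiteEnabled(String suite) throws NoSuchAlgorithmException {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        return Arrays.asList(enabled).contains(suite);
    }

    /** True if AES keys of 256 bits are allowed, i.e. the unlimited-strength policy is in effect. */
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        String vendor = System.getProperty("java.vm.vendor", "");
        boolean ibmJre = vendor.contains("IBM");
        String suite = ibmJre ? IBM_SUITE : ORACLE_SUITE;

        if (!ibmJre) {
            // Same effect as -Dcom.ibm.mq.cfg.useIBMCipherMappings=false; only honoured by
            // MQ client 7.0.1.13+ / 8.0.0.2+ (APAR IV66840), as the answer notes.
            System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");
        }

        System.out.println("JRE vendor: " + vendor);
        System.out.println("Suite " + suite + " enabled in default SSLContext: " + suiteEnabled(suite));
        System.out.println("Wrong-vendor name " + (ibmJre ? ORACLE_SUITE : IBM_SUITE)
                + " enabled: " + suiteEnabled(ibmJre ? ORACLE_SUITE : IBM_SUITE));
        System.out.println("AES-256 allowed (JCE unlimited policy): " + aes256Allowed());

        // Once both checks print true, the same suite name is what goes to the MQ client, e.g.
        //   MQEnvironment.sslCipherSuite = suite;   // classic com.ibm.mq API
        // and it must match the SSLCIPH on the SVRCONN channel.
    }
}
```

Run it with the exact JRE and -D options the application uses; a false on the first line explains the SSLHandshakeException in the question, a false on the last line explains the AMQ9771 / 2393 error.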
Did you read this page: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm

Are you using a deprecated CipherSuite?

Roger
  • Yes, I have read this page and many, many others. No, it is not a deprecated CipherSuite. – jedison Apr 04 '17 at 20:57
  • Different JVM, so did you install JCE Unlimited Strength Jurisdiction Policy Files? http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html Without it, you can't do encryption/decryption beyond 128 bits. – Roger Apr 04 '17 at 22:01