I am trying to create a connection to an MQ manager that has SSL auth enabled. I am using Java 1.8.

I have this code

```java
TrustStrategy trustStrategy = new TrustSelfSignedStrategy();
// Load the JKS store named by the QUEUE_KEYSTORE property
KeyStore trustStore = KeyStore.getInstance("JKS");
try (FileInputStream fileInputStream = new FileInputStream(propertyReader.getProperty(QUEUE_KEYSTORE))) {
    trustStore.load(fileInputStream, propertyReader.getProperty(QUEUE_KEYSTOREPASS).toCharArray());
}
// The same store is handed to both the key manager (with a hard-coded key password)
// and the trust manager
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(trustStore, "changeit".toCharArray());
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);

final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

// IBM MQ client-mode connection settings, read from properties
connectionFactory.setTransportType(WMQConstants.WMQ_CM_CLIENT);
connectionFactory.setHostName(propertyReader.getProperty(QUEUE_HOST));
connectionFactory.setQueueManager(propertyReader.getProperty(QUEUE_MANAGER));
connectionFactory.setChannel(propertyReader.getProperty(QUEUE_CHANNEL));
connectionFactory.setSSLCipherSuite(propertyReader.getProperty(QUEUE_CIPHERSUITE));
connectionFactory.setPort(Integer.parseInt(propertyReader.getProperty(QUEUE_PORT)));
connectionFactory.setSSLSocketFactory(sslContext.getSocketFactory());
```

When I try to create the connection I get this exception:

```text
com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
```

I can see the following in the logs:

```text
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
No available cipher suite for TLSv1
handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28                               ......(
called closeSocket()
```

Is this saying that it is still trying to use TLSv1 instead of TLSv1.2? I have JCE unlimited strength enabled in my security file.

Update with details:

IBM MQ Jar Version: 6.0.2.5

```text
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b26)
```

  • Need more info. What version of IBM MQ jar files are you using? Check the `MANIFEST.MF` in a `com.ibm.mq*.jar` file. What specific Java version are you using? Provide the output from `java -version`. Please edit the question and add these details. – JoshMc Mar 12 '20 at 15:05
  • I have updated the question with the details asked for. – Lucross Mar 12 '20 at 15:29
  • This jumps out at me: `Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1`. See https://stackoverflow.com/questions/33089150/enable-tlsv1-2-and-tls-rsa-with-aes-256-cbc-sha256-cipher-suite What is the **server** you're connecting to running? – Andrew Henle Mar 12 '20 at 15:34
  • V6 did not support TLSv1.2. It has also been out of support since 2012. Move to 9.1, it is even on Maven. – JoshMc Mar 12 '20 at 15:41
  • Server is using TLS_RSA_WITH_AES_256_CBC_SHA256 cipher. – Lucross Mar 12 '20 at 15:42
  • The server would not be v6 then. – JoshMc Mar 12 '20 at 17:05
  • If you want to use TLS 1.2 cipher suites you need to move to a version of jar files that supports it. – JoshMc Mar 12 '20 at 17:08
  • Did my answer help you resolve your problem? – JoshMc Mar 13 '20 at 15:14
  • Yes, I just got it all working now. I had some issues migrating to the newer version of the IBM MQ jar, but those are solved now and the connection was established. Thank you very much for your help! – Lucross Mar 13 '20 at 17:01
  • What were the issues? Was it related to the fact that there is now just a single jar (`com.ibm.mq.allclient.jar`) and the Oracle `jms.jar`, vs the older v6 having many different jar files? – JoshMc Mar 13 '20 at 17:44
  • Yeah, that was some of the problem. I needed the `jms-api` jar. I also had to load the MQ jar separately on the classpath instead of including it as part of the application. Before that I was getting a `NullPointerException` while trying to create a `new MQQueueConnectionFactory()`. – Lucross Mar 14 '20 at 19:14
  • @TwishaKotecha Please don't add [unnecessary bold formatting](https://meta.stackoverflow.com/a/327175/6296561) to posts. – Zoe Mar 30 '20 at 14:10
  • Also, this question has been [indirectly referenced on meta](https://meta.stackoverflow.com/q/395928/6296561) and may experience the meta effect. – Zoe Mar 30 '20 at 14:11
  • It doesn't make any sense to use the same file as both keystore and truststore. They serve completely different purposes. Clearly you don't have a private key in your truststore: nor should you. You need a private key and its certificate in your *keystore.* – user207421 Oct 09 '21 at 10:05
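As an added example (not code from the question, the answers, or IBM MQ), this builds the TLSv1.2 context from a key store and a separate trust store, as the last comment recommends, and runs a pre-flight check so that a suite the JVM cannot offer over TLSv1.2 is reported plainly instead of surfacing as MQJE001 reason 2397. It assumes the caller supplies the store paths and passwords (the `propertyReader` keys from the question are not reused); the resulting `getSocketFactory()` is what goes into `connectionFactory.setSSLSocketFactory`, and the check only sees the JVM's own suite list, not any restriction imposed by an old MQ client jar.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

public final class MqTlsContext {

    /** Loads a JKS store; path and password are caller-supplied (assumed, not from the question). */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * TLSv1.2-only context built from two distinct stores: the key store holds the client's
     * private key and certificate, the trust store holds the queue manager's CA certificate.
     */
    static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);   // password of the private key entry, not of the trust store
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /**
     * Pre-flight check run before connecting. The SHA256 suites (e.g. TLS_RSA_WITH_AES_256_CBC_SHA256)
     * are defined for TLS 1.2 only, which is why the JVM log discards them "for TLSv1"; if TLSv1.2 or
     * the suite is missing from this JVM's supported lists, fail here with a readable reason.
     */
    static void requireSuiteForTls12(SSLContext ctx, String cipherSuite) {
        SSLEngine engine = ctx.createSSLEngine();
        if (!Arrays.asList(engine.getSupportedProtocols()).contains("TLSv1.2")) {
            throw new IllegalStateException("this JVM does not support TLSv1.2");
        }
        if (!Arrays.asList(engine.getSupportedCipherSuites()).contains(cipherSuite)) {
            throw new IllegalStateException(cipherSuite + " is not available in this JVM; check the JCE"
                    + " unlimited-strength policy and jdk.tls.disabledAlgorithms in java.security");
        }
    }
}
```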

2 Answers

You have stated you are using IBM MQ jar files from v6.0.2.5; this went out of support from IBM on September 30th, 2012. See the end of this question for additional details on the only CipherSuites that were supported in that old version.

You can use Maven to get the current IBM MQ v9.1.0.4 LTS supported client at the following link:

MVN REPOSITORY » com.ibm.mq com.ibm.mq.allclient

I checked old documentation saved as PDF, and MQ v6 only supported SSL and TLS 1.0 ciphers; the list is below:

```text
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_FIPS_WITH_DES_CBC_SHA
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
```

I was facing the same issue in OpenJDK 1.8; after spending a lot of time searching for a solution, I resolved it by changing the property below in the java.security file.

```text
security.overridePropertiesFile=false
```

Change this property to false if it is true in your case.
