
I am trying to establish a connection to the MQ service

For SSL connection I use the commands

    -Djavax.net.ssl.trustStore=/opt/app/key.jks
    -Djavax.net.ssl.trustStorePassword=111111

Application.properties config

    ibm.mq.connName=10.20.31.25(1414)
    ibm.mq.channel=OIV.CHAN
    ibm.mq.queueManager=OIV
    ibm.mq.user=TEST
    ibm.mq.password=passw0rd
    ibm.mq.ssl-cipher-spec=TLS_RSA_WITH_AES_256_CBC_SHA

When the application starts, everything is ok

    INFO  IbmJmsConfiguration - Initializing SSL context: protocol=TLSv1.2, keyStore=null, trustStore=/opt/app/key.jks
    INFO  IbmJmsConfiguration - SSL context initialized: keyManagers item(s) = 0, trustManagers item(s) = 1

But when making a request to MQ, I get an error

    Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA256]

text error

    Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA],3=10.90.51.15/10.90.50.15:1414 (10.96.51.15),4=SSLSocket.createSocket,5=default]
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2360)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.bindAndConnectSocket(RemoteTCPConnection.java:816)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1381)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:976)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getNewConnection(RemoteConnectionSpecification.java:553)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:233)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:141)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:127)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP$Connector.jmqiConnect(RemoteFAP.java:13302)
        ... 74 common frames omitted
    Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA
        at sun.security.ssl.CipherSuite.valueOf(CipherSuite.java:228)
        at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:79)
        at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2491)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2351)
        ... 82 common frames omitted

  • If you are not using an IBM Java then you need the following Java system property: `com.ibm.mq.cfg.useIBMCipherMappings=false`. Note your configuration lists `TLS_RSA_WITH_AES_256_CBC_SHA` which is an Oracle Java TLS1.0 ciphersuite. The error lists `SSL_RSA_WITH_AES_256_CBC_SHA256` which is an IBM TLS1.2 ciphersuite. Can you confirm what you are actually specifying and what the output of `java -version` is? Also what version of IBM MQ are your jar files from? – JoshMc Nov 08 '20 at 17:57
  • 1) I have this property: com.ibm.mq.cfg.useIBMCipherMappings=false 2) TLS_RSA_WITH_AES_256_CBC_SHA, it's TLS 1.2 https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/ 3) java version "1.8.0_271" 4) my jars, gradle: com.ibm.mq.allclient9.1.2.0 and mq-jms-spring-bootstarter2.1.2 – Александр Nov 09 '20 at 00:57
  • Can you update your question with the right configuration? Currently it shows the TLS1.0 ciphersuite. In addition the error shows `Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA256` which indicates it is being changed from your configuration unless this error was from a time when you tried that value. – JoshMc Nov 09 '20 at 02:43
  • Thanks for the answer. I need TLS 1.2. What in my configuration shows TLS1.0? Yes, for some reason I specify TLS_RSA_WITH_AES_256_CBC_SHA and the error shows a completely different one – Александр Nov 09 '20 at 06:12
  • `TLS_RSA_WITH_AES_256_CBC_SHA` is TLS1.0 in IBM MQ, see this knowledge center [page](https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm). Try `TLS_RSA_WITH_AES_256_CBC_SHA256` instead for a TLS1.2 ciphersuite. – JoshMc Nov 09 '20 at 06:13
  • Changed to TLS_RSA_WITH_AES_256_CBC_SHA256, same error :( – Александр Nov 09 '20 at 07:18
  • Can you add the full stack of the latest error to your question above by clicking edit? – JoshMc Nov 09 '20 at 07:33
  • added an error trace – Александр Nov 09 '20 at 21:19
  • This still points to lack of `com.ibm.mq.cfg.useIBMCipherMappings=false`, but I've also never seen the ciphersuite being changed from `TLS_RSA_WITH_AES_256_CBC_SHA256` to `SSL_RSA_WITH_AES_256_CBC_SHA256`. Can you run an IBM MQ classes for JMS trace and check that it is picking up the property? – JoshMc Nov 09 '20 at 21:41
  • I see the issue: however you are setting the Java system property `com.ibm.mq.cfg.useIBMCipherMappings=false`, it is not taking effect. I noticed that your Spring Boot config has `ibm.mq.ssl-cipher-spec=`; when I checked the GitHub site it looks like it should be `ibm.mq.sslCipherSpec=`. In any case, if you set a cipherspec without the Java system property set to false, it will map the cipherspec to the IBM Java ciphersuite name; this is where the SSL_ comes from. If you set the Java system property it will not translate it, as the cipherspec and Oracle Java ciphersuite match. – JoshMc Nov 09 '20 at 23:19
  • With the mq-jms-spring-boot-starter it also appears you can specify `ibm.mq.useIBMCipherMapping=false` in your properties config to have the java system property set for you. – JoshMc Nov 09 '20 at 23:56
  • If you had used `ibm.mq.sslCipherSuite` instead you would still have a problem since without the Java system property it would return a 2400 error instead of a 2393. – JoshMc Nov 10 '20 at 00:25
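
A JVM-side check for the two points raised in the comments above, as an added example that is not part of the original thread and is not IBM's code: it reports whether `com.ibm.mq.cfg.useIBMCipherMappings` is visible as a system property in the running JVM, and asks the JSSE provider whether it accepts each cipher suite name seen in the question and the error. It uses only JDK classes; the class name `CipherSuiteCheck` is hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.List;

// Added example (hypothetical class name); JDK APIs only, no IBM MQ classes.
public class CipherSuiteCheck {

    // Suite names that appear in the question's config and in the error text.
    static final List<String> NAMES = Arrays.asList(
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
            "SSL_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_AES_256_CBC_SHA256");

    // True if this JVM's JSSE provider accepts the name in
    // setEnabledCipherSuites; an unknown name is rejected with
    // IllegalArgumentException, as in the stack trace above.
    static boolean accepted(SSLContext ctx, String suite) {
        SSLEngine engine = ctx.createSSLEngine();
        try {
            engine.setEnabledCipherSuites(new String[] { suite });
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        // null here means the -D option never reached this JVM.
        System.out.println("com.ibm.mq.cfg.useIBMCipherMappings = "
                + System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings"));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key and trust managers
        List<String> enabledByDefault =
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        for (String name : NAMES) {
            System.out.printf("%-34s accepted=%-5b enabledByDefault=%b%n",
                    name, accepted(ctx, name), enabledByDefault.contains(name));
        }
    }
}
```

Run it with the same JVM binary and the same `-D` options as the application, so the property line reflects what the MQ client would see.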

0 Answers