I wrote a program to put messages into MQ. It works fine when I don't have SSL configuration in place. If I configure SSL in the QueueManager and Channel, I always get: An MQException occurred: Completion Code 2, Reason 2400 MQJE011: Socket connection attempt refused. I tried different cipher suites. Please advise how to resolve it.
SSL properties:
com.ibm.mq.MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_256_GCM_SHA384";
System.setProperty("javax.net.ssl.trustStore", "D:/keystore/testKS.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "12345678");
System.setProperty("javax.net.ssl.keyStore", "D:/keystore/testKS.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "12345678");
This answer is specific to Java code.
Java JREs, including Oracle/Sun and IBM's, have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms.
When trying to use an AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256, you need to ensure the JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.
This is mentioned in the JDK/JRE documentation: For Oracle 1.7:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
For IBM JRE: ** Cipher suites that use AES_256 require installation of the JCE Unlimited Strength Jurisdiction Policy Files.
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.71.doc/security-component/jsse2Docs/ciphersuites.html?lang=en
This is similar to the issue noted with IBM MQ Explorer in:
https://developer.ibm.com/answers/questions/187285/why-is-a-mqrc-ssl-initialization-error-displayed-w.html
Please update this JAR file and run with MSPKI and cipher value “TLS_RSA_WITH_AES_256_CBC_SHA”.
This is the new policy JAR, which will support all the algorithms. You need to update the JARs in your C:\java-8\jdk1_8_0\jre\lib\security
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
The MQRC return code you were given is a very strong hint. Your first act to diagnose any problem should be to look up the MQRC number. You can do this quickly at a command prompt on any machine with MQ installed by typing:
mqrc 2400
You can also look it up in Knowledge Center.
MQRC_UNSUPPORTED_CIPHER_SUITE (2400)
If you read the more detailed information at the above link that fully describes the reason code, you will see that it means the JSSE does not support that cipher.
@Shashi has given you the answer in the comment above that the cipher you are using was very recently introduced.
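Added example, not part of the original question or answers: a stand-alone Java check that asks the JRE itself whether its policy files permit 256-bit AES and whether its JSSE lists the cipher suite from the question. The class name CipherSuiteCheck is hypothetical; run it with the same JRE that runs the MQ client, optionally passing a different suite name as the first argument.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Hypothetical diagnostic class (not IBM MQ code): reports why a JRE may
// reject a cipher suite before any MQ connection is attempted.
public class CipherSuiteCheck {

    /** True when the installed policy files permit AES keys of 256 bits or more. */
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        // Returns Integer.MAX_VALUE when the unlimited-strength policy is active.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** True when the named suite appears in a list returned by the JSSE. */
    static boolean contains(String[] suites, String name) {
        return Arrays.asList(suites).contains(name);
    }

    public static void main(String[] args) throws Exception {
        // Default is the suite from the question.
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_GCM_SHA384";
        SSLContext ctx = SSLContext.getDefault();

        boolean policyOk = aes256Allowed();
        boolean supported = contains(ctx.getSupportedSSLParameters().getCipherSuites(), suite);
        boolean enabled = contains(ctx.getDefaultSSLParameters().getCipherSuites(), suite);

        System.out.println("java.vendor / version : " + System.getProperty("java.vendor")
                + " / " + System.getProperty("java.version"));
        System.out.println("JSSE provider         : " + ctx.getProvider().getName());
        System.out.println("AES-256 allowed       : " + policyOk);
        System.out.println(suite + " supported=" + supported + " enabledByDefault=" + enabled);

        if (!supported && !policyOk && suite.contains("AES_256")) {
            System.out.println("Cause: key-size policy limits AES to 128 bits in this JRE.");
        } else if (!supported) {
            System.out.println("Cause: this JRE's JSSE does not know the suite name.");
        } else if (!enabled) {
            System.out.println("Note: suite is supported but not enabled by default.");
        }
        // Non-zero exit lets a deployment script fail early on an unsuitable JRE.
        System.exit(supported ? 0 : 1);
    }
}
```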