Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE')

I am getting the following exception while trying to make a connection with remote MQ from my Java client on my local machine:

com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE')

This is with Java version 1.7, the Oralce JRE, cipher suite 'TLS_RSA_WITH_AES_256_CBC_SHA256' and the following Maven dependencies:

<dependency>
  <groupId>com.ibm.mq</groupId>
  <artifactId>allclient</artifactId>
  <version>9.0.0</version>
</dependency>
<dependency>
  <groupId>com.sun.messaging.mq</groupId>
  <artifactId>fscontext</artifactId>
  <version>4.4.2</version>
</dependency>
like image 739
Waqas Ahmed Avatar asked May 02 '17 11:05

Waqas Ahmed


2 Answers

Update

Updating each point provided before with more current information.

  1. IBM MQ 9.2 and higher now support TLS1.3. The TLS1.3 ciphersuites now use the standard names which match in both Oracle Java and IBM Java, the use of -Dcom.ibm.mq.cfg.useIBMCipherMappings=false should no longer be required of you are able to use a TLS1.3 ciphersuite.

  2. The signature algorithm SHA224withRSA is required to use the Oracle Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA256. Oracle JRE 1.7.0_171 or later and 1.8.0_162 or later now come with unlimited strength policy files enabled by default and support SHA224withRSA.

  3. The JCE Unlimited Strength Jurisdiction Policy Files required to use a SHA256 Cipher Suite are now included and enabled by default in the above versions or later.


There are three things that impact this:

  1. If you want to use Oracle JRE you need to set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false, this will allow IBM MQ to use the Oracle Cipher Suite names like TLS_RSA_WITH_AES_256_CBC_SHA256

  2. The signature algorithm SHA224withRSA is not supported by Oracle JRE 1.7 and is required to use the Oracle Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA256. Based on this you would need to go to Oracle JRE 1.8.

  3. You will need to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files to use a SHA256 Cipher Suite.


The information above is covered in more detail in my answer to another post "MQ Error on SSL enabled".

like image 93
JoshMc Avatar answered Nov 07 '22 04:11

JoshMc


You can also try this additional params:

-Djavax.net.ssl.trustStorePassword=mqpassword -Djavax.net.ssl.keyStorePassword=mqpassword  -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false 
like image 21
Snehal Masne Avatar answered Nov 07 '22 04:11

Snehal Masne