I am getting the following exception while trying to make a connection with remote MQ from my Java client on my local machine:
com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE')
This is with Java version 1.7, the Oralce JRE, cipher suite 'TLS_RSA_WITH_AES_256_CBC_SHA256' and the following Maven dependencies:
<dependency>
<groupId>com.ibm.mq</groupId>
<artifactId>allclient</artifactId>
<version>9.0.0</version>
</dependency>
<dependency>
<groupId>com.sun.messaging.mq</groupId>
<artifactId>fscontext</artifactId>
<version>4.4.2</version>
</dependency>
Update
Updating each point provided before with more current information.
IBM MQ 9.2 and higher now support TLS1.3. The TLS1.3 ciphersuites now use the standard names which match in both Oracle Java and IBM Java, the use of -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
should no longer be required of you are able to use a TLS1.3 ciphersuite.
The signature algorithm SHA224withRSA
is required to use the Oracle Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA256
. Oracle JRE 1.7.0_171 or later and 1.8.0_162 or later now come with unlimited strength policy files enabled by default and support SHA224withRSA
.
The JCE Unlimited Strength Jurisdiction Policy Files required to use a SHA256 Cipher Suite are now included and enabled by default in the above versions or later.
There are three things that impact this:
If you want to use Oracle JRE you need to set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
, this will allow IBM MQ to use the Oracle Cipher Suite names like TLS_RSA_WITH_AES_256_CBC_SHA256
The signature algorithm SHA224withRSA is not supported by Oracle JRE 1.7 and is required to use the Oracle Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA256
. Based on this you would need to go to Oracle JRE 1.8.
You will need to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files to use a SHA256 Cipher Suite.
The information above is covered in more detail in my answer to another post "MQ Error on SSL enabled".
You can also try this additional params:
-Djavax.net.ssl.trustStorePassword=mqpassword -Djavax.net.ssl.keyStorePassword=mqpassword -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With