We have enabled SSL on:
1. MQ version '7.1.0.7'
2. OS -> 'Linux 2.6.32-642.11.1.el6.x86_64'
3. two months back [Aug 2016], and it's working fine in both SSL enabled and disabled mode
Java client uses:
1. jdk1.7.0_21
2. Working CipherSpec/CipherSuite -> SSL_RSA_WITH_RC4_128_SHA <> RC4_SHA_US
When I try to connect to an MQ v7.1.0.7 queue manager, the application throws the error below:
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
    at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:228)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
    at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:95)
    at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
    at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:882)
In the queue manager error log AMQERR01.LOG I see this:
AMQ9616: The CipherSpec proposed is not enabled on the server.
EXPLANATION: The SSL or TLS subsystem at the server end of a channel has been configured in such a way that it has rejected the CipherSpec proposed by an SSL or TLS client. This rejection occurred during the secure socket handshake (i.e. it happened before the proposed CipherSpec was compared with the CipherSpec in the server channel definition).
We have an MQ v6.0.2.12 queue manager where this is working fine.
Could someone help with what went wrong for a system which was working before?
Resolved by adding the lines below to the qm.ini file:
SSL:
   AllowSSLV3=Y
   AllowWeakCipherSpec=Y
Updated (2017/01/27) with additional questions:
Worked below with TLSv1:

| CipherSpec | CipherSuite | Protocol | Worked |
|---|---|---|---|
| TLS_RSA_WITH_DES_CBC_SHA | SSL_RSA_WITH_DES_CBC_SHA | TLSv1 | TRUE |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | SSL_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1 | TRUE |

Failed with TLSv1.2:

| CipherSpec | CipherSuite | Protocol | Worked |
|---|---|---|---|
| TLS_RSA_WITH_RC4_128_SHA256 | SSL_RSA_WITH_RC4_128_SHA | TLSv1.2 | FALSE |
I tried with these settings:
SSLContext sslContext = SSLContext.getInstance("TLSv1");
-Dcom.ibm.mq.cfg.preferTLS=true
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
The error is com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'
In the AMQERR01.LOG:
There is a mismatch between the CipherSpecs on the local and remote ends of channel 'TEST.CH'. The channel will not run until this mismatch is resolved. The CipherSpec required in the local channel definition is 'TLS_RSA_WITH_RC4_128_SHA256'. The name of the CipherSpec negotiated during the SSL handshake is 'RC4_SHA_US'. A code is displayed if the name of the negotiated CipherSpec cannot be determined.
Updated (2017/01/29) with additional questions:
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
- MQEnvironment.sslFipsRequired = true;
- MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_AES_256_CBC_SHA256";
- ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
- REFRESH SECURITY TYPE(SSL)
- Client execute: /apps/java/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar:com.ibm.ws.webservices.thinclient_8.5.0.jar MQProducerSSL
Getting the error MQJE001: Completion Code '2', Reason '2400' MQRC_UNSUPPORTED_CIPHER_SUITE (2400)
Updated (2017/01/30) with additional questions:
Still the same error, but in my client Java program I have enabled System.setProperty("javax.net.debug", "all"); to see all activity while executing the client. It prints TLS_RSA_WITH_AES_256_CBC_SHA256 under "Ignoring unavailable cipher suite:", as below:
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Before call
MQJE001: Completion Code '2', Reason '2400'.
MQJE001: Completion Code '2', Reason '2400'.
Tested with IBM JDK 7.1: same exception.
SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA<><>ECDHE_ECDSA_3DES_EDE_CBC_SHA256
SSL_ECDHE_RSA_WITH_NULL_SHA<><>ECDHE_RSA_NULL_SHA256
Updated (2017/01/31) with additional questions:
com.ibm.mq.jar
    Specification-Version: 7.1.0.1
    Specification-Vendor: IBM Corporation
    Implementation-Title: WebSphere MQ classes for Java
    Implementation-Version: 7.1.0.1 - k710-001-120424
com.ibm.mq.jmqi.jar
    Specification-Version: 7.1.0.1
    Specification-Vendor: IBM Corporation
    Implementation-Title: WebSphere MQ Interface for Java
    Implementation-Version: 7.1.0.1 - k710-001-120424
Updated (2017/01/31 A) with additional questions:
Since MQ and the client are running on the same machine, I got the Specification-Version: 7.1.0.7 jars.
Testing done with 2 scenarios by changing the classpath:
- Without -Dcom.ibm.mq.cfg.useIBMCipherMappings=false:
  jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL
  got exception MQJE001: Completion Code '2', Reason '2400'
- With -Dcom.ibm.mq.cfg.useIBMCipherMappings=false:
  /apps/hostlink/java/jdk1.7.0_21/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=true -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL
  got exception MQJE001: Completion Code '2', Reason '2393'
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.
    at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
    at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
    at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
    at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
    at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
    at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
    at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
    at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
    at MQProducerSSL.main(MQProducerSSL.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]
Updated (2017/01/31 B) with additional questions:
MQEnvironment.sslFipsRequired = false;
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
/apps/hostlink/java/jdk1.7.0_21/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL
MQJE001: Completion Code '2', Reason '2397'.
MQJE001: Completion Code '2', Reason '2397'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
    at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
    at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
    at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
    at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
    at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
    at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
    at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
    at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
    at MQProducerSSL.main(MQProducerSSL.java:89)
Worked below with TLSv1:

| CipherSpec | CipherSuite | Protocol | Worked |
|---|---|---|---|
| TLS_RSA_WITH_DES_CBC_SHA | SSL_RSA_WITH_DES_CBC_SHA | TLSv1 | TRUE |

Not working when the parameters below are given; it throws **MQJE001: Completion Code '2', Reason '2400'**:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Dcom.ibm.mq.cfg.preferTLS=true
Doubt on TLSv1: if TLSv1 works without the above parameters, why do I need to provide -Dcom.ibm.mq.cfg.preferTLS=true for TLSv2?
Even with IBM JDK 7.1, TLSv2 is also not working; what could be the issue?
Do I need to try with MQ8?
Updated (2017/02/01) with additional questions:
Complete exception in the console:
MQJE001: Completion Code '2', Reason '2397'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
    at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
    at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
    at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
    at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
    at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
    at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
    at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
    at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
    at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
    at MQProducerSSL.main(MQProducerSSL.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.startHandshake,5=default]],3=localhost(2017),5=RemoteTCPConnection.protocolConnect]
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2098)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1347)
    at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:924)
    at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:221)
    ... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.startHandshake,5=default]
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1310)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:714)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:356)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:265)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:144)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1709)
    ... 13 more
Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:987)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:285)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1280)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1273)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1271)
    ... 18 more
Caused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available
    at java.security.Signature.getInstance(Signature.java:224)
    at sun.security.ssl.JsseJce.getSignature(JsseJce.java:241)
    at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1552)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:982)
    ... 29 more
From AMQERR01.LOG:
----- amqrmrsa.c : 930 --------------------------------------------------------
01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa)
                        Host(testvm) Installation(Installation1)
                        VRMF(7.1.0.7) QMgr(TLSTEST.QM)
AMQ9665: SSL connection closed by remote end of channel '????'.
EXPLANATION: The SSL or TLS connection was closed by the remote host 'localhost (127.0.0.1)' during the secure socket handshake. The channel is '????'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
ACTION: Check the remote end of the channel for SSL and TLS errors. Fix them and restart the channel.
----- amqccisa.c : 6478 -------------------------------------------------------
01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa)
                        Host(testvm) Installation(Installation1)
                        VRMF(7.1.0.7) QMgr(TLSTEST.QM)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION: The responder program was started but detected an error. The host name was 'localhost (127.0.0.1)'; in some cases the host name cannot be determined and so is shown as '????'.
ACTION: Look at previous error messages in the error files to determine the error encountered by the responder program.
----- amqrmrsa.c : 930 --------------------------------------------------------
Removed the old jars from the classpath, but still the same exception.
The console output has the lines below printed for the algorithm:
matching alias: ibmwebspheremqtlstest.qm *** Certificate chain chain [0] = [ [ Version: V3 Signature Algorithm: SHA1withRSA,
In the client, I am passing the key.jks file, which was created at the MQ level with 'runmqckm'.
Do I need to specify a different algorithm on creation for TLSv2?
TLSV2 WORKED WITH JDK8 and ibm/java-x86_64-71
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
**Oracle JDK8**
MQEnvironment.sslFipsRequired = false;
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
**IBM-JDK 7.1**
MQEnvironment.sslFipsRequired = false;
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_NULL_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
But the question is how to get any TLSv2 cipher working with a version of Oracle Java lower than 8?
To resolve/work around the issue, I will try one by one:
1) use the IBM JVM
2) test with Oracle Java v8
3) try MQ v8
4) other option: set SSLCAUTH=OPTIONAL and not require a client-side certificate.
Trying with JDK8 and MQ8
Now trying to do the same with JDK8 + MQ8; MQServer8 and MQSeriesGSKit-8.0.0-4.x86_64 are installed, but now there is an issue creating the certificate with the runmqckm command:
export LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64
export PATH=$PATH:/opt/mqm/gskit8/bin
runmqckm
bash: runmqckm: command not found
Partially worked with runmqakm, but failed to create jks files as below:
runmqakm -keydb -create -db /var/mqm/qmgrs/TLSTEST!QM/ssl/key.jks -pw password -type jks
CTGSK3017W The database type "jks" is not recognized.
Resolved: no need to set the paths below.
export LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64
export PATH=$PATH:/opt/mqm/gskit8/bin
New Question on TLSv2 Ciphersuite
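A preflight check for the JVM-side failures traced in this post (the "Ignoring unavailable cipher suite" lines and the SHA224withRSA NoSuchAlgorithmException), written here as an added example and not code from the post or from IBM MQ: before connecting, it reports whether the Oracle/JSSE suite that an MQ CipherSpec maps to is supported and enabled in the running JVM, whether the JCE policy caps AES below 256 bits, and whether SHA224withRSA is available. The CipherSpec-to-CipherSuite pairs are only those quoted above (the full table is in the MQ documentation); the class name MqCipherPreflight and the WEAK flag are my additions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/** Preflight check (added example): can this JVM offer the suite an MQ channel's SSLCIPH requires? */
public class MqCipherPreflight {
    // MQ CipherSpec -> Oracle/JSSE CipherSuite name (useIBMCipherMappings=false).
    // Only the pairs quoted in the post above; the full table is in the MQ documentation.
    static final Map<String, String> SPEC_TO_SUITE = new LinkedHashMap<String, String>();
    static {
        SPEC_TO_SUITE.put("TLS_RSA_WITH_DES_CBC_SHA",        "SSL_RSA_WITH_DES_CBC_SHA");
        SPEC_TO_SUITE.put("TLS_RSA_WITH_3DES_EDE_CBC_SHA",   "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
        SPEC_TO_SUITE.put("TLS_RSA_WITH_RC4_128_SHA256",     "SSL_RSA_WITH_RC4_128_SHA");
        SPEC_TO_SUITE.put("TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256");
        SPEC_TO_SUITE.put("TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256");
    }
    static boolean hasSignature(String sigAlg) {
        try { Signature.getInstance(sigAlg); return true; }
        catch (NoSuchAlgorithmException e) { return false; }
    }
    /** One-line verdict for an MQ CipherSpec under the given protocol (e.g. "TLSv1.2"). */
    static String check(String cipherSpec, String protocol) throws Exception {
        String suite = SPEC_TO_SUITE.get(cipherSpec);
        if (suite == null) return cipherSpec + ": no JSSE mapping in this table";
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);                       // default key/trust managers
        SSLSocketFactory f = ctx.getSocketFactory();
        Set<String> supported = new HashSet<String>(Arrays.asList(f.getSupportedCipherSuites()));
        Set<String> enabled   = new HashSet<String>(Arrays.asList(f.getDefaultCipherSuites()));
        StringBuilder sb = new StringBuilder(cipherSpec + " -> " + suite + " on " + protocol + ": ");
        if (!supported.contains(suite))    sb.append("NOT SUPPORTED by this JVM; ");
        else if (!enabled.contains(suite)) sb.append("supported but not enabled by default; ");
        else                               sb.append("available; ");
        // AES-256 suites show up as "Ignoring unavailable cipher suite" when the JCE policy is limited
        int aesMax = Cipher.getMaxAllowedKeyLength("AES");
        if (suite.contains("AES_256") && aesMax < 256) sb.append("JCE policy caps AES at " + aesMax + " bits; ");
        // The post's TLSv1.2 client-certificate handshake failed on SHA224withRSA; report it up front
        if ("TLSv1.2".equals(protocol) && !hasSignature("SHA224withRSA"))
            sb.append("SHA224withRSA not available (CertificateVerify may fail with a client cert); ");
        // RC4, (3)DES and NULL suites: flagged so they are not carried into a hardened channel
        if (suite.contains("RC4") || suite.contains("DES_CBC") || suite.contains("NULL"))
            sb.append("WEAK suite, avoid in production; ");
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        String protocol = args.length > 0 ? args[0] : "TLSv1.2";
        for (String spec : SPEC_TO_SUITE.keySet()) System.out.println(check(spec, protocol));
    }
}
```

Run it with the same JDK and -D options as the client (e.g. `java MqCipherPreflight TLSv1.2`) so the verdicts reflect the JVM that will actually perform the handshake.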