Posted: Mon Aug 06, 2007 11:45 am Post subject: WMQ v6 SSL – Java Client
Hello,
I have recently upgraded a Solaris 8 server from WMQv5 CSD10 to WMQv6.0.2.1. We have numerous Java clients connecting to WMQ using SSL that have been working fine in version 5.
However, in version 6 I get the following exception:
08/06/07 14:50:35 - Process(907.1 User(mqsi) Program(amqrmppa)
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'XXXXX'.
EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'XXXXX. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'RC4_SHA_US'. The name of the CipherSpec negotiated during the SSL handshake is
'RC4_SHA_US'. A code is displayed if the name of the negotiated CipherSpec
cannot be determined.
ACTION:
Change the channel definitions for 'XXXXX' so the two ends have
matching CipherSpecs and restart the channel. If the certificate in use by one
end of the channel is a Global Server Certificate, then the negotiated
CipherSpec may not match that specified on either end of the channel. This is
because the SSL protocol allows a Global Server Certificate to automatically
negotiate a higher level of encryption. In these cases specify a CipherSpec
which meets the requirements of the Global Server Certificate.
----- amqccisa.c : 851 --------------------------------------------------------
How do I know if the CipherSpec meets the requirements of the Global Server Certificate? Especially if this works fine in version 5 and works for non-Java clients.
Interestingly, the following hold true:
1. If I use the IBM JDK that resides within the mq_install/ssl directory then it connects fine. Assuming it's due to the extra security policy required by the GSK.
2. If I use the IBM JDK that does not reside within the mq_install/ssl it fails. It also fails on the standard Sun JDK (used 1.4.2.05 to 1.4.2.15).
3. C/C++ applications using SSL work fine (however these do use the CMS).
4. Going through all the CipherSpecs supported, only TLS seems to work.
Has anyone got any ideas why it only works with TLS?
Note - Am using JMS and am using the version 5 library files.