Scubie
Posted: Mon Jun 06, 2016 3:53 am Post subject: WebSphere MQ call failed '2400' ('MQRC_UNSUPPORTED_CIPHER_SU
Apprentice
Joined: 09 Oct 2001 Posts: 26 Location: Pretoria, South Africa
Hi All
We have just upgraded to WebSphere MQ 7.5.0.6 on Red Hat Linux 7.1 with Java 1.7 and need to establish a secure connection from wildfly-8.2.1.
I have tried numerous options/ciphersuites, even tried re-enabling the following:
AllowSSLV3=y
AllowWeakCipherSpec=Yes
in the qm.ini.
I however get either:
WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').
(I have enabled various cipher suites in the listener-https of Wildfly)
or
“AMQ9637: Channel is lacking a certificate.”
(key.kdb file is created, security refreshed etc)
I am using Oracle Java (not IBM Java) and have also installed the 2 jars to allow for this...
I am at the end of my tether right now and will appreciate any guidance please!
Thank you

Carlo Henrico
Live fast, die young, enjoy a good looking corpse!
fjb_saper
Posted: Mon Jun 06, 2016 4:39 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Well Carlo... there is a lot that changed in the SSL context since the beginning of 7.5 (7.5.0.0)...
It would really help if you could specify for both sides:
- The algorithm with which the key was created
- The size (length) of the key
- The cipherspec / ciphersuite to be used
- The setting for SSLFIPS
Have fun

MQ & Broker admin
exerk
Posted: Mon Jun 06, 2016 4:59 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
I have to ask the obvious question - you did restart the queue manager after the changes to the qm.ini file?

It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
tczielke
Posted: Mon Jun 06, 2016 12:25 pm Post subject: Re: WebSphere MQ call failed '2400' ('MQRC_UNSUPPORTED_CIPHE
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
Scubie wrote:
> I am using Oracle Java (not IBM Java) and have also installed the 2 jars to allow for this...

Since you are using the Oracle Java, be aware of this APAR -> http://www-01.ibm.com/support/docview.wss?uid=swg1IT10837
Also, you should be aware that pre-8.0, it is not a supported client configuration unless you install the MQ Client software on the client server and reference the jars from the appropriate location. "installed the 2 jar's" sounds unsupported, to me.

Working with MQ since 2010.
Scubie
Posted: Mon Jun 06, 2016 12:55 pm Post subject: WebSphere MQ call failed '2400' ('MQRC_UNSUPPORTED_CIPHER_SU
Apprentice
Joined: 09 Oct 2001 Posts: 26 Location: Pretoria, South Africa
Thank you so far for the replies, to answer the quickest one first:
exerk - yes thanks, I did restart. Also did security refresh.
fjb_saper:
The algorithm with which the key was created
QM: Signature Algorithm: sha256WithRSAEncryption
WF: Signature Algorithm: sha256WithRSAEncryption
The size (length) of the key
QM: Public-Key: (1024 bit)
WF: Public-Key: (2048 bit)
The cipherspec / ciphersuite to be used
QM: SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
WF: <property name="jms.queue.manager.sslCipherSuite" value="TLS_RSA_WITH_AES_128_CBC_SHA256"/>
The setting for SSLFIPS
QM: SSLFIPS(NO)
WF: No setting
tczielke:
When you download the fix for Oracle Java support it consists of 2 jars which according to the instructions should be placed in the java jre/lib/security folder as a temporary workaround for not using IBM Java.
Thank you so far
Cheers
Carlo

Carlo Henrico
Live fast, die young, enjoy a good looking corpse!
bruce2359
Posted: Mon Jun 06, 2016 4:07 pm Post subject: Re: WebSphere MQ call failed '2400' ('MQRC_UNSUPPORTED_CIPHE
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Scubie wrote:
> I am using Oracle Java (not IBM Java) and have also installed the 2 jars to allow for this...

What are the names of the 2 Oracle jars? Which config document are you following?

I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
fjb_saper
Posted: Mon Jun 06, 2016 7:59 pm Post subject: Re: WebSphere MQ call failed '2400' ('MQRC_UNSUPPORTED_CIPHE
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Scubie wrote:
> QM: Public-Key: (1024 bit)
> WF: Public-Key: (2048 bit)
> The cipherspec / ciphersuite to be used
> QM: SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
> WF: <property name="jms.queue.manager.sslCipherSuite" value="TLS_RSA_WITH_AES_128_CBC_SHA256"/>
> The setting for SSLFIPS
> QM: SSLFIPS(NO)
> WF: No setting
> tczielke:
> When you download the fix for Oracle Java support it consists of 2 jars which according to the instructions should be placed in the java jre/lib/security folder as a temporary workaround for not using IBM Java.
> Thank you so far
> Cheers
> Carlo

Your ciphersuite should probably be SSL_RSA_WITH_AES_128_CBC_SHA256 WITH SSLFIPS set to true. (See correspondences in the manual).
However I highlighted your real problem in red. Today there is no way to get a SHA2 ciphersuite to work with a key-size under 2048...
So you need to reissue the qmgr's private/public key with the right minimum size... (2K).
Have fun

MQ & Broker admin
Scubie
Posted: Mon Jun 06, 2016 9:10 pm Post subject: WebSphere MQ call failed '2400' ('MQRC_UNSUPPORTED_CIPHER_SU
Apprentice
Joined: 09 Oct 2001 Posts: 26 Location: Pretoria, South Africa
Hi fjb_saper
Thank you for the help so far.
Now I have the following:
The algorithm with which the key was created
QM: Signature Algorithm: sha256WithRSAEncryption
WF: Signature Algorithm: sha256WithRSAEncryption
The size (length) of the key
QM: Public-Key: (2048 bit)
WF: Public-Key: (2048 bit)
The cipherspec / ciphersuite to be used
QM: SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) (from https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm)
WF: <property name="jms.queue.manager.sslCipherSuite" value="SSL_RSA_WITH_AES_128_CBC_SHA256"/>
The setting for SSLFIPS
QM: SSLFIPS(YES)
WF: No setting
I am however still getting:
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').
in Wildfly log when I start up. Nothing in MQ error logs.

Carlo Henrico
Live fast, die young, enjoy a good looking corpse!
fjb_saper
Posted: Tue Jun 07, 2016 1:56 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Your reference is for MQ8. You are running on 7.5.
Please check first:
With your current settings does it work if you are running on an IBM JVM (provided with the full MQ Client install)?
If yes, search (google) for the relevant technote on developerworks about using a non-IBM JVM (there is an environment variable to be set?). That would allow you the TLS ciphersuite.
See JVM argument and APAR in http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840
Code:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
Hope it helps

MQ & Broker admin
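As an added example (not code from this thread, from IBM MQ or from Wildfly), a small Python checker that encodes the causes of MQRC 2400 raised in the replies above: the IBM-JSSE versus Oracle-JSSE suite name selected by useIBMCipherMappings, the 2048-bit RSA key minimum for SHA-2 suites, and, going beyond this thread, a suite whose protocol version the client JSSE has disabled. The CIPHER_MAP table covers only the suites named on the page, and the diagnostic rules are assumptions drawn from the replies, not from IBM documentation.

```python
"""Added example: checker for the MQRC_UNSUPPORTED_CIPHER_SUITE (2400) causes
discussed in this thread. Table and rules are assumptions limited to the page."""
from dataclasses import dataclass

# Queue-manager CipherSpec -> (IBM JSSE name, Oracle/OpenJDK JSSE name, protocol).
# MQ classes for Java use the IBM name unless
# -Dcom.ibm.mq.cfg.useIBMCipherMappings=false selects the Oracle name.
CIPHER_MAP = {
    "TLS_RSA_WITH_AES_128_CBC_SHA256": ("SSL_RSA_WITH_AES_128_CBC_SHA256",
                                        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLSv1.2"),
    "TLS_RSA_WITH_AES_128_CBC_SHA": ("SSL_RSA_WITH_AES_128_CBC_SHA",
                                     "TLS_RSA_WITH_AES_128_CBC_SHA", "TLSv1"),
}
MIN_RSA_BITS_SHA2 = 2048  # SHA-2 suites need at least a 2048-bit key (per fjb_saper)

@dataclass
class ClientCfg:
    jre: str                         # "ibm" or "oracle"
    ibm_cipher_mappings: bool        # value of useIBMCipherMappings (default true)
    cipher_suite: str                # sslCipherSuite on the connection factory
    key_bits: int                    # RSA key size in the client keystore
    enabled_protocols: tuple = ("TLSv1", "TLSv1.1", "TLSv1.2")

@dataclass
class QmgrCfg:
    sslciph: str                     # SSLCIPH on the SVRCONN channel
    key_bits: int                    # RSA key size of the queue manager certificate

def diagnose(client: ClientCfg, qm: QmgrCfg) -> list:
    """Return a list of likely causes; an empty list means no mismatch was found."""
    if qm.sslciph not in CIPHER_MAP:
        return [f"CipherSpec {qm.sslciph} is not in this table"]
    ibm_name, oracle_name, proto = CIPHER_MAP[qm.sslciph]
    findings = []
    if client.jre == "oracle" and client.ibm_cipher_mappings:
        findings.append("Oracle JRE with IBM cipher mappings: set "
                        "-Dcom.ibm.mq.cfg.useIBMCipherMappings=false")
    expected = ibm_name if client.ibm_cipher_mappings else oracle_name
    if client.cipher_suite != expected:
        findings.append(f"client suite {client.cipher_suite} does not match "
                        f"{expected} (counterpart of {qm.sslciph})")
    if qm.sslciph.endswith("SHA256") and min(client.key_bits, qm.key_bits) < MIN_RSA_BITS_SHA2:
        findings.append(f"SHA-2 suite needs >= {MIN_RSA_BITS_SHA2}-bit RSA keys on both sides")
    if proto not in client.enabled_protocols:
        findings.append(f"suite needs {proto}, which the client JSSE does not enable")
    return findings
```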
Scubie
Posted: Tue Jun 07, 2016 3:00 am Post subject: WebSphere MQ call failed '2400' ('MQRC_UNSUPPORTED_CIPHER_SU
Apprentice
Joined: 09 Oct 2001 Posts: 26 Location: Pretoria, South Africa
Hi
I tried IBM JVM (had to download V7, MQ 7 comes with V6). It however gives other errors:
JBAS015804: Error initializing vault -- org.jboss.as.server.services.security.VaultReaderException: JBAS013313: Vault Reader Exception:
And Wildfly terminates.
I have also set:
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.debug=all"
Carlo

Carlo Henrico
Live fast, die young, enjoy a good looking corpse!
zpat
Posted: Tue Jan 12, 2021 5:37 am Post subject: MQRC 2400 Possible Causes?
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
WAS 8.5.5 on RHEL
MQ z/OS 9.0.0 QM
WAS is getting a MQRC 2400 (Cipher not supported).
What are the possible causes of this?
Cipher is set to SSL_RSA_WITH_AES_128_CBC_SHA

Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
tczielke
Posted: Tue Jan 12, 2021 6:17 am Post subject: Re: MQRC 2400 Possible Causes?
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
zpat wrote:
> WAS 8.5.5 on RHEL
> MQ z/OS 9.0.0 QM
> WAS is getting a MQRC 2400 (Cipher not supported).
> What are the possible causes of this?
> Cipher is set to SSL_RSA_WITH_AES_128_CBC_SHA

I assume WAS is using an IBM JRE here? SSL_RSA_WITH_AES_128_CBC_SHA (the proper name is TLS_RSA_WITH_AES_128_CBC_SHA per the IETF specification) is a TLS 1.0 CipherSuite. You may want to check if WAS is set up to not support that low of a TLS CipherSuite.

Working with MQ since 2010.
zpat
Posted: Tue Jan 12, 2021 11:59 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
The SSL context says IBMJSSE2
Do they need to enable TLS 1.0 somewhere? I know some patching levels of Unix disable it.

Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
tczielke
Posted: Tue Jan 12, 2021 12:25 pm Post subject:
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
I am not familiar with WAS, so cannot comment. Not sure what your situation is, but it would be better to just go to a TLS 1.2 CipherSuite.

Working with MQ since 2010.