| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Java client with TLS using IBM JRE |
« View previous topic :: View next topic » |
| Author |
Message
|
| nsakthi |
 Posted: Wed Dec 20, 2017 6:16 am Post subject: Java client with TLS using IBM JRE |
 |
|
Novice
Joined: 20 Dec 2012
Posts: 18
|
We have Java client (IBM JRE 1.7.0) application which uses TLS to connect MQ with the below properties set.
connectionProperties = fiava.util.Hashtable@2762} size = 7
0 = fiava.util.Hashtable$Entry©2766} “fipsRequired“ -> “1“
1 = fiava.util.Hashtable$Entry©2767} “port“ -> “19000“
2 = fiava.util.Hashtable$Entry©2768} “hostname‘ -> “MOUG.xxxx.com“
3 = fiava.util.Hashtable$Entry©2769} “SSL Socket Factory“
4 = fiava.util.Hashtable$Entry©2770} “channel“ -> “MOUG.CLIENT.CONN“
5 = fiava.util.Hashtable$Entry©2771} “SSL Cipher Suite“ -> “SSL_RSA_WITH_AES_128_CBC_SHA“
6 = fiava.util.Hashtable$Entry©2772} “transport“ -> “MQSeries“
We see the below exception while trying to make a connection.
Caused by: com.ibm.mq.jmqi.JmqiException: CC = 2; RC = 2393; AMQ9204: Connection to host 'MOUG.xxxx.com (19000)' rejected. [1 = com.ibm.mq.jmqi.JmqiException [CC = 2; RC = 2393; AMQ9771: SSL handshake failed. [1 = java.lang.IllegalArgumentException [Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA], 3 = MOUG.xxxx.com / 10.62.228.20: 19000 (MOUG.xxxx.com), 4 = SSLSocket.createSocket, 5 = default]], 3 = MOUG.xxxx.com (19000), 5 = RemoteTCPConnection.makeSocketSecure]
Please advise |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Wed Dec 20, 2017 8:44 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
So we see the ciphersuite, what is the cipherspec on the channel?
Why did you specify the SSLSocketFactory in the hashtable if you are not going to assign one?
What did you pass as JVM args to load the key and trust stores? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| tczielke |
| Posted: Wed Dec 20, 2017 12:13 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
If you run the command "java -version" for the java that you are using, what is the output?
_________________
Working with MQ since 2010. |
|
| Back to top |
|
|
| nsakthi |
| Posted: Wed Dec 20, 2017 9:35 pm Post subject: |
|
|
Novice
Joined: 20 Dec 2012
Posts: 18
|
We found the problem that crypto provider for FIPS compliance was missing in java.security file, Later the issue was resolved after we added this entry in java.security file 
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
Java version 1.7.0 is installed on the server.
:[/usr/java71_64/jre/bin] 154% ./java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pap6470_27sr3fp40-20160422_01(SR3 FP40))
IBM J9 VM (build 2.7, JRE 1.7.0 AIX ppc64-64 Compressed References 20160406_298393 (JIT enabled, AOT enabled)
J9VM - R27_Java727_SR3_20160406_0942_B298393
JIT - tr.r13.java_20160328_114186
GC - R27_Java727_SR3_20160406_0942_B298393_CMPRSS
J9CL - 20160406_298393)
JCL - 20160421_01 based on Oracle jdk7u101-b14
But I am wondering why this crypto provider for FIPS compliance is not a default provider in JRE installation? |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
