WebSphere MQ call failed '2400' ('MQRC_UNSUPPORTED_CIPHER_SU

Scubie
Posted: Mon Jun 06, 2016 3:53 am

Apprentice

Joined: 09 Oct 2001
Posts: 26
Location: Pretoria, South Africa

Hi All

We have just upgraded to WebSphere MQ 7.5.0.6 on Red Hat Linux 7.1 with Java 1.7 and need to establish a secure connection from wildfly-8.2.1.

I have tried numerous options/ciphersuites, and even tried re-enabling the following:
AllowSSLV3=y
AllowWeakCipherSpec=Yes
in the qm.ini.

I however get either:

WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').

(I have enabled various cipher suites in the listener-https of Wildfly)

or

AMQ9637: Channel is lacking a certificate.

(key.kdb file is created, security refreshed etc)

I am using Oracle Java (not IBM Java) and have also installed the 2 jar's to allow for this...

I am at the end of my tether right now and will appreciate any guidance please!

Thank you
_________________
________________________________
Carlo Henrico

Live fast, die young, enjoy a good looking corpse!
fjb_saper
Posted: Mon Jun 06, 2016 4:39 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20436
Location: LI,NY

Well Carlo... there is a lot that changed in the SSL context since the beginning of 7.5 (7.5.0.0)...
It would really help if you could specify for both sides:
  • The algorithm with which the key was created
  • The size (length) of the key
  • The cipherspec / ciphersuite to be used
  • The setting for SSLFIPS


Have fun
_________________
MQ & Broker admin
exerk
Posted: Mon Jun 06, 2016 4:59 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6208

I have to ask the obvious question - you did restart the queue manager after the changes to the qm.ini file?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

tczielke
Posted: Mon Jun 06, 2016 12:25 pm

Guardian

Joined: 08 Jul 2010
Posts: 908
Location: Illinois, USA

Scubie wrote:

I am using Oracle Java (not IBM Java) and have also installed the 2 jar's to allow for this...


Since you are using the Oracle Java, be aware of this APAR -> http://www-01.ibm.com/support/docview.wss?uid=swg1IT10837

Also, you should be aware that pre-8.0, it is not a supported client configuration unless you install the MQ Client software on the client server and reference the jars from the appropriate location. "installed the 2 jar's" sounds unsupported, to me.
_________________
Working with MQ since 2010.
Scubie
Posted: Mon Jun 06, 2016 12:55 pm

Apprentice

Joined: 09 Oct 2001
Posts: 26
Location: Pretoria, South Africa

Thank you so far for the replies, to answer the quickest one first:

exerk - yes thanks, I did restart. Also did security refresh.


fjb_saper:
The algorithm with which the key was created
QM: Signature Algorithm: sha256WithRSAEncryption
WF: Signature Algorithm: sha256WithRSAEncryption
The size (length) of the key
QM: Public-Key: (1024 bit)
WF: Public-Key: (2048 bit)
The cipherspec / ciphersuite to be used
QM: SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
WF: <property name="jms.queue.manager.sslCipherSuite" value="TLS_RSA_WITH_AES_128_CBC_SHA256"/>
The setting for SSLFIPS
QM: SSLFIPS(NO)
WF: No setting

tczielke:
When you download the fix for Oracle Java support it consists of 2 jar's which according to the instructions should be placed in the java jre/lib/security folder as temporary workaround for not using IBM Java.

Thank you so far

Cheers

Carlo
_________________
________________________________
Carlo Henrico

Live fast, die young, enjoy a good looking corpse!
bruce2359
Posted: Mon Jun 06, 2016 4:07 pm

Poobah

Joined: 05 Jan 2008
Posts: 8840
Location: US: west coast, almost. Otherwise, enroute.

Scubie wrote:

I am using Oracle Java (not IBM Java) and have also installed the 2 jar's to allow for this...

What are the names of the 2 Oracle jars? Which config document are you following?
_________________
Five out of four people have trouble with fractions. - Steven Wright.
fjb_saper
Posted: Mon Jun 06, 2016 7:59 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20436
Location: LI,NY

Scubie wrote:

QM: Public-Key: (1024 bit)
WF: Public-Key: (2048 bit)
The cipherspec / ciphersuite to be used
QM: SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
WF: <property name="jms.queue.manager.sslCipherSuite" value="TLS_RSA_WITH_AES_128_CBC_SHA256"/>
The setting for SSLFIPS
QM: SSLFIPS(NO)
WF: No setting

tczielke:
When you download the fix for Oracle Java support it consists of 2 jar's which according to the instructions should be placed in the java jre/lib/security folder as temporary workaround for not using IBM Java.

Thank you so far

Cheers

Carlo

Your ciphersuite should probably be SSL_RSA_WITH_AES_128_CBC_SHA256 with SSLFIPS set to true. (See correspondences in the manual.)
However I highlighted your real problem in red. Today there is no way to get a SHA2 ciphersuite to work with a key-size under 2048...
So you need to reissue the qmgrs private/public key with the right minimum size... (2K).

Have fun
_________________
MQ & Broker admin
Scubie
Posted: Mon Jun 06, 2016 9:10 pm

Apprentice

Joined: 09 Oct 2001
Posts: 26
Location: Pretoria, South Africa

Hi fjb_saper

Thank you for the help so far.

Now I have the following:

The algorithm with which the key was created
QM: Signature Algorithm: sha256WithRSAEncryption
WF: Signature Algorithm: sha256WithRSAEncryption
The size (length) of the key
QM: Public-Key: (2048 bit)
WF: Public-Key: (2048 bit)
The cipherspec / ciphersuite to be used
QM: SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) (from https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm)
WF: <property name="jms.queue.manager.sslCipherSuite" value="SSL_RSA_WITH_AES_128_CBC_SHA256"/>
The setting for SSLFIPS
QM: SSLFIPS(YES)
WF: No setting

I am however still getting:

Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').

in Wildfly log when I start up. Nothing in MQ error logs.
_________________
________________________________
Carlo Henrico

Live fast, die young, enjoy a good looking corpse!
fjb_saper
Posted: Tue Jun 07, 2016 1:56 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20436
Location: LI,NY

Your reference is for MQ8. You are running on 7.5.
Please check first:

With your current settings, does it work if you are running on an IBM JVM (provided with the full MQ Client install)?
If yes, search (Google) for the relevant technote on developerWorks about using a non-IBM JVM (there is an environment variable to be set?). That would allow you the TLS ciphersuite.

See JVM argument and APAR in http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840
Code:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false

Hope it helps
_________________
MQ & Broker admin
Scubie
Posted: Tue Jun 07, 2016 3:00 am

Apprentice

Joined: 09 Oct 2001
Posts: 26
Location: Pretoria, South Africa

Hi

I tried IBM JVM (had to download V7, MQ 7 comes with V6). It however gives other errors:

JBAS015804: Error initializing vault -- org.jboss.as.server.services.security.VaultReaderException: JBAS013313: Vault Reader Exception:

And Wildfly terminates.


I have also set:

JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.debug=all"

Carlo
_________________
________________________________
Carlo Henrico

Live fast, die young, enjoy a good looking corpse!
zpat
Posted: Tue Jan 12, 2021 5:37 am Post subject: MQRC 2400 Possible Causes?

Jedi Council

Joined: 19 May 2001
Posts: 5726
Location: UK

WAS 8.5.5 on RHEL
MQ Z/OS 9.0.0 QM

WAS is getting a MQRC 2400 (Cipher not supported).

What are the possible causes of this?

Cipher is set to SSL_RSA_WITH_AES_128_CBC_SHA
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
tczielke
Posted: Tue Jan 12, 2021 6:17 am

Guardian

Joined: 08 Jul 2010
Posts: 908
Location: Illinois, USA

zpat wrote:
WAS 8.5.5 on RHEL
MQ Z/OS 9.0.0 QM

WAS is getting a MQRC 2400 (Cipher not supported).

What are the possible causes of this?

Cipher is set to SSL_RSA_WITH_AES_128_CBC_SHA


I assume WAS is using an IBM JRE here? SSL_RSA_WITH_AES_128_CBC_SHA (the proper name is TLS_RSA_WITH_AES_128_CBC_SHA per the IETF specification) is a TLS 1.0 CipherSuite. You may want to check if WAS is set up to not support that low of a TLS CipherSuite.
_________________
Working with MQ since 2010.
zpat
Posted: Tue Jan 12, 2021 11:59 am

Jedi Council

Joined: 19 May 2001
Posts: 5726
Location: UK

The SSL context says IBMJSSE2

Do they need to enable TLS 1.0 somewhere? I know some patching levels of Unix disable it.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
tczielke
Posted: Tue Jan 12, 2021 12:25 pm

Guardian

Joined: 08 Jul 2010
Posts: 908
Location: Illinois, USA

I am not familiar with WAS, so cannot comment. Not sure what your situation is, but it would be better to just go to a TLS 1.2 CipherSuite.
_________________
Working with MQ since 2010.
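
Added example (not code from any poster or from IBM): a small diagnostic to run with the same JVM that WildFly or WAS uses. It covers both questions raised in the thread, the SSL_ versus TLS_ spelling of the CipherSuite name and whether the suite and protocol are enabled in that JVM at all. The class name `CipherSuiteCheck` and its helpers are hypothetical; only standard `javax.net.ssl` calls are used, and the prefix swap assumes the two spellings differ only in the prefix, as they do for the suites named here.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Added diagnostic (hypothetical name): how does this JVM's JSSE provider see a CipherSuite name? */
public class CipherSuiteCheck {

    /** Swap the SSL_/TLS_ prefix so both spellings of one suite can be tested (assumption: only the prefix differs). */
    static String alternateName(String suite) {
        if (suite.startsWith("SSL_")) return "TLS_" + suite.substring(4);
        if (suite.startsWith("TLS_")) return "SSL_" + suite.substring(4);
        return suite;
    }

    /** Classify a suite name against the provider's supported and default-enabled lists. */
    static String status(String suite, Set<String> supported, Set<String> enabled) {
        if (enabled.contains(suite)) return "enabled";
        if (supported.contains(suite)) return "supported but not enabled by default";
        return "unknown to this JVM";
    }

    public static void main(String[] args) throws Exception {
        // Default is a suite name from the thread; pass the configured name as the first argument.
        String configured = args.length > 0 ? args[0] : "SSL_RSA_WITH_AES_128_CBC_SHA256";

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        SSLParameters def = ctx.getDefaultSSLParameters();
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(sup.getCipherSuites()));
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(def.getCipherSuites()));

        System.out.println("java.vendor       : " + System.getProperty("java.vendor"));
        System.out.println("java.version      : " + System.getProperty("java.version"));
        System.out.println("JSSE provider     : " + ctx.getProvider().getName());
        System.out.println("enabled protocols : " + Arrays.toString(def.getProtocols()));
        // Only shows a value when the JVM was started with the -D option quoted in the thread.
        System.out.println("useIBMCipherMappings: "
                + System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings", "(not set)"));

        // Report the configured spelling and its prefix-swapped counterpart.
        for (String name : new String[] { configured, alternateName(configured) }) {
            System.out.println(name + " -> " + status(name, supported, enabled));
        }
    }
}
```

If only one spelling is reported as known, that is the name this JVM's provider uses; "supported but not enabled by default" points at the JVM's security configuration rather than at MQ.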