TIBCO ActiveMatrix BusinessWorks Plug-in for WebSphere MQ does not support high grade ciphers when enabling a TLS MQ connection.


Article ID: KB0092912


Products: TIBCO ActiveMatrix BusinessWorks Plug-in for IBM MQ
Versions: Not Applicable

Description

This happens on systems using Oracle JRE 1.7, which is shipped with TRA 5.9. The default JRE on zLinux and AIX systems is the IBM JRE. IBM has added new functionality to allow users of non-IBM Java runtime environments to make use of TLS Cipher Suites. IBM has provided fix packs for WebSphere MQ 8.0.0.2. See http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg1IV66840.

After following the instructions in KB-44311 and installing the unrestricted policy files on the JRE, this issue still occurs. When TLS is enabled in the MQ Connection, only the low grade ciphers are available in the Cipher Suite drop-down list:

   SSL_RSA_WITH_3DES_EDE_CBC_SHA
   SSL_RSA_WITH_RC4_128_MD5
   SSL_RSA_WITH_RC4_128_SHA
   SSL_RSA_WITH_DES_CBC_SHA
   SSL_RSA_EXPORT_WITH_RC4_40_MD5
   SSL_RSA_WITH_NULL_MD5
   SSL_RSA_WITH_NULL_SHA
   SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
   SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
   SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
   SSL_RSA_EXPORT_WITH_RC4_40_MD5

In the BW logs, you will see the following entries.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256


Symptoms:
When a high grade cipher such as "TLS_RSA_WITH_AES_256_CBC_SHA256" is written by hand into the Cipher Suite field, the attempt to connect to the MQ server fails.

Cause:
JRE 1.7 ignores most high grade cipher suite specifications as being "unsupported". It excludes most of the 256 bit ciphers and digest algorithms.

Issue/Introduction

TIBCO ActiveMatrix BusinessWorks Plug-in for WebSphere MQ does not support high grade ciphers when enabling a TLS MQ connection.

Environment

Product: TIBCO ActiveMatrix BusinessWorks™ Plug-in for WebSphere MQ
Version: 7.6.0
OS: All Supported Operating Systems Except zLinux and AIX

Product: TIBCO Runtime Agent
Version: 5.9.0

Product: IBM WebSphere MQ
Version: 8.0.0.2 or higher

Resolution

JRE 1.8, shipped with TRA 5.10, supports the high grade cipher family and will connect using the high grade cipher suite. To use it, update to TRA 5.10 with JRE 1.8 and make sure the following are in place.

1) Use the JRE provided with TRA 5.10 (which is JRE 1.8).

2) The unrestricted policy files are installed on that JRE.

3) The MQ client is at 8.0.0.2 or higher.

4) The parameter "java.property.com.ibm.mq.cfg.useIBMCipherMappings=false" is provided in the .tra file.
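
To check items 1 and 2 against the JRE a failing connection is really using, the following added example (not part of the original article or of any TIBCO or IBM tooling; the class name CipherSuiteCheck is hypothetical) reports the JRE version, the AES key length the installed policy files allow, and whether a requested suite is offered by that JRE. It defaults to the suite named in the Symptoms section.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic (hypothetical class name). Written without Java 8 syntax so it
// also compiles for and runs on the JRE 1.7 that ships with TRA 5.9.
public class CipherSuiteCheck {

    // Describes how this JRE treats one cipher suite name.
    static String status(String suite, Set<String> supported, Set<String> enabled) {
        if (enabled.contains(suite)) return "enabled by default";
        if (supported.contains(suite)) return "supported, not enabled by default";
        return "not offered by this JRE";
    }

    public static void main(String[] args) throws Exception {
        // Default to the suite from the Symptoms section; pass other names as arguments.
        String[] wanted = args.length > 0 ? args
                : new String[] { "TLS_RSA_WITH_AES_256_CBC_SHA256" };

        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // 128 means the restricted policy is in effect; with the unrestricted
        // policy files installed the limit is Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key  = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // JRE default key managers, trust managers, RNG
        SSLParameters sup = ctx.getSupportedSSLParameters();
        SSLParameters def = ctx.getDefaultSSLParameters();
        System.out.println("protocols enabled by default = "
                + Arrays.toString(def.getProtocols()));

        Set<String> supported = new HashSet<String>(Arrays.asList(sup.getCipherSuites()));
        Set<String> enabled = new HashSet<String>(Arrays.asList(def.getCipherSuites()));
        for (String suite : wanted) {
            System.out.println(suite + ": " + status(suite, supported, enabled));
        }
    }
}
```

Run it with the `java` executable from the JRE under test, so that the printed `java.home` and key-length limit reflect that JRE's policy files and not another Java installation on the path.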