TIBCO Businessworks unable to make conenction to old MQ servers using TLS cipher in binding file when using MQ JARs from MQ versions older than MQ 8.
Article ID: KB0084620
Updated On:
| Products | Versions |
|---|---|
| TIBCO ActiveMatrix BusinessWorks | - |
| Not Applicable | - |
Description
Description:
Old MQ versions does not support TLS cipher used against s non-IBM JRE. During the connection, it will throw the following exception.
Symptoms:
Old MQ server and MQ Client library only works with SSLv3 cipher suits against BW. i.e, SSL_RSA_WITH_RC4_128_SHA . The cipher TLS_RSA_WITH_AES_128_CBC_SHA would report the error, "Unsupported Cipher Suite". This is because old MQ versions do not support the TLS cipher used against non-IBM JREs. If you want this support, a hotfix must be applied. (See Reference section below).
Cause:
MQ did not support TLS cipherspec with Java when using non-IBM JRE/JDKs until MQ v8.
Old MQ versions does not support TLS cipher used against s non-IBM JRE. During the connection, it will throw the following exception.
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'host(port)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=mqhqmt01.cert.amadeus.net/<server>:<port> (Cert),4=SSLSocket.createSocket,5=default]],3=server(port),5=RemoteTCPConnection.makeSocketSecure]
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1862)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1144)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:337)
... 18 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=domain/server:port (mqhqmt01.cert.amadeus.net),4=SSLSocket.createSocket,5=default]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:1836)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLocalAddress(RemoteTCPConnection.java:778)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1092)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:682)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:347)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:259)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:144)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1491)
... 20 more
Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA
Symptoms:
Old MQ server and MQ Client library only works with SSLv3 cipher suits against BW. i.e, SSL_RSA_WITH_RC4_128_SHA . The cipher TLS_RSA_WITH_AES_128_CBC_SHA would report the error, "Unsupported Cipher Suite". This is because old MQ versions do not support the TLS cipher used against non-IBM JREs. If you want this support, a hotfix must be applied. (See Reference section below).
Cause:
MQ did not support TLS cipherspec with Java when using non-IBM JRE/JDKs until MQ v8.
Issue/Introduction
TIBCO Businessworks unable to make conenction to old MQ servers using TLS cipher in binding file when using MQ JARs from MQ versions older than MQ 8.
Resolution
Append the following line to the .tra file to make the BW/Designer handshake succeed with MQ server.
java.property. com.ibm.mq.cfg.useIBMCipherMappings=false
Ask the MQ team to use MQ 8 and its client library (recommended) or install hotfix(http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840) for MQ 7.x servers if its cipher is desired between BW and MQ.
java.property. com.ibm.mq.cfg.useIBMCipherMappings=false
Ask the MQ team to use MQ 8 and its client library (recommended) or install hotfix(http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840) for MQ 7.x servers if its cipher is desired between BW and MQ.
Additional Information
Hotfix to support tls against Non-IBM JRE for MQ 7.x etc? http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840
Check the Accepted answer for details? https://developer.ibm.com/answers/questions/178651/what-tls-ciphersuites-are-supported-when-connectin.html
Feedback
Yes
No
Powered by
