Wednesday, May 12, 2021

Weblogic to MQ Connectivity failing with 2400 Reason code

 


We are trying to connect to the QMGR using an SVRCONN channel and the cipher TLS_RSA_WITH_AES_256_CBC_SHA256. Every connection attempt fails with MQRC 2400 or 2393.

When we use TLS_RSA_WITH_AES_256_CBC_SHA256, we get the error below. TLS_RSA_WITH_AES_256_CBC_SHA256 is configured on the MQ side in the SVRCONN channel.

Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').

If we use SSL_RSA_WITH_AES_256_CBC_SHA256, we get the error below (RC=2393):

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA],3=xx.xx.xx.xx/xx.xxxx.xx:1414 (x.xx.xx.xx),4=SSLSocket.createSocket,5=default]
Completion Code 2 (MQCC_FAILED), Reason Code 2393 (MQRC_SSL_INITIALIZATION_ERROR)

MQRC = MQRC_UNSUPPORTED_CIPHER_SUITE [2400]
MQRC = MQRC_SSL_INITIALIZATION_ERROR [2393]

If using an IBM JRE, then the default ciphersuite mappings should be fine.

If using an Oracle (non-IBM) JRE, you must disable the default ciphersuite mappings, so that the ciphersuite you specify is used for the non-IBM JRE.

To disable the ciphersuite mappings for a non-IBM runtime environment, the following Java system property must be set:
   com.ibm.mq.cfg.useIBMCipherMappings=false
The 2400 MQRC_UNSUPPORTED_CIPHER_SUITE error commonly occurs if using a non-IBM JRE (like Oracle JRE) and not having the MQ required JVM system argument set:
   -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

If we are using Oracle Java for WebLogic, set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false. This allows IBM MQ to use Oracle cipher suite names such as TLS_RSA_WITH_AES_256_CBC_SHA256 when connecting.

If the Java version is below 161, we need to download the JCE Unlimited Strength Jurisdiction Policy Files [UnlimitedJCEPolicyJDK8] to use a SHA256 cipher suite. In the latest Java versions the UnlimitedJCEPolicy files are already included to support SHA256.

If we get an SSL handshake failure due to the nature of the implementation, try adding the arguments below to override the default keystore and truststore:

-Djavax.net.ssl.keyStore=/u01/ssl/krystore.jks  -Djavax.net.ssl.trustStore=/u01/ssl/truststore.jks  -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStorePassword=password  -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

The 2400 issue with cipher TLS_RSA_WITH_AES_256_CBC_SHA256 during the handshake was resolved after adding -Dcom.ibm.mq.cfg.useIBMCipherMappings=false to the WebLogic JVM arguments.
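A quick way to check the three conditions above (mapping property, JCE policy strength, and whether the JRE knows the suite name) before restarting WebLogic. This is an added example, not IBM or Oracle code; the class name MqCipherCheck is hypothetical, and the vendor test assumes an IBM JRE reports "IBM" in java.vendor. Run it with the same java binary and -D arguments that the WebLogic server uses.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic example (hypothetical class name), not part of MQ or WebLogic.
public class MqCipherCheck {
    public static void main(String[] args) throws Exception {
        // Suite name as configured on the SVRCONN channel; pass another name as args[0].
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA256";

        String vendor = System.getProperty("java.vendor", "");
        // Assumption: an IBM JRE reports "IBM" in the java.vendor property.
        boolean ibmJre = vendor.toUpperCase().contains("IBM");
        // MQ client property from the post; when unset, the default mappings stay active.
        String mappings = System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings");

        System.out.println("JRE: " + vendor + " " + System.getProperty("java.version"));
        System.out.println("com.ibm.mq.cfg.useIBMCipherMappings = " + mappings);
        if (!ibmJre && !"false".equalsIgnoreCase(mappings)) {
            System.out.println("WARN: non-IBM JRE and mappings not disabled; "
                + "expect 2400 MQRC_UNSUPPORTED_CIPHER_SUITE");
        }

        // Under the limited JCE policy AES keys are capped at 128 bits,
        // so an AES_256 suite cannot be negotiated.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length = " + maxAes);
        if (maxAes < 256) {
            System.out.println("WARN: unlimited-strength JCE policy is not active");
        }

        // Uses the default JSSE context, which honours javax.net.ssl.* properties.
        SSLContext ctx = SSLContext.getDefault();
        report("supported by this JRE", ctx.getSupportedSSLParameters(), suite);
        report("enabled by default", ctx.getDefaultSSLParameters(), suite);
    }

    // Prints whether the exact suite name appears in the given parameter set.
    private static void report(String label, SSLParameters params, String suite) {
        boolean present = Arrays.asList(params.getCipherSuites()).contains(suite);
        System.out.println(suite + " " + label + ": " + present);
    }
}
```

A name that is "supported" but not "enabled by default" points at the JRE's own security configuration rather than at the MQ mapping property.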
