Thanks for visiting the site !!! Visit below intrested Ads to support us if you like the site .Sharing is caring .keep distance and keep safe . Happy Learning ... 😀

SSL Connectivity issue due to 2400 MQRC

Weblogic to MQ Connectivity failing with 2400 Reason code

Trying to connect to QMGR using SVRCONN channel and cipher TLS_RSA_WITH_AES_256_CBC_SHA256 . When we try to connect it is always given MQRC 2400 or 2393 errors.

While use the TLS_RSA_WITH_AES_256_CBC_SHA256, we are getting the error below . TLS_RSA_WITH_AES_256_CBC_SHA256 is confiugred at MQ side in the SVRCONN Channel

Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode ‘2’ (‘MQCC_FAILED’) reason ‘2400’ (‘MQRC_UNSUPPORTED_CIPHER_SUITE’).

If we use the SSL_RSA_WITH_AES_256_CBC_SHA256, we are getting the error below error (RC=2393;)

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA],3=xx.xx.xx.xx/xx.xxxx.xx:1414 (x.xx.xx.xx),4=SSLSocket.createSocket,5=default]
Completion Code 2 (MQCC_FAILED), Reason Code 2393 (MQRC_SSL_INITIALIZATION_ERROR)

MQRC = MQRC_UNSUPPORTED_CIPHER_SUITE [2400]
MQRC = MQRC_SSL_INITIALIZATION_ERROR [2393]

If using an IBM JRE, then the default ciphersuite mappings should be fine.

If using an Oracle (non-IBM) JRE, you must disable the default ciphersuite mappings,so that the ciphersuite you specify is used for the non-IBM JRE.

To disable the ciphersuite mappings for a non-IBM runtime environments, the following Java System Property must be set:
   com.ibm.mq.cfg.useIBMCipherMappings=false
The 2400 MQRC_UNSUPPORTED_CIPHER_SUITE error commonly occurs if using a non-IBM JRE (like Oracle JRE) and not having the MQ required JVM system argument set:
   -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

If we are using Oralce JAVA for Weblogic then set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false .This will allow IBM MQ to use oracle ciphers suite names while connecting like TLS_RSA_WITH_AES_256_CBC_SHA256

If JAVA version is below 161 then we need to download[UnlimitedJCEPolicyJDK8] JCE Unlimited Strength Jurisdiction Policy Files ()to use a SHA256 Cipher Suite. For latest java version UnlimitedJCEPolicy files are alread there to support SHA256 .

If we get any SSL handshake due to the nature of implementation try to add below to override default keystore and truststore

-Djavax.net.ssl.keyStore=/u01/ssl/krystore.jks  -Djavax.net.ssl.trustStore=/u01/ssl/truststore.jks  -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStorePassword=password  -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

Issues resolved After Adding -Dcom.ibm.mq.cfg.useIBMCipherMappings=false in Weblogic JVM arguments for 2400 with cipher TLS_RSA_WITH_AES_256_CBC_SHA256 for handshake .

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *