Mark1234

Reputation: 619

MQ SSL error, protocol is disabled or cipher suites are inappropriate

I have an MQ Spring JMS application that has been working fine using an SSL channel. However, after a recent Java security patch was applied, the application stopped working with the error below.

Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
    at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:209) ~[com.ibm.mqjms-7.5.0.0.jar:7.5.0.0 - p000-L120604]
    ... 45 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.Handshaker.activate(Handshaker.java:438) ~[na:1.6.0_34]
        at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1414) ~[na:1.6.0_34]

I notice that the new Java security file has this line added, which is causing this failure in the SSL connection to MQ.

jdk.tls.disabledAlgorithms=SSLv3

I cannot get this line removed as this is a shared environment. What are my options to make this work? I am using MQQueueConnectionFactory configured and injected into my Spring JMS components.

Thank you

Upvotes: 4

Views: 13365

Answers (3)

Saikat

Reputation: 16810

Can you not use this - java.security.Security.setProperty("jdk.tls.disabledAlgorithms","")

This change was introduced in JDK8.

Upvotes: 3

Attila Repasi

Reputation: 1830

You need to set matching CipherSpecs suited for TLS on both the server connection channel on the queue manager and your client.

This should help with the client side:

http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm

Doing the QM side is easiest using MQ Explorer: just look at the SSL properties of the server connection channel specified in the connection factory.

Upvotes: 0

Umapathy

Reputation: 772

For reactive support purposes where you have to get this working (as soon as possible), comment out/disable that policy in that security file. This will allow the Spring application to continue as it was before.

But you need to work towards a permanent fix either by using the TLS version of the same cipher or moving to a new TLS cipher.

Upvotes: 2
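
To see what the patched JVM still permits before changing the channel's CipherSpec, a small diagnostic like the following can be run with the same Java installation as the application. This is an added example, not code from the question or any of the answers; the class name TlsPolicyCheck and the optional command-line argument are assumptions.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic, not from the thread. Run it with the same JVM as the MQ client.
// Optional argument (assumption): the JSSE cipher suite name that corresponds to the
// channel's CipherSpec, taken from the IBM documentation linked in the answer above.
public class TlsPolicyCheck {

    public static void main(String[] args) throws Exception {
        // The policy line quoted in the question lives in this security property.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // An unconnected engine from the default context exposes what this JVM
        // implements and what it enables by default for a handshake.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> supportedProtocols = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols());

        for (String protocol : supportedProtocols) {
            System.out.println(String.format("%-12s %s", protocol,
                    enabledProtocols.contains(protocol) ? "enabled" : "NOT enabled"));
        }

        if (args.length > 0) {
            String suite = args[0];
            boolean supported = Arrays.asList(engine.getSupportedCipherSuites()).contains(suite);
            boolean enabled = Arrays.asList(engine.getEnabledCipherSuites()).contains(suite);
            System.out.println(suite + ": supported=" + supported + ", enabled=" + enabled);
            if (!supported) {
                System.out.println("This JVM's default provider does not implement that suite name.");
            } else if (!enabled) {
                System.out.println("Implemented but not enabled by default on this JVM.");
            }
        }
    }
}
```

If a TLS protocol version shows as enabled and the suite you pass is reported as enabled, the JVM side is compatible with a TLS CipherSpec and the remaining work is matching it on the server connection channel.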
