IBM Support

Why is a TLS connection to MQ failing with the compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE') exception?

Question & Answer


Question

Why is a TLS connection to MQ failing with the compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE') exception?

Also see note for JMSAdmin at the bottom.

Answer

2400 MQRC_UNSUPPORTED_CIPHER_SUITE is returned when the ciphersuite specified in the program
is unknown either to the MQ client or to the Java JRE.
This commonly occurs because the ciphersuite names used by the IBM JRE differ
from those used by the Oracle (non-IBM) JRE.

The MQ Java/JMS classes automatically map the ciphersuite name you specify to the name known to
the IBM JRE, but the mapped names are often not known to an Oracle (or other non-IBM) JRE.

If using an IBM JRE, the default ciphersuite mappings should be fine.

If using an Oracle (non-IBM) JRE, you must disable the default ciphersuite mappings,
so that the ciphersuite you specify is passed unchanged to the non-IBM JRE.
To disable the ciphersuite mappings for a non-IBM runtime environment, the following Java system property must be set:
   com.ibm.mq.cfg.useIBMCipherMappings=false
For example, this can be configured by using the JVM argument:
   -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
This is documented in the MQ product Knowledge Center at:
In short, the 2400 MQRC_UNSUPPORTED_CIPHER_SUITE error commonly occurs when a non-IBM JRE (such as the Oracle JRE) is used
without the JVM system argument that MQ requires:

   -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
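The following Java program is an added example (not part of this IBM document) showing how an MQ JMS client on a non-IBM JRE can check that the configured ciphersuite is actually known to its JRE before connecting, and disable the IBM cipher mappings in code when the JVM argument above was not supplied. The host, port, queue manager, channel and ciphersuite values are taken from the JMSAdmin example on this page and are placeholders; the class name MqTlsClient and the helper methods are assumed names.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.net.ssl.SSLContext;
import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MqTlsClient {
    // Placeholder connection details copied from the JMSAdmin example on this page.
    static final String HOST = "192.168.x.x";
    static final int PORT = 1490;
    static final String QMGR = "TestMgr";
    static final String CHANNEL = "SSL.CHL";
    static final String SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA256";

    /** True if the JRE's default SSLContext lists the suite under exactly this name. */
    static boolean jreSupportsCipherSuite(String suite) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        return Arrays.asList(supported).contains(suite);
    }

    /** Crude vendor check: IBM JREs report "IBM" in java.vendor (assumed heuristic). */
    static boolean isIbmJre() {
        return System.getProperty("java.vendor", "").toUpperCase().contains("IBM");
    }

    public static void main(String[] args) throws Exception {
        // Fail fast with a readable message instead of MQRC 2400 at connect time.
        if (!jreSupportsCipherSuite(SUITE)) {
            throw new IllegalStateException("JRE does not support cipher suite " + SUITE);
        }
        // Same effect as -Dcom.ibm.mq.cfg.useIBMCipherMappings=false, but only if
        // set before the MQ classes initialise; prefer the JVM argument where possible.
        if (!isIbmJre() && System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings") == null) {
            System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");
        }
        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName(HOST);
        cf.setPort(PORT);
        cf.setQueueManager(QMGR);
        cf.setChannel(CHANNEL);
        cf.setSSLCipherSuite(SUITE);   // same value as SSLCIPHERSUITE in JMSAdmin
        cf.setSSLFipsRequired(false);  // SSLFIPSREQUIRED(NO): required for non-IBM JREs
        Connection conn = cf.createConnection();
        try {
            conn.start();
            System.out.println("TLS connection to " + QMGR + " established with " + SUITE);
        } finally {
            conn.close();
        }
    }
}
```

The MQ channel's SSLCIPH must still correspond to the ciphersuite the client sends; the program only proves the name is known to the JRE, not that the queue manager accepts it.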
----
Additional Note:
If using the JMSAdmin utility to create your connection definitions:
JMSAdmin uses the MQ Java API, so by default it may also replace/map the ciphersuite you specify.

If you are defining a connection to be used with an Oracle (non-IBM) JRE and specifying a
ciphersuite/cipherspec, you do NOT want these mappings to occur.
To prevent them, start the JMSAdmin tool with the same JVM system property,
so the ciphers are not mapped to the IBM JRE names.

You can copy JMSAdmin.bat to JMSAdmin2.bat, and then add

    -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

to the java command which starts the JMSAdmin tool.

Then create a connection factory, and it will NOT do the mapping.
Example:

JMSAdmin2
InitCtx> DEF QCF(MyQCF) QMANAGER(TestMgr) CHANNEL(SSL.CHL)
HOST(192.168.x.x) PORT(1490) TRANSPORT(client)
SSLCIPHERSUITE(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLFIPSREQUIRED(NO)

InitCtx>dis qcf(MyQCF)

The output shows the SSLCIPHERSUITE and SSLFIPSREQUIRED* values; ensure the ciphersuite is the one you specified.
*SSLFIPSREQUIRED must be NO for a non-IBM JRE.


Document Information

Modified date:
21 July 2020

UID

ibm16251263