Weblogic to MQ Connectivity failing with 2400 Reason code
We are trying to connect to a queue manager (QMGR) over a SVRCONN channel with the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256. Every connection attempt fails with MQRC 2400 or 2393.
With TLS_RSA_WITH_AES_256_CBC_SHA256, which is the cipher suite configured on the SVRCONN channel on the MQ side, we get the error below:
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode ‘2’ (‘MQCC_FAILED’) reason ‘2400’ (‘MQRC_UNSUPPORTED_CIPHER_SUITE’).
If we use SSL_RSA_WITH_AES_256_CBC_SHA256 instead, we get the error below (RC=2393):
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA],3=xx.xx.xx.xx/xx.xxxx.xx:1414 (x.xx.xx.xx),4=SSLSocket.createSocket,5=default]
Completion Code 2 (MQCC_FAILED), Reason Code 2393 (MQRC_SSL_INITIALIZATION_ERROR)
MQRC = MQRC_UNSUPPORTED_CIPHER_SUITE [2400]
MQRC = MQRC_SSL_INITIALIZATION_ERROR [2393]
If you are using an IBM JRE, the default cipher suite mappings should work as they are.
If you are using an Oracle (non-IBM) JRE, you must disable the default cipher suite mappings so that the cipher suite name you specify is used as-is by the non-IBM JRE.
To disable the cipher suite mappings on a non-IBM runtime environment, set the following Java system property: com.ibm.mq.cfg.useIBMCipherMappings=false
The 2400 MQRC_UNSUPPORTED_CIPHER_SUITE error commonly occurs when a non-IBM JRE (such as the Oracle JRE) is used without the JVM system argument that MQ requires: -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
If Oracle Java is used for WebLogic, set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false. This lets the IBM MQ client use Oracle (JSSE) cipher suite names such as TLS_RSA_WITH_AES_256_CBC_SHA256 when connecting.
If the Java 8 version is below update 161, the JCE Unlimited Strength Jurisdiction Policy Files (UnlimitedJCEPolicyJDK8) must be downloaded to use a SHA256 cipher suite. In later Java versions the unlimited JCE policy files are already present, so SHA256 cipher suites are supported out of the box.
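A small preflight class, added here as an example (it is not from the original post or from the IBM MQ client), that checks from the JVM WebLogic runs on the three things the errors above depend on: whether the cipher mapping property is set for a non-IBM JRE, whether JSSE knows the suite under the configured name, and whether the JCE policy allows 256-bit AES. The class name, the java.vendor string check and the mapping of each finding to a reason code are my own assumptions based on the messages quoted above.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Run with the same JVM and the same -D arguments that WebLogic uses, e.g.
//   java -Dcom.ibm.mq.cfg.useIBMCipherMappings=false MqCipherPreflight TLS_RSA_WITH_AES_256_CBC_SHA256
public class MqCipherPreflight {

    // Property read by the MQ classes for Java; it defaults to true when unset.
    static final String MAPPINGS_PROP = "com.ibm.mq.cfg.useIBMCipherMappings";

    /** True when JSSE in this JVM knows the suite under the given (Oracle-style) name. */
    static boolean suiteSupported(String suite) throws NoSuchAlgorithmException {
        SSLParameters p = SSLContext.getDefault().getSupportedSSLParameters();
        return Arrays.asList(p.getCipherSuites()).contains(suite);
    }

    /** True when the suite is also enabled by default (not removed via jdk.tls.disabledAlgorithms). */
    static boolean suiteEnabledByDefault(String suite) throws NoSuchAlgorithmException {
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        return Arrays.asList(p.getCipherSuites()).contains(suite);
    }

    /** True when the JCE policy allows 256-bit AES; a limited policy reports 128. */
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA256";
        String vendor = String.valueOf(System.getProperty("java.vendor"));
        boolean ibmJre = vendor.toUpperCase().contains("IBM");           // assumption: vendor string heuristic
        boolean mappingsOff = "false".equalsIgnoreCase(System.getProperty(MAPPINGS_PROP));

        System.out.println("java.vendor      = " + vendor);
        System.out.println(MAPPINGS_PROP + " = " + System.getProperty(MAPPINGS_PROP, "<unset, defaults to true>"));
        System.out.println("suite supported  = " + suiteSupported(suite));
        System.out.println("suite enabled    = " + suiteEnabledByDefault(suite));
        System.out.println("AES-256 allowed  = " + aes256Allowed());

        // Map the findings onto the reason codes seen in this post.
        if (!ibmJre && !mappingsOff)
            System.out.println("WARN: non-IBM JRE with IBM cipher mappings on -> expect MQRC 2400");
        if (!suiteSupported(suite))
            System.out.println("WARN: JSSE does not know '" + suite + "' -> expect MQRC 2393 (AMQ9771)");
        if (!aes256Allowed())
            System.out.println("WARN: limited JCE policy -> install the unlimited policy files for AES-256");
    }
}
```

A suite that is supported but not enabled by default points at a JSSE restriction in java.security rather than at the MQ cipher mapping.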
If SSL handshake failures persist because of how the keystores are set up in the implementation, try adding the following JVM arguments to override the default keystore and truststore:
-Djavax.net.ssl.keyStore=/u01/ssl/krystore.jks -Djavax.net.ssl.trustStore=/u01/ssl/truststore.jks -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStorePassword=password -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
The 2400 issue with cipher TLS_RSA_WITH_AES_256_CBC_SHA256 was resolved after adding -Dcom.ibm.mq.cfg.useIBMCipherMappings=false to the WebLogic JVM arguments, after which the handshake succeeded.