A customer was configuring MQ Visual Browse (MQVB) to use SSL to connect to a remote queue manager (WMQ v7.5.0.2). They said:
I am getting error “Reason Code = 2400”, when specifying TLS_RSA_WITH_AES_256_CBC_SHA as the SSL Cipher Spec Name.
They also said:
We have other MQ Java using SSL working with TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA using the IBM JRE.
Due to security standards here, there are 3 acceptable cipher specs we are allowed to use. Of the three, only the weakest (TRIPLE_DES_SHA_US) will work with MQ Visual Browse.
| Cipher Spec | Cipher Suite | Results |
|---|---|---|
| TLS_RSA_WITH_AES_256_CBC_SHA | SSL_RSA_WITH_AES_256_CBC_SHA | Did not work |
| TLS_RSA_WITH_AES_128_CBC_SHA | SSL_RSA_WITH_AES_128_CBC_SHA | Did not work |
| TRIPLE_DES_SHA_US | SSL_RSA_WITH_3DES_EDE_CBC_SHA | Worked |
Currently, MQ Visual Browse (MQVB), MQ Visual Edit (MQVE) and MQ Batch Toolkit (MQBT) are built and deployed using Excelsior JET v7.6 (which is based on Oracle’s JRE v1.6.0_41).
My first thought was that the JRE needed the 256-bit JCE policy. I had the customer deploy the 256-bit JCE policy but it did not make any difference.
Next, I did a build and deployment of MQVB using Oracle’s JRE v1.6.0_41 but it resulted in the same issue for the customer.
Since the customer has IBM’s JRE v1.6.0 installed on their PC, I had them rename the embedded Oracle JRE so that MQVB would use the installed IBM JRE. This time everything worked.
Therefore, if you are using MQVB, MQVE or MQBT and are having issues trying to use certain MQ SSL Cipher Specs then let us know and we will get it sorted out.
Regards,
Roger Lacroix
Capitalware Inc.
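
A diagnostic for the troubleshooting steps above, added here as an example (it is not Capitalware's code): it reports the JRE vendor, whether the unlimited-strength JCE policy is in effect, and whether the JRE's default JSSE provider supports each cipher suite name from the table. Checking the `TLS_`-prefixed spelling of each name as well is an assumption of this example, since JSSE providers do not all use the same prefix for the same suite; the class name `CipherSuiteCheck` is hypothetical.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: written without Java 7+ syntax so it also compiles for a 1.6 JRE.
public class CipherSuiteCheck {
    // Cipher suite names exactly as listed in the table in the post.
    static final String[] SUITES = {
        "SSL_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    };

    public static void main(String[] args) throws Exception {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // 128 means the default (limited) JCE policy; Integer.MAX_VALUE means unlimited.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key  = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : String.valueOf(maxAes)));

        // Ask the default JSSE provider which suite names it knows and which it enables.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        Set<String> supported =
                new HashSet<String>(Arrays.asList(factory.getSupportedCipherSuites()));
        Set<String> enabled =
                new HashSet<String>(Arrays.asList(factory.getDefaultCipherSuites()));

        for (String name : SUITES) {
            report(name, supported, enabled);
            // Assumption of this example: also try the TLS_ spelling of the same suite.
            report("TLS_" + name.substring("SSL_".length()), supported, enabled);
        }
    }

    static void report(String name, Set<String> supported, Set<String> enabled) {
        String state;
        if (!supported.contains(name)) {
            state = "not supported by this JRE";
        } else if (enabled.contains(name)) {
            state = "supported, enabled by default";
        } else {
            state = "supported, not enabled by default";
        }
        System.out.println(String.format("%-32s %s", name, state));
    }
}
```

Run it once with each JRE being compared (for example the embedded one and the installed IBM one) and compare the two outputs line by line.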