Java connection to WMQ 8

被刻印的时光 ゝ submitted on 2019-12-12 23:32:04

Question


I am trying to get an existing Java application to connect to WebSphere MQ 8. This has worked in the past with other versions of Java and WMQ, but with Java 8 and WMQ 8, this doesn't want to work. I am getting:

handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
WRITE: TLSv1.2 Alert, length = 2
called closeSocket()
Exception in thread "main" com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.

I just can't see why this is occurring. I have set the various javax.net.ssl parameters. I use an appropriate SSL_TRUSTSTORE & KEYSTORE that I have created. I have an SSL_CIPHERSUITE.

I have tried (almost) all of the documented CipherSuites that WMQ supports; I am working my way through the entire list, with settings and environment like this:

  1. JAVA SSL_CIPHERSUITE = SSL_RSA_WITH_AES_256_CBC_SHA
  2. WMQ Channel SSL_CIPHERSUITE = TLS_RSA_WITH_AES_256_CBC_SHA
  3. MQ Client 7.0.0.1 -- I have tried switching to MQ Client 8, with no improvement
  4. IBM WebSphere MQ, Version: 8.0.0.5
  5. Nothing in AMQERR01.log corresponding to the client error
  6. Oracle Java 8 (Java(TM) SE Runtime Environment (build 1.8.0_60-b27)) -- with SSLv3 enabled (changed jdk.tls.disabledAlgorithms=RC4, DH keySize < 768)

Additional info:

  • The customer (bank) is using MQ 7 so I don't have a choice in the matter of which QM they are using. But I have been testing locally with MQ 8 to check if that is part of the issue.
  • I've tried: -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
  • Using JCE Unlimited Strength Jurisdiction Policy Files from Oracle.

Answer 1:


MQ v7.0 was released June 27th 2008 (Fix Pack 7.0.0.1 was released January 20th 2009) and has been out of support since September 30th 2015 (over 1.5 years). As per my answer below, this version of MQ will not support TLS CipherSuites on an Oracle JRE. While you could update to a later Fix Pack, I would strongly suggest that you move to a supported version of the MQ client. Newer MQ client versions can connect to older MQ queue managers. You can download a Java-only install of MQ 8.0 or MQ 9.0 jar files at the links below:

  • IBM MQ v8.0 Client
  • IBM MQ v9.0 Client

APAR IV66840 added new functionality to allow users of non-IBM Java runtime environments to make use of TLS CipherSuites.

For v7.0 this is included in Fix Pack 7.0.1.13 (note that Fix Pack 7.0.1.14 was the final for this version).

For 8.0 this is included in Fix Pack 8.0.0.2.

NOTE: This APAR is a client side fix.

To enable this option you would need to do the following:

To enable these non-default mappings for non-IBM runtime environments, the following Java System Property:

com.ibm.mq.cfg.useIBMCipherMappings

must be set to the value:

false

For example, this can be configured by using the JVM argument:

-Dcom.ibm.mq.cfg.useIBMCipherMappings=false

You would then need to specify the CipherSuite as TLS_RSA_WITH_AES_256_CBC_SHA for an Oracle JRE; note that SSL_RSA_WITH_AES_256_CBC_SHA is the IBM JRE CipherSuite name.


After getting past the above you may then run into an AMQ9771, 2393 SSL Initialization error.

See the dW Answers post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?". It states the following:

In this case, the issue is caused by attempting to use AES 256 strong cipher algorithms.

Most Java JREs, including Oracle/Sun and IBM's have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms.

When trying to use an AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with an MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

This is noted in the JDK/JRE documentation: For Oracle 1.7:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

The link above to the Oracle site states:

If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

It is the user's responsibility to verify that this action is permissible under local regulations.

If you do get the 2393, follow the advice above to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files.
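
The checks described in the answer above (Oracle-style CipherSuite name, the useIBMCipherMappings property, the JCE key-length limit) can be run against the JRE alone before MQ is involved. This is an added example, not part of the original answer or of IBM's code; the class name MqTlsPreflight is hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic; the class name MqTlsPreflight is hypothetical.
// It inspects only the JRE, so it runs without the MQ jars on the classpath.
public class MqTlsPreflight {

    // True if the named suite appears in the given SSLParameters.
    static boolean has(SSLParameters p, String suite) {
        return Arrays.asList(p.getCipherSuites()).contains(suite);
    }

    public static void main(String[] args) throws Exception {
        // Oracle-JRE name from the answer; pass another name as args[0] to test it.
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA";

        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Must be passed as -D to this JVM, exactly as for the MQ application.
        System.out.println("com.ibm.mq.cfg.useIBMCipherMappings = "
                + System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings"));

        // 128 means the limited JCE policy is active; Integer.MAX_VALUE means unlimited.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = " + maxAes);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key/trust managers; no handshake is made
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        List<String> protocols = Arrays.asList(enabled.getProtocols());

        System.out.println("enabled protocols  = " + protocols);
        System.out.println(suite + " supported = " + has(supported, suite));
        System.out.println(suite + " enabled   = " + has(enabled, suite));

        if (suite.contains("AES_256") && maxAes < 256) {
            System.out.println("-> AES 256 is blocked by the JCE policy files.");
        } else if (!has(supported, suite)) {
            System.out.println("-> This JRE does not know the suite under that name.");
        } else if (!has(enabled, suite)) {
            System.out.println("-> Suite is known but disabled, e.g. by jdk.tls.disabledAlgorithms.");
        } else {
            System.out.println("-> The JRE can offer this suite over " + protocols);
        }
    }
}
```

Run it with the same JVM and the same -D arguments as the MQ application, so the result reflects the java.security settings and policy files that application actually uses.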




Answer 2:


Did you read this page: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm

Are you using a deprecated CipherSuite?



Source: https://stackoverflow.com/questions/43194227/java-connection-to-wmq-8
