KB Article #178678

IBM MQ responds with MQRC_UNSUPPORTED_CIPHER_SUITE when trying to use TLS ciphers

Problem

  • How to use TLS ciphers with IBM MQ client connections instead of older SSL ciphers.
  • Getting MQRC_UNSUPPORTED_CIPHER_SUITE when setting up TLS for IBM MQ connection.
  • Before 7.5.3 SP9, API Gateway shipped with IBM MQ 7.5.0.2 JARs and IBM MQ did not support TLS connections with non-IBM JREs until MQv8. Is there any way to use a TLS connection between the API Gateway and IBM MQ?


Resolution

As of 7.5.3 SP9 and later, API Gateway uses IBM MQ client jars 7.5.0.8, that contains the fix to allow for TLS ciphers. However, two configuration changes must be done to enable it:

  1. Add <VMArg name="-Dcom.ibm.mq.cfg.useIBMCipherMappings=false"/> to your jvm.xml file and restart.
  2. Use the Java name (not the IBM cipher name) of a higher level cipher in your Policy Studio > environment config > external connections > JMS Services > your MQ service > advanced tab > Cipher suite.


Cipher name mappings can be found here: (7.5), (8.0), and (9.1) ; though those links may be subject to change.


Note, depending on your version of Policy Studio the highest one you can select from the provided list is "TLS_RSA_WITH_AES_256_CBC_SHA", a TLS cipher, but perhaps only TLSv1.0.


Also depending on the Policy Studio version, you may be able to enter your own string into that field instead, such as "TLS_RSA_WITH_AES_256_CBC_SHA256" a TLSv1.2 level cipher. That is the recommended one to try, as it is on the 7.5 list, and should be available to both the 7.5 client and later IBM MQ servers.




Old answer, kept for historical reasons:

This requires that you obtain a fixpack from IBM (an IBM account will be required for this), specifically the FixPack 7.5.0.7 and then set the -Dcom.ibm.mq.cfg.useIBMCipherMappings=false Java property in jvm.xml.


The platform of the fixpack is not relevant, we only need the JAR files from the fixpack. Assuming an up to date 7.5.3 install, that would mean the following JARs would be copied to /ext/lib


  • com.ibm.mq.jar
  • com.ibm.mq.headers.jar
  • com.ibm.mq.jmqi.jar
  • com.ibm.mq.pcf.jar
  • com.ibm.mqjms.jar
  • dhbcore.jar


Then restart the API gateway and configure the gateway and the channel with matching ciphers.

Still need help?

If this information wasn't helpful to you, just drop us a line. We'll get back to you as soon as possible.