5
votes

I have a problem connecting to IBM MQ 8.0 from a Java client when SSL is enabled on the client channel (SVRCONN). When SSL is disabled (SSLAUTH set to OPTIONAL) on the channel, the flow works fine.

Client is java with JRE1.7. MQ server version is IBM MQ8.0

Created self-signed certificates and exchanged properly as per MQ setup references.

The javax.net.debug=ssl option confirms in the log that the certificate exchange and SSL handshake are successful.

But when the Java client code tries to get the MQManager object, the following MQ exception is thrown.

com.ibm.mq.MQException: MQJE001: Completion code '2', reason '2059' ...

caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host '1.2.3.4(1414)' rejected. [1=com.ibm.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]],3=1.2.3.4(1414), 5=RemoteConnection.analyseSegment] ...

caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]

I have configured TLS_RSA_WITH_AES_256_CBC_SHA256 as the cipherspec on both the client side and the MQ client channel (SVRCONN).
I tried other cipherspecs like TLS_RSA_WITH_AES_128_CBC_SHA, but the error remains the same.


MQ server error log has AMQ9665: SSL connection closed by remote end of channel '????'  

Explanation: The SSL or TLS connection was closed by the remote host '5.6.7.8' during the secure socket handshake. The channel is '????', in some cases its name can not be determined and so is shown as '????'. The channel didn't start.

ACTION: Check the remote end of for SSL and TLS errors. Fix them and restart the channel. 

But on the remote side, I have only a Java client which uses MQ libraries to connect to the MQ server.


[Images: SSLLog Page-4, SSLLog Page-5]

Not able to get data from server, so added image of last 2 pages from SSL logs.

MQ server side logs are already given above. Along with those, there is a default log AMQ9999: Channel '????' to host 1.2.3.4 ended abnormally. The same error is getting logged repeatedly with . Didn't find any other logs.


MQ client code snippet below.

import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

void connect2MQ()
{
    MQEnvironment.hostname = "1.2.3.4";
    MQEnvironment.port = 1414;
    MQEnvironment.channel = "CLIENT.SVRCONN.SSL";
    if (SSLEnabled.equals("Y")) // It is set to 'Y' in main method
    {
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
        // JSSE property names are case-sensitive (trustStore, keyStore)
        System.setProperty("javax.net.ssl.trustStore", "trustStoreCertFilePath");
        System.setProperty("javax.net.ssl.keyStore", "keyStoreCertFilePath");
        System.setProperty("javax.net.ssl.trustStorePassword", "Pass");
        System.setProperty("javax.net.ssl.keyStorePassword", "Pass");
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
    }

    try {
        MQQueueManager qmgr = new MQQueueManager("QMGR.TEST.SSL"); // Exception is thrown from here
        // ...
    } catch (MQException e) {
        // exception handling omitted in the original snippet
        e.printStackTrace();
    }
}
1
I am using Oracle JRE1.7 - Krishna
Which specific version of MQ v8 jar files are you using? You can find out by running the following command on any of the com.ibm.mq*.jar files: unzip -p com.ibm.mq.jar META-INF/MANIFEST.MF | grep Implementation-Version - JoshMc
Client side: Implementation-Version: 8.0.0.4 - p800-004-151017. Verified in MQ server with command 'dspmqver' which results in Version: 8.0.0.4, Level: p800-004-151017 - Krishna
Are you using -Dcom.ibm.mq.cfg.useIBMCipherMappings=false? - JoshMc
Please also confirm the jar file you checked the version of is from "But remote side, I have only java client which is uses MQ libraries". - JoshMc

1 Answer

3
votes

It appears you are hitting the issue described in APAR IT10837. This is fixed in the 8.0.0.5 and later MQ Classes for Java and MQ Classes for JMS client jar files; I would suggest moving to 8.0.0.7, which is the latest v8 version.

The error messages don't match, but the symptoms of it working with SSLCAUTH(OPTIONAL) and not working with SSLCAUTH(REQUIRED) match up, as does the version you are running not having the fix.


There is an IBM developerWorks MQdev Blog by Tom Leend titled "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 -- HELP ME PLEASE!" which describes a workaround if you are not at a level of MQ that has the fix.

---- Code Snippet Start ----
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.MQEnvironment;

// password_char_array: char[] holding the store password, defined by the caller

// Load the client's key store (its own certificate and private key)
KeyStore keyStore = KeyStore.getInstance("JKS");
java.io.FileInputStream keyStoreInputStream = new java.io.FileInputStream("/home/tom/myKeyStore.jks");
keyStore.load(keyStoreInputStream, password_char_array);

// Load the trust store (the certificates the client trusts)
KeyStore trustStore = KeyStore.getInstance("JKS");
java.io.FileInputStream trustStoreInputStream = new java.io.FileInputStream("/home/tom/myTrustStore.jks");
trustStore.load(trustStoreInputStream, password_char_array);

keyStoreInputStream.close();
trustStoreInputStream.close();

KeyManagerFactory keyManagerFactory =
  KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory trustManagerFactory =
  TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password_char_array);
trustManagerFactory.init(trustStore);

// Build an SSLContext from the two stores and take its socket factory
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(keyManagerFactory.getKeyManagers(),
  trustManagerFactory.getTrustManagers(),
  null);
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

// classes for JMS
//myJmsConnectionFactory.setObjectProperty(
//  WMQConstants.WMQ_SSL_SOCKET_FACTORY, sslSocketFactory);

// classes for Java
MQEnvironment.sslSocketFactory = sslSocketFactory;
---- Code Snippet End ----
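
The diagnosis above turns on SSLCAUTH(REQUIRED), where the queue manager demands a certificate from the client. The following is an added example, not code from the original post or from the IBM blog: a client-side preflight that confirms the JKS key store holds at least one private-key entry the JRE can present, and reports whether the configured CipherSuite name is known to this JRE. The class name, argument order and the KEYSTORE_PASS environment variable are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
// Added example, not from the post. Class name, argument order and the
// KEYSTORE_PASS environment variable are hypothetical.
public class MqTlsPreflight {
    // Counts entries holding a private key plus certificate, i.e. identities the client can present.
    static int countClientIdentities(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (ks.isKeyEntry(alias) && c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("identity '" + alias + "': "
                        + x.getSubjectX500Principal() + ", expires " + x.getNotAfter());
                n++;
            }
        }
        return n;
    }
    // Returns how this JRE's default JSSE provider treats the given CipherSuite name.
    static String suiteStatus(String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default managers; no connection is made
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        if (enabled.contains(suite)) return "enabled";
        if (supported.contains(suite)) return "supported but not enabled by default";
        return "unknown to this JRE";
    }

    public static void main(String[] args) throws Exception {
        // Usage: KEYSTORE_PASS=... java MqTlsPreflight <keystore.jks> <CipherSuite>
        String pass = System.getenv("KEYSTORE_PASS");
        if (args.length != 2 || pass == null) throw new IllegalArgumentException("see usage");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass.toCharArray());
        }
        System.out.println("client identities: " + countClientIdentities(ks));
        System.out.println(args[1] + ": " + suiteStatus(args[1]));
    }
}
```

A count of 0 means the key store contains only trusted certificates, so the client has nothing to send when the channel requires client authentication. A passing result does not rule out the APAR described in the answer.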