HI All,

We want to enable TLS 1.3 between an application running on WAS 9.0.5.12 and IBM MQ 9.2.0.8 using the TLS_AES_256_GCM_SHA384 cipher specification, but the connection cannot be made. While there is nothing in the IBM MQ server logs, we are receiving the MQRC_UNSUPPORTED_CIPHER_SUITE error with reason code 2400 in WAS logs.Further investigation revealed that WAS requires Java 8 which is already there to enable TLS 1.3 and the version of the Websphere MQ Messaging provider, wmq.jmsra.rar, is 9.1.0.11.

There is nothing logged in IBM MQ sserver as connection is not reaching to MQ itself after updating the ciphers to TLS 1.3 .

Do we need any more settings at WAS end to enable TLS 1.3 for MQ.

In qm.ini file we have AllowTLSV13=True present and at WAS end we have removed all the ciphers and have included only TLS_AES_256_GCM_SHA384 but it doesn't seems to work.

Kindly help what configuration is needed to enable TLS 1.3 between WAS and MQ

> we have removed all the ciphers and have included only TLS_AES_256_GCM_SHA384 but it doesn't seems to work.

Please explain how you did this?  Also, are you sure you are at a high enough level of Java 8 that supports TLS 1.3.  i.e. Fix Packs applied to it.

Did you dump out the list of Ciphers when running the application in the JVM?  I'd suggest you run Java code from Atlassian Support's page here.  I also posted a write-up of the code on my blog here.

HI All,

We want to enable TLS 1.3 between an application running on WAS 9.0.5.12 and IBM MQ 9.2.0.8 using the TLS_AES_256_GCM_SHA384 cipher specification, but the connection cannot be made. While there is nothing in the IBM MQ server logs, we are receiving the MQRC_UNSUPPORTED_CIPHER_SUITE error with reason code 2400 in WAS logs.Further investigation revealed that WAS requires Java 8 which is already there to enable TLS 1.3 and the version of the Websphere MQ Messaging provider, wmq.jmsra.rar, is 9.1.0.11.

There is nothing logged in IBM MQ sserver as connection is not reaching to MQ itself after updating the ciphers to TLS 1.3 .

Do we need any more settings at WAS end to enable TLS 1.3 for MQ.

In qm.ini file we have AllowTLSV13=True present and at WAS end we have removed all the ciphers and have included only TLS_AES_256_GCM_SHA384 but it doesn't seems to work.

Kindly help what configuration is needed to enable TLS 1.3 between WAS and MQ

Hi there,

I think the issue here is related to the version of the MQ resource adapter (RA) that is being used. 

As you said, WebSphere Application Server 9.0.5.12 comes with the MQ 9.1.0.11 RA. Unfortunately, this version of the RA doesn't TLS 1.3 ciphers - in order to use them, the RA needs to be manually updated to the MQ 9.3 level. Details of how to do this can be found here:

https://www.ibm.com/docs/en/was/9.0.5?topic=adapter-installing-specific-maintenance-level-mq-resource 

Can you give that a go, and see if that fixes the issue?

Hope this helps!

> we have removed all the ciphers and have included only TLS_AES_256_GCM_SHA384 but it doesn't seems to work.

Please explain how you did this?  Also, are you sure you are at a high enough level of Java 8 that supports TLS 1.3.  i.e. Fix Packs applied to it.

Did you dump out the list of Ciphers when running the application in the JVM?  I'd suggest you run Java code from Atlassian Support's page here.  I also posted a write-up of the code on my blog here.

HI All,

We want to enable TLS 1.3 between an application running on WAS 9.0.5.12 and IBM MQ 9.2.0.8 using the TLS_AES_256_GCM_SHA384 cipher specification, but the connection cannot be made. While there is nothing in the IBM MQ server logs, we are receiving the MQRC_UNSUPPORTED_CIPHER_SUITE error with reason code 2400 in WAS logs.Further investigation revealed that WAS requires Java 8 which is already there to enable TLS 1.3 and the version of the Websphere MQ Messaging provider, wmq.jmsra.rar, is 9.1.0.11.

There is nothing logged in IBM MQ sserver as connection is not reaching to MQ itself after updating the ciphers to TLS 1.3 .

Do we need any more settings at WAS end to enable TLS 1.3 for MQ.

In qm.ini file we have AllowTLSV13=True present and at WAS end we have removed all the ciphers and have included only TLS_AES_256_GCM_SHA384 but it doesn't seems to work.

Kindly help what configuration is needed to enable TLS 1.3 between WAS and MQ