Thank you all for your public and private messages.
Original Message:
Sent: Wed January 03, 2024 11:03 AM
From: Gwydion Tudur
Subject: MQIPT unsupported cipherspec error
Apart from setting SSLServerCipherSuites or SSLClientCipherSuites, the only thing I can think of that would allow one of those ciphers and not the other is the list of disabled algorithms in the java.security file for the MQIPT JRE (<MQIPT_installation_path>/java/jre/lib/security/java.security). If that file hasn't been modified from what's supplied with MQIPT, both cipher suites should be enabled. To prove that both cipher suites are enabled in MQIPT, you could set Trace=5 in the mqipt.conf file. The list of enabled cipher suites is printed to the trace file when a connection is received.
Regards
Gwydion
------------------------------
Gwydion Tudur
Original Message:
Sent: Wed January 03, 2024 10:29 AM
From: Luc-Michel Demey
Subject: MQIPT unsupported cipherspec error
Thanks Gwydion,
It's possible that there's an error in my mqipt.conf file, I'll check it out.
The Queue Managers were created specifically for testing, there is nothing special in the qm.ini or elsewhere.
But there's something that bothers me:
- with cipherspec SSL_RSA_WITH_AES_256_CBC_SHA256 everything works
- with cipherspec SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 there is a problem.
Could an error in the configuration file have this effect?
I'm going to redo the whole set of tests with both cipherspecs, and share the results using the real Queue Manager names, so as to make the logs understandable.
------------------------------
Luc-Michel Demey
DEMEY CONSULTING
lmd@demey-consulting.fr
#IBMChampion
Original Message:
Sent: Wed January 03, 2024 10:03 AM
From: Gwydion Tudur
Subject: MQIPT unsupported cipherspec error
The error in the connection log is for route 14109 (OVH -> IPT -> Halo), while the MQCPE048 error is for route 14609, so these are two unrelated errors.
For the MQCPE048 error, 16030300 looks like a TLS Client Hello record, so I suspect that something is attempting to make a TLS connection to the MQIPT route that is configured to accept a plaintext connection (SSLServer=false). Maybe SSLCIPH was not blank in the QM1->MQIPT sender channel at some point when you were setting this up?
For the route 14109 error that affects the QM2->MQIPT connection, since SSLServerCipherSuites is blank, MQIPT accepts any CipherSuite that is supported by the JRE. If the qmgr and MQIPT have no cipher suites in common, then the available CipherSpecs on QM2 must be restricted to a set that doesn't include ECDHE_RSA_AES_256_GCM_SHA384. Is AllowedCipherSpecs set in the qm.ini file?
Regards
Gwydion
------------------------------
Gwydion Tudur
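To make the two failure modes in Gwydion's reply concrete (a TLS record arriving on a plaintext route, which shows up as the 16030300 "protocol identifier", versus a TLS route with no cipher suite in common with the peer), here is an added Python example. It is not code from the thread or from MQIPT. It builds a minimal, constructed TLS 1.2 ClientHello, classifies the first bytes on a socket, extracts the offered cipher suites, and intersects them with an enabled-suite list written in the IBM JSSE SSL_ spelling used in mqipt.conf. The small code-point table and the rule that an empty enabled list means "anything the JRE supports" are assumptions standing in for the real JRE list.

```python
import struct

# IANA cipher suite code points for the suites discussed in the thread.
# IBM JSSE (the JRE shipped with MQIPT) spells these with an SSL_ prefix,
# IANA with TLS_; the lookup below normalises SSL_ to TLS_. This short table
# is an assumption standing in for the JRE's full list.
CIPHER_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
}
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def build_client_hello(suite_codes):
    """Construct a minimal TLS 1.2 ClientHello record (test data, not captured traffic)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suite_codes))
    body += b"".join(struct.pack("!H", c) for c in suite_codes)
    body += b"\x01\x00"                                # one compression method: null
    body += b"\x00\x00"                                # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


def classify_first_bytes(data):
    """Label what the first bytes on a socket look like: a TLS ClientHello, some other
    TLS record, or not TLS at all (which is what a plaintext MQIPT route expects)."""
    if len(data) < 5 or data[0] not in (0x14, 0x15, 0x16, 0x17) or data[1] != 0x03 or data[2] > 0x04:
        return "not-tls"
    if data[0] == HANDSHAKE and len(data) > 5 and data[5] == CLIENT_HELLO:
        return "tls-client-hello"
    return "tls-record"


def parse_client_hello(data):
    """Extract the record/client versions and the offered cipher suites from a ClientHello."""
    if classify_first_bytes(data) != "tls-client-hello":
        raise ValueError("not a TLS ClientHello record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                       # skip client_version and random
    pos += 1 + body[pos]                               # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {
        "record_version": (data[1], data[2]),
        "client_version": (body[0], body[1]),
        "cipher_suites": suites,
    }


def common_suites(offered_codes, enabled_names):
    """Names of offered suites that the server side also enables; an empty result is
    what the JSSE reports as 'no cipher suites in common'."""
    if not enabled_names:
        # Blank SSLServerCipherSuites means any suite the JRE supports; the table
        # above stands in for that list here (assumption).
        enabled = set(CIPHER_NAMES.values())
    else:
        enabled = {n.replace("SSL_", "TLS_", 1) for n in enabled_names}
    return [CIPHER_NAMES[c] for c in offered_codes if CIPHER_NAMES.get(c) in enabled]


def diagnose(first_bytes, route_is_tls_server, enabled_names):
    """Explain the two failure modes from the thread from the route's point of view."""
    kind = classify_first_bytes(first_bytes)
    if not route_is_tls_server:
        if kind != "not-tls":
            return "plaintext route received a TLS record (first bytes %s)" % first_bytes[:4].hex()
        return "plaintext route received non-TLS data"
    if kind != "tls-client-hello":
        return "TLS route received something other than a ClientHello"
    offered = parse_client_hello(first_bytes)["cipher_suites"]
    shared = common_suites(offered, enabled_names)
    if not shared:
        return "no cipher suites in common"
    return "negotiable: " + ", ".join(shared)


if __name__ == "__main__":
    hello = build_client_hello([0xC030, 0xC02F])
    print(hello[:4].hex())                              # 16030300, the prefix quoted in MQCPI014
    print(diagnose(hello, False, []))
    print(diagnose(hello, True, ["SSL_RSA_WITH_AES_256_CBC_SHA256"]))
    print(diagnose(hello, True, ["SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]))
```

The first four bytes of any TLS 1.2 ClientHello shorter than 256 bytes are exactly 16 03 03 00, which is why a plaintext (SSLServer=false) route logs that value when something speaks TLS to it; the same bytes arriving on a TLS route are parsed for their cipher suite list instead.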
Original Message:
Sent: Wed January 03, 2024 08:57 AM
From: Luc-Michel Demey
Subject: MQIPT unsupported cipherspec error
I just tried to set the variable for FIPS:
set MQIPT_JVM_OPTIONS="-Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS"
--> same error.
Concerning the certificates, they are RSA, and I think they are good:
- in the first test (QM1 - QM2 with TLS), each Queue Manager has its own certificate.
- In the second test (QM1 - MQIPT - QM2 with TLS) I used QM1's certificate to build the MQIPT store.
For the moment, I'm not in a blocked situation, as I'm using SSL_RSA_WITH_AES_256_CBC_SHA256.
But:
- I'd like to understand what's going on
- I prefer a cipherspec that allows perfect forward secrecy.
If I have a bit of time, I'll redo tests with downlevel versions of MQIPT, so I can see if it's a bug brought by the latest versions.
PS: in the very distant past, it was possible to access open but not yet corrected IBM APARs in fixes. I can't find these pages anymore. Does anyone know if they still exist?
Thanks.
------------------------------
Luc-Michel Demey
DEMEY CONSULTING
lmd@demey-consulting.fr
#IBMChampion
Original Message:
Sent: Wed January 03, 2024 08:33 AM
From: Francois Brandelik
Subject: MQIPT unsupported cipherspec error
What type of keys do you have in MQ and MQIPT?
Elliptic curve, vs RSA. You would have no Cipher in common between an Elliptic Curve Key and an RSA Key.... The ECDHE_RSA ciphers still all require an RSA key on both sides...
I expect you only have one private key in your key ring on MQIPT, right?
------------------------------
Francois Brandelik
Original Message:
Sent: Wed January 03, 2024 08:27 AM
From: Luc-Michel Demey
Subject: MQIPT unsupported cipherspec error
Here is the mqipt conn log:
mqiptxxx.log:
Wed Jan 03 12:58:22 CET 2024 conn accept vps-xxxx.ovh.net(35426) HALO(14109) OK 14109-0
Wed Jan 03 12:58:22 CET 2024 conn close vps-xxxx.ovh.net(35426) HALO(14109) ERROR 14109-0 SSLHandshakeException: no cipher suites in common
------------------------------
Luc-Michel Demey
DEMEY CONSULTING
lmd@demey-consulting.fr
#IBMChampion
Original Message:
Sent: Tue January 02, 2024 10:52 PM
From: Morag Hughson
Subject: MQIPT unsupported cipherspec error
Sorry, I read the text description and didn't notice that the config file had the correct spelling! Am reading more carefully now!
I have had, and discarded various ideas of what your problem might be!
Can you show us what an MQIPT Connection Log has to say?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Tue January 02, 2024 02:17 PM
From: Luc-Michel Demey
Subject: MQIPT unsupported cipherspec error
Hello Morag,
Yes, I've read that documentation too, and I'm using SSLClientCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(see my .conf file).
I've done a lot of testing (especially replacing with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), but when MQIPT starts there is a check, and if a cipherspec is unknown, there is an error.
So I think SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is the right value in the .conf file.
As I know that Java is sometimes fussy about cipherspecs, and that IBM and Java names are different, I'm thinking of a missing parameter on the Java side.
Or maybe it's the first bug of 2024!
------------------------------
Luc-Michel Demey
DEMEY CONSULTING
lmd@demey-consulting.fr
#IBMChampion
Original Message:
Sent: Tue January 02, 2024 01:03 PM
From: Morag Hughson
Subject: MQIPT unsupported cipherspec error
IBM Docs (https://www.ibm.com/docs/en/ibm-mq/9.3?topic=thru-ssltls-support-in-mqipt) suggest that SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is enabled by default.
Can you try this spelling? I.e. SSL_ on the front of what you have.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Tue January 02, 2024 10:56 AM
From: Luc-Michel Demey
Subject: MQIPT unsupported cipherspec error
Hello,
I am configuring an MQ - MQ link via MQIPT, and I have cipherspec errors:
MQCPI014 Protocol identifier (16030300) not recognized
The goal is to start from QM1 in clear, and arrive on QM2 in TLS 1.2, with MQIPT in the middle.
Environment:
- Server 1, QM1, Windows 10, MQ 9.3
- Server 2, QM2, Linux Centos, MQ 9.3
- MQIPT: version 9.3.4, co-located with QM1
- Certificates signed by a private CA.
Results:
- DQM QM1-QM2 link in clear text: OK
- DQM QM1-QM2 link in TLS 1.2 (ECDHE_RSA_WITH_AES_256_GCM_SHA384): OK
- DQM QM1-QM2 link in clear via MQIPT: OK
- DQM QM1-QM2 link in TLS 1.2 via MQIPT: KO
MQCPI014 Protocol identifier (16030300) not recognized
MQCPE048 Path startup failure on port 14609, exception: IPTException: closeId=; closeMsg=; rc=60025
BUT, if in the configuration I replace ECDHE_RSA_WITH_AES_256_GCM_SHA384 with SSL_RSA_WITH_AES_256_CBC_SHA256, no problem, everything works.
I have the impression that ECDHE_RSA_WITH_AES_256_GCM_SHA384 is not supported by the JRE embedded in MQIPT (java version "1.8.0_381").
I repeated the same tests with a Server 1 running Windows 11 & MQ 9.2, and the same thing happened.
Do I need to add a specific parameter to use this cipherspec?
Thanks for your help.
FYI, my mqipt.conf:
#############
# MQIPT configuration file
# LM Demey - 10:41 02/01/2024
#############
# Global default properties for all routes
[global]
MinConnectionThreads=5
MaxConnectionThreads=100
IdleTimeout=20
ClientAccess=true
QMgrAccess=true
Trace=0
ConnectionLog=true
MaxLogFileSize=50
RemoteShutDown=true
RemoteCommandAuthentication=required
AccessPW=<mqiptPW>xxxx
#
[route]
Name=Halo -> IPT -> OVH
Active=true
ListenerPort=14609
Destination=51.75.19.xxx
DestinationPort=14601
SSLClient=true
SSLClientCAKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
SSLClientCAKeyRingPW=<mqiptPW>xxxxx
SSLClientCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLClientKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
SSLClientKeyRingPW=<mqiptPW>xxxxx
#
[route]
Name=OVH -> IPT -> Halo
Active=true
ListenerPort=14109
Destination=192.168.0.101
DestinationPort=14101
SSLServer=true
SSLServerCAKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
SSLServerCipherSuites=
SSLServerCAKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
SSLServerCAKeyRingPW=<mqiptPW>xxxx
SSLServerKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
SSLServerKeyRingPW=<mqiptPW>xxxx
------------------------------
Luc-Michel Demey
DEMEY CONSULTING
lmd@demey-consulting.fr
#IBMChampion
------------------------------