MQIPT unsupported cipherspec error

  • 1.  MQIPT unsupported cipherspec error

    Posted Tue January 02, 2024 01:57 PM

    Hello,

    I am configuring an MQ - MQ link via MQIPT, and I have cipherspec errors:
    MQCPI014 Protocol identifier (16030300) not recognized

    The goal is to start from QM1 in clear, and arrive on QM2 in TLS 1.2, with MQIPT in the middle.
    Environment:
    - Server 1, QM1, Windows 10, MQ 9.3
    - Server 2, QM2, Linux Centos, MQ 9.3
    - MQIPT: version 9.3.4, co-located with QM1
    - Certificates signed by a private CA.
    Results:
    - DQM QM1-QM2 link in clear text: OK
    - DQM QM1-QM2 link in TLS 1.2 (ECDHE_RSA_WITH_AES_256_GCM_SHA384) : OK
    - DQM QM1-QM2 link in clear via MQIPT: OK
    - DQM QM1-QM2 link in TLS 1.2 via MQIPT: KO 

    MQCPI014 Protocol identifier (16030300) not recognized
    MQCPE048 Path startup failure on port 14609, exception: IPTException: closeId=; closeMsg=; rc=60025
            
    BUT, if in the configuration I replace ECDHE_RSA_WITH_AES_256_GCM_SHA384 with SSL_RSA_WITH_AES_256_CBC_SHA256, no problem, everything works.

    I have the impression that ECDHE_RSA_WITH_AES_256_GCM_SHA384 is not supported by the JRE embedded in MQIPT (java version "1.8.0_381").
    I repeated the same tests with a Server 1 running Windows 11 & MQ 9.2, and the same thing happened.
    Do I need to add a specific parameter to use this cipherspec?

    Thanks for your help.

    FYI, my mqipt.conf:

    #############
    # MQIPT configuration file
    # LM Demey - 10:41 02/01/2024
    #############
    # Global default properties for all routes
    [global]
    MinConnectionThreads=5
    MaxConnectionThreads=100
    IdleTimeout=20
    ClientAccess=true
    QMgrAccess=true
    Trace=0
    ConnectionLog=true
    MaxLogFileSize=50
    RemoteShutDown=true
    RemoteCommandAuthentication=required
    AccessPW=<mqiptPW>xxxx
    #
    [route]
    Name=Halo -> IPT -> OVH
    Active=true
    ListenerPort=14609
    Destination=51.75.19.xxx
    DestinationPort=14601
    SSLClient=true
    SSLClientCAKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
    SSLClientCAKeyRingPW=<mqiptPW>xxxxx
    SSLClientCipherSuites=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    SSLClientKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
    SSLClientKeyRingPW=<mqiptPW>xxxxx
    #
    [route]
    Name=OVH -> IPT -> Halo
    Active=true
    ListenerPort=14109
    Destination=192.168.0.101
    DestinationPort=14101
    SSLServer=true
    SSLServerCAKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
    SSLServerCipherSuites=
    SSLServerCAKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
    SSLServerCAKeyRingPW=<mqiptPW>xxxx
    SSLServerKeyRing=J:\\MQIPT_home\\ipt101_2024.p12
    SSLServerKeyRingPW=<mqiptPW>xxxx



    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------
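
Added example, not part of the original post and not IBM code: a Python helper that extracts the four-byte protocol identifier from an MQCPI014 log line and classifies it. The value 16030300 quoted above has the layout of a TLS record header (content type 0x16 handshake, record version 3.3, first length byte). The function names and the list of MQ eyecatchers are assumptions made for this illustration.

```python
import re
import struct

# TLS record content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Record-layer version field; the negotiated version may differ from it.
TLS_RECORD_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                       (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# Assumption: MQ transmission segment headers start with one of these
# ASCII eyecatchers.
MQ_EYECATCHERS = (b"TSH ", b"TSHM", b"TSHC")

MQCPI014 = re.compile(
    r"MQCPI014 Protocol identifier \(([0-9A-Fa-f]{8})\) not recognized")


def extract_identifier(log_line):
    """Return the 8 hex digits from an MQCPI014 line, or None."""
    match = MQCPI014.search(log_line)
    return match.group(1) if match else None


def classify_protocol_identifier(hex_id):
    """Classify the first four bytes received on an MQIPT listener port."""
    try:
        raw = bytes.fromhex(hex_id.strip())
    except ValueError:
        raise ValueError(f"not a hex string: {hex_id!r}") from None
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes (8 hex digits)")
    if raw in MQ_EYECATCHERS:
        return {"protocol": "mq", "eyecatcher": raw.decode("ascii")}
    content_type, major, minor, length_high = struct.unpack("BBBB", raw)
    if content_type in TLS_CONTENT_TYPES and (major, minor) in TLS_RECORD_VERSIONS:
        return {"protocol": "tls",
                "content_type": TLS_CONTENT_TYPES[content_type],
                "record_version": TLS_RECORD_VERSIONS[(major, minor)],
                "length_high_byte": length_high}
    return {"protocol": "unknown", "raw": raw.hex()}


if __name__ == "__main__":
    # Log line copied from the post above.
    line = "MQCPI014 Protocol identifier (16030300) not recognized"
    print(classify_protocol_identifier(extract_identifier(line)))
```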