Wednesday, 11 November 2015

AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel

Following on from my earlier post: -


I also saw this: -

11/11/15 20:31:03 - Process(39916.7) User(mqm) Program(amqrmppa)
                    Host(nemdemo.uk.ibm.com) Installation(Installation1)
                    VRMF(8.0.0.0) QMgr(TESTQM)

AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'TEST.QMGR.SVRCONN'.

EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'TEST.QMGR.SVRCONN'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_AES_128_CBC_SHA256'. The name of the CipherSpec negotiated during
the SSL handshake is 'TLS_RSA_WITH_AES_256_CBC_SHA256'. A code is displayed if
the name of the negotiated CipherSpec cannot be determined.
ACTION:
Change the channel definitions for 'TEST.QMGR.SVRCONN' so the two ends have
matching CipherSpecs and restart the channel. If the certificate in use by one
end of the channel is a Global Server Certificate, then the negotiated
CipherSpec may not match that specified on either end of the channel. This is
because the SSL protocol allows a Global Server Certificate to automatically
negotiate a higher level of encryption. In these cases specify a CipherSpec
which meets the requirements of the Global Server Certificate.


in my MQ log - /var/mqm/qmgrs/TESTQM/errors/AMQERR01.LOG.

Again, this happened when I attempted to start the Message Driven Bean (MDB) in WAS, which is the "client" to the MQ "server".

This time around, the message was more meaningful.

The connection from WAS is using an SSL Configuration that asserts a specific Cipher Specification - SSL_RSA_WITH_AES_256_CBC_SHA256 : -

AdminTask.createSSLConfig('[-alias WAS_to_WMQ -type JSSE -scopeName (cell):'+cellID+' -keyStoreName CellDefaultKeyStore -keyStoreScopeName (cell):'+cellID+' -trustStoreName CellDefaultTrustStore -trustStoreScopeName (cell):'+cellID+'  -jsseProvider IBMJSSE2 -sslProtocol TLSv1.2 -clientAuthentication false -clientAuthenticationSupported false -securityLevel HIGH -enabledCiphers SSL_RSA_WITH_AES_256_CBC_SHA256 ]')

whereas the MQ Channel was expecting a slightly different one: -

echo "DIS CHANNEL("TEST.QMGR.SVRCONN") SSLCIPH" | runmqsc TESTQM

5724-H72 (C) Copyright IBM Corp. 1994, 2014.
Starting MQSC for queue manager TESTQM.


     1 : DIS CHANNEL(TEST.QMGR.SVRCONN) SSLCIPH
AMQ8414: Display Channel details.
   CHANNEL(TEST.QMGR.SVRCONN)              CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.

Once I updated the Channel to use the same Cipher Specification as WAS: -

echo "ALTER CHANNEL("TEST.QMGR.SVRCONN") CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)" | runmqsc TESTQM

the MDB started without problems.
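As an added check (my own example, not part of the original post), this Python script pulls the channel name, required CipherSpec and negotiated CipherSpec out of an AMQ9631 entry in AMQERR01.LOG, reads SSLCIPH from `DIS CHANNEL` output, and compares it with the WAS `-enabledCiphers` value. It assumes, as the post does, that the IBM JSSE `SSL_` prefix and the MQ `TLS_` prefix name the same suite; the sample log text is constructed from the entry quoted above.

```python
import re

# Constructed sample, trimmed from the AMQ9631 entry quoted in the post.
SAMPLE_LOG = """\
11/11/15 20:31:03 - Process(39916.7) User(mqm) Program(amqrmppa) QMgr(TESTQM)

AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'TEST.QMGR.SVRCONN'.
EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'TEST.QMGR.SVRCONN'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_AES_128_CBC_SHA256'. The name of the CipherSpec negotiated during
the SSL handshake is 'TLS_RSA_WITH_AES_256_CBC_SHA256'.
"""

# The WAS SSL configuration's -enabledCiphers value from the wsadmin call above.
WAS_ENABLED_CIPHER = "SSL_RSA_WITH_AES_256_CBC_SHA256"

# AMQERR entries wrap at ~80 columns, so whitespace is collapsed before matching.
_AMQ9631 = re.compile(
    r"AMQ9631: .*? for channel '([^']+)'\..*?"
    r"required in the local channel definition is '([^']+)'\..*?"
    r"negotiated during the SSL handshake is '([^']+)'\."
)


def parse_amq9631(log_text):
    """Return one dict per AMQ9631 entry: channel, required, negotiated."""
    flat = re.sub(r"\s+", " ", log_text)
    return [{"channel": c, "required": r, "negotiated": n}
            for c, r, n in _AMQ9631.findall(flat)]


def normalise(cipher):
    """IBM JSSE names suites with an SSL_ prefix where MQ's SSLCIPH uses TLS_;
    fold the prefix so SSL_RSA_WITH_AES_256_CBC_SHA256 equals its TLS_ form."""
    cipher = cipher.strip().upper()
    return "TLS_" + cipher[4:] if cipher.startswith("SSL_") else cipher


def sslciph_from_runmqsc(output):
    """Pull SSLCIPH(...) out of 'DIS CHANNEL(...) SSLCIPH' output, or None."""
    m = re.search(r"SSLCIPH\(([^)]*)\)", output)
    return m.group(1) if m else None


def channel_matches_was(runmqsc_output, was_cipher=WAS_ENABLED_CIPHER):
    """True when the channel's SSLCIPH is the same suite WAS is configured to offer."""
    sslciph = sslciph_from_runmqsc(runmqsc_output)
    return sslciph is not None and normalise(sslciph) == normalise(was_cipher)
```

Feed it `cat /var/mqm/qmgrs/TESTQM/errors/AMQERR01.LOG` and the `runmqsc` output shown above; the channel line from before the ALTER reports a mismatch and the one after it reports a match.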
