Search code examples
javasslintellij-ideaencryptionibm-mq

IntelliJ changes cipher spec after I set it in the properties

oracle sdk1.8

I'm trying to connect with my IBM MQ, but one way or another something somewhere overwrites my cipher spec (suite) settings I set in my code.

This is my JMSContext for my producer

    public JMSContext getJMSContext(Properties properties) throws JMSException {
    JmsFactoryFactory factory = JmsFactoryFactory.getInstance("com.ibm.msg.client.wmq");
    JmsConnectionFactory connectionFactory = factory.createConnectionFactory();
    connectionFactory.setStringProperty("XMSC_WMQ_HOST_NAME", properties.getProperty("mq.node.host"));
    connectionFactory.setIntProperty("XMSC_WMQ_PORT", Integer.parseInt(properties.getProperty("mq.node.port")));
    connectionFactory.setStringProperty("XMSC_WMQ_CHANNEL", properties.getProperty("mq.node.channel"));
    connectionFactory.setIntProperty("XMSC_WMQ_CONNECTION_MODE", 1);
    connectionFactory.setStringProperty("XMSC_WMQ_QUEUE_MANAGER", properties.getProperty("mq.node.queueManager"));
    connectionFactory.setIntProperty("XMSC_WMQ_CLIENT_RECONNECT_OPTIONS", 67108864);
    connectionFactory.setIntProperty("XMSC_WMQ_CLIENT_RECONNECT_TIMEOUT", 1800);
    connectionFactory.setStringProperty("XMSC_WMQ_APPNAME", properties.getProperty("mq.appName"));
    connectionFactory.setStringProperty("XMSC_WMQ_SSL_CIPHER_SPEC", "TLS_RSA_WITH_AES_256_CBC_SHA256");
    return connectionFactory.createContext();
}

however when I connect I get a failed handshake

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA256],3=fooserver,4=SSLSocket.createSocket,5=default]

As you can see it tries to set the cipher to the SSL when I explicitely set it to the TLS (which is also set in my ibm-mq settings and is a supported one in my JVM. I also updated the "securities" files) I debugged everything and everywhere and I dont see anything overwrite or set the cipher suite to SSL. So I am a bit lost.

Thanks

Solution

  • I am guessing that you are on a version of IBM MQ pre 9.3.3

    As per the IBM MQ documentation you need to tell the JMS client code to not use the IBM mappings, by passing in the Java parameter.

    -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

    You can configure whether your application uses the default IBM Java CipherSuite to IBM MQ CipherSpec mappings, or the Oracle CipherSuite to IBM MQ CipherSpec mappings. Therefore, you can use TLS CipherSuites whether your application uses an IBM JRE or an Oracle JRE.

    The Java System Property com.ibm.mq.cfg.useIBMCipherMappings controls which mappings are used. The property can be one of the following values:

    true : Use the IBM Java CipherSuite to IBM MQ CipherSpec mappings. This value is the default value.

    false : Use the Oracle CipherSuite to IBM MQ CipherSpec mappings.

    You should also check which cipher suite MQ is set to by running the mqsc command.

    DISPLAY CHANNEL(mq.node.channel) SSLCIPH