I have a problem connecting to IBM MQ 8.0 from a Java client when SSL is enabled on the client channel (SVRCONN). When SSL is disabled (SSLAUTH set to OPTIONAL) on the channel, the flow works fine.
The client is Java with JRE 1.7. The MQ server version is IBM MQ 8.0.
I created self-signed certificates and exchanged them properly as per the MQ setup references.
The javax.net.debug=ssl option confirms in the log that the certificate exchange and SSL handshake are successful.
But when the Java client code tries to get the MQManager object, the following MQ exception is thrown.
com.ibm.mq.MQException: MQJE001: Completion code '2', reason '2059' ...
caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host '1.2.3.4(1414)' rejected. [1=com.ibm.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]],3=1.2.3.4(1414), 5=RemoteConnection.analyseSegment] ...
caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]
I have configured TLS_RSA_WITH_AES_256_CBC_SHA256 as the cipherspec on both the client side and the MQ client channel (SVRCONN).
I tried other cipherspecs such as TLS_RSA_WITH_AES_128_CBC_SHA; the error remains the same.
The MQ server error log has AMQ9665: SSL connection closed by remote end of channel '????'
Explanation: The SSL or TLS connection was closed by the remote host '5.6.7.8' during the secure socket handshake. The channel is '????', in some cases its name can not be determined and so is shown as '????'. The channel didn't start.
ACTION: Check the remote end of for SSL and TLS errors. Fix them and restart the channel.
But on the remote side, I have only the Java client, which uses the MQ libraries to connect to the MQ server.
[Images: SSLLog Page-4, SSLLog Page-5]
I am not able to get data from the server, so I added images of the last 2 pages of the SSL logs.
The MQ server side logs are already given above. Along with those, there is a default log entry AMQ9999: Channel '????' to host 1.2.3.4 ended abnormally. The same error is getting logged repeatedly with . I didn't find any other logs.
The MQ client code snippet is below.
    import com.ibm.mq.MQEnvironment;
    import com.ibm.mq.MQException;
    import com.ibm.mq.MQQueueManager;

    void connect2MQ()
    {
        // Connection details for the client (SVRCONN) channel
        MQEnvironment.hostname = "1.2.3.4";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "CLIENT.SVRCONN.SSL";
        if (SSLEnabled.equals("Y")) // It is set to 'Y' in main method
        {
            MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
            // JSSE key store and trust store settings (property names are case-sensitive)
            System.setProperty("javax.net.ssl.trustStore", "trustStoreCertFilePath");
            System.setProperty("javax.net.ssl.keyStore", "keyStoreCertFilePath");
            System.setProperty("javax.net.ssl.trustStorePassword", "Pass");
            System.setProperty("javax.net.ssl.keyStorePassword", "Pass");
            System.setProperty("javax.net.ssl.trustStoreType", "JKS");
            System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        }
        try {
            MQQueueManager qmgr = new MQQueueManager("QMGR.TEST.SSL"); // Exception is thrown from here
            // ...
        } catch (MQException e) {
            e.printStackTrace();
        }
    }
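
A preflight check for the JSSE settings described in the question, added here as an example (not part of the original post and not IBM's code). It uses only standard JSSE/JCA calls, no MQ classes. The class name `JsseClientPreflight` is hypothetical, and the two cipher suite names are the ones quoted in the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic (hypothetical class name); written to compile on Java 7.
public class JsseClientPreflight {

    // Classifies a suite name against this JRE's default-enabled and supported lists.
    static String suiteStatus(String suite, List<String> enabled, List<String> supported) {
        if (enabled.contains(suite)) return "enabled by default";
        return supported.contains(suite) ? "supported but not enabled by default"
                                         : "not supported by this JRE";
    }

    // Loads the store named by javax.net.ssl.<prefix> and lists each alias with its entry type.
    static void describeStore(String prefix) throws Exception {
        String path = System.getProperty("javax.net.ssl." + prefix);
        if (path == null) { System.out.println(prefix + ": property not set"); return; }
        String pass = System.getProperty("javax.net.ssl." + prefix + "Password", "");
        KeyStore ks = KeyStore.getInstance(System.getProperty("javax.net.ssl." + prefix + "Type", "JKS"));
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pass.toCharArray()); } finally { in.close(); }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(prefix + ": " + alias + " -> "
                + (ks.isKeyEntry(alias) ? "key entry" : "trusted certificate entry"));
        }
    }

    public static void main(String[] args) throws Exception {
        describeStore("keyStore");   // the client's own certificate needs a key entry
        describeStore("trustStore"); // the queue manager's certificate belongs here
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters def = ctx.getDefaultSSLParameters();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        System.out.println("Protocols enabled by default: " + Arrays.toString(def.getProtocols()));
        List<String> enabled = Arrays.asList(def.getCipherSuites());
        List<String> supported = Arrays.asList(sup.getCipherSuites());
        // The two suite names tried in the question.
        for (String s : new String[] {"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"}) {
            System.out.println(s + ": " + suiteStatus(s, enabled, supported));
        }
    }
}
```

Run it on the same JRE as the client, passing the same `-Djavax.net.ssl.*` system properties, so the output reflects what the MQ client classes will see.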