'JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE')

I am getting the following exception while trying to make a connection with remote MQ from my Java client on my local machine:

com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE')

This is with Java version 1.7, the Oralce JRE, cipher suite 'TLS_RSA_WITH_AES_256_CBC_SHA256' and the following Maven dependencies:

<dependency>
  <groupId>com.ibm.mq</groupId>
  <artifactId>allclient</artifactId>
  <version>9.0.0</version>
</dependency>
<dependency>
  <groupId>com.sun.messaging.mq</groupId>
  <artifactId>fscontext</artifactId>
  <version>4.4.2</version>
</dependency>


Solution 1:[1]

Update

Updating each point provided before with more current information.

  1. IBM MQ 9.2 and higher now support TLS1.3. The TLS1.3 ciphersuites now use the standard names which match in both Oracle Java and IBM Java, the use of -Dcom.ibm.mq.cfg.useIBMCipherMappings=false should no longer be required of you are able to use a TLS1.3 ciphersuite.

  2. The signature algorithm SHA224withRSA is required to use the Oracle Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA256. Oracle JRE 1.7.0_171 or later and 1.8.0_162 or later now come with unlimited strength policy files enabled by default and support SHA224withRSA.

  3. The JCE Unlimited Strength Jurisdiction Policy Files required to use a SHA256 Cipher Suite are now included and enabled by default in the above versions or later.


There are three things that impact this:

  1. If you want to use Oracle JRE you need to set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false, this will allow IBM MQ to use the Oracle Cipher Suite names like TLS_RSA_WITH_AES_256_CBC_SHA256

  2. The signature algorithm SHA224withRSA is not supported by Oracle JRE 1.7 and is required to use the Oracle Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA256. Based on this you would need to go to Oracle JRE 1.8.

  3. You will need to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files to use a SHA256 Cipher Suite.


The information above is covered in more detail in my answer to another post "MQ Error on SSL enabled".

Solution 2:[2]

You can also try this additional params:

-Djavax.net.ssl.trustStorePassword=mqpassword -Djavax.net.ssl.keyStorePassword=mqpassword  -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false 

Solution 3:[3]

Use this along with the JVM parameter as older version can be an issue :

    <dependency>
        <groupId>com.ibm.mq</groupId>
        <artifactId>com.ibm.mq.allclient</artifactId>
        <version>9.1.0.7</version>
    </dependency>

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Snehal Masne
Solution 3 Smart Coder