Support Article
MQ SSL handshake fails RC=2393;AMQ9204
SA-14136
Summary
Connection to secured MQ through Connect-MQ fails.
Error Messages
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2393' ('MQRC_SSL_INITIALIZATION_ERROR').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:223)
... 30 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'your_host(1425)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA],3=your_host/127.0.0.1:your_port (your_host),4=SSLSocket.createSocket,5=default]],3=your_host(your_port),5=RemoteTCPConnection.makeSocketSecure]
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:2011)
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1228)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:363)
... 29 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_256_CBC_SHA],3=your_host/127.0.0.1:your_port (your_host),4=SSLSocket.createSocket,5=default]
at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:1754)
Steps to Reproduce
Invoke Connect-MQ to secure MQ channel from an activity.
Root Cause
A defect or configuration issue in the operating environment. After adding the SSL debug argument "-Djavax.net.debug=true" to the JVM, it was observed that the incorrect keyStore and trustStore were picked up during the SSL handshake:
18:31:16,538 INFO [stdout] () keyStore is :
18:31:16,539 INFO [stdout] () keyStore type is : jks
18:31:16,539 INFO [stdout] () keyStore provider is :
18:31:16,539 INFO [stdout] () init keystore
18:31:16,539 INFO [stdout] () init keymanager of type SunX509
18:31:16,540 INFO [stdout] () trustStore is: /usr/java/jdk-1.7.0_71-x86_64/jre/lib/security/cacerts
18:31:16,541 INFO [stdout] () trustStore type is : jks
18:31:16,541 INFO [stdout] () trustStore provider is :
On inspecting the argument added to the JVM, it was observed that it contained white space and a carriage return. These caused the issue: the correct keystore and truststore files were not picked up during the SSL handshake.
Resolution
Make the following change to the operating environment:
Remove white spaces from the JVM argument for SSL to resolve the issue.
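A check for the condition described above, as an added example that is not part of the original article: it scans a JVM option string for javax.net.ssl arguments broken by white space or a carriage return, and reads the "keyStore is" / "trustStore is" debug lines to confirm that the JVM fell back to its defaults. The option values and paths in BAD_ARGS are constructed placeholders, and splitting the options on white space is an assumption about how the launcher tokenizes them.

```python
import re

# javax.net.ssl.* are the standard JSSE system properties for key/trust stores.
SSL_PREFIX = "-Djavax.net.ssl."
STORE_LINE = re.compile(r"\b(keyStore|trustStore) is\s*:\s*(.*)$")

def audit_jvm_args(raw):
    """Flag javax.net.ssl options that white space or a carriage return has broken."""
    findings = []
    if "\r" in raw:
        findings.append("carriage return inside the argument text")
    tokens = raw.split()  # assumption: the launcher splits options on white space
    for i, tok in enumerate(tokens):
        if not tok.startswith(SSL_PREFIX):
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if "=" not in tok:
            findings.append(f"{tok}: white space before '=', value split off")
        elif tok.endswith("="):
            findings.append(f"{tok}: white space after '=', value is empty")
        elif nxt and not nxt.startswith("-"):
            findings.append(f"{tok}: value continues in stray token {nxt!r}")
    return findings

def stores_from_debug(log):
    """Extract the stores the JVM actually reported in javax.net.debug output."""
    stores = {}
    for line in log.splitlines():
        m = STORE_LINE.search(line)
        if m:
            stores[m.group(1)] = m.group(2).strip()
    return stores

def fell_back_to_defaults(stores):
    """True when no keyStore was loaded and trustStore is the JRE's bundled cacerts."""
    return (stores.get("keyStore") == ""
            and stores.get("trustStore", "").endswith("/lib/security/cacerts"))

# Constructed sample input: option values and paths are placeholders.
BAD_ARGS = ("-Xmx2g -Djavax.net.ssl.keyStore= /opt/keys/client.jks "
            "-Djavax.net.ssl.trustStore=/opt/keys/trust.jks\r\n")
# Debug lines as they appear in the article's log excerpt.
DEBUG_LOG = """18:31:16,538 INFO [stdout] () keyStore is :
18:31:16,539 INFO [stdout] () keyStore type is : jks
18:31:16,540 INFO [stdout] () trustStore is: /usr/java/jdk-1.7.0_71-x86_64/jre/lib/security/cacerts"""

if __name__ == "__main__":
    print(audit_jvm_args(BAD_ARGS))
    print(fell_back_to_defaults(stores_from_debug(DEBUG_LOG)))
```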
Published September 23, 2015 - Updated October 8, 2020