We have a few services that vendors call externally (inbound to our company) where the service connects directly to an IBM MQ connection and puts messages directly on the queue.
Just patched API Gateway from 10.0 CR03 to 10.0 CR05 and after the patch to CR05, the connection no longer works. The MQ error below gets thrown.
com.l7tech.external.assertions.mqnative.server.ServerMqNativeRoutingAssertion: 9616: Failed to establish MQ connection Will retry after 1000ms.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2400'.
Unable to verify this MQ Native setting:queue manager - com.ibm.mq.MQException: MQJE001: Completion code '2': Reason '2400'
The error seems to suggest some sort of SSL cipher issue. I did notice that CR05 updated the java.security file in /opt/SecureSpan/JDK/jre/lib/security.
I did a comparison of the java.security file between prod (which hasn't been patched yet), and test (that has been patched) and there were some notable differences.
I've tried commenting out/removing some of the differences I noticed in the java.security and that didn't make a difference.
1. Removed "include jdk.disabled.namedCurves" from jdk.tls.disabledAlgorithms, jdk.jar.disabledAlgorithms and jdk.tls.disabledAlgorithms
2. Uncommented # jdk.tls.alpnCharset=UTF-8 and commented out jdk.tls.alpnCharset=ISO_8859_1
3. Removed TLSv1, TLSv1.1 from jdk.tls.disabledAlgorithms
Here are the steps to reproduce:
In the Layer7 API Gateway policy manager, click Tasks > Transports > Manage MQ Native Queues
You'll immediately get the error "Unable to verify this MQ Native setting:queue manager - com.ibm.mq.MQException: MQJE001: Completion code '2': Reason '2400'"
Release : 10.0
Component : API GATEWAY
It appears that CR05 overwrites the /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties file, in which we had the 2 IBM MQ settings configured:
com.ibm.mq.cfg.useIBMCipherMappings=false
com.ibm.mq.cfg.preferTLS=true
1. Re-added the following 2 settings to the system.properties file:
com.ibm.mq.cfg.useIBMCipherMappings=false
com.ibm.mq.cfg.preferTLS=true
2. Restarted the ssg service.
3. Tested the MQ endpoint connection, and it was able to connect successfully.
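One way to check for the overwritten settings after a CR patch, as an added example (not part of the original post or Broadcom's tooling): the function name `ensure_mq_props` and the `.bak.<epoch>` backup naming are assumptions; the two settings and their values come from this page.

```shell
#!/bin/sh
# Added example: ensure_mq_props and the backup naming are hypothetical.
# The two settings and their values are the ones given on this page.
MQ_PROPS='com.ibm.mq.cfg.useIBMCipherMappings=false
com.ibm.mq.cfg.preferTLS=true'

# ensure_mq_props FILE
# Ensures each setting appears exactly once with the expected value.
# Prints how many settings had to be fixed (0 = file was already correct).
ensure_mq_props() {
    file=$1
    fixed=0
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    for prop in $MQ_PROPS; do
        key=${prop%%=*}
        # Escape the dots so the key is matched literally.
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        active="^[[:space:]]*${key_re}[[:space:]]*="
        # Correct already: one active line for the key, with the exact value.
        if [ "$(grep -c "$active" "$file")" = 1 ] && grep -qxF "$prop" "$file"; then
            continue
        fi
        # Back up once, before the first change.
        if [ "$fixed" -eq 0 ]; then
            cp -p "$file" "$file.bak.$(date +%s)"
        fi
        # Drop any active line for this key (wrong value or duplicate),
        # then append the expected one.
        tmp=$(mktemp)
        grep -v "$active" "$file" > "$tmp" || true
        printf '%s\n' "$prop" >> "$tmp"
        cat "$tmp" > "$file"    # rewrite in place: keeps owner and mode
        rm -f "$tmp"
        fixed=$((fixed + 1))
    done
    echo "$fixed"
}

# Run only when a file is given, e.g. the system.properties path above.
if [ $# -ge 1 ]; then
    n=$(ensure_mq_props "$1") || exit 2
    echo "settings fixed: $n"
    if [ "$n" -gt 0 ]; then
        echo "restart the ssg service for the change to take effect"
    fi
fi
```

Running it a second time on the same file reports 0 fixes, so it can be added to a post-patch checklist without risk of duplicating the entries.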
https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=768817#bm16f77577-6f5d-4595-a03d-5711271e98b6