com.l7tech.external.assertions.mqnative.server.ServerMqNativeRoutingAssertion: 9616: Failed to establish MQ connection

Article ID: 243927

Products

CA API Gateway

Issue/Introduction

We have a few services that vendors call externally (inbound to our company) where the service connects directly to an IBM MQ connection and puts messages directly on the queue.

We just patched API Gateway from 10.0 CR03 to 10.0 CR05, and after the patch to CR05 the connection no longer works. The MQ error below gets thrown.

com.l7tech.external.assertions.mqnative.server.ServerMqNativeRoutingAssertion: 9616: Failed to establish MQ connection  Will retry after 1000ms.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2400'.

Unable to verify this MQ Native setting:queue manager - com.ibm.mq.MQException: MQJE001: Completion code '2': Reason '2400'

 

The error seems to suggest some sort of SSL cipher issue.  I did notice that CR05 updated the java.security file in /opt/SecureSpan/JDK/jre/lib/security.

I did a comparison of the java.security file between prod (which hasn't been patched yet), and test (that has been patched) and there were some notable differences.

 

I've tried commenting out/removing some of the differences I noticed in the java.security and that didn't make a difference.

1. Removed "include jdk.disabled.namedCurves" from jdk.tls.disabledAlgorithms, jdk.jar.disabledAlgorithms and jdk.tls.disabledAlgorithms

2. Uncommented # jdk.tls.alpnCharset=UTF-8 and commented out jdk.tls.alpnCharset=ISO_8859_1

3. Removed TLSv1, TLSv1.1 from jdk.tls.disabledAlgorithms

Here are the steps to reproduce:

In the Layer7 API Gateway Policy Manager, click Tasks > Transports > Manage MQ Native Queues

  1. Click Add and fill in the fields for the MQ connection
    1. Connection name = "your connection name"
    2. Direction = select "Outbound - Gateway can route messages to Queue"
    3. Host name = "Enter the name of the MQ host"
    4. Port = "Enter the port to connect to the queue manager"
    5. Queue manager name = "Enter the name of the queue manager"
    6. Channel name = "Enter the channel to connect to"
    7. Queue name = "Enter the name of the queue messages will be routed to"
    8. We have credentials checked as we use id/pw to be able to access the queue, but you can leave this blank
    9. Check "Enable SSL" and select the cipher spec "TLS_RSA_WITH_AES_256_CBC_SHA256"
    10. Click "Test Settings"

You'll immediately get the error "Unable to verify this MQ Native setting:queue manager - com.ibm.mq.MQException: MQJE001: Completion code '2': Reason '2400'"

 

 

Environment

Release : 10.0

Component : API GATEWAY

Cause

It appears that CR05 overwrites the /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties file, where we had the 2 IBM MQ settings configured:

      com.ibm.mq.cfg.useIBMCipherMappings=false

      com.ibm.mq.cfg.preferTLS=true

Resolution

1.  Re-add the following 2 settings to the system.properties file:

      com.ibm.mq.cfg.useIBMCipherMappings=false

      com.ibm.mq.cfg.preferTLS=true

2.  Restart the ssg service.

3.  Test the MQ endpoint connection.

After these steps, it was able to connect successfully.
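A post-patch check for the two settings above, as an added example (not Broadcom's code, and not part of the original article). The function names are hypothetical, and it assumes system.properties uses plain key=value lines where the last uncommented assignment wins.

```shell
#!/bin/sh
# Added example: detect and repair loss of the two IBM MQ settings after a CR patch.
# Usage: sh mq_props_check.sh /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
# Assumption: key=value lines; the last uncommented assignment of a key wins.
REQUIRED='com.ibm.mq.cfg.useIBMCipherMappings=false
com.ibm.mq.cfg.preferTLS=true'

# current_value FILE KEY: print the last uncommented value of KEY (empty if unset)
current_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# check_mq_props FILE: report each setting that is missing or wrong; return 1 on drift
check_mq_props() {
    rc=0
    for want in $REQUIRED; do
        have=$(current_value "$1" "${want%%=*}")
        if [ "$have" != "${want#*=}" ]; then
            echo "DRIFT: ${want%%=*} is '${have:-<unset>}', expected '${want#*=}'"
            rc=1
        fi
    done
    return $rc
}

# restore_mq_props FILE: back up FILE, then append only the settings that drifted
restore_mq_props() {
    if check_mq_props "$1" >/dev/null; then return 0; fi
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
    if [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi   # file lacked a final newline
    for want in $REQUIRED; do
        if [ "$(current_value "$1" "${want%%=*}")" != "${want#*=}" ]; then
            printf '%s\n' "$want" >> "$1"
        fi
    done
    echo "Restored MQ settings in $1; restart the ssg service to apply."
}

if [ "$#" -gt 0 ]; then check_mq_props "$1" || restore_mq_props "$1"; fi
```

Running it after each CR patch catches the overwrite before the MQ route fails with Reason '2400'; the timestamped backup keeps the patched file for comparison.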

Additional Information

https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=768817#bm16f77577-6f5d-4595-a03d-5711271e98b6