Problem Note 63974: The Secure Sockets Layer (SSL) handshake fails between IBM MQ and SAS® OnDemand Decision Engine
 |  |  |  |
The SAS OnDemand Decision Engine can be configured to use two-way SSL authentication with IBM MQ. In this configuration, the MQ Queue Manager's server-connection channel property SSLCAUTH is set to REQUIRED, meaning that client authentication is enabled for the handshake. Assuming that this and all other SSL configuration is correct, the SSL handshake still fails when the application uses the Oracle Java Runtime Environment (JRE).
When this failure occurs, the following error is logged to the MQ Queue Manager log:
When you try to start a channel by using a TLS cipher that runs in an Oracle JRE, the client certificate is not sent. This issue occurs even though client authentication is enabled. This is a problem in MQ, and the problem is documented in this IBM APAR: www-01.ibm.com/support/docview.wss?uid=swg1IT10837
In addition, this issue is expected to occur when two-way SSL is enabled between IBM MQ and the SAS® Fraud Management web application.
To resolve the issue, upgrade both the MQ server and client to the recommended MQ version that is specified in the APAR. Then, restart the MQ Queue Manager and the SAS OnDemand Decision Engine. The issue is fixed in the following MQ versions:
| IBM MQ Version | Maintenance Level |
|---|---|
| v7.1 | 7.1.0.8 |
| v7.5 | 7.5.0.7 |
| v8.0 | 8.0.0.5 |
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Fraud Management | Linux for x64 | 4.4_M1 | |||
| Type: | Problem Note |
| Priority: | medium |
| Date Modified: | 2019-04-10 08:29:04 |
| Date Created: | 2019-04-04 09:59:16 |