Hello Mandar Mahadadalkar,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Problem
I understand that you are encountering an issue with integrating an MQ Connector in your Logic App due to a mismatch in supported cipher suites. The MQ server's MQ channel is configured with a TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite, and the connection fails when using this specific cipher suite. However, when you test with another MQ channel using a certificate with the ANY_TLS12_OR_HIGHER configuration, the connection succeeds. You would like to know how to solve the issue.
Solution
To solve these challenges, you need to understand that the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 is indeed considered a weak cipher and is not recommended for use in Azure App Service, which is the reason it fails. There are some resources that confirm this:
- Azure app service - how to disable weak ciphers: https://stackoverflow.com/questions/61927334/azure-app-service-how-to-disable-weak-ciphers.
- Public Preview: Disabling Weaker TLS Cipher Suites: https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html.
- Configure custom settings - Azure App Service Environment: https://video2.skills-academy.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings.
- Support for legacy TLS protocols and cipher suites in Azure Offerings: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/support-for-legacy-tls-protocols-and-cipher-suites-in-azure/ba-p/3952099.
- TLS policy overview for Azure Application Gateway: https://video2.skills-academy.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview.
- Verify the list of supported cipher suites in Azure App Service.
Update the MQ Channel Configuration
However, you can update the MQ Channel Configuration by accessing your MQ server's configuration, identifying the channel that is currently using TLS_RSA_WITH_AES_128_CBC_SHA256, and updating the channel's cipher specification to use ANY_TLS12_OR_HIGHER or a more inclusive set of cipher suites.
Here is an example of the code, for use after you have connected to your queue manager CMD:
ALTER CHANNEL(channel_name) CHLTYPE(SVRCONN) SSLCIPH('ANY_TLS12_OR_HIGHER')
Reconfigure MQ Channel
Secondly, you can change the MQ channel configuration to use a more general TLS configuration like ANY_TLS12_OR_HIGHER. If the above is not working, you need to reconfigure the MQ channel. Resources on how you can achieve a step-by-step configuration are in the links below:
- Connect to IBM MQ - Azure Logic Apps: https://video2.skills-academy.com/en-us/azure/connectors/connectors-create-api-mq.
- How to use Azure App Configuration for your ASP.NET Core app: https://www.youtube.com/watch?v=zRFPPKh1Rq0.
OPTION to Configure Custom TLS/SSL Policies
Thirdly, if applicable to your environment, you will need to configure custom TLS/SSL policies in ASE.
Kindly check the resources below to be able to achieve this:
- Using Azure Functions Proxies: https://dontpaniclabs.com/blog/post/2021/06/02/using-azure-functions-proxies/.
Make Azure Function as a proxy
Fourthly, in this option, you can use an Azure Function as a proxy to handle the connection with the required cipher suite. Kindly use the links below for more step-by-step details:
- Play with Proxy in Azure Function App: https://techcommunity.microsoft.com/t5/apps-on-azure-blog/play-with-proxy-in-azure-function-app/ba-p/2614677.
- Manage connections in Azure Functions: https://video2.skills-academy.com/en-us/azure/azure-functions/manage-connections.
References
The resources linked above served as the original sources for this solution.
Accept Answer
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
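
The mismatch described in the answer above, as an added Python sketch that is not part of the original answer: it splits an IANA suite name into its parts, flags the properties that lead to a suite being classed as weak, and models why a channel pinned to one suite fails while ANY_TLS12_OR_HIGHER succeeds. The client offer list is constructed for illustration and is not Azure's actual list; `describe` and `negotiate` are hypothetical helper names.

```python
# Added illustration; CLIENT_OFFER below is a constructed sample, not a real platform list.

def describe(suite):
    """Split an IANA cipher-suite name into parts and list known weaknesses."""
    if "_WITH_" not in suite:
        # TLS 1.3 names (TLS_<aead>_<hash>) carry no key exchange: it is always ephemeral.
        return {"key_exchange": "ephemeral (TLS 1.3)", "bulk": suite[4:], "findings": []}
    key_exchange, bulk = suite[len("TLS_"):].split("_WITH_", 1)
    findings = []
    if not key_exchange.startswith(("ECDHE", "DHE")):
        findings.append("static key exchange: no forward secrecy")
    if "CBC" in bulk.split("_"):
        findings.append("CBC mode rather than an AEAD mode such as GCM")
    return {"key_exchange": key_exchange, "bulk": bulk, "findings": findings}


def negotiate(client_offer, channel_sslciph):
    """Model the handshake outcome for one SVRCONN channel.

    A channel pinned to one suite only succeeds if the client offers that suite.
    ANY_TLS12_OR_HIGHER is modelled as "accept the client's first choice",
    assuming the queue manager has that suite enabled.
    """
    if channel_sslciph == "ANY_TLS12_OR_HIGHER":
        return client_offer[0] if client_offer else None
    return channel_sslciph if channel_sslciph in client_offer else None


# Constructed sample: a client platform that has dropped static-RSA/CBC suites.
CLIENT_OFFER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    pinned = "TLS_RSA_WITH_AES_128_CBC_SHA256"
    print(pinned, "->", describe(pinned)["findings"])
    for sslciph in (pinned, "ANY_TLS12_OR_HIGHER"):
        result = negotiate(CLIENT_OFFER, sslciph)
        print(f"SSLCIPH({sslciph}):", result or "handshake failure, no shared suite")
```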