Hello Mandar Mahadadalkar,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Problem
I understand that you are encountering an issue with integrating an MQ Connector in your Logic App due to a mismatch in supported cipher suites. The MQ server's MQ channel is configured with a TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite, and the connection fails when using this specific cipher suite. However, when you test with another MQ channel using a certificate with the ANY_TLS12_OR_HIGHER configuration, the connection succeeds. You would like to know how to solve the issue.
Solution
To solve these challenges, you need to understand that the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 is indeed considered a weak cipher and is not recommended for use in Azure App Service, which is the reason it fails. There are some resources that confirm this:
- Azure app service - how to disable weak ciphers: https://stackoverflow.com/questions/61927334/azure-app-service-how-to-disable-weak-ciphers.
- Public Preview: Disabling Weaker TLS Cipher Suites: https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html.
- Configure custom settings - Azure App Service Environment: https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings.
- Support for legacy TLS protocols and cipher suites in Azure Offerings: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/support-for-legacy-tls-protocols-and-cipher-suites-in-azure/ba-p/3952099.
- TLS policy overview for Azure Application Gateway: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview.
- Verify the list of supported cipher suites in Azure App Service: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code?tabs=windows
Update the MQ Channel Configuration
However, you can update the MQ Channel Configuration by accessing your MQ server's configuration and identifying the channel that is currently using TLS_RSA_WITH_AES_128_CBC_SHA256, and then updating the channel's cipher specification to use ANY_TLS12_OR_HIGHER or a more inclusive set of cipher suites.
Here is an example of the code to use after you have connected to your queue manager in CMD:
ALTER CHANNEL(channel_name) CHLTYPE(SVRCONN) SSLCIPH('ANY_TLS12_OR_HIGHER')
Reconfigure MQ Channel
Secondly, you can change the MQ channel configuration to use a more general TLS configuration like ANY_TLS12_OR_HIGHER. If the above is not working, you need to reconfigure the MQ channel. Resources on how you can achieve this with step-by-step configuration are in the links below:
- Connect to IBM MQ - Azure Logic Apps: https://learn.microsoft.com/en-us/azure/connectors/connectors-create-api-mq.
- How to use Azure App Configuration for your ASP.NET Core app: https://www.youtube.com/watch?v=zRFPPKh1Rq0.
OPTION to Configure Custom TLS/SSL Policies
Thirdly, if applicable to your environment, you will need to configure custom TLS/SSL policies in ASE.
Kindly check the resources below to be able to achieve this:
- Using Azure Functions Proxies: https://dontpaniclabs.com/blog/post/2021/06/02/using-azure-functions-proxies/.
Make Azure Function as a proxy
Fourthly, in this option, you can use an Azure Function as a proxy to handle the connection with the required cipher suite. Kindly use the links below for more step-by-step details:
- Play with Proxy in Azure Function App: https://techcommunity.microsoft.com/t5/apps-on-azure-blog/play-with-proxy-in-azure-function-app/ba-p/2614677.
- Manage connections in Azure Functions: https://learn.microsoft.com/en-us/azure/azure-functions/manage-connections.
References
The resources linked above served as the original sources for this solution.
Accept Answer
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
**Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful** so that others in the community facing similar issues can easily find the solution.
Best Regards,
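
Added example, not part of the original answer and not Microsoft or IBM code: a Python model of the mismatch discussed in this thread, showing why a channel pinned to TLS_RSA_WITH_AES_128_CBC_SHA256 finds no shared suite with a client that drops weak suites, while ANY_TLS12_OR_HIGHER does. The candidate list is a constructed sample (not the list of any Azure service), the negotiation rule is a simplified assumption, and `describe_suite`, `client_offers` and `negotiate` are hypothetical helper names.

```python
import re

def describe_suite(name):
    """Split an IANA TLS cipher suite name into parts and list known weaknesses."""
    m = re.fullmatch(r"TLS_(?:(?P<kx>.+)_WITH_)?(?P<enc>.+)_(?P<hash>[A-Z0-9]+)", name)
    if not m:
        raise ValueError(f"not an IANA TLS cipher suite name: {name!r}")
    kx = m.group("kx") or "TLS1.3"  # TLS 1.3 names carry no key-exchange part
    enc = m.group("enc")
    issues = []
    if kx == "RSA":
        issues.append("static RSA key exchange, no forward secrecy")
    if enc.endswith("_CBC"):
        issues.append("CBC mode instead of an AEAD mode")
    return {"kx": kx, "enc": enc, "hash": m.group("hash"), "issues": issues}

def client_offers(candidates):
    """Model a client whose policy drops every suite that has a listed weakness."""
    return [s for s in candidates if not describe_suite(s)["issues"]]

def negotiate(offers, channel_sslciph):
    """Return the suite the handshake settles on, or None when it fails.

    Simplified model (assumption): a channel pinned to one CipherSpec accepts
    only that suite, while ANY_TLS12_OR_HIGHER accepts the client's first offer.
    """
    if channel_sslciph == "ANY_TLS12_OR_HIGHER":
        return offers[0] if offers else None
    return channel_sslciph if channel_sslciph in offers else None

# Constructed sample list, NOT the actual list used by any Azure service.
SAMPLE_CANDIDATES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]

if __name__ == "__main__":
    offers = client_offers(SAMPLE_CANDIDATES)
    for sslciph in ("TLS_RSA_WITH_AES_128_CBC_SHA256", "ANY_TLS12_OR_HIGHER"):
        result = negotiate(offers, sslciph)
        print(f"SSLCIPH({sslciph}): {result or 'handshake fails, no shared suite'}")
    print(describe_suite("TLS_RSA_WITH_AES_128_CBC_SHA256")["issues"])
```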