IBM Support

IC98041: DMPMQCFG FAILS WITH AMQ9518 WHEN USING SSL TO CONNECT TO REMOTE QUEUE MANAGER.

A fix is available

WebSphere MQ V7.5 Fix Pack 7.5.0.4

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The dmpmqcfg utility program is being used to dump definitions
on a remote queue manager.

The user supplies the -c parameter to pass the client channel
and connection information to connect to the remote queue
manager.

The program connects successfully with non-SSL channels but
fails using SSL channels with "AMQ9518: File
'/var/mqm/AMQCLCHL.TAB' not found."

The AMQCLCHL.TAB file should not be required since the user
did not want any Certificate Revocation checking to be
performed, and the client channel information was supplied
with the "mqsc -c" parameter.

Local fix

  • If the user wants no certificate revocation checks, copy a blank
CCDT to /var/mqm on the client.

If the user wants certificate revocation checks, ensure the CCDT
is correctly populated with the information needed, and make
it available in /var/mqm.

Remember that alternative locations for the CCDT can be given
via MQCHLLIB and MQCHLTAB environment variables.

Problem summary

  • ****************************************************************
USERS AFFECTED:
Users of dmpmqcfg via an SSL client channel, but who want no
Certificate Revocation checking to be done, and do not want to
supply a Client Channel Definition Table to the client to
configure this.


Platforms affected:
MultiPlatform

****************************************************************
PROBLEM SUMMARY:
The client connection code running in the WebSphere MQ library
code in the client application was initializing, and as part
of this it was trying to initialize its certificate revocation
checking component. Because the CLNTCONN definition supplied
by the program did not include any certificate revocation
information, the WebSphere MQ code tried to load the Client
Channel Definition Table (CCDT) file to check for that
information. The file did not exist. The initialization
therefore failed, and the connection attempt to the queue
manager was abandoned.

However, the user did not want certificate revocation checking
to be performed for this application. There was no easy way
for them to assert this to the WebSphere MQ code, though.

Problem conclusion

  • A new parameter has been added to the mqclient.ini file, to
enable a user to opt out of the certificate revocation
initialization, if that is what they want to do:

SSL stanza:

ClientRevocationChecks

Description: this setting determines if, and how, the
WebSphere MQ client attempts to configure certificate revocation
checking in the event of client connect call which uses an
SSL/TLS channel:
Acceptable values:
- REQUIRED (this is the default): attempt to load certificate
revocation configuration from the CCDT. The MQCONN fails if
WebSphere MQ cannot open the CCDT.
- DISABLED: do not configure certificate revocation checking
at all
- OPTIONAL: attempt to load certificate revocation configuration
from the CCDT, but no error is reported if WebSphere MQ fails to
open the CCDT - for example, if there is no CCDT file.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v7.5       7.5.0.4

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IC98041
    • 

  • Reported component name
    WMQ BASE MULTIP
    • 

  • Reported component ID
    5724H7241
    • 

  • Reported release
    750
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2013-12-02
    • 

  • Closed date
    2014-01-23
    • 

  • Last modified date
    2014-01-23
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WMQ BASE MULTIP
    • 

  • Fixed component ID
    5724H7241
    • 



Applicable component levels


    

  • R750  PSY
       UP
    • 








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            22 September 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback