IBM Support

IC98041: DMPMQCFG FAILS WITH AMQ9518 WHEN USING SSL TO CONNECT TO REMOTE QUEUE MANAGER.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The dmpmqcfg utility program is being used to dump definitions
    on a remote queue manager.
    
    The user supplies the -c parameter to pass the client channel
    and connection information to connect to the remote queue
    manager.
    
    The program connects successfully with non-SSL channels but
    fails using SSL channels with "AMQ9518: File
    '/var/mqm/AMQCLCHL.TAB' not found."
    
    The AMQCLCHL.TAB file should not be required since the user
    did not want any Certificate Revocation checking to be
    performed, and the client channel information was supplied
    with the "mqsc -c" parameter.
    

Local fix

  • If the user wants no certificate revocation checks, copy a blank
    CCDT to /var/mqm on the client.
    
    If the user wants certificate revocation checks, ensure the CCDT
    is correctly populated with the information needed, and make
    it available in /var/mqm.
    
    Remember that alternative locations for the CCDT can be given
    via MQCHLLIB and MQCHLTAB environment variables.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of dmpmqcfg via an SSL client channel, but who want no
    Certificate Revocation checking to be done, and do not want to
    supply a Client Channel Definition Table to the client to
    configure this.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM SUMMARY:
    The client connection code running in the WebSphere MQ library
    code in the client application was initializing, and as part
    of this it was trying to initialize its certificate revocation
    checking component. Because the CLNTCONN definition supplied
    by the program did not include any certificate revocation
    information, the WebSphere MQ code tried to load the Client
    Channel Definition Table (CCDT) file to check for that
    information. The file did not exist. The initialization
    therefore failed, and the connection attempt to the queue
    manager was abandoned.
    
    However, the user did not want certificate revocation checking
    to be performed for this application. There was no easy way
    for them to assert this to the WebSphere MQ code, though.
    

Problem conclusion

  • A new parameter has been added to the mqclient.ini file, to
    enable a user to opt out of the certificate revocation
    initialization, if that is what they want to do:
    
    SSL stanza:
    
    ClientRevocationChecks
    
    Description: this setting determines if, and how, the
    WebSphere MQ client attempts to configure certificate revocation
    checking in the event of client connect call which uses an
    SSL/TLS channel:
    Acceptable values:
    - REQUIRED (this is the default): attempt to load certificate
    revocation configuration from the CCDT. The MQCONN fails if
    WebSphere MQ cannot open the CCDT.
    - DISABLED: do not configure certificate revocation checking
    at all
    - OPTIONAL: attempt to load certificate revocation configuration
    from the CCDT, but no error is reported if WebSphere MQ fails to
    open the CCDT - for example, if there is no CCDT file.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.5       7.5.0.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC98041

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7241

  • Reported release

    750

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-12-02

  • Closed date

    2014-01-23

  • Last modified date

    2014-01-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7241

Applicable component levels

  • R750 PSY

       UP

[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5"}]

Document Information

Modified date:
22 September 2021