APAR status
Closed as program error.
Error description
An IBM MQ classes for Java or classes for JMS application is able to send messages to an Advanced Message Security (AMS) protected MQ queue; however, it is unable to consume those messages afterwards.

When the MQ classes for JMS are used to synchronously consume a message that was previously put to an AMS protected queue, the following exception is thrown:

com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2002: Failed to get a message from destination 'MY_AMS_QUEUE'.
IBM MQ classes for JMS attempted to perform an MQGET; however IBM MQ reported an error.
Use the linked exception to determine the cause of this error.
  at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException
  at com.ibm.msg.client.wmq.common.internal.Reason.createException
  at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess
  at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess
  at com.ibm.msg.client.wmq.internal.WMQConsumerShadow.getMsg
  at com.ibm.msg.client.wmq.internal.WMQSyncConsumerShadow.receiveInternal
  at com.ibm.msg.client.wmq.internal.WMQConsumerShadow.receive
  at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.receive
  at com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receiveInboundMessage
  at com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receive
  at com.ibm.mq.jms.MQMessageConsumer.receive
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2063' ('MQRC_SECURITY_ERROR').
  at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
  ... 11 more
WMQ Completion code: 2
WMQ Reason code: 2063

The following messages are also written to the mqjms.log file:

--------------------------------------------------------------------
com.ibm.mq.ese.prot.MessageProtectionBCImpl
java.lang.Exception: No suitable trust path found
--------------------------------------------------------------------
com.ibm.mq.ese.intercept.JmqiGetInterceptorImpl
The IBM MQ Advanced Message Security Java interceptor failed to unprotect the received message.
An error occurred when the IBM MQ Advanced Message Security Java interceptor was unprotecting the received message. See subsequent messages in the exception for more details about the cause of the error.
--------------------------------------------------------------------
com.ibm.mq.ese.service.EseMQServiceImpl
The IBM MQ Advanced Message Security interceptor has put a defective message on error handling queue 'SYSTEM.PROTECTION.ERROR.QUEUE'.
EXPLANATION: This is an informational message that indicates the IBM MQ Advanced Message Security put a message it could not interpret on the specified error handling queue.
ACTION: Make sure only valid messages are put onto queues protected by IBM MQ Advanced Message Security.
--------------------------------------------------------------------
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the:
- IBM MQ V9 classes for JMS
- IBM MQ V9 classes for Java
- IBM MQ V9 JCA Resource Adapter
- IBM MQ V9 OSGi bundles
who connect to queue managers using the CLIENT transport mode, consume messages from an Advanced Message Security (AMS) protected queue and use chained certificates.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
When an Advanced Message Security (AMS) protected message is consumed from an MQ queue by a classes for JMS or classes for Java application that connects to a queue manager using the CLIENT transport mode, the client side AMS interceptor attempts to unprotect the message before returning it to the application.

If the application and the AMS messaging solution used a set of chained certificates, a certification path could not be built or verified from the signer information in the AMS protected message, because the issuer of the certificate that was used when the message was put could not be found. The Bouncy Castle library used by the IBM MQ Java client AMS interceptor would throw the exception:

No issuer certificate for certificate in certification path found. [java.security.cert.CertPathBuilderException]
  at: org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.engineBuild

As an example, this issue affected applications that use a chain of three certificates: a self-signed root certificate that signs an intermediate certificate, which in turn signs a third personal certificate, with that personal certificate referenced in an AMS policy definition.

As a result, the message was not unprotected and was moved to the AMS error queue named "SYSTEM.PROTECTION.ERROR.QUEUE".
Problem conclusion
The logic used by the IBM MQ V9 Java client Advanced Message Security (AMS) interceptor to build a certification path for a chained certificate used within an AMS policy has been updated.

After this APAR, for messages protected using chained certificates, the Java security PKIXBuilderParameters class is used to determine the set of most-trusted certificate authorities from the AMS KeyStore used by the application. That set of trust anchors is then used to build the certification path while the message is being unprotected.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version     Maintenance Level
v9.0 CD     9.0.5
v9.0 LTS    9.0.0.3

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
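To make the conclusion concrete, the following Java program is an added example; it is not IBM's interceptor code and is not part of this APAR. It constructs a three-tier chain in memory with Bouncy Castle (self-signed root, intermediate, personal certificate), places only the root in a KeyStore as a trusted entry, and uses the KeyStore constructor of java.security.cert.PKIXBuilderParameters to take that entry as the trust anchor when building the path from the personal certificate. The first build is run without the intermediate available and fails with the same CertPathBuilderException the problem description reports; the second build, with the intermediate supplied, succeeds. The class and certificate names (ChainedCertPathDemo, Demo Root CA, Demo Intermediate CA, ams-app) are assumptions, and the bcprov and bcpkix jars must be on the classpath.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/**
 * Illustration only (not IBM MQ AMS code): builds a constructed root -> intermediate -> personal
 * chain and shows a PKIX path build failing without the intermediate issuer, then succeeding
 * when the KeyStore's trusted entries are used as trust anchors via PKIXBuilderParameters.
 */
public class ChainedCertPathDemo {

    private static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;

    /** Issue an X.509 v3 certificate for subjectKey, signed by issuerKey (self-signed when they match). */
    static X509Certificate issue(String subject, KeyPair subjectKey, String issuer,
                                 PrivateKey issuerKey, boolean isCa, long serial) throws Exception {
        Date notBefore = new Date(System.currentTimeMillis() - ONE_DAY_MS);
        Date notAfter = new Date(System.currentTimeMillis() + 365 * ONE_DAY_MS);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(serial), notBefore, notAfter,
                new X500Name(subject), subjectKey.getPublic());
        // basicConstraints marks root and intermediate as CAs; the PKIX validator requires this
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                builder.build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey)));
    }

    /**
     * Build a certification path from the signer certificate up to one of the KeyStore's
     * trusted-certificate entries. The KeyStore constructor of PKIXBuilderParameters turns every
     * trustedCertEntry into a trust anchor; the 'available' certificates are candidate intermediates.
     */
    static CertPath buildPath(X509Certificate signer, List<X509Certificate> available,
                              KeyStore trustStore) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false); // no CRL/OCSP exists for the in-memory demo CA
        List<X509Certificate> pool = new ArrayList<>(available);
        pool.add(signer); // the target itself must be discoverable through a CertStore
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        // Use the Bouncy Castle PKIX builder, the provider named in the APAR's stack trace
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", "BC").build(params);
        return result.getCertPath();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rootKey = kpg.generateKeyPair();
        KeyPair intermediateKey = kpg.generateKeyPair();
        KeyPair personalKey = kpg.generateKeyPair();

        // Constructed demo chain: self-signed root -> intermediate -> personal (the AMS policy identity)
        X509Certificate root = issue("CN=Demo Root CA", rootKey, "CN=Demo Root CA", rootKey.getPrivate(), true, 1);
        X509Certificate intermediate = issue("CN=Demo Intermediate CA", intermediateKey, "CN=Demo Root CA", rootKey.getPrivate(), true, 2);
        X509Certificate personal = issue("CN=ams-app", personalKey, "CN=Demo Intermediate CA", intermediateKey.getPrivate(), false, 3);

        // Trust store holding only the root as a trusted entry
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("demo-root", root);

        // Failure mode from the problem description: the intermediate issuer cannot be found anywhere
        try {
            buildPath(personal, new ArrayList<>(), trustStore);
            System.out.println("unexpected: path built without the intermediate");
        } catch (CertPathBuilderException e) {
            System.out.println("path build failed without intermediate: " + e.getMessage());
        }

        // With the intermediate available, the path personal -> intermediate is built and anchored on the root
        CertPath path = buildPath(personal, Arrays.asList(intermediate), trustStore);
        System.out.println("path length (trust anchor excluded): " + path.getCertificates().size());
        for (Certificate c : path.getCertificates()) {
            System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        }
    }
}
```

The returned CertPath holds the personal and intermediate certificates; the root is the trust anchor and is not part of the path. The practical check this suggests for an affected deployment is to confirm that the AMS keystore actually contains the intermediate and root as entries, for example with keytool -list -v -keystore <keystore file>, since a path cannot be built to an issuer the interceptor cannot see.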
Temporary fix
Comments
APAR Information
APAR number
IT22044
Reported component name
IBM MQ AMS V9.0
Reported component ID
5724H7263
Reported release
903
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-08-17
Closed date
2017-10-23
Last modified date
2017-10-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ AMS V9.0
Fixed component ID
5724H7263
Applicable component levels
R903 PSY
UP
Document Information
Modified date:
23 October 2017