IBM Support

IT22044: MQ Java clients receive MQRC 2063 and are unable to consume messages from AMS protected queues


APAR status

  • Closed as program error.

Error description

  • An IBM MQ classes for Java or classes for JMS application is
    able to send messages to an Advanced Message Security (AMS)
    protected MQ queue; however, it is unable to consume the
    messages afterwards.
    
    When using the MQ classes for JMS to synchronously consume a
    previously put message to an AMS protected queue, the following
    exception is thrown:
    
    com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2002: Failed to get a message from destination 'MY_AMS_QUEUE'.
    IBM MQ classes for JMS attempted to perform an MQGET; however IBM MQ reported an error.
    Use the linked exception to determine the cause of this error.
    at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException
    at com.ibm.msg.client.wmq.common.internal.Reason.createException
    at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess
    at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess
    at com.ibm.msg.client.wmq.internal.WMQConsumerShadow.getMsg
    at com.ibm.msg.client.wmq.internal.WMQSyncConsumerShadow.receiveInternal
    at com.ibm.msg.client.wmq.internal.WMQConsumerShadow.receive
    at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.receive
    at com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receiveInboundMessage
    at com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receive
    at com.ibm.mq.jms.MQMessageConsumer.receive
    Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2063' ('MQRC_SECURITY_ERROR').
    	at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
    	... 11 more
    WMQ Completion code: 2
    WMQ Reason code: 2063
    
    
    The following messages are also written to the mqjms.log file:
    
    --------------------------------------------------------------------
    com.ibm.mq.ese.prot.MessageProtectionBCImpl
      java.lang.Exception: No suitable trust path found
    --------------------------------------------------------------------
    com.ibm.mq.ese.intercept.JmqiGetInterceptorImpl
    The IBM MQ Advanced Message Security Java interceptor failed to
    unprotect the received message.
    An error occurred when the IBM MQ Advanced Message Security Java
    interceptor was unprotecting the received message.
    See subsequent messages in the exception for more details about
    the cause of the error
    --------------------------------------------------------------------
    com.ibm.mq.ese.service.EseMQServiceImpl
    The IBM MQ Advanced Message Security interceptor has put a
    defective message on error handling queue
    'SYSTEM.PROTECTION.ERROR.QUEUE                   '.
    
    EXPLANATION:
    This is an informational message that indicates the IBM MQ
    Advanced Message Security put a message it could not interpret
    on the specified error handling queue.
    
    ACTION:
    Make sure only valid messages are put onto queues protected by
    IBM MQ Advanced Message Security.
    --------------------------------------------------------------------
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the:
    
      - IBM MQ V9 classes for JMS
      - IBM MQ V9 classes for Java
      - IBM MQ V9 JCA Resource Adapter
      - IBM MQ V9 OSGi bundles
    
    who connect to queue managers using the CLIENT transport mode,
    consume messages from an Advanced Message Security (AMS)
    protected queue and use chained certificates.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When an Advanced Message Security (AMS) protected message is
    consumed from an MQ queue by a classes for JMS or classes for
    Java application that connects to a queue manager using the
    CLIENT transport mode, the client-side AMS interceptor will
    attempt to unprotect the message before returning it to the
    application.  If the application and AMS messaging solution used
    a set of chained certificates, then a certification path could
    not be built or verified using the signer information in the AMS
    protected message, because the issuer of the certificate used
    when the message was put could not be found.
    
    The Bouncy Castle library used by the IBM MQ Java client AMS
    interceptor would throw the exception:
    
      No issuer certificate for certificate in certification path found. [java.security.cert.CertPathBuilderException]
      at: org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.engineBuild
    
    
    As an example, this issue would have affected applications that
    use a set of three chained certificates consisting of a
    self-signed root certificate that is used to sign an
    intermediary certificate, which itself is then used to sign a
    third, personal certificate referenced within an AMS policy
    definition.
    
    As a result, the message was not unprotected and was moved to
    the AMS error queue named "SYSTEM.PROTECTION.ERROR.QUEUE".
    

Problem conclusion

  • The logic used by the IBM MQ V9 Java client Advanced Message
    Security (AMS) interceptor to build a certification path for a
    chained certificate used within an AMS policy has been updated.
    After this APAR, for messages protected using chained
    certificates, the Java security PKIXBuilderParameters class is
    used to determine the set of most-trusted certificate
    authorities from the AMS KeyStore used by the application.
    That set is then used to build the certification path when the
    message is unprotected.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.0 CD    9.0.5
    v9.0 LTS   9.0.0.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
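
A keystore can be checked for a complete chain before an application is pointed at it. The following is an added example, not IBM's interceptor code: it uses the same PKIXBuilderParameters class to take the trust anchors from a keystore and tries to build a certification path for one alias. The class name AmsChainCheck, the JKS keystore type and the command-line arguments are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not IBM code: reports whether a keystore holds the
// certificates needed to build a PKIX path for one alias.
public class AmsChainCheck {

    // Throws CertPathBuilderException when an issuer cannot be found.
    static CertPath buildPath(KeyStore ks, String alias) throws Exception {
        X509Certificate target = (X509Certificate) ks.getCertificate(alias);
        if (target == null) throw new IllegalArgumentException("no certificate: " + alias);

        // Offer every certificate in the store as a candidate intermediate.
        List<Certificate> candidates = new ArrayList<>();
        for (String a : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(a);
            if (chain != null) candidates.addAll(Arrays.asList(chain));
            else if (ks.getCertificate(a) != null) candidates.add(ks.getCertificate(a));
        }

        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);

        // Trust anchors are the keystore's trusted certificate entries.
        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, selector);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates)));
        params.setRevocationEnabled(false); // assumption: completeness check only, no CRL/OCSP

        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    public static void main(String[] args) throws Exception {
        // args: <keystore file> <keystore password> <alias>, all supplied by the operator
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS-format keystore
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        try {
            CertPath path = buildPath(ks, args[2]);
            System.out.println("path built, length " + path.getCertificates().size());
        } catch (CertPathBuilderException e) {
            System.out.println("no path: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A "no path" result for a personal certificate signed by an intermediary means the keystore is missing the intermediary or root certificate for that chain.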
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT22044

  • Reported component name

    IBM MQ AMS V9.0

  • Reported component ID

    5724H7263

  • Reported release

    903

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-08-17

  • Closed date

    2017-10-23

  • Last modified date

    2017-10-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ AMS V9.0

  • Fixed component ID

    5724H7263

Applicable component levels

  • R903 PSY

       UP


Document Information

Modified date:
23 October 2017