IT25529: MQ Resource Adapter deployed in Liberty receives a certificate chain error when creating a TLS connection

APAR status

• Closed as program error.

Error description

• After enabling the wmqJmsClient-2.0 and transportSecurity-1.0
  features in WebSphere Liberty application server and deploying
  the MQ Resource Adapter an attempt to create a TLS client
  connection to an IBM MQ queue manager fails.
  
  The following exception is reported in the messages.log file:
  
  [5/4/18 13:48:21:228 UTC] 0000003e SystemOut O
  handling exception: javax.net.ssl.SSLHandshakeException:
  com.ibm.jsse2.util.h: PKIX path building failed:
  
  java.security.cert.CertPathBuilderException:
  PKIXCertPathBuilderImpl could not build a valid CertPath.;
  internal cause is:
  
   java.security.cert.CertPathValidatorException: The certificate
  issued by CN= Internal Root CA, O=My Corporation, C=US is not
  trusted; internal cause is:
  
   java.security.cert.CertPathValidatorException: Certificate
  chaining error
  
  The WebSphere Liberty trace shows that the configured default
  Keystore and
  Truststore locations (as per the server.xml file) are being
  ignored and the JVM default cacerts file is being used to find
  certificates enchanged during the TLS handshake.
  

Local fix

• Use the javax.net.ssl Java system properties to override the
  default keystore and truststore used by the WebSphere Liberty
  server JVM.  For example:
  
  -Djavax.net.ssl.trustStore=/localTrustStore.jks
  -Djavax.net.ssl.trustStorePassword=TrustStorePassword
  -Djavax.net.ssl.keyStore=/localKeyStore.jks
  -Djavax.net.ssl.keyStorePassword=KeyStorePassword
  
  These must be specified in the jvm.options file for the server.
  

Problem summary

• ****************************************************************
  USERS AFFECTED:
  This issue affects users of the:
  
    - IBM MQ JCA resource adapter
  
  who have JMS applications running inside WebSphere Liberty
  application server and are using the transportSecurity-1.0
  feature to create TLS connections from JMS applications to MQ
  queue managers.
  
  
  Platforms affected:
  MultiPlatform
  
  ****************************************************************
  PROBLEM DESCRIPTION:
  When the ssl-1.0 WebSphere Liberty feature was used, the IBM MQ
  JCA resource adapter (MQ RA) would use the Liberty server
  defined default SSL configuration after APAR IT16056.  This was
  because the Liberty server created an SSLContext from the
  default SSL configuration, and made that SSLContext the server
  default by calling the SSLContext.setDefault() Java API. This
  made the default SSLContext of the Liberty server the default
  SSLContext for the process.  Therefore, when the MQ-RA obtained
  an SSLSocketFactory object (used when creating secure TCP/IP
  connections to queue managers) from the default SSLContext, the
  JSSE provider used the expected certificate stores for the
  secure socket handshake procedure.
  
  WebSphere Liberty added a new security feature named
  "transportSecurity-1.0" that superseded the ssl-1.0 feature and
  changes the behaviour previously described such that the default
  SSLContext is not set from the server's default SSL
  configuration.  When the transportSecurity-1.0 feature is
  enabled, the Liberty server created a custom SSL Socket factory
  that used the Java security property ssl.SocketFactory.provider.
  
  A call to SSLContext.getDefault() returns the default context
  SSLContext of the Java Secure Socket Extension (JSSE) provider.
  A call to SSLSocketFactory.getDefault() returns an
  SSLSocketFactory that is based on the Liberty server custom
  socket factory provider that uses the Liberty SSLContext.
  
  Because of this change in behaviour between the ssl-1.0 and
  transportSecurity-1.0 Liberty server features, the MQ RA did not
  use the expected certificate stores during the secure socket
  handshaking.  As such, certificate chains could not be validated
  and the connection fails with the exceptions noted in this APAR.
  

Problem conclusion

• The MQ JCA Resource Adapter has been updated to call
  SSLSocketFactory.getDefault() when running in a Liberty server
  environment with the wmqJmsClient-2.0 feature enabled in order
  to obtain a socket factory instance to use when creating secure
  TCP/IP sockets to queue managers.
  
  ---------------------------------------------------------------
  The fix is targeted for delivery in the following PTFs:
  
  Version    Maintenance Level
  v9.0 LTS   9.0.0.6
  v9.1 LTS   9.1.0.1
  
  The latest available maintenance can be obtained from
  'WebSphere MQ Recommended Fixes'
  http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
  
  If the maintenance level is not yet available information on
  its planned availability can be found in 'WebSphere MQ
  Planned Maintenance Release Dates'
  http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
  ---------------------------------------------------------------
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  IBM MQ BASE M/P

• Fixed component ID

  5724H7261

Applicable component levels