IBM Support

IT35389: Exception reason code 2063 thrown when AMS Java clients access CA certificate chains within cryptographic hardware

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • An IBM MQ classes for JMS application has been configured to use
Advanced Message Security (AMS) to get protected messages stored
on a queue. The CA certificate chain required by the application
to decrypt the message is stored in cryptographic hardware. When
the application tries to get a protected message, the following
exception is thrown:

com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2002:
Failed to get a message from destination '<queue_name>'.
IBM MQ classes for JMS attempted to perform an MQGET; however
IBM MQ reported an error.
Use the linked exception to determine the cause of this error.
    at
com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(
Reason.java)
    at
com.ibm.msg.client.wmq.common.internal.Reason.createException(Re
ason.java)
    at
com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCall
Success(WMQMessageConsumer.java)
    at
com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCall
Success(WMQMessageConsumer.java)
    at
com.ibm.msg.client.wmq.internal.WMQConsumerShadow.getMsg(WMQCons
umerShadow.java)
    at
com.ibm.msg.client.wmq.internal.WMQSyncConsumerShadow.receiveInt
ernal(WMQSyncConsumerShadow.java)
    at
com.ibm.msg.client.wmq.internal.WMQConsumerShadow.receive(WMQCon
sumerShadow.java)
    at
com.ibm.msg.client.wmq.internal.WMQMessageConsumer.receive(WMQMe
ssageConsumer.java)
    at
com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receiveIn
boundMessage(JmsMessageConsumerImpl.java)
    at
com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receive(J
msMessageConsumerImpl.java)
    at
com.ibm.mq.jms.MQMessageConsumer.receive(MQMessageConsumer.java)
	......
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call
failed with compcode '2' ('MQCC_FAILED') reason '2063'
('MQRC_SECURITY_ERROR').
    at
com.ibm.msg.client.wmq.common.internal.Reason.createException(Re
ason.java)
    ... 13 more

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
This affects users of:

- The IBM MQ classes for Java
- The IBM MQ classes for JMS
- The IBM MQ resource adapter

who have applications that use Advanced Message Security (AMS),
where the digital certificates required by AMS are stored in
PKCS #11 cryptographic hardware.


Platforms affected:
MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
IBM MQ 9.2 provides the ability for Java clients which use
Advanced Message Security (AMS) to access personal certificates
and CA certificates stored in cryptographic hardware.

When accessing a CA certificate chain stored in crytographic
hardware, the Java AMS code would incorrectly attempt to access
the certificate chain using the wrong keystore and generated an
internal NullPointerException. This resulted in the application
receiving an exception containing MQ reason code 2063
(MQRC_SECURITY_ERROR).

An IBM MQ Java trace collected at the time the exception
containing MQ reason code 2063 occurred would contain entries
similar to the ones shown below:

c.i.m.ese.core.EseUser
       ----+----+----+----  d  getKeyStoreAccess() getter
[Primary keystore: <keystore> secondary keystore: <keystore 2>]
c.i.m.ese.prot.MessageProtectionBCImpl(MessageProtectionBCImpl)
       ----+----+----+-  X  unprotect(byte [
],SecurityPolicy,AMBIHeader,SmqiObject,EseUser)
the keystore parameter must be non-null
[java.lang.NullPointerException] at:

java.security.cert.PKIXParameters.<init>(PKIXParameters.java:140
)

java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParam
eters.java:125)

com.ibm.mq.ese.prot.MessageProtectionBCImpl.constructPKIXBuilder
Parameters(MessageProtectionBCImpl.java:1256)

com.ibm.mq.ese.prot.MessageProtectionBCImpl.validateSignedData(M
essageProtectionBCImpl.java:1140)

com.ibm.mq.ese.prot.MessageProtectionBCImpl.getUnprotectedFromSi
gned(MessageProtectionBCImpl.java:877)

com.ibm.mq.ese.prot.MessageProtectionBCImpl.unprotect(MessagePro
tectionBCImpl.java:734)

com.ibm.mq.ese.prot.MessageProtectionWrapper.unprotect(MessagePr
otectionWrapper.java:99)
........

    



Problem conclusion


    

  • To resolve this issue, the Java AMS code has been updated to use
the correct keystore when accessing CA certificate chains stored
in crytographic hardware.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.2 LTS   9.2.0.3
v9.x CD    9.2.2

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT35389
    • 

  • Reported component name
    MQ BASE V9.2
    • 

  • Reported component ID
    5724H7281
    • 

  • Reported release
    920
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2020-12-30
    • 

  • Closed date
    2021-02-10
    • 

  • Last modified date
    2021-07-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    MQ BASE V9.2
    • 

  • Fixed component ID
    5724H7281
    • 



Applicable component levels


    








      
              
                            

              

              [{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 July 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback