IBM Support

IT21589: MQ-Java/JMS v7.5/v8 classes are unable to consume AMS secured messages created with MQ v9.0 client code

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A message is generated and put to an AMS enabled queue using a
C-application which utilises the IBM MQ v9.0 client libraries.

An attempt is then made to consume the message using a WebSphere
MQ classes for Java application which is using the WebSphere MQ
v7.5 client libraries (.jar files).  The 'get' fails with an
exception of the following form:

com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason
'2063'.
        at
com.ibm.mq.MQDestination.getInt(MQDestination.java:659)
        at com.ibm.mq.MQDestination.get(MQDestination.java:456)
        at MyApplication.getMessage(MyApplication.java:109)
        at MyApplication.main(MyApplication.java:45)

and the message buffer is populated with encrypted data, rather
than the decrypted message data which was expected.


In addition to the above exception being output, a pair of log
messages are also output to the log file (mqjms0.log by default)
which reads:

----------------------------------------------------------------
----
August 7, 2017 3:31:00 PM BST[main]
com.ibm.mq.ese.intercept.JmqiGetInterceptorImpl
The IBM WebSphere MQ Advanced Message Security Java interceptor
failed to unprotect the received message.
An error occurred when the IBM WebSphere MQ Advanced Message
Security Java interceptor was unprotecting the received message.
See subsequent messages in the exception for more details about
the cause of the error
----------------------------------------------------------------
----
August 7, 2017 3:31:00 PM BST[main]
com.ibm.mq.ese.service.EseMQServiceImpl
The IBM WebSphere MQ Advanced Message Security interceptor has
put a defective message on error handling queue
'SYSTEM.PROTECTION.ERROR.QUEUE                   '.

EXPLANATION:
This is an informational message that indicates the IBM
WebSphere MQ Advanced Message Security put a message it could
not interpret on the specified error handling queue.

ACTION:
Make sure only valid messages are put onto queues protected by
IBM WebSphere MQ Advanced Message Security.
----------------------------------------------------------------
----

Local fix

  • none available - fix required

Problem summary

  • ****************************************************************
USERS AFFECTED:
Users of the WebSphere MQ classes for Java/JMS v7.5 or v8.0 who
are consuming messages from AMS protected queues, where the
messages put to those queues were secured using an MQ v9.0
client.

Users of the IBM MQ classes for Java/JMS v9.0 to consume the
same messages are not affected but this issue.


Platforms affected:
MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
When a message is protected using the IBM MQ Advanced Message
Security (AMS) function, a 'PDMQ' header is added to the message
which the IBM MQ client libraries use to decrypt the messages at
the message endpoints.

In order to accommodate AMS enhancements at MQ v9.0, the 'PDMQ'
header was extended in size.  This change was intended to be
backward compatible with older clients, as the header defines
its length and the location where the encrypted payload data
starts.

The IBM MQ classes for Java/JMS were updated during the
development of MQ v9.0 to use these values.  However older
levels of code (WebSphere MQ classes for Java/JMS v7.5 and v8.0)
used fixed values for the header length and data offset
location, instead of the header defined length value.

As a consequence, when a message was generated and protected
using a MQ v9.0 client, and then consumed using the WebSphere MQ
classes for Java/JMS v7.5 or v8.0, a incorrect data byte offset
was used when getting the the encrypted bytes to send to the
decryption libraries, which subsequently failed to decrypt the
data.

The exception thrown by the WebSphere MQ classes for Java
libraries was of the form:

com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason
'2063'.
        at
com.ibm.mq.MQDestination.getInt(MQDestination.java:659)
        at com.ibm.mq.MQDestination.get(MQDestination.java:456)
        at MyApplication.MyMethod(MyApplication.java:106)

with no linked exception, and the message would be moved to to
the queue:

    SYSTEM.PROTECTION.ERROR.QUEUE


In addition, two messages were output to the 'mqjms0.log' log
file as seen in the above description which stated that message
decryption had failed, and that the message was moved to the
queue 'SYSTEM.PROTECTION.ERROR.QUEUE'.

Problem conclusion

  • The WebSphere MQ classes for Java/JMS v7.5/v8.0 have been
updated to use the message data offset value as stated within
the PDMQ header, which ensures that the correct encrypted data
is used by during the decryption process.

the v9.0 code change associated with this APAR provides no
external behavioural change (this problem does not affect the
IBM MQ v9.0 classes for Java/JMS).  Instead, it enhances some of
the internal diagnostics which are output to trace when trace is
enabled.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v7.5       7.5.0.9
v8.0       8.0.0.9
v9.0 CD    9.0.5
v9.0 LTS   9.0.0.3

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT21589
    • 

  • Reported component name
    WMQ BASE MULTIP
    • 

  • Reported component ID
    5724H7241
    • 

  • Reported release
    750
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-07-25
    • 

  • Closed date
    2017-11-21
    • 

  • Last modified date
    2017-11-21
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WMQ BASE MULTIP
    • 

  • Fixed component ID
    5724H7241
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDEZSF","label":"IBM WebSphere MQ Managed File Transfer for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            31 March 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback