APAR status
Closed as program error.
Error description
When the Queue Manager is started and trace is enabled, AMQP channels that have been configured to use TLS will fail to start with the following error in the amqp_*.log logs: AMQXR0013E: Error starting channel 'TLS.AMQP' (on host: 'null' and port '0'). Reason: MQCC 2, MQRC 3361 (MQRCCF_SSL_CIPHER_SUITE_ERROR) PARM: This will continue even if trace is turned off, because the issue is dependent on trace being enabled when the queue manager starts.
Local fix
This does not occur if the queue manager is started with trace not enabled, so stop the trace and restart the queue manager.
Problem summary
**************************************************************** USERS AFFECTED: This issue affects users of the IBM MQ 9.2 AMQP service. Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: When using the AMQP service, if an AMQP channel has been configured to use TLS, it will fail to start if the queue manager is started with trace enabled. The reason for the failure was that, during startup, the AMQP service did a check to see if the security configuration had been intialized. This check always returned true, even if that was not the case. When trace was not enabled, the service then continued to initialize the security configuration and set up the internal list of cipher suites that it could use. However, when trace was enabled, the service generated a trace record and then did not perform the initialization of the security configuration. When the service then tried to start a channel that was configured to use TLS, the attempt failed and an AMQXR0013E error message containing reason code 3361 (MQRCCF_SSL_CIPHER_SUITE_ERROR) was written to the AMQP service log file (amqp_0.log): AMQXR0013E: Error starting channel '<channel name>' (on host: 'null' and port '0'). Reason: MQCC 2, MQRC 3361 (MQRCCF_SSL_CIPHER_SUITE_ERROR) PARM: ... An AMQP service trace covering the time of the issue would contain the following entries: hh.mm.ss.mmm thrd @hashCode Trace formatter started at: Wed Aug 11 08:27:55 BST 2021 08.27.55.009 27 com.ibm.mq.util.logging.MQLogger ----+ Thread Name:TraceController 08.27.55.009 27 com.ibm.mq.util.logging.MQLogger ----+ M log AMQUT0007I: The java.util.logging configuration is now set to /var/mqm/qmgrs/QM1/./amqp/amqptraceOn.properties. 08.27.55.379 1 com.ibm.mq.MQXRService./ ----+---- Thread Name:main 08.27.55.379 1 com.ibm.mq.MQXRService.MQXRSecurityEnvironment ----+---- } <clinit> 08.27.55.380 1 @d38a22f7 com.ibm.mq.MQXRService.MQXRSecurityEnvironment ----+----+ { <init> [false] [0] [] [] [[]] [] 08.27.55.380 1 @d38a22f7 com.ibm.mq.MQXRService.MQXRSecurityEnvironment ----+----+ } <init> 08.27.55.381 1 static com.ibm.mq.MQXRService.MQXRSecurityEnvironment ----+----+ { initialize [com.ibm.mq.MQXRService.MQXRService@4ae99f72] [com.ibm.mq.communications.PCFSPIAgent@5d200b8b] [false] 08.27.55.381 1 com.ibm.mq.MQXRService.MQXRSecurityEnvironment ----+----+ d initialize [Already initialized] [[fipsRequired: false suiteBStrength: 0 SSLKeyRepository: crlNamelistName: supportedSSLCipherSuitesList: [] defaultCertificateLabel: ]] 08.27.55.382 1 com.ibm.mq.MQXRService.MQXRSecurityEnvironment ----+----+ } initialize ... 08.27.55.903 1 static com.ibm.mq.MQXRService.MQXRService ----+----+- } createCommunicationsFromMQChannelDefinition com.ibm.mq.MQXRService.MQChannelConfigurationException: MQCC 2, MQRC 3361 (MQRCCF_SSL_CIPHER_SUITE_ERROR) PARM:
Problem conclusion
The MQ AMQP service has been updated so that it correctly initializes its internal list of cipher suites when it is started with trace enabled. This then allows the AMQP service to successfully start AMQP channels that have TLS enabled on them. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v9.x CD 9.2.4 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT38009
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
922
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-08-13
Closed date
2021-10-07
Last modified date
2021-10-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"922"}]
Document Information
Modified date:
13 October 2021