IBM Support

IT38009: AMQP Service fails to start channel with error MQRC 3361 (MQRCCF_SSL_CIPHER_SUITE_ERROR)


APAR status

  • Closed as program error.

Error description

  • When the Queue Manager is started and trace is enabled, AMQP
    channels that have been configured to use TLS will fail to start
    with the following error in the amqp_*.log logs:
    
    AMQXR0013E: Error starting channel 'TLS.AMQP' (on host: 'null'
    and port '0'). Reason: MQCC 2, MQRC 3361
    (MQRCCF_SSL_CIPHER_SUITE_ERROR) PARM:
    
    This will continue even if trace is turned off, because the
    issue is dependent on trace being enabled when the queue manager
    starts.
    

Local fix

  • This does not occur if the queue manager is started with trace
    not enabled, so stop the trace and restart the queue manager.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the IBM MQ 9.2 AMQP service.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When using the AMQP service, if an AMQP channel has been
    configured to use TLS, it will fail to start if the queue
    manager is started with trace enabled.
    
    The reason for the failure was that, during startup, the AMQP
    service did a check to see if the security configuration had
    been initialized.  This check always returned true, even if that
    was not the case.  When trace was not enabled, the service then
    continued to initialize the security configuration and set up
    the internal list of cipher suites that it could use. However,
    when trace was enabled, the service generated a trace record and
    then did not perform the initialization of the security
    configuration. When the service then tried to start a channel
    that was configured to use TLS, the attempt failed and an
    AMQXR0013E error message containing reason code 3361
    (MQRCCF_SSL_CIPHER_SUITE_ERROR) was written to the AMQP service
    log file (amqp_0.log):
    
    AMQXR0013E: Error starting channel '<channel name>' (on host:
    'null' and port '0'). Reason: MQCC 2, MQRC 3361
    (MQRCCF_SSL_CIPHER_SUITE_ERROR) PARM: ...
    
    
    An AMQP service trace covering the time of the issue would
    contain the following entries:
    
    hh.mm.ss.mmm thrd  @hashCode Trace formatter started at: Wed Aug
    11 08:27:55 BST 2021
    08.27.55.009   27            com.ibm.mq.util.logging.MQLogger
                                         ----+ Thread
    Name:TraceController
    08.27.55.009   27            com.ibm.mq.util.logging.MQLogger
                                         ----+ M log AMQUT0007I: The
    java.util.logging configuration is now set to
    /var/mqm/qmgrs/QM1/./amqp/amqptraceOn.properties.
    08.27.55.379    1            com.ibm.mq.MQXRService./
                           ----+---- Thread Name:main
    08.27.55.379    1
    com.ibm.mq.MQXRService.MQXRSecurityEnvironment
          ----+---- } <clinit>
    08.27.55.380    1  @d38a22f7
    com.ibm.mq.MQXRService.MQXRSecurityEnvironment
          ----+----+ { <init> [false] [0] [] [] [[]] []
    08.27.55.380    1  @d38a22f7
    com.ibm.mq.MQXRService.MQXRSecurityEnvironment
          ----+----+ } <init>
    08.27.55.381    1  static
    com.ibm.mq.MQXRService.MQXRSecurityEnvironment
          ----+----+ { initialize
    [com.ibm.mq.MQXRService.MQXRService@4ae99f72]
    [com.ibm.mq.communications.PCFSPIAgent@5d200b8b] [false]
    08.27.55.381    1
    com.ibm.mq.MQXRService.MQXRSecurityEnvironment
          ----+----+ d initialize [Already initialized]
    [[fipsRequired: false suiteBStrength: 0 SSLKeyRepository:
    crlNamelistName:  supportedSSLCipherSuitesList: []
    defaultCertificateLabel: ]]
    08.27.55.382    1
    com.ibm.mq.MQXRService.MQXRSecurityEnvironment
          ----+----+ } initialize
    ...
    08.27.55.903    1  static    com.ibm.mq.MQXRService.MQXRService
                                       ----+----+- }
    createCommunicationsFromMQChannelDefinition
    com.ibm.mq.MQXRService.MQChannelConfigurationException: MQCC 2,
    MQRC 3361 (MQRCCF_SSL_CIPHER_SUITE_ERROR) PARM:
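
    A triage check for the signature described above, as an added example (not IBM's code): it unwraps the AMQP service log and trace text, finds channels that failed with MQRC 3361, and reports whether the trace shows the skipped initialization ("Already initialized" with an empty supportedSSLCipherSuitesList). The function names and result labels are assumptions, and the sample inputs are constructed from the message text on this page.

```python
import re

# Constructed sample of an amqp_0.log entry, wrapped as in the APAR text.
SAMPLE_LOG = """\
AMQXR0013E: Error starting channel 'TLS.AMQP' (on host: 'null'
and port '0'). Reason: MQCC 2, MQRC 3361
(MQRCCF_SSL_CIPHER_SUITE_ERROR) PARM:
"""

# Constructed sample of the trace record that marks the skipped initialization.
SAMPLE_TRACE = """\
08.27.55.381    1
com.ibm.mq.MQXRService.MQXRSecurityEnvironment
      ----+----+ d initialize [Already initialized]
[[fipsRequired: false suiteBStrength: 0 SSLKeyRepository:
crlNamelistName:  supportedSSLCipherSuitesList: []
defaultCertificateLabel: ]]
"""

CHANNEL_ERR = re.compile(
    r"AMQXR0013E: Error starting channel '([^']*)'"
    r".*?MQCC (\d+), MQRC (\d+) \((\w+)\)")
# "Already initialized" followed, within the same bracketed dump,
# by an empty cipher suite list.
SKIPPED_INIT = re.compile(
    r"d initialize \[Already initialized\][^\]]*?"
    r"supportedSSLCipherSuitesList: \[\s*\]")

def unwrap(text):
    """Join wrapped log/trace lines so one record can be matched as a whole."""
    return " ".join(text.split())

def failed_tls_channels(log_text):
    """Channel names whose start failed with MQRC 3361."""
    return [m.group(1) for m in CHANNEL_ERR.finditer(unwrap(log_text))
            if m.group(3) == "3361"]

def init_was_skipped(trace_text):
    """True if the trace shows initialize() returning early with no suites."""
    return SKIPPED_INIT.search(unwrap(trace_text)) is not None

def diagnose(log_text, trace_text=""):
    """Classify a log/trace pair (labels are this example's own)."""
    if not failed_tls_channels(log_text):
        return "no-3361"
    if init_was_skipped(trace_text):
        return "matches-IT38009"
    return "3361-other-cause"
```

    A "3361-other-cause" result means the channel failed with the same reason code but the trace supplied does not show the early return, so the cipher configuration of the channel itself should be checked.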
    

Problem conclusion

  • The MQ AMQP service has been updated so that it correctly
    initializes its internal list of cipher suites when it is
    started with trace enabled. This then allows the AMQP service to
    successfully start AMQP channels that have TLS enabled on them.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.x CD    9.2.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT38009

  • Reported component name

    MQ BASE V9.2

  • Reported component ID

    5724H7281

  • Reported release

    922

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-08-13

  • Closed date

    2021-10-07

  • Last modified date

    2021-10-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQ BASE V9.2

  • Fixed component ID

    5724H7281

Applicable component levels


Document Information

Modified date:
13 October 2021