TLS/SSL troubleshooting information
Use the information listed here to help you solve problems with your TLS/SSL system.
Overview
For the error caused by Using non-FIPS cipher with FIPS enabled on client, you
receive the following error message:
- JMSCMQ001
-
IBM® MQ call failed with completion code 2 ('MQCC_FAILED') reason 2397 ('MQRC_JSSE_ERROR')
For every other problem documented within this topic you receive either the previous error
message, or the following error message, or both:
- JMSWMQ0018
-
Failed to connect to queue manager 'queue-manager-name' with connection mode 'connection-mode' and host name 'host-name'
For each problem documented within this topic, the following information is provided:
- Output from the sample
SystemOut.logorConsole, detailing the cause of the exception.. - Queue manager error log information.
- Solution to the problem.
Note:
- You should always list out the stacks and the cause of the first exception.
- Whether or not the error information is written to the stdout log file depends on how the application is written, and on which framework you are using.
- The sample code includes stacks and line numbers. This information is useful guidance, but the stacks and line numbers are likely to change from one fix pack to another. You should use the stacks and line numbers as a guide to locating the correct section, and not use the information specifically for diagnostic purposes.
Cipher suite not set on client
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) - Queue manager error logs
- AMQ9639: Remote channel 'SYSTEM.DEF.SVRCONN' did not specify a CipherSpec.
- Solution
- Set a CipherSuite on the client so that both ends of the channel have a matching CipherSuite or CipherSpec pair.
Cipher suite not set on server
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) - Queue manager error logs
- AMQ9639: Remote channel 'SYSTEM.DEF.SVRCONN' did not specify a CipherSpec.
- Solution
- Change channel 'SYSTEM.DEF.SVRCONN' to specify a valid CipherSpec.
Cipher Mismatch
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) - Queue manager error logs
- AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel 'SYSTEM.DEF.SVRCONN'.
- Solution
- Change either the SSLCIPH definition of the server-connection channel or the Cipher suite of the client so that the two ends have a matching CipherSuite or CipherSpec pair.
Missing client personal certificate
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) - Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure that the key database of the queue manager contains a signed personal certificate from the truststore of the client.
Missing server personal certificate
- Output
- Caused by:
Caused by:com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Remote host closed connection during handshake], 3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) ... 12 more
Caused by:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.ibm.jsse2.qc.a(qc.java:158) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) ... 17 morejava.io.EOFException: SSL peer shut down incorrectly at com.ibm.jsse2.a.a(a.java:19) at com.ibm.jsse2.qc.a(qc.java:207) - Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure that the key database of the queue manager contains a signed personal certificate from the truststore of the client.
Missing server signer on client
- Output
- Caused by:
Caused by:com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match.],3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) ...
Caused by:javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match. ...
Caused by:com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match. at com.ibm.jsse2.util.h.a(h.java:99) at com.ibm.jsse2.util.h.b(h.java:27) at com.ibm.jsse2.util.g.a(g.java:14) at com.ibm.jsse2.yc.a(yc.java:68) at com.ibm.jsse2.yc.a(yc.java:17) at com.ibm.jsse2.yc.checkServerTrusted(yc.java:154) at com.ibm.jsse2.bb.a(bb.java:246) ... 28 more
Caused by:java.security.cert.CertPathValidatorException: The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match. at com.ibm.security.cert.BasicChecker.(BasicChecker.java:111) at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:174) at java.security.cert.CertPathValidator.validate(CertPathValidator.java:265) at com.ibm.jsse2.util.h.a(h.java:13) ... 34 morejava.security.cert.CertPathValidatorException: Signature does not match. at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:297) at com.ibm.security.cert.BasicChecker.(BasicChecker.java:108) - Queue manager error logs
- AMQ9665: SSL connection closed by remote end of channel '????'.
- Solution
- Add the certificate used to sign the personal certificate of the queue manager to the truststore of the client.
Missing client signer on server
- Output
- Caused by:
Caused by:com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[Software caused connection abort: socket write error], 3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) ... 12 morejava.net.SocketException: Software caused connection abort: socket write error at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:120) at java.net.SocketOutputStream.write(SocketOutputStream.java:164) at com.ibm.jsse2.c.a(c.java:57) at com.ibm.jsse2.c.a(c.java:34) at com.ibm.jsse2.qc.b(qc.java:527) at com.ibm.jsse2.qc.a(qc.java:635) at com.ibm.jsse2.qc.a(qc.java:743) at com.ibm.jsse2.ab.a(ab.java:550) at com.ibm.jsse2.bb.b(bb.java:194) at com.ibm.jsse2.bb.a(bb.java:162) at com.ibm.jsse2.bb.a(bb.java:7) at com.ibm.jsse2.ab.r(ab.java:529) at com.ibm.jsse2.ab.a(ab.java:332) at com.ibm.jsse2.qc.a(qc.java:435) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) - Queue manager error logs
- AMQ9633: Bad SSL certificate for channel '????'.
- Solution
- Add the certificate used to sign the personal certificate of the client to the key database of the queue manager.
SSLPEER set on server does not match certificate
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9643: Remote SSL peer name error for channel 'SYSTEM.DEF.SVRCONN' on host ''. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) - Queue manager error logs
- AMQ9636: SSL distinguished name does not match peer name, channel 'SYSTEM.DEF.SVRCONN'.
- Solution
- Ensure the value of SSLPEER set on the server-connection channel matches the distinguished name of the certificate.
SSLPEER set on client does not match certificate
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2398;AMQ9636: SSL distinguished name does not match peer name, channel '?'. [CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1215) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) - Queue manager error logs
- AMQ9208: Error on receive from host host-name (address).
- Solution
- Ensure the value of SSLPEER set in the client matches the distinguished name of the certificate.
Using a non-FIPS cipher with FIPS enabled on client
- Output
-
Caused by:Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information. at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:578) at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:214) at com.ibm.msg.client.wmq.internal.WMQConnection.getConnectOptions(WMQConnection.java:1423) at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:339) at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection (WMQConnectionFactory.java:6865) at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection (WMQConnectionFactory.java:6221) at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection (JmsConnectionFactoryImpl.java:285) at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection (JmsConnectionFactoryImpl.java:233) at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6016) at com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6041) at tests.SimpleSSLConn.runTest(SimpleSSLConn.java:46) at tests.SimpleSSLConn.main(SimpleSSLConn.java:26)com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE'). at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:202) - Queue manager error logs
- Not applicable.
- Solution
- Use a FIPS-enabled cipher, or disable FIPS on the client.
Using a non-FIPS cipher with FIPS enabled on the queue manager
- Output
- Caused by:
Caused by:com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Received fatal alert: handshake_failure], 3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) ... 12 morejavax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at com.ibm.jsse2.j.a(j.java:13) at com.ibm.jsse2.j.a(j.java:18) at com.ibm.jsse2.qc.b(qc.java:601) at com.ibm.jsse2.qc.a(qc.java:100) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) - Queue manager error logs
- AMQ9616: The CipherSpec proposed is not enabled on the server.
- Solution
- Use a FIPS-enabled cipher, or disable FIPS on the queue manager.
Can not find client keystore using IBM JRE
- Output
- Caused by:
Caused by:com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host 'localhost(1418)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN]],3=localhost(1418),5=RemoteConnection.analyseErrorSegment] at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2450) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1396) at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376) at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:561) at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:342) ... 8 morecom.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) - Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure the JVM property
javax.net.ssl.keyStorespecifies the location of a valid keystore.
Can not find client keystore using Oracle JRE
- Output
- Caused by:
Caused by:java.security.PrivilegedActionException: java.io.FileNotFoundException: C:\<filepath>\wrongkey.jks (The system cannot find the file specified) at java.security.AccessController.doPrivileged(Native Method) at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(Unknown Source) at sun.security.ssl.SSLContextImpl$DefaultSSLContext.(Unknown Source) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at java.lang.Class.newInstance0(Unknown Source) at java.lang.Class.newInstance(Unknown Source) ... 28 morejava.io.FileNotFoundException: C:\<filepath>\wrongkey.jks (The system cannot find the file specified) at java.io.FileInputStream.open(Native Method) at java.io.FileInputStream.(Unknown Source) at java.io.FileInputStream.(Unknown Source) at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(Unknown Source) at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(Unknown Source) - Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure the JVM property
javax.net.ssl.keyStorespecifies the location of a valid keystore.
Keystore password error - IBM JRE
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) - Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure that the value of the JVM property
javax.net.ssl.keyStorePasswordspecifies the password for the keystore specified byjavax.net.ssl.keyStore.
Truststore password error - IBM JRE
- Output
- Caused by:
Caused by:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available at com.ibm.jsse2.j.a(j.java:13) at com.ibm.jsse2.qc.a(qc.java:204) at com.ibm.jsse2.ab.a(ab.java:342) at com.ibm.jsse2.ab.a(ab.java:222) at com.ibm.jsse2.bb.a(bb.java:157) at com.ibm.jsse2.bb.a(bb.java:492) at com.ibm.jsse2.ab.r(ab.java:529) at com.ibm.jsse2.ab.a(ab.java:332) at com.ibm.jsse2.qc.a(qc.java:435) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) ... 17 morejava.security.cert.CertificateException: No X509TrustManager implementation available at com.ibm.jsse2.xc.checkServerTrusted(xc.java:2) at com.ibm.jsse2.bb.a(bb.java:246) - Queue manager error logs
- AMQ9665: SSL connection closed by remote end of channel
'????'. - Solution
- Ensure that the value of the JVM property
javax.net.ssl.trustStorePasswordspecifies the password for the keystore specified byjavax.net.ssl.trustStore.
Can not find or open queue manager key database
- Output
- Caused by:
Caused by:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.ibm.jsse2.qc.a(qc.java:158) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) ... 17 morejava.io.EOFException: SSL peer shut down incorrectly at com.ibm.jsse2.a.a(a.java:19) at com.ibm.jsse2.qc.a(qc.java:207) - Queue manager error logs
- AMQ9657: The key repository could not be opened (channel
'????'). - Solution
- Ensure that the key repository you specify exists and that its permissions are such that the IBM MQ process involved can read from it.
Can not find or use queue manager key database password stash file
- Output
- Caused by:
Caused by:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.ibm.jsse2.qc.a(qc.java:158) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) ... 17 moreava.io.EOFException: SSL peer shut down incorrectly at com.ibm.jsse2.a.a(a.java:19) at com.ibm.jsse2.qc.a(qc.java:207) - Queue manager error logs
- AMQ9660: SSL key repository: password stash file absent or unusable.
- Solution
- Ensure that a password stash file has been associated with the key database file in the same directory, and that the user ID, under which IBM MQ is running, has read access to both files.