IBM Support

IC83494: WMQ V7.1: JMS CLIENT CONNECTION VIA SSL ENABLED CHANNEL FAILS WITH RC 2399 MQRC_SSL_PEER_NAME_ERROR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A WebSphere MQ classes for Java Message Service (JMS) or
    WebSphere MQ classes for Java client application tries to make a
    connection to a queue manager secured with SSL/TLS. This fails
    with a JMSException, with reason code MQRC_SSL_PEER_NAME_ERROR.
    The exception is similar to:
    
    JMSWMQ0018: "Failed to connect to queue manager 'QMNAME' with
    connection mode '1' and host name 'servername(port#)'."  The
    liked exception reports WMQ reason code 2399
    MQRC_SSL_PEER_NAME_ERROR and error AMQ9640: SSL invalid peer
    name, channel '?', attribute 'OID.2.5.4.17 (x2)'.
    
    The above error is seen when the SSL certificate's
    distinguished name (DN) includes one of the attributes:
    
    SERIALNUMBER
    MAIL
    E
    UID
    USERID
    DC
    STREET
    PC
    POSTALCODE
    UNSTRUCTUREDNAME
    UNSTRUCTUREDADDRESS
    DNQ
    

Local fix

  • Recreate the personal certificate used by the client
    application without specifying any of the optional attributes
    from the list above in the distinguished name (DN).
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of:
    
    - The WebSphere MQ V7 classes for Java.
    - The WebSphere MQ V7 classes for JMS.
    - The WebSphere MQ V7 Resource Adapter.
    - The WebSphere Application Server V7 WebSphere MQ messaging
    provider.
    - The WebSphere Application Server V8 WebSphere MQ messaging
    provider.
    - The WebSphere Application Server V8.5 WebSphere MQ messaging
    provider.
    - The WebSphere Application Server V6.1 WebSphere MQ messaging
    provider who have configured the WebSphere variable
    MQ_INSTALL_ROOT to point to a WebSphere MQ V7 installation.
    
    attempting to secure connections to a queue manager using
    certificates with a Distinguished Name containing attributes
    from the list above.
    
    Platforms affected:
    All Distributed (iSeries, all Unix and Windows) +Java +Java zOS
    ****************************************************************
    PROBLEM SUMMARY:
    From WebSphere MQ version 7.1, the number of distinguished name
    attributes that could be specified in certificates being used to
    secure channel connections was increased. The WebSphere MQ
    classes for Java and JMS clients did not recognise these new
    attributes correctly, so any attempt to use certificates with
    these attributes caused the error seen above.
    

Problem conclusion

  • All distinguished name attributes referred to above can now be
    specified in certificates used to secure connections from
    WebSphere MQ Java and JMS clients to queue managers.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
                       v7.1
    Platform           Fix Pack 7.1.0.3
    --------           --------------------
    Windows            7.1.0.3
    AIX                7.1.0.3
    HP-UX (Itanium)    7.1.0.3
    Solaris (SPARC)    7.1.0.3
    Solaris (x86-64)   7.1.0.3
    iSeries            7.1.0.3
    Linux (x86)        7.1.0.3
    Linux (x86-64)     7.1.0.3
    Linux (zSeries)    7.1.0.3
    Linux (Power)      7.1.0.3
    zOS                7.1.0.3
    
    Platform           v7.5
    --------           --------------------
    Multiplatforms     7.5.0.1
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC83494

  • Reported component name

    WMQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-05-15

  • Closed date

    2012-10-19

  • Last modified date

    2014-02-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels

  • R710 PSY

       UP

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1"}]

Document Information

Modified date:
20 September 2021