IBM Support

IT05501: MQ EXPLORER V8.0: FIPS REQUIRED MODE SETTING IS NOT HONORED WHEN USING A CCDT

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When attempting to connect WebSphere MQ Explorer to a remote
    queue manager via a SSL configuration using a Channel
    Definition table (AMQCLCHL.TAB) file;
    If FIPS Required is set to Yes in the MQ Explorer preferences,
    MQ Explorer fails to connect and a dialog is displayed showing:
    
    An unexpected error (2393) has occurred. (AMQ4999)
    Severity: 10 (Warning)
    Explanation: An unlisted error has occurred in the system while
    retrieving PCF data.
    Response: Try the operation again. If the error persists,
    examine the problem determination information to see if any
    details have been recorded.
    
    2393 = MQRC_SSL_INITIALIZATION_ERROR
    This error occurs after connecting to the same queue manager
    with a direct connection configuration in the same MQ Explorer
    session.
    

Local fix

  • In MQ Explorer preferences, set the SSL Option: FIPS Required =
    No, or only use one conection method (direct or via CCDT) but
    do not try to use both for the same queue manager.
    
    This problem only occurs with MQ Explorer v8.0, v8.0.0.1;
    previous versions of MQ Explorer do not have this problem.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the IBM MQ Explorer version 8, who
    wish to connect to a remote queue manager using a client channel
    definition table (CCDT) while MQ Explorer is configured to run
    with the "SSL FIPS required" preference set to "Yes".
    
    
    Platforms affected:
    Windows, Linux on x86-64, Linux on x86
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When the "SSL FIPS required" property is set to "Yes" in the MQ
    Explorer preference pages, this property should apply to all
    remote queue manager connections. Due to an omission in the
    object definitions, this update was not correctly applied to
    CCDT connections. This was true for both existing CCDT
    connections, and CCDT connections created after setting the "SSL
    FIPS required" property to "Yes".
    
    Due to this omission, the appropriate FIPS parameters were not
    passed to the underlying MQ libraries, and so were not used
    during the connection attempt. This would in turn cause a JSSE
    error (2393) to be reported, if an existing FIPS-compliant
    connection was already established by MQ Explorer to another
    queue manager. The same error is also reported when attempting
    to create a FIPS-compliant connection to another queue manager
    after creating a non-FIPS connection using a CCDT.
    

Problem conclusion

  • The IBM MQ Explorer has been updated such that the "SSL FIPS
    required" is honored when creating a connection to a remote
    queue manager using a CCDT, and the appropriate FIPS parameters
    are passed to the underlying libraries.
    
    Additionally, the "SSL reset count" and "Peer name" properties
    can now be configured for CCDT connections, using the connection
    details settings in the same manner as for direct client
    connections, so that these parameters are also passed to the
    underlying MQ libraries.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT05501

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-11-11

  • Closed date

    2015-02-22

  • Last modified date

    2015-02-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7251

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.0.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
22 February 2015