IBM Support

IT14332: AMQ9845, UNABLE TO ADD A CERTIFICATE TO THE MQ APPLIANCE QUEUE MANAGER'S KEY DATABASE.


APAR status

  • Closed as program error.

Error description

  • Using the MQ Appliance WebUI (browser) File Management window, a
    signer certificate was uploaded to the MQ Appliance public
    certificate directory, mqpubcert.
    
    On the MQ Appliance, the user then switched to the MQ command line
    interface (mqcli) and attempted to add the signer certificate
    to the queue manager's key database using the "addcert"
    command.  The command failed with error code AMQ9845, unable to
    access file, even though the certificate is listed in the
    mqpubcert directory.
    
    M2000(mqcli)# addcert -m QMName -file signer_cert_name.pem -label Signer_Cert
    5724-H72 (C) Copyright IBM Corp. 1994, 2015.
    
    AMQ9845: Unable to access file 'mqpubcert://signer_cert_name.pem'
    
    M2000(mqcli)# exit
    M2000# config
    Global configuration mode
    
    M2000(config)# dir mqpubcert:
    File Name               Last Modified             Size
    ---------               -------------             ----
    signer_cert_name.pem    Mar 3, 2016 10:04:02 AM   1436
    
    NOTE:
    The failure will occur regardless of the Operating System where
    the WebUI is used to upload the certificate.
    The failure also occurs when a certificate is uploaded using
    the configuration mode (config) "copy" command.
    

Local fix

  • To work around this problem, make sure the certificate to be
    uploaded is on an operating system where the group permissions
    can be modified (e.g. Linux and Unix systems).  Modify the file
    permissions to give the "user" read/write privileges and the
    "group" read privileges.  Then use the copy command to upload
    the certificate to the MQ Appliance.  For example:
    
    chmod u=rw,g=r cert_file_name or chmod 640 cert_file_name
    
    M2000# copy sftp://user@hostname///home/user/certificate.pem mqpubcert:///certificate.pem
    Password: ********
    File copy success
    
    This procedure is documented in the MQ Appliance IBM Knowledge
    Center article "Uploading certificates to the appliance":
    
    http://www.ibm.com/support/knowledgecenter/SS5K6E_1.0.0/com.ibm.mqa.doc/security/se00044_.htm?lang=en
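
The local half of this workaround as a pre-upload check, added here as an example and not IBM's code: it applies the symbolic chmod shown above, confirms the user and group bits, and flags that `u=rw,g=r` leaves the "other" bits untouched where `chmod 640` clears them. The function name `prep_cert` and the PEM-header check are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): local pre-upload check for the workaround.
# Assumes the certificate is PEM-encoded, as the .pem names on the page suggest.

# prep_cert FILE
#   Applies the page's symbolic chmod (u=rw,g=r), then prints the resulting
#   9-character permission string. Returns non-zero if FILE is not a PEM
#   certificate or the user/group bits did not end up as rw- / r--.
prep_cert() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "prep_cert: not a regular file: $f" >&2
        return 2
    fi
    # A PEM certificate carries this armor line; reject anything else.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' -- "$f"; then
        echo "prep_cert: no PEM certificate block in $f" >&2
        return 3
    fi
    chmod u=rw,g=r -- "$f" || return 4
    # Columns 2-10 of `ls -l` are the user/group/other permission bits.
    perms=$(ls -ld -- "$f" | cut -c2-10)
    case $perms in
        rw-r--*) ;;
        *) echo "prep_cert: unexpected user/group bits: $perms" >&2
           return 5 ;;
    esac
    # u=rw,g=r leaves the "other" bits as they were; chmod 640 also clears them.
    case $perms in
        *---) ;;
        *) echo "prep_cert: note: other bits still set ($perms)" >&2 ;;
    esac
    echo "$perms"
}

# Run the check when a file name is given on the command line.
if [ "$#" -gt 0 ]; then
    prep_cert "$1"
fi
```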
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users who are trying to apply certificates to
    the queue manager's key database on the IBM MQ Appliance.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    An error in the MQ Appliance file copy routines caused files
    uploaded using the steps above to be assigned incorrect
    ownership, which meant that the MQ certificate management
    commands did not have authority to work with the copied files.
    

Problem conclusion

  • The MQ appliance certificate handling routines have been updated
    such that the MQ certificate management commands have
    appropriate authority to work with uploaded certificate files.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.5
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT14332

  • Reported component name

    IBM MQ APPL M20

  • Reported component ID

    5725S1400

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-03-15

  • Closed date

    2016-11-24

  • Last modified date

    2016-11-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ APPL M20

  • Fixed component ID

    5725S1400

Applicable component levels

  • R800 PSY   UP


Document Information

Modified date:
24 November 2016