IBM Support

IT15978: AMQ9642 error reported during SSL/TLS two-way authentication


APAR status

  • Closed as program error.

Error description

  • The MQ v8 client fails with the following error when the default
    certificate is being set by the client.
    
    AMQ9642: MESSAGE:
    No SSL or TLS certificate for channel '<insert one>'.
    EXPLANATION:
    The channel '<insert one>' did not supply a certificate to use
    during SSL or TLS handshaking, but a certificate is required by
    the remote queue manager.
    The remote host is '<insert two>'.
    The channel did not start.
    
    And the Queue Manager error log reports
    
    AMQ9637: Channel is lacking a certificate.
    
    EXPLANATION:
    The channel is lacking a certificate to use for the SSL
    handshake. The channel name is 'CHANNEL.NAME' (if '????' it is
     unknown at this stage in the SSL processing).
    

Local fix

  • If "CertificateLabel=<certname>" is specified in the SSL stanza
    of mqclient.ini, then the channel will use this certificate as
    the default.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of MQ V8 and V9 using applications that connect to the
    Queue Manager using the default certificate.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When there is no personal certificate in the client key store
    with the label name ibmwebspheremq<userid>, the application
    can be configured to connect to the Queue Manager using the
    default certificate present in the keystore. This is possible
    by setting the environment variable AMQ_SSL_ALLOW_DEFAULT_CERT.
    
    This variable was not honored by MQ v8. The client trace showed
    that the variable was not checked even if it was set correctly
    as an environment variable. Accordingly, applications which were
    configured to use the default certificate failed to connect to
    the queue manager, as the certificate was not used.
    

Problem conclusion

  • The MQ v8 client code has been modified to flow the default
    certificate from the keystore (if one exists) to the queue
    manager if AMQ_SSL_ALLOW_DEFAULT_CERT is set in the client's
    environment.
    
    If AMQ_SSL_ALLOW_DEFAULT_CERT is set and there is both a default
    certificate and an ibmwebspheremq<userid> certificate, then
    ibmwebspheremq<userid> will be used.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.7
    v9.0 CD    9.0.2
    v9.0 LTS   9.0.0.1
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
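
The certificate selection described in this APAR can be modelled as a small triage helper. This is an added example, not IBM code: the function names, the fix_applied switch, the lower-casing of the user ID, treating any value of the variable as "set", and CertificateLabel taking precedence over ibmwebspheremq<userid> are assumptions. The key store labels are passed in as a list rather than read from a real key store.

```python
import os

def ssl_certificate_label(ini_text):
    """Return CertificateLabel from the SSL stanza of mqclient.ini text, or None."""
    in_ssl = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":              # blank line or comment
            continue
        if line.endswith(":") and "=" not in line:   # stanza header, e.g. "SSL:"
            in_ssl = line[:-1].strip().upper() == "SSL"
        elif in_ssl:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "CertificateLabel":
                return value.strip() or None
    return None

def predict_client_cert(keystore_labels, default_label, userid,
                        ini_text="", env=None, fix_applied=True):
    """Return (label, reason); label is None when no certificate would be sent."""
    env = os.environ if env is None else env
    labels = set(keystore_labels)
    configured = ssl_certificate_label(ini_text)
    if configured:                                   # assumed to take precedence
        if configured in labels:
            return configured, "CertificateLabel in mqclient.ini"
        return None, "CertificateLabel names a label missing from the key store"
    user_label = "ibmwebspheremq" + userid.lower()   # lower-casing is an assumption
    if user_label in labels:
        return user_label, "ibmwebspheremq<userid> label"
    allow = "AMQ_SSL_ALLOW_DEFAULT_CERT" in env      # any value counts as set (assumption)
    if allow and fix_applied and default_label in labels:
        return default_label, "default certificate (AMQ_SSL_ALLOW_DEFAULT_CERT)"
    if allow and not fix_applied:
        return None, "variable ignored before the fix (AMQ9642 if a cert is required)"
    return None, "no usable certificate (AMQ9642 if a cert is required)"

if __name__ == "__main__":
    # Constructed sample input: mqclient.ini text and key store labels.
    INI = "CHANNELS:\n   # constructed sample\nSSL:\n   CertificateLabel=appcert\n"
    ALLOW = {"AMQ_SSL_ALLOW_DEFAULT_CERT": "1"}
    print(predict_client_cert({"appcert", "dflt"}, "dflt", "alice", INI, env={}))
    print(predict_client_cert({"dflt"}, "dflt", "alice", env=ALLOW))
    print(predict_client_cert({"dflt"}, "dflt", "alice", env=ALLOW, fix_applied=False))
```

Passing fix_applied=False reproduces the behaviour reported here, where the variable is set but the default certificate is never sent.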
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT15978

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-07-01

  • Closed date

    2017-01-06

  • Last modified date

    2017-10-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7251

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
16 October 2017