IBM Support

IT15978: AMQ9642 error reported during SSL/TLS two-way authentication

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • MQ v8 client fails with the following error  when default
certificate being set by the client.

AMQ9642: MESSAGE:
No SSL or TLS certificate for channel '<insert one>'.
EXPLANATION:
The channel '<insert one>' did not supply a certificate to use
during SSL or TLS handshaking, but a certificate is required by
the remote queue manager.
The remote host is '<insert two>'.
The channel did not start.

And the Queue Manager error log reports

AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL
handshake. The channel name is 'CHANNEL.NAME' (if '????' it is
 unknown at this stage in the SSL processing).

Local fix

  • If  " CertificateLabel=<certname> " is specified in ssl stanza
of mqclient.ini , then channel will use this certificate as
default.

Problem summary

  • ****************************************************************
USERS AFFECTED:
All users of MQ V8 and V9,using applications that connect to the
Queue Manager using default certificate .


Platforms affected:
MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
When there is no  personal certificate in the client key store
with the label name of ibmwebspheremq<userid> ,the application
can be configure to connect to the Queue Manager using the
default certificate present in the keystore. This is possible
by setting  the environment variable AMQ_SSL_ALLOW_DEFAULT_CERT.

This variable was not honored by MQ v8. The client trace showed
that the variable was not checked even if it was set correctly
as an environment variable. Accordingly, applications which were
configured to use the default certificate failed to connect to
the queue manager, as the certificate was not used.

Problem conclusion

  • The MQ v8 client code has been modified to flow the default
certificate from the keystore (if one exists) to the queue
manager if AMQ_SSL_ALLOW_DEFAULT_CERT is set in the client's
environment.

If AMQ_SSL_ALLOW_DEFAULT_CERT is set and there is both default
cert and ibmwebpsheremq<userid> cert then,
ibmwebpsheremq<userid> will be used.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.7
v9.0 CD    9.0.2
v9.0 LTS   9.0.0.1

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT15978
    • 

  • Reported component name
    WMQ BASE MULTIP
    • 

  • Reported component ID
    5724H7251
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-07-01
    • 

  • Closed date
    2017-01-06
    • 

  • Last modified date
    2017-10-16
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WMQ BASE MULTIP
    • 

  • Fixed component ID
    5724H7251
    • 



Applicable component levels


    

  • R800  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.0.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            16 October 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback