IBM Support

IT16056: JMS applications using the MQ V8 JCA resource adapter running in Liberty cannot establish secure TLS connections


APAR status

  • Closed as program error.

Error description

  • When using the IBM MQ V8 JCA Resource Adapter (RA), an attempt
    to establish a secure TLS client connection to an IBM MQ queue
    manager from a classes for JMS application running inside
    WebSphere Liberty fails.  The following exception is reported:
    
    [ERROR   ] J2CA8802E: The message endpoint activation failed for
    resource adapter wmqJms due to exception:
    com.ibm.mq.connector.DetailedResourceAdapterInternalException:
    MQJCA1011: Failed to allocate a JMS connection., error code:
    MQJCA1011 An internal error caused an attempt to allocate a
    connection to fail. See the linked exception for details of the
    failure.
    	at
    com.ibm.mq.connector.services.JCAExceptionBuilder.buildException
    (JCAExceptionBuilder.java:174)
    	at
    com.ibm.mq.connector.services.JCAExceptionBuilder.buildException
    (JCAExceptionBuilder.java:135)
    	at
    com.ibm.mq.connector.inbound.ConnectionHandler.allocateConnectio
    n(ConnectionHandler.java:393)
    	at
    com.ibm.mq.connector.inbound.MessageEndpointDeployment.acquireCo
    nnection(MessageEndpointDeployment.java:288)
    	at
    com.ibm.mq.connector.inbound.MessageEndpointDeployment.<init>(Me
    ssageEndpointDeployment.java:228)
    	at
    com.ibm.mq.connector.ResourceAdapterImpl.endpointActivation(Reso
    urceAdapterImpl.java:531)
    	at
    com.ibm.ws.jca.service.EndpointActivationService.activateEndpoin
    t(EndpointActivationService.java:508)
    	Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ
    call failed with compcode '2' ('MQCC_FAILED') reason '2397'
    ('MQRC_JSSE_ERROR').
    	at
    com.ibm.msg.client.wmq.common.internal.Reason.createException(Re
    ason.java:203)
    	... 13 more
    Caused by (repeated) ... : com.ibm.mq.jmqi.JmqiException:
    CC=2;RC=2397;AMQ9204: Connection to host 'localhost(8484)'
    rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771:
    SSL handshake failed.
    [1=javax.net.ssl.SSLHandshakeException[com.ibm.jsse2.util.j:
    PKIX path building failed:
    java.security.cert.CertPathBuilderException: unable to find
    valid certification path to requested
    target],3=localhost/127.0.0.1:8484
    (localhost),4=SSLSocket.startHandshake,5=default]],3=localhost(8
    484),5=RemoteTCPConnection.protocolConnect]
    	at
    com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:
    2282)
    	at
    com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:
    1294)
    	at
    com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJ
    mqiImpl.java:376)
    	at
    com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
    	at
    com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnecti
    on.java:345)
    	... 12 more
    Caused by: javax.net.ssl.SSLHandshakeException:
    com.ibm.jsse2.util.j: PKIX path building failed:
    java.security.cert.CertPathBuilderException: unable to find
    valid certification path to requested target
    	at com.ibm.jsse2.j.a(j.java:7)
    ...
    	at com.ibm.jsse2.qc.startHandshake(qc.java:828)
    	at
    com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPC
    onnection.java:1298)
    	at
    com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPC
    onnection.java:1290)
    
    
    This issue occurs regardless of the version of WebSphere Liberty
    in use.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the:
    
      - IBM MQ V8 JCA Resource Adapter
      - IBM MQ V9 JCA Resource Adapter
    
      who have JMS applications running inside WebSphere Liberty
    application server and are attempting to create secure TLS
    connections to MQ queue managers.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When using the IBM MQ JCA Resource Adapter (RA) within WebSphere
    Liberty, the expectation is that secure TLS connections to a
    queue manager established by the IBM MQ RA (via a JMS Connection
    Factory retrieved via the JNDI store or Activation
    Specification) will use the key and trust certificate stores
    defined within the SSL default Liberty server configuration
    (sslDefault element in the Liberty server.xml file).
    
    However, the JKS key and trust stores defined within the
    sslDefault XML configuration element were not used.  The default
    certificate store (the cacerts file from the JRE) was being used
    and if this did not contain the required certificates for the
    secure socket handshaking to succeed, the connection would fail
    with the exception:
    
      java.security.cert.CertPathBuilderException:
        PKIXCertPathBuilderImpl could not build a valid CertPath.
    
    The root cause of the issue was that the IBM MQ RA was
    creating its own SSLContext object with a call to
    SSLContext.getInstance(String) and initialising it with the JRE
    default key and trust certificate stores.  An SSLSocketFactory
    was created from this SSLContext object which, in turn, was used
    to create a secure socket to an MQ queue manager.
    
    The IBM MQ RA was not using the default SSLContext object
    created by the Liberty server from the sslDefault configuration
    element, which is defined by the administrator in the server.xml
    file and initialised with the user-defined key and trust
    certificate store locations.
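
The difference between the two ways of obtaining an SSLContext described above, as an added example (not IBM's code and not the resource adapter's implementation). The class and method names are hypothetical, the empty in-memory KeyStore is a constructed stand-in for the administrator's trust store, and SSLContext.setDefault() is an assumption standing in for the runtime publishing its configured context; the APAR does not say how Liberty exposes it to the RA.

```java
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SslContextSelection {

    // Pattern the APAR describes as the defect: a private context whose null
    // managers make JSSE fall back to the JRE default key and trust stores.
    static SSLContext privateContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    // Pattern after the fix: reuse the context the runtime already configured.
    static SSLContext runtimeContext() throws Exception {
        return SSLContext.getDefault();
    }

    // Trust managers for a given store; a null store selects the JRE default.
    static TrustManager[] trustManagers(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    // Number of CA certificates the first X.509 trust manager accepts.
    static int anchorCount(TrustManager[] tms) {
        for (TrustManager tm : tms)
            if (tm instanceof X509TrustManager)
                return ((X509TrustManager) tm).getAcceptedIssuers().length;
        return 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the administrator's trust store (empty here).
        KeyStore adminStore = KeyStore.getInstance(KeyStore.getDefaultType());
        adminStore.load(null, null);
        SSLContext admin = SSLContext.getInstance("TLS");
        admin.init(null, trustManagers(adminStore), null);
        SSLContext.setDefault(admin); // assumption: stands in for the runtime

        System.out.println("JRE default anchors: " + anchorCount(trustManagers(null)));
        System.out.println("admin store anchors: " + anchorCount(trustManagers(adminStore)));
        System.out.println("private context is admin's: " + (privateContext() == admin));
        System.out.println("runtime context is admin's: " + (runtimeContext() == admin));
    }
}
```

A socket factory taken from the private context validates the queue manager's certificate chain against the JRE anchors only, which is the condition that produces the PKIX path building failure shown in the trace.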
    

Problem conclusion

  • This APAR updates the IBM MQ JCA Resource Adapter (RA) such that
    when it is used within WebSphere Liberty, the SSLContext object
    created by the Liberty runtime, which is based off the
    sslDefault configuration element within the server.xml file, is
    used by Activation Specifications and JMS Connection Factories
    retrieved from JNDI when an attempt is made to establish a
    secure connection to an MQ queue manager.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.6
    v9.0 CD    9.0.2
    v9.0 LTS   9.0.0.1
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT16056

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-07-25

  • Closed date

    2016-10-28

  • Last modified date

    2018-03-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7251

Applicable component levels


Document Information

Modified date:
19 March 2018