IBM Support

IT19456: Update JRE in IBM MQ V9 to 8.0.4.1 IV93420 IV94326 and property com.ibm.security.EnforceStrictDER set to false

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Update the JRE within IBM MQ 9.0 to JRE version:
    
      8.0.4.1
    
    with the addition of the JRE APARs:
    
      IV93420 + IV94326
    
    and the following configuration property and value defined:
    
      com.ibm.security.EnforceStrictDER=false
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    The JRE which is embedded into IBM MQ is used
    to run the following Java components of the product:
    
      IBM MQ Managed File Transfer
      IBM MQ Explorer
      IBM MQ Extended Reach (MQXR) service
      IBM MQ Advanced Message Queuing Protocol (AMQP)
    
    
    Platforms affected:
    AIX, Linux on Power, Solaris x86-64, Windows, Solaris SPARC,
    Linux on zSeries, Linux on x86-64, Linux on x86, Linux on S390
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    This APAR updates the Java Runtime Environment (JRE) supplied
    with IBM MQ 9. See below for platforms updated and to which
    version.
    

Problem conclusion

  • This APAR updates the JRE updates for the following platforms
    for IBM MQ 9.0 to Java version 8.0.4.1 plus IV93420 and IV94326:
    
      AIX
      Linux (x86-64)
      Linux (PPC64LE)
      zLinux (s390x)
      Windows (64-bit)
    
    Java APAR IV94326 resolves an issue where an error message is
    reported when using certificates that contain DER encodings
    which are not encoded in the shortest form possible.
    
      http://www.ibm.com/support/docview.wss?uid=swg1IV94326
    
    The APAR updates the JRE to recognise the system property:
    
      com.ibm.security.EnforceStrictDER
    
    which can be set to disable some of these strict DER encoding
    checks.  The above APAR documents that the stricter checking is
    performed by default, and an exception is thrown unless this
    system property's value is set to false.
    
    The JRE shipped by this MQ APAR reverses the default behaviour
    for the stricter checking enforced by APAR IV94326, by
    configuring the property in the following way:
    
      com.ibm.security.EnforceStrictDER=false
    
    by default for applications using this JRE.  The result of this
    JRE configuration update is that exceptions are not seen when
    using certificates which contain DER encodings that are not
    encoded in the shortest form possible.
    
    If stricter checking is desired in your environment, then the
    JRE system property:
    
       com.ibm.security.EnforceStrictDER
    
    must be set to the value 'true' in your environment, for example
    by using the JRE argument:
    
      -Dcom.ibm.security.EnforceStrictDER=true
    
    
    The following Technote describes how to set this property in
    your environment in more detail:
    
      http://www.ibm.com/support/docview.wss?uid=swg22000235
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.0 CD    9.0.3
    v9.0 LTS   9.0.0.1
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT19456

  • Reported component name

    IBM MQ BASE M/P

  • Reported component ID

    5724H7261

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-27

  • Closed date

    2017-05-02

  • Last modified date

    2017-06-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE M/P

  • Fixed component ID

    5724H7261

Applicable component levels

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
01 June 2017