IBM Support

IT20715: IBM MQ JCA Resource Adapter throws error: MQJCA1028: Re-authentication is not supported

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When using the IBM MQ JCA Resource Adapter for outbound
    messaging within a WebSphere Liberty application server
    environment, the following exception is thrown when an
    application creates a JMS Connection and an attempt is made to
    reuse one from the application server's connection pool:
    
    J2CA0021E: An exception occurred while trying to get a
    Connection from the Managed Connection resource jms/myCF :
    com.ibm.mq.connector.DetailedSecurityException: MQJCA1028:
    Re-authentication is not supported.,
    error code: MQJCA1028 The application server attempted to
    re-authenticate a JMS connection, but the IBM MQ resource
    adapter does not support re-authentication. In the supplied
    ra.xml file, the property called reauthentication-support has
    the value false. Make sure that you have not changed the value
    of this property. If the property still has the value false,
    then this error is an application server error.
    	at
    com.ibm.mq.connector.services.JCAExceptionBuilder.buildException
    (JCAExceptionBuilder.java:194)
    	at
    com.ibm.mq.connector.services.JCAExceptionBuilder.buildException
    (JCAExceptionBuilder.java:111)
    	at
    com.ibm.mq.connector.outbound.ManagedQueueConnectionImpl.getConn
    ection(ManagedQueueConnectionImpl.java:140)
    	at
    com.ibm.ejs.j2c.MCWrapper.getConnection(MCWrapper.java:2148)
    	at
    com.ibm.ejs.j2c.ConnectionManager.allocateConnection(ConnectionM
    anager.java:361)
    	at
    com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createManage
    dJMSConnection(ConnectionFactoryImpl.java:307)
    	at
    com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createConnec
    tionInternal(ConnectionFactoryImpl.java:250)
    	at
    com.ibm.mq.connector.outbound.QueueConnectionFactoryImpl.createQ
    ueueConnection(QueueConnectionFactoryImpl.java:187)
    	at
    com.ibm.mq.connector.outbound.QueueConnectionFactoryImpl.createC
    onnection(QueueConnectionFactoryImpl.java:150)
    	at
    com.ibm.mq.connector.outbound.QueueConnectionFactoryImpl.createC
    onnection(QueueConnectionFactoryImpl.java:122)
    	...
    
    This error is written to the WebSphere Liberty messages.log
    file.
    

Local fix

  • Configure the application deployed to the application server to
    use application-managed authentication instead of
    container-managed authentication.
    
    Alternatively, use container-managed authentication but pass
    null for the username and password parameters when creating a
    JMS Connection or Context object from a JMS Connection Factory.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the IBM MQ V9 JCA Resource Adapter
    who have JMS applications that perform outbound messaging in
    non-WebSphere Application Server JEE application server
    environments.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When using the IBM MQ JCA Resource Adapter (MQ-RA) for outbound
    messaging, a JEE application server will invoke the method:
    
      matchManagedConnections(java.util.Set,
    javax.security.auth.Subject,
    javax.resource.spi.ConnectionRequestInfo)
    
    on the javax.resource.spi.ManagedConnectionFactory (provided by
    the MQ-RA) for the MQ-RA to attempt to match a ManagedConnection
    instance from the Set, in order to service a connection request
    from an application, such as Servlet.
    
    The MQ-RA iterated over the ManagedConnection objects in the Set
    and compared the ConnectionRequestInfo object passed into the
    matchManagedConnections method with the one cached on the
    ManagedConnection when it was created.  If the two were equal,
    then the ManagedConnection object would be returned.  The
    Subject (security context) would not be compared in this case.
    
    The JEE application server would then call the method:
    
      getConnection(javax.security.auth.Subject,
    javax.resource.spi.ConnectionRequestInfo)
    
    on the chosen ManagedConnection object in order to establish an
    application-level connection handle.
    
    The MQ-RA does not support re-authentication (as outlined in
    Section 9.1.9 of the JavaEE Connector Architecture
    Specification).  As such, the getConnection method on the
    ManagedConnection throws a javax.resource.spi.SecurityException
    in the case where the Subject passed into the getConnection
    method call was not equal to the one associated with the
    ManagedConnection instance when it was created.
    
    Because the matchManagedConnections method in the
    ManagedConnection class did not consider the Subject in its
    matching algorithm if a suitably matching ConnectionRequestInfo
    was found, then this method could have returned a
    ManagedConnection object with a different Subject compared to
    the one passed in on the matchManagedConnections and subsequent
    getConnection method calls.  When this occurred, the exception:
    
      com.ibm.mq.connector.DetailedSecurityException: MQJCA1028:
    Re-authentication is not supported.
    
    was thrown by the MQ-RA to the application server.
    

Problem conclusion

  • The method:
    
      matchManagedConnections(java.util.Set,
    javax.security.auth.Subject,
    javax.resource.spi.ConnectionRequestInfo)
    
    within the ManagedConnection object, provided by the IBM MQ JCA
    Resource Adapter (MQ-RA), has been updated such that both the
    Subject and the ConnectionRequestInfo objects passed into the
    method call must be equal to those associated with a
    ManagedConnection from the Set in order for that for that
    ManagedConnection to be returned.
    
    
    Re-authentication remains unsupported in the MQ-RA.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.0 CD    9.0.4
    v9.0 LTS   9.0.0.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT20715

  • Reported component name

    IBM MQ BASE M/P

  • Reported component ID

    5724H7261

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-05-23

  • Closed date

    2017-08-24

  • Last modified date

    2017-09-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE M/P

  • Fixed component ID

    5724H7261

Applicable component levels

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
19 September 2017