IBM Support

IT21589: MQ-Java/JMS v7.5/v8 classes are unable to consume AMS secured messages created with MQ v9.0 client code

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A message is generated and put to an AMS enabled queue using a
    C-application which utilises the IBM MQ v9.0 client libraries.
    
    An attempt is then made to consume the message using a WebSphere
    MQ classes for Java application which is using the WebSphere MQ
    v7.5 client libraries (.jar files).  The 'get' fails with an
    exception of the following form:
    
    com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason
    '2063'.
            at
    com.ibm.mq.MQDestination.getInt(MQDestination.java:659)
            at com.ibm.mq.MQDestination.get(MQDestination.java:456)
            at MyApplication.getMessage(MyApplication.java:109)
            at MyApplication.main(MyApplication.java:45)
    
    and the message buffer is populated with encrypted data, rather
    than the decrypted message data which was expected.
    
    
    In addition to the above exception being output, a pair of log
    messages are also output to the log file (mqjms0.log by default)
    which reads:
    
    ----------------------------------------------------------------
    ----
    August 7, 2017 3:31:00 PM BST[main]
    com.ibm.mq.ese.intercept.JmqiGetInterceptorImpl
    The IBM WebSphere MQ Advanced Message Security Java interceptor
    failed to unprotect the received message.
    An error occurred when the IBM WebSphere MQ Advanced Message
    Security Java interceptor was unprotecting the received message.
    See subsequent messages in the exception for more details about
    the cause of the error
    ----------------------------------------------------------------
    ----
    August 7, 2017 3:31:00 PM BST[main]
    com.ibm.mq.ese.service.EseMQServiceImpl
    The IBM WebSphere MQ Advanced Message Security interceptor has
    put a defective message on error handling queue
    'SYSTEM.PROTECTION.ERROR.QUEUE                   '.
    
    EXPLANATION:
    This is an informational message that indicates the IBM
    WebSphere MQ Advanced Message Security put a message it could
    not interpret on the specified error handling queue.
    
    ACTION:
    Make sure only valid messages are put onto queues protected by
    IBM WebSphere MQ Advanced Message Security.
    ----------------------------------------------------------------
    ----
    

Local fix

  • none available - fix required
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of the WebSphere MQ classes for Java/JMS v7.5 or v8.0 who
    are consuming messages from AMS protected queues, where the
    messages put to those queues were secured using an MQ v9.0
    client.
    
    Users of the IBM MQ classes for Java/JMS v9.0 to consume the
    same messages are not affected but this issue.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When a message is protected using the IBM MQ Advanced Message
    Security (AMS) function, a 'PDMQ' header is added to the message
    which the IBM MQ client libraries use to decrypt the messages at
    the message endpoints.
    
    In order to accommodate AMS enhancements at MQ v9.0, the 'PDMQ'
    header was extended in size.  This change was intended to be
    backward compatible with older clients, as the header defines
    its length and the location where the encrypted payload data
    starts.
    
    The IBM MQ classes for Java/JMS were updated during the
    development of MQ v9.0 to use these values.  However older
    levels of code (WebSphere MQ classes for Java/JMS v7.5 and v8.0)
    used fixed values for the header length and data offset
    location, instead of the header defined length value.
    
    As a consequence, when a message was generated and protected
    using a MQ v9.0 client, and then consumed using the WebSphere MQ
    classes for Java/JMS v7.5 or v8.0, a incorrect data byte offset
    was used when getting the the encrypted bytes to send to the
    decryption libraries, which subsequently failed to decrypt the
    data.
    
    The exception thrown by the WebSphere MQ classes for Java
    libraries was of the form:
    
    com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason
    '2063'.
            at
    com.ibm.mq.MQDestination.getInt(MQDestination.java:659)
            at com.ibm.mq.MQDestination.get(MQDestination.java:456)
            at MyApplication.MyMethod(MyApplication.java:106)
    
    with no linked exception, and the message would be moved to to
    the queue:
    
        SYSTEM.PROTECTION.ERROR.QUEUE
    
    
    In addition, two messages were output to the 'mqjms0.log' log
    file as seen in the above description which stated that message
    decryption had failed, and that the message was moved to the
    queue 'SYSTEM.PROTECTION.ERROR.QUEUE'.
    

Problem conclusion

  • The WebSphere MQ classes for Java/JMS v7.5/v8.0 have been
    updated to use the message data offset value as stated within
    the PDMQ header, which ensures that the correct encrypted data
    is used by during the decryption process.
    
    the v9.0 code change associated with this APAR provides no
    external behavioural change (this problem does not affect the
    IBM MQ v9.0 classes for Java/JMS).  Instead, it enhances some of
    the internal diagnostics which are output to trace when trace is
    enabled.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.5       7.5.0.9
    v8.0       8.0.0.9
    v9.0 CD    9.0.5
    v9.0 LTS   9.0.0.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT21589

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7241

  • Reported release

    750

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-07-25

  • Closed date

    2017-11-21

  • Last modified date

    2017-11-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7241

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCPQ63","label":"APAR \/ Maintenance"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
21 November 2017