IBM Support

IT25529: MQ Resource Adapter deployed in Liberty receives a certificate chain error when creating a TLS connection

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • After enabling the wmqJmsClient-2.0 and transportSecurity-1.0
    features in WebSphere Liberty application server and deploying
    the MQ Resource Adapter an attempt to create a TLS client
    connection to an IBM MQ queue manager fails.
    
    The following exception is reported in the messages.log file:
    
    [5/4/18 13:48:21:228 UTC] 0000003e SystemOut O
    handling exception: javax.net.ssl.SSLHandshakeException:
    com.ibm.jsse2.util.h: PKIX path building failed:
    
    java.security.cert.CertPathBuilderException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.;
    internal cause is:
    
     java.security.cert.CertPathValidatorException: The certificate
    issued by CN= Internal Root CA, O=My Corporation, C=US is not
    trusted; internal cause is:
    
     java.security.cert.CertPathValidatorException: Certificate
    chaining error
    
    The WebSphere Liberty trace shows that the configured default
    Keystore and
    Truststore locations (as per the server.xml file) are being
    ignored and the JVM default cacerts file is being used to find
    certificates enchanged during the TLS handshake.
    

Local fix

  • Use the javax.net.ssl Java system properties to override the
    default keystore and truststore used by the WebSphere Liberty
    server JVM.  For example:
    
    -Djavax.net.ssl.trustStore=/localTrustStore.jks
    -Djavax.net.ssl.trustStorePassword=TrustStorePassword
    -Djavax.net.ssl.keyStore=/localKeyStore.jks
    -Djavax.net.ssl.keyStorePassword=KeyStorePassword
    
    These must be specified in the jvm.options file for the server.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the:
    
      - IBM MQ JCA resource adapter
    
    who have JMS applications running inside WebSphere Liberty
    application server and are using the transportSecurity-1.0
    feature to create TLS connections from JMS applications to MQ
    queue managers.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When the ssl-1.0 WebSphere Liberty feature was used, the IBM MQ
    JCA resource adapter (MQ RA) would use the Liberty server
    defined default SSL configuration after APAR IT16056.  This was
    because the Liberty server created an SSLContext from the
    default SSL configuration, and made that SSLContext the server
    default by calling the SSLContext.setDefault() Java API. This
    made the default SSLContext of the Liberty server the default
    SSLContext for the process.  Therefore, when the MQ-RA obtained
    an SSLSocketFactory object (used when creating secure TCP/IP
    connections to queue managers) from the default SSLContext, the
    JSSE provider used the expected certificate stores for the
    secure socket handshake procedure.
    
    WebSphere Liberty added a new security feature named
    "transportSecurity-1.0" that superseded the ssl-1.0 feature and
    changes the behaviour previously described such that the default
    SSLContext is not set from the server's default SSL
    configuration.  When the transportSecurity-1.0 feature is
    enabled, the Liberty server created a custom SSL Socket factory
    that used the Java security property ssl.SocketFactory.provider.
    
    A call to SSLContext.getDefault() returns the default context
    SSLContext of the Java Secure Socket Extension (JSSE) provider.
    A call to SSLSocketFactory.getDefault() returns an
    SSLSocketFactory that is based on the Liberty server custom
    socket factory provider that uses the Liberty SSLContext.
    
    Because of this change in behaviour between the ssl-1.0 and
    transportSecurity-1.0 Liberty server features, the MQ RA did not
    use the expected certificate stores during the secure socket
    handshaking.  As such, certificate chains could not be validated
    and the connection fails with the exceptions noted in this APAR.
    

Problem conclusion

  • The MQ JCA Resource Adapter has been updated to call
    SSLSocketFactory.getDefault() when running in a Liberty server
    environment with the wmqJmsClient-2.0 feature enabled in order
    to obtain a socket factory instance to use when creating secure
    TCP/IP sockets to queue managers.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.0 LTS   9.0.0.6
    v9.1 LTS   9.1.0.1
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT25529

  • Reported component name

    IBM MQ BASE M/P

  • Reported component ID

    5724H7261

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-07-03

  • Closed date

    2018-07-17

  • Last modified date

    2018-08-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE M/P

  • Fixed component ID

    5724H7261

Applicable component levels

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
29 August 2018