APAR status
Closed as program error.
Error description
After enabling the wmqJmsClient-2.0 and transportSecurity-1.0 features in WebSphere Liberty application server and deploying the MQ Resource Adapter an attempt to create a TLS client connection to an IBM MQ queue manager fails. The following exception is reported in the messages.log file: [5/4/18 13:48:21:228 UTC] 0000003e SystemOut O handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN= Internal Root CA, O=My Corporation, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error The WebSphere Liberty trace shows that the configured default Keystore and Truststore locations (as per the server.xml file) are being ignored and the JVM default cacerts file is being used to find certificates enchanged during the TLS handshake.
Local fix
Use the javax.net.ssl Java system properties to override the default keystore and truststore used by the WebSphere Liberty server JVM. For example: -Djavax.net.ssl.trustStore=/localTrustStore.jks -Djavax.net.ssl.trustStorePassword=TrustStorePassword -Djavax.net.ssl.keyStore=/localKeyStore.jks -Djavax.net.ssl.keyStorePassword=KeyStorePassword These must be specified in the jvm.options file for the server.
Problem summary
**************************************************************** USERS AFFECTED: This issue affects users of the: - IBM MQ JCA resource adapter who have JMS applications running inside WebSphere Liberty application server and are using the transportSecurity-1.0 feature to create TLS connections from JMS applications to MQ queue managers. Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: When the ssl-1.0 WebSphere Liberty feature was used, the IBM MQ JCA resource adapter (MQ RA) would use the Liberty server defined default SSL configuration after APAR IT16056. This was because the Liberty server created an SSLContext from the default SSL configuration, and made that SSLContext the server default by calling the SSLContext.setDefault() Java API. This made the default SSLContext of the Liberty server the default SSLContext for the process. Therefore, when the MQ-RA obtained an SSLSocketFactory object (used when creating secure TCP/IP connections to queue managers) from the default SSLContext, the JSSE provider used the expected certificate stores for the secure socket handshake procedure. WebSphere Liberty added a new security feature named "transportSecurity-1.0" that superseded the ssl-1.0 feature and changes the behaviour previously described such that the default SSLContext is not set from the server's default SSL configuration. When the transportSecurity-1.0 feature is enabled, the Liberty server created a custom SSL Socket factory that used the Java security property ssl.SocketFactory.provider. A call to SSLContext.getDefault() returns the default context SSLContext of the Java Secure Socket Extension (JSSE) provider. A call to SSLSocketFactory.getDefault() returns an SSLSocketFactory that is based on the Liberty server custom socket factory provider that uses the Liberty SSLContext. Because of this change in behaviour between the ssl-1.0 and transportSecurity-1.0 Liberty server features, the MQ RA did not use the expected certificate stores during the secure socket handshaking. As such, certificate chains could not be validated and the connection fails with the exceptions noted in this APAR.
Problem conclusion
The MQ JCA Resource Adapter has been updated to call SSLSocketFactory.getDefault() when running in a Liberty server environment with the wmqJmsClient-2.0 feature enabled in order to obtain a socket factory instance to use when creating secure TCP/IP sockets to queue managers. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v9.0 LTS 9.0.0.6 v9.1 LTS 9.1.0.1 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT25529
Reported component name
IBM MQ BASE M/P
Reported component ID
5724H7261
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-07-03
Closed date
2018-07-17
Last modified date
2018-08-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE M/P
Fixed component ID
5724H7261
Applicable component levels
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
29 August 2018