IBM Support

IT29252: Resource adapter deployed into WebSphere Liberty via the jca-1.7 feature cannot use dynamic outbound configurations.

APAR status

  • Closed as program error.

Error description

  • The IBM MQ V9.1 resource adapter is deployed into a WebSphere
    Liberty application server that has the following features
    enabled:
    
    - jca-1.7
    - jms-2.0
    - transportSecurity-1.0
    
    An application running inside the application server then tries
    to create a secure TLS connection to a queue manager. The
    attempt fails with the following exception reported in the
    application server's messages.log file:
    
    handling exception: javax.net.ssl.SSLHandshakeException:
    com.ibm.jsse2.util.h: PKIX path building failed:
    java.security.cert.CertPathBuilderException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.;
    internal cause is:
    java.security.cert.CertPathValidatorException: The certificate
    issued by CN= Internal Root CA, O=My Corporation, C=US is not
    trusted; internal cause is:
     java.security.cert.CertPathValidatorException: Certificate
    chaining error
    
    A WebSphere Liberty trace collected at the time of the error
    shows that the configured default Keystore and Truststore
    locations (specified in the application server's server.xml
    file) are being ignored and the default cacerts file for the
    Java Runtime Environment (JRE) is being used to find
    certificates exchanged during the TLS handshake.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the IBM MQ resource adapter who have
    deployed it into a WebSphere Liberty application server that has
    the following features enabled:
    
    - jca-1.7
    - jms-2.0
    - transportSecurity-1.0
    
    and are using activation specifications and/or JMS applications
    that create secure TLS connections to IBM MQ queue managers.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    APAR IT25529 modified the IBM MQ resource adapter so that if it
    was deployed into a WebSphere Liberty application server that
    had:
    
    - Either the wmqJmsClient-1.1 or wmqJmsClient-2.0 feature
    enabled.
    - And the transportSecurity-1.0 feature enabled.
    
    then it would call the method:
    
    SSLSocketFactory.getDefault()
    
    to obtain a socket factory instance provided by the application
    server. This allowed the IBM MQ resource adapter to make use of
    Liberty-specific functionality provided by the
    transportSecurity-1.0 feature (such as dynamic outbound
    configurations) when creating secure connections to an IBM MQ
    queue manager.
    
    In order to detect that it was running inside of a WebSphere
    Liberty application server, the IBM MQ resource adapter checked
    for the presence of some internal classes provided by the
    wmqJmsClient-1.1 and wmqJmsClient-2.0 features.
    
    This meant that if the IBM MQ resource adapter was deployed into
    a WebSphere Liberty application server that had the jca-1.7
    feature enabled, and not the wmqJmsClient-1.1 or
    wmqJmsClient-2.0 features, it was unable to detect that it was
    running inside of WebSphere Liberty. As a result, it used a
    socket factory instance provided by the Java Runtime Environment
    when creating secure connections to a queue manager, which
    prevented it from using the Liberty-specific functionality
    provided by the transportSecurity-1.0 feature.
    

Problem conclusion

  • The IBM MQ resource adapter has been updated to check for a Java
    system property set by WebSphere Liberty, rather than looking
    for the presence of internal classes, when determining what
    socket factory to use when creating secure connections. This
    means that if the IBM MQ resource adapter is deployed into a
    WebSphere Liberty application server that has:
    
    - Either the jca-1.7, wmqJmsClient-1.1 or wmqJmsClient-2.0
    features enabled.
    - And the transportSecurity-1.0 feature enabled.
    
    then it will use a socket factory provided by the application
    server, and so can use the functionality provided by the
    transportSecurity-1.0 feature.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.1 LTS   9.1.0.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
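
The two detection approaches described in the problem description and conclusion, shown side by side as an added Java example (not IBM's resource adapter code). The marker class name and the system property name are hypothetical placeholders, because the APAR names neither.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class SocketFactorySelection {
    // Hypothetical placeholders: the APAR names neither the internal classes nor the property.
    static final String MARKER_CLASS = "com.example.liberty.internal.WmqJmsClientMarker";
    static final String MARKER_PROPERTY = "example.liberty.runtime.marker";

    // Pre-fix style: detect the server by probing for a class that only some features ship.
    static boolean detectByClass(ClassLoader loader) {
        try {
            Class.forName(MARKER_CLASS, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false; // e.g. jca-1.7 enabled without a wmqJmsClient feature
        }
    }

    // Post-fix style: detect the server by a system property the server sets itself.
    static boolean detectByProperty() {
        return System.getProperty(MARKER_PROPERTY) != null;
    }

    static SSLSocketFactory select(boolean insideServer) throws Exception {
        if (insideServer) {
            // Process-wide default; per the APAR, the factory the application server provides.
            return (SSLSocketFactory) SSLSocketFactory.getDefault();
        }
        // JRE path: default trust managers, so trust comes from the JRE's default
        // trust store (cacerts unless overridden), not the stores set in server.xml.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: server marker property present, marker class absent.
        System.setProperty(MARKER_PROPERTY, "true");
        ClassLoader cl = SocketFactorySelection.class.getClassLoader();
        boolean byClass = detectByClass(cl);
        boolean byProperty = detectByProperty();
        System.out.println("class probe detects server:    " + byClass);
        System.out.println("property probe detects server: " + byProperty);
        System.out.println("pre-fix factory:  " + select(byClass).getClass().getName());
        System.out.println("post-fix factory: " + select(byProperty).getClass().getName());
    }
}
```

Run in a plain JVM, both branches return JRE factories; the two printed class names differ only where a server has installed its own default socket factory.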
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT29252

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7271

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-05-23

  • Closed date

    2019-08-09

  • Last modified date

    2019-08-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7271

Applicable component levels

Document Information

Modified date:
09 August 2019