APAR status
Closed as program error.
Error description
The IBM MQ V9.1 resource adapter is deployed into z/OS Connect EE. A one-way MQ Service Provider service is then defined, and configured to create a secure connection to a queue manager. When the service is run, the following exception is reported in the z/OS Connect EE's messages.log file:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=<CN>, OU=<OU>, O=<Organization> is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error

A WebSphere Liberty trace from the z/OS Connect EE server collected at the time of the error shows the following exception being generated:

com.ibm.msg.client.jms.DetailedJMSException: MQJCA1011: Failed to allocate a JMS connection. An internal error caused an attempt to allocate a connection to fail. See the linked exception for details of the failure.
  at com.ibm.mq.connector.services.JCAExceptionBuilder.buildException(JCAExceptionBuilder.java:184)
  at com.ibm.mq.connector.services.JCAExceptionBuilder.buildException(JCAExceptionBuilder.java:135)
  at com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createManagedJMSConnection(ConnectionFactoryImpl.java:402)
  at com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createConnectionInternal(ConnectionFactoryImpl.java:252)
  at com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createConnection(ConnectionFactoryImpl.java:225)
  at com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createConnection(ConnectionFactoryImpl.java:201)
  at com.ibm.zosconnect.service.mq.MQServiceInvocation.createConnection(Unknown Source)
  at com.ibm.zosconnect.service.mq.OneWayMQServiceInvocation.createJMSObjects(Unknown Source)
: : : : : : : :
Caused by: com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'QMGR' with connection mode 'Client' and host name '<hostname>(<port>)'. Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
: : : : : : : :
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397'('MQRC_JSSE_ERROR').
  at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
  ... 35 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host '<hostname>(<port>)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException:PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=<CN>, OU=<OU>, O=<Organization> is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error],3=<hostname>/<ip address>(<hostname>), 4=SSLSocket.startHandshake,5=default]],3=<hostname>(<port>),5=RemoteTCPConnection.protocolConnect]
: : : : : : : :
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the IBM MQ resource adapter, who have deployed it into a WebSphere Liberty server that is started via the WebSphere Liberty System Programming Interfaces (SPI), such as z/OS Connect EE.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
The MQ resource adapter contains some logic to detect if it is running inside of WebSphere Liberty. If it finds that it has been deployed into this environment, the MQ resource adapter calls the method:

  javax.net.ssl.SSLSocketFactory.getDefault()

to obtain a socket factory instance provided by the application server. This allows the IBM MQ resource adapter to make use of the WebSphere Liberty keystores and truststores when creating secure connections to a queue manager.

Prior to the fix for APAR IT29252, this logic would check for the presence of some internal classes provided by the WebSphere Liberty wmqJmsClient-1.1 and wmqJmsClient-2.0 features. If the MQ resource adapter had been deployed inside a WebSphere Liberty server that had the jca-1.7 feature enabled (sometimes referred to as "Generic JCA"), though, the internal classes were not present. This meant that the MQ resource adapter failed to detect that it was running in a WebSphere Liberty server and so would not call:

  javax.net.ssl.SSLSocketFactory.getDefault()

APAR IT29252 modified the logic, so that the MQ resource adapter would now look for a Java system property set by WebSphere Liberty, instead of the internal classes provided by the wmqJmsClient-1.1 and wmqJmsClient-2.0 features. If the MQ resource adapter found that the property had been set, then it would call:

  javax.net.ssl.SSLSocketFactory.getDefault()

to get the WebSphere Liberty socket factory.

However, the Java system property was not available in WebSphere Liberty servers that were started by the WebSphere Liberty System Programming Interfaces (SPI), such as z/OS Connect EE. This meant that the MQ resource adapter was unable to detect that it had been deployed into a WebSphere Liberty server which was started in this way. As a result, it used a socket factory instance provided by the Java Runtime Environment when creating secure connections to a queue manager, rather than the socket factory provided by the WebSphere Liberty server.
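
To check which trust store explains the handshake failure described above, the following diagnostic (an added example, not IBM code) tests whether the issuer DN named in the exception is a trust anchor in the JRE default trust store and, optionally, in a file-based trust store such as the one the Liberty server is configured with. The class name, argument order, TRUSTSTORE_PASSWORD environment variable and sample DN are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Added diagnostic (hypothetical class name), not part of IBM MQ or WebSphere Liberty.
public class TrustAnchorCheck {

    // True if a trust anchor with this subject DN exists in ks.
    // ks == null selects the JRE default trust store, which is what a
    // JRE-provided socket factory validates the queue manager's chain against.
    static boolean hasAnchor(KeyStore ks, X500Principal issuer) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                // X500Principal.equals compares canonical DNs, so spacing and
                // case differences in the typed DN do not cause a false miss.
                if (ca.getSubjectX500Principal().equals(issuer)) return true;
            }
        }
        return false;
    }

    static KeyStore load(String path, String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // Usage: java TrustAnchorCheck "<issuer DN>" [<truststore path> <type, e.g. PKCS12>]
    public static void main(String[] args) throws Exception {
        String dn = args.length > 0 ? args[0]
            : "CN=Example Internal CA, OU=Example, O=Example"; // constructed sample DN
        X500Principal issuer = new X500Principal(dn);
        System.out.println("JRE default trust store: " + hasAnchor(null, issuer));
        if (args.length == 3) {
            String pw = System.getenv("TRUSTSTORE_PASSWORD"); // assumed variable name
            KeyStore ks = load(args[1], args[2], pw == null ? null : pw.toCharArray());
            System.out.println(args[1] + ": " + hasAnchor(ks, issuer));
        }
    }
}
```

A result of false for the JRE default store and true for the server's trust store matches the symptom in this APAR. A DN match only shows that an anchor with that name is present; it does not validate the full chain.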
Problem conclusion
The IBM MQ resource adapter has been updated so that if it detects:

- Either the presence of the internal classes provided by the wmqJmsClient-1.1 and wmqJmsClient-2.0 features
- Or a Java system property set by WebSphere Liberty

then it determines that it is running inside of WebSphere Liberty and so calls:

  javax.net.ssl.SSLSocketFactory.getDefault()

to get the WebSphere Liberty socket factory. It will then use this socket factory, and the WebSphere Liberty keystores and truststores associated with it, when creating secure connections to a queue manager.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.1 LTS   9.1.0.7
v9.2 LTS   9.2.0.2

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number: IT33590
Reported component name: IBM MQ BASE MP
Reported component ID: 5724H7271
Reported release: 910
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt / Xsystem
Submitted date: 2020-07-17
Closed date: 2020-08-11
Last modified date: 2020-08-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name: IBM MQ BASE MP
Fixed component ID: 5724H7271
Applicable component levels
Document Information
Modified date: 12 August 2020