IBM Support

IT33590: Resource adapter deployed into embedded WebSphere Liberty started via Liberty SPIs cannot make secure connections to MQ.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • The IBM MQ V9.1 resource adapter is deployed into z/OS Connect
    EE. A one-way MQ Service Provider service is then defined, and
    configured to create a secure connection to a queue manager.
    
    When the service is run, the following exception is reported in
    the z/OS Connect EE's messages.log file:
    
    javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX
    path building failed:
    java.security.cert.CertPathBuilderException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.;
    internal cause is:
    	java.security.cert.CertPathValidatorException: The
    certificate issued by CN=<CN>, OU=<OU>, O=<Organization> is not
    trusted; internal cause is:
    	java.security.cert.CertPathValidatorException: Certificate
    chaining error
    
    
    A WebSphere Liberty trace from the z/OS Connect EE server
    collected at the time of the error shows the following exception
    being generated:
    
    com.ibm.msg.client.jms.DetailedJMSException: MQJCA1011: Failed
    to allocate a JMS connection.
    An internal error caused an attempt to allocate a connection to
    fail.
    See the linked exception for details of the failure.
      at
    com.ibm.mq.connector.services.JCAExceptionBuilder.buildException
    (JCAExceptionBuilder.java:184)
      at
    com.ibm.mq.connector.services.JCAExceptionBuilder.buildException
    (JCAExceptionBuilder.java:135)
      at
    com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createManage
    dJMSConnection(ConnectionFactoryImpl.java:402)
      at
    com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createConnec
    tionInternal(ConnectionFactoryImpl.java:252)
      at
    com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createConnec
    tion(ConnectionFactoryImpl.java:225)
      at
    com.ibm.mq.connector.outbound.ConnectionFactoryImpl.createConnec
    tion(ConnectionFactoryImpl.java:201)
      at
    com.ibm.zosconnect.service.mq.MQServiceInvocation.createConnecti
    on(Unknown Source)
      at
    com.ibm.zosconnect.service.mq.OneWayMQServiceInvocation.createJM
    SObjects(Unknown Source)
    :    :    :    :    :    :    :    :
    Caused by:
    com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed
    to connect to queue manager 'QMGR' with connection mode 'Client'
    and host name '<hostname>(<port>)'.
    Check the queue manager is started and if running in client
    mode, check there is a listener running. Please see the linked
     exception for more information.
    :    :    :    :    :    :    :    :
    Caused by:
    com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with
    compcode '2' ('MQCC_FAILED') reason '2397'('MQRC_JSSE_ERROR').
      at
    com.ibm.msg.client.wmq.common.internal.Reason.createException(Re
    ason.java:203)
      ... 35 more
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection
    to host '<hostname>(<port>)' rejected.
    [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL
    handshake failed.
    [1=javax.net.ssl.SSLHandshakeException[com.ibm.jsse2.util.h:
    PKIX path building failed:
    java.security.cert.CertPathBuilderException:PKIXCertPathBuilderI
    mpl could not build a valid CertPath.;
    internal cause is:
    java.security.cert.CertPathValidatorException: The certificate
    issued by CN=<CN>, OU=<OU>, O=<Organization> is not trusted;
    internal cause is:
    java.security.cert.CertPathValidatorException: Certificate
    chaining error],3=<hostname>/<ip address>(<hostname>),
    4=SSLSocket.startHandshake,5=default]],3=<hostname>(<port>),5=Re
    moteTCPConnection.protocolConnect]
    :    :    :    :    :    :    :    :
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the IBM MQ resource adapter, who
    have deployed it into a WebSphere Liberty server that is started
    via the WebSphere Liberty System Programming Interfaces (SPI),
    such as z/OS Connect EE.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The MQ resource adapter contains some logic to detect if it is
    running inside of WebSphere Liberty. If it finds that it has
    been deployed into this environment, the MQ resource adapter
    calls the method:
    
    java.net.ssl.SSLSocketFactory.getDefault()
    
    to obtain a socket factory instance provided by the application
    server. This allows the IBM MQ resource adapter to make use of
    the WebSphere Liberty keystores and truststores when creating
    secure connections to a queue manager.
    
    Prior to the fix for APAR IT29252, this logic would check for
    the presence of some internal classes provided by the WebSphere
    Liberty wmqJmsClient-1.1 and wmqJmsClient-2.0 features. If the
    MQ resource adapter had been deployed inside a WebSphere Liberty
    server that had the jca-1.7 feature enabled (sometimes referred
    to as "Generic JCA"), though, the internal classes were not
    present. This meant that the MQ resource adapter failed to
    detect that it was running in a WebSphere Liberty server and so
    would not call:
    
    java.net.ssl.SSLSocketFactory.getDefault()
    
    
    APAR IT29252 modified the logic, so that the MQ resource adapter
    would now look for a Java system property set by WebSphere
    Liberty, instead of the internal classes provided by the
    wmqJmsClient-1.1 and wmqJmsClient-2.0 features.  If the MQ
    resource adapter found that the property had been set, then it
    would call:
    
    java.net.ssl.SSLSocketFactory.getDefault()
    
    to get the WebSphere Liberty socket factory.
    
    
    However, the Java system property was not available in WebSphere
    Liberty servers that were started by the WebSphere Liberty
    System Programming Interfaces (SPI), such as z/OS Connect EE.
    This meant that the MQ resource adapter was unable to detect
    that it had been deployed into a WebSphere Liberty server which
    was started in this way. As a result, it used a socket factory
    instance provided by the Java Runtime Environment when creating
    secure connections to a queue manager, rather than the socket
    factory provided by the WebSphere Liberty server.
    

Problem conclusion

  • The IBM MQ resource adapter has been updated so that if it
    detects:
    
    - Either the presence of the internal classes provided by the
    wmqJmsClient-1.1 and wmqJmsClient-2.0 features
    - Or a Java system property set by WebSphere Liberty
    
    then it determines that it is running inside of WebSphere
    Liberty and so calls:
    
    java.net.ssl.SSLSocketFactory.getDefault()
    
    to get the WebSphere Liberty socket factory. It will then use
    this socket factory, and the WebSphere Liberty keystores and
    truststores associated with it, when creating secure connections
    to a queue manager.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.1 LTS   9.1.0.7
    v9.2 LTS   9.2.0.2
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT33590

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7271

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-17

  • Closed date

    2020-08-11

  • Last modified date

    2020-08-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7271

Applicable component levels

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"910","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
12 August 2020