IBM Support

IT35389: Exception reason code 2063 thrown when AMS Java clients access CA certificate chains within cryptographic hardware

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • An IBM MQ classes for JMS application has been configured to use
    Advanced Message Security (AMS) to get protected messages stored
    on a queue. The CA certificate chain required by the application
    to decrypt the message is stored in cryptographic hardware. When
    the application tries to get a protected message, the following
    exception is thrown:
    
    com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2002:
    Failed to get a message from destination '<queue_name>'.
    IBM MQ classes for JMS attempted to perform an MQGET; however
    IBM MQ reported an error.
    Use the linked exception to determine the cause of this error.
        at
    com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(
    Reason.java)
        at
    com.ibm.msg.client.wmq.common.internal.Reason.createException(Re
    ason.java)
        at
    com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCall
    Success(WMQMessageConsumer.java)
        at
    com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCall
    Success(WMQMessageConsumer.java)
        at
    com.ibm.msg.client.wmq.internal.WMQConsumerShadow.getMsg(WMQCons
    umerShadow.java)
        at
    com.ibm.msg.client.wmq.internal.WMQSyncConsumerShadow.receiveInt
    ernal(WMQSyncConsumerShadow.java)
        at
    com.ibm.msg.client.wmq.internal.WMQConsumerShadow.receive(WMQCon
    sumerShadow.java)
        at
    com.ibm.msg.client.wmq.internal.WMQMessageConsumer.receive(WMQMe
    ssageConsumer.java)
        at
    com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receiveIn
    boundMessage(JmsMessageConsumerImpl.java)
        at
    com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receive(J
    msMessageConsumerImpl.java)
        at
    com.ibm.mq.jms.MQMessageConsumer.receive(MQMessageConsumer.java)
    	......
    Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call
    failed with compcode '2' ('MQCC_FAILED') reason '2063'
    ('MQRC_SECURITY_ERROR').
        at
    com.ibm.msg.client.wmq.common.internal.Reason.createException(Re
    ason.java)
        ... 13 more
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This affects users of:
    
    - The IBM MQ classes for Java
    - The IBM MQ classes for JMS
    - The IBM MQ resource adapter
    
    who have applications that use Advanced Message Security (AMS),
    where the digital certificates required by AMS are stored in
    PKCS #11 cryptographic hardware.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    IBM MQ 9.2 provides the ability for Java clients which use
    Advanced Message Security (AMS) to access personal certificates
    and CA certificates stored in cryptographic hardware.
    
    When accessing a CA certificate chain stored in crytographic
    hardware, the Java AMS code would incorrectly attempt to access
    the certificate chain using the wrong keystore and generated an
    internal NullPointerException. This resulted in the application
    receiving an exception containing MQ reason code 2063
    (MQRC_SECURITY_ERROR).
    
    An IBM MQ Java trace collected at the time the exception
    containing MQ reason code 2063 occurred would contain entries
    similar to the ones shown below:
    
    c.i.m.ese.core.EseUser
           ----+----+----+----  d  getKeyStoreAccess() getter
    [Primary keystore: <keystore> secondary keystore: <keystore 2>]
    c.i.m.ese.prot.MessageProtectionBCImpl(MessageProtectionBCImpl)
           ----+----+----+-  X  unprotect(byte [
    ],SecurityPolicy,AMBIHeader,SmqiObject,EseUser)
    the keystore parameter must be non-null
    [java.lang.NullPointerException] at:
    
    java.security.cert.PKIXParameters.<init>(PKIXParameters.java:140
    )
    
    java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParam
    eters.java:125)
    
    com.ibm.mq.ese.prot.MessageProtectionBCImpl.constructPKIXBuilder
    Parameters(MessageProtectionBCImpl.java:1256)
    
    com.ibm.mq.ese.prot.MessageProtectionBCImpl.validateSignedData(M
    essageProtectionBCImpl.java:1140)
    
    com.ibm.mq.ese.prot.MessageProtectionBCImpl.getUnprotectedFromSi
    gned(MessageProtectionBCImpl.java:877)
    
    com.ibm.mq.ese.prot.MessageProtectionBCImpl.unprotect(MessagePro
    tectionBCImpl.java:734)
    
    com.ibm.mq.ese.prot.MessageProtectionWrapper.unprotect(MessagePr
    otectionWrapper.java:99)
    ........
    

Problem conclusion

  • To resolve this issue, the Java AMS code has been updated to use
    the correct keystore when accessing CA certificate chains stored
    in crytographic hardware.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.2 LTS   9.2.0.3
    v9.x CD    9.2.2
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT35389

  • Reported component name

    MQ BASE V9.2

  • Reported component ID

    5724H7281

  • Reported release

    920

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-12-30

  • Closed date

    2021-02-10

  • Last modified date

    2021-07-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQ BASE V9.2

  • Fixed component ID

    5724H7281

Applicable component levels

[{"Type":"MASTER","Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
02 July 2021