APAR status
Closed as program error.
Error description
An IBM MQ classes for JMS application has been configured to use Advanced Message Security (AMS) to get protected messages stored on a queue. The CA certificate chain required by the application to decrypt the message is stored in cryptographic hardware. When the application tries to get a protected message, the following exception is thrown: com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2002: Failed to get a message from destination '<queue_name>'. IBM MQ classes for JMS attempted to perform an MQGET; however IBM MQ reported an error. Use the linked exception to determine the cause of this error. at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException( Reason.java) at com.ibm.msg.client.wmq.common.internal.Reason.createException(Re ason.java) at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCall Success(WMQMessageConsumer.java) at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCall Success(WMQMessageConsumer.java) at com.ibm.msg.client.wmq.internal.WMQConsumerShadow.getMsg(WMQCons umerShadow.java) at com.ibm.msg.client.wmq.internal.WMQSyncConsumerShadow.receiveInt ernal(WMQSyncConsumerShadow.java) at com.ibm.msg.client.wmq.internal.WMQConsumerShadow.receive(WMQCon sumerShadow.java) at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.receive(WMQMe ssageConsumer.java) at com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receiveIn boundMessage(JmsMessageConsumerImpl.java) at com.ibm.msg.client.jms.internal.JmsMessageConsumerImpl.receive(J msMessageConsumerImpl.java) at com.ibm.mq.jms.MQMessageConsumer.receive(MQMessageConsumer.java) ...... Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2063' ('MQRC_SECURITY_ERROR'). at com.ibm.msg.client.wmq.common.internal.Reason.createException(Re ason.java) ... 13 more
Local fix
Problem summary
**************************************************************** USERS AFFECTED: This affects users of: - The IBM MQ classes for Java - The IBM MQ classes for JMS - The IBM MQ resource adapter who have applications that use Advanced Message Security (AMS), where the digital certificates required by AMS are stored in PKCS #11 cryptographic hardware. Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: IBM MQ 9.2 provides the ability for Java clients which use Advanced Message Security (AMS) to access personal certificates and CA certificates stored in cryptographic hardware. When accessing a CA certificate chain stored in crytographic hardware, the Java AMS code would incorrectly attempt to access the certificate chain using the wrong keystore and generated an internal NullPointerException. This resulted in the application receiving an exception containing MQ reason code 2063 (MQRC_SECURITY_ERROR). An IBM MQ Java trace collected at the time the exception containing MQ reason code 2063 occurred would contain entries similar to the ones shown below: c.i.m.ese.core.EseUser ----+----+----+---- d getKeyStoreAccess() getter [Primary keystore: <keystore> secondary keystore: <keystore 2>] c.i.m.ese.prot.MessageProtectionBCImpl(MessageProtectionBCImpl) ----+----+----+- X unprotect(byte [ ],SecurityPolicy,AMBIHeader,SmqiObject,EseUser) the keystore parameter must be non-null [java.lang.NullPointerException] at: java.security.cert.PKIXParameters.<init>(PKIXParameters.java:140 ) java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParam eters.java:125) com.ibm.mq.ese.prot.MessageProtectionBCImpl.constructPKIXBuilder Parameters(MessageProtectionBCImpl.java:1256) com.ibm.mq.ese.prot.MessageProtectionBCImpl.validateSignedData(M essageProtectionBCImpl.java:1140) com.ibm.mq.ese.prot.MessageProtectionBCImpl.getUnprotectedFromSi gned(MessageProtectionBCImpl.java:877) com.ibm.mq.ese.prot.MessageProtectionBCImpl.unprotect(MessagePro tectionBCImpl.java:734) com.ibm.mq.ese.prot.MessageProtectionWrapper.unprotect(MessagePr otectionWrapper.java:99) ........
Problem conclusion
To resolve this issue, the Java AMS code has been updated to use the correct keystore when accessing CA certificate chains stored in crytographic hardware. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v9.2 LTS 9.2.0.3 v9.x CD 9.2.2 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT35389
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-12-30
Closed date
2021-02-10
Last modified date
2021-07-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Document Information
Modified date:
02 July 2021