APAR status
Closed as program error.
Error description
An authentication information (AUTHINFO) object has been defined on a queue manager with its AUTHTYPE attribute set to OCSP. The queue manager's SSLCRLNL attribute has been set to a value that includes this AUTHINFO object. When either the AMQP or MQ Telemetry service associated with this queue manager starts up, it reports the following error to its log file:

AMQXR2014E: The following error occurred during the starting of an MQXR channel, channelName = '<channel name>' : com.ibm.mq.communications.UnexpectedExceptionException: AMQCO1001E: service unexpectedly caught communications exception=com.ibm.mq.headers.pcf.PCFException: MQJE001: Completion Code '2', Reason '3015'.(Exception).
Caused by: com.ibm.mq.headers.pcf.PCFException: MQJE001: Completion Code '2', Reason '3015'.
Local fix
Remove any AUTHINFO of AUTHTYPE(OCSP) configured in the queue manager.
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of:
- The IBM MQ AMQP service.
- The IBM MQ Telemetry service.
who have configured the queue manager associated with the services to validate certificates using OCSP.

Platforms affected:
Windows, AIX, Linux on x86-64, Linux on Power, Linux on zSeries
****************************************************************
PROBLEM DESCRIPTION:
When an MQ AMQP or MQ Telemetry channel started up, it would:
- Read the queue manager's SSLCRLNL attribute to determine which authentication information (AUTHINFO) objects to use to perform TLS certificate checking.
- Issue a PCF request for each AUTHINFO object, specifying the command MQCMD_INQUIRE_AUTH_INFO and the parameters:
  - MQCA_AUTH_INFO_NAME: <authentication information object>
  - MQIACF_AUTH_INFO_ATTRS: { MQCA_AUTH_INFO_CONN_NAME }

If the AUTHINFO object was configured to validate certificates using Online Certificate Status Protocol (OCSP), rather than a certificate revocation list (CRL) stored on an LDAP server (that is, the AUTHTYPE attribute of the AUTHINFO object was set to OCSP rather than CRLLDAP), then the PCF request would fail with reason code 3015, because MQCA_AUTH_INFO_CONN_NAME was not a valid attribute to inquire for OCSP AUTHINFO objects.

As a result, the MQ AMQP or MQ Telemetry channel would fail to start and the following error message would be written to either the AMQP service log file (amqp_<number>.log) or the MQ Telemetry service log file (mqxr_<number>.log):

AMQXR2014E: The following error occurred during the starting of an MQXR channel, channelName = '<channel name>' : com.ibm.mq.communications.UnexpectedExceptionException: AMQCO1001E: service unexpectedly caught communications exception= com.ibm.mq.headers.pcf.PCFException: MQJE001: Completion Code '2', Reason '3015'.(Exception).
Caused by: com.ibm.mq.headers.pcf.PCFException: MQJE001: Completion Code '2', Reason '3015'.
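Added example (not part of the original APAR and not IBM code): a log check that lists the channels whose start-up failed with AMQXR2014E and PCF reason 3015, the signature described above. The sample log text, the channel names and the AMQXR9999I filler line are constructed, and the rule that an entry ends at the next AMQXRnnnnX: message ID is an assumption.

```python
import re

# Assumption: each MQXR service message starts with an ID such as AMQXR2014E:
# and runs until the next AMQXR message ID (nested AMQCO/MQJE text stays inside).
ENTRY_START = re.compile(r"(?=AMQXR\d{4}[A-Z]:)")
CHANNEL = re.compile(r"channelName\s*=\s*'([^']*)'")
CODES = re.compile(r"MQJE001: Completion Code '(\d+)', Reason '(\d+)'")


def find_ocsp_inquiry_failures(log_text):
    """Return sorted channel names whose start failed with PCF reason 3015."""
    channels = set()
    for entry in ENTRY_START.split(log_text):
        if not entry.startswith("AMQXR2014E:"):
            continue  # some other service message, or text before the first ID
        name = CHANNEL.search(entry)
        codes = CODES.search(entry)
        # Entries without MQJE001 text, or with another reason, are different faults.
        if name and codes and codes.group(2) == "3015":
            channels.add(name.group(1))
    return sorted(channels)


# Constructed sample modelled on the message text quoted in this APAR.
SAMPLE_LOG = """\
AMQXR2014E: The following error occurred during the starting of an MQXR channel,
channelName = 'AMQP.TLS' : com.ibm.mq.communications.UnexpectedExceptionException:
AMQCO1001E: service unexpectedly caught communications exception=
com.ibm.mq.headers.pcf.PCFException: MQJE001: Completion Code '2', Reason '3015'.(Exception).
AMQXR9999I: constructed filler message between entries
AMQXR2014E: The following error occurred during the starting of an MQXR channel,
channelName = 'MQTT.OTHER' : constructed failure with no PCF reason text
AMQXR2014E: The following error occurred during the starting of an MQXR channel,
channelName = 'MQTT.DENIED' : com.ibm.mq.headers.pcf.PCFException:
MQJE001: Completion Code '2', Reason '2035'.
"""

if __name__ == "__main__":
    for channel in find_ocsp_inquiry_failures(SAMPLE_LOG):
        print(f"{channel}: start failed with reason 3015; "
              "check SSLCRLNL for AUTHINFO objects with AUTHTYPE(OCSP)")
```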
Problem conclusion
The MQ AMQP and MQ Telemetry services have been changed to pass in the following parameters on the PCF request containing the command that each service sends to its associated queue manager when inquiring details about the authentication information (AUTHINFO) objects mentioned in the queue manager's SSLCRLNL attribute:
- MQCA_AUTH_INFO_NAME
- MQIACF_AUTH_INFO_ATTRS { MQCA_AUTH_INFO_OCSP_URL, MQIA_AUTH_INFO_TYPE, MQCA_AUTH_INFO_CONN_NAME }

This ensures that the services have access to both the OCSP and the CRL information that should be used to check whether certificates are valid.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.2 LTS   9.2.0.4
v9.x CD    9.2.4

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT36636
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
921
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-04-20
Closed date
2021-08-27
Last modified date
2021-10-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
Document Information
Modified date:
13 October 2021