IBM Support

IT36636: MQ AMQP or MQ Telemetry channel fails to start if the queue manager attribute SSLCRLNL contains an OCSP AUTHINFO object


APAR status

  • Closed as program error.

Error description

  • An authentication information (AUTHINFO) object with its
    AUTHTYPE attribute set to OCSP has been defined on a queue
    manager. The queue manager's SSLCRLNL attribute has been set to
    a value that includes this AUTHINFO object.
    
    When either the AMQP or MQ Telemetry service associated with
    this queue manager starts up, it reports the following error to
    its log file:
    
    AMQXR2014E: The following error occurred during the starting of
    an MQXR channel, channelName = '<channel name>' :
    com.ibm.mq.communications.UnexpectedExceptionException:
    AMQCO1001E: service unexpectedly caught communications
    exception=com.ibm.mq.headers.pcf.PCFException: MQJE001:
    Completion Code '2', Reason '3015'.(Exception).
    Caused by: com.ibm.mq.headers.pcf.PCFException: MQJE001:
    Completion Code '2', Reason '3015'.
    

Local fix

  • Remove any AUTHINFO of AUTHTYPE(OCSP) configured in the queue
    manager.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of:
    
    - The IBM MQ AMQP service.
    - The IBM MQ Telemetry service.
    
    who have configured the queue manager associated with the
    services to validate certificates using OCSP.
    
    
    Platforms affected:
    Windows, AIX, Linux on x86-64, Linux on Power, Linux on zSeries
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When an MQ AMQP or MQ Telemetry channel started up, it would:
    
    - Read the queue manager's SSLCRLNL attribute to determine which
    authentication information (AUTHINFO) objects to use to perform
    TLS certificate checking.
    - Issue a PCF request for each AUTHINFO object, specifying the
    command MQCMD_INQUIRE_AUTH_INFO and the parameters:
    
    - MQCA_AUTH_INFO_NAME: <authentication information object>
    - MQIACF_AUTH_INFO_ATTRS: { MQCA_AUTH_INFO_CONN_NAME }
    
    If the AUTHINFO object was configured to validate certificates
    using Online Certificate Status Protocol (OCSP), rather than a
    certificate revocation list (CRL) stored on an LDAP server (i.e.,
    the AUTHTYPE attribute of the AUTHINFO object was set to OCSP
    rather than CRLLDAP), then the PCF request would fail with
    reason code 3015 as MQCA_AUTH_INFO_CONN_NAME was not a valid
    attribute to inquire for OCSP AUTHINFO objects.
    
    As a result, the MQ AMQP or MQ Telemetry channel would fail to
    start and the following error message would be written to either
    the AMQP service log file (amqp_<number>.log) or the MQ
    Telemetry service log file (mqxr_<number>.log):
    
    AMQXR2014E: The following error occurred during the starting of
    an MQXR channel, channelName = '<channel name>' :
      com.ibm.mq.communications.UnexpectedExceptionException:
    AMQCO1001E: service unexpectedly caught communications
    exception=
      com.ibm.mq.headers.pcf.PCFException: MQJE001: Completion Code
    '2', Reason '3015'.(Exception).
      Caused by: com.ibm.mq.headers.pcf.PCFException: MQJE001:
    Completion Code '2', Reason '3015'.
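
A triage check for the condition described above, as an added example that is not IBM's code: it lists the OCSP AUTHINFO objects reachable through the queue manager's SSLCRLNL attribute and finds the channels whose AMQXR2014E start failure carries reason 3015. The runmqsc output, object names, channel names and the second log entry are constructed, and the code assumes SSLCRLNL names a namelist whose NAMES attribute lists the AUTHINFO objects.

```python
import re

# Constructed runmqsc output for DISPLAY QMGR SSLCRLNL, DISPLAY NAMELIST(*) NAMES
# and DISPLAY AUTHINFO(*) AUTHTYPE; all object names are made up.
SAMPLE_MQSC = """\
   QMNAME(QM1)                             SSLCRLNL(REVOCATION.NL)
   NAMELIST(REVOCATION.NL)                 NAMES(OCSP.RESPONDER,LDAP.CRL)
   AUTHINFO(OCSP.RESPONDER)                AUTHTYPE(OCSP)
   AUTHINFO(LDAP.CRL)                      AUTHTYPE(CRLLDAP)
   AUTHINFO(UNUSED.OCSP)                   AUTHTYPE(OCSP)
"""

# Constructed log excerpt: the first entry follows the message in this APAR,
# the second is a made-up start failure with a different reason code.
SAMPLE_LOG = """\
AMQXR2014E: The following error occurred during the starting of
an MQXR channel, channelName = 'AMQP.TLS' :
com.ibm.mq.headers.pcf.PCFException: MQJE001: Completion Code
'2', Reason '3015'.
AMQXR2014E: The following error occurred during the starting of
an MQXR channel, channelName = 'MQTT.PLAIN' :
com.ibm.mq.headers.pcf.PCFException: MQJE001: Completion Code
'2', Reason '2035'.
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # one KEY(VALUE) pair
EVENT = re.compile(r"AMQXR2014E:.*?channelName = '([^']*)'(.*?)(?=AMQXR\d{4}[A-Z]:|$)")

def ocsp_objects_in_sslcrlnl(mqsc_text):
    """Return AUTHINFO names in the SSLCRLNL namelist that have AUTHTYPE(OCSP)."""
    records = [dict(ATTR.findall(l)) for l in mqsc_text.splitlines() if ATTR.search(l)]
    nl_name = next((r["SSLCRLNL"] for r in records if "SSLCRLNL" in r), "").strip()
    names = []
    for r in records:
        if nl_name and r.get("NAMELIST") == nl_name:
            names = [n.strip() for n in r.get("NAMES", "").split(",") if n.strip()]
    types = {r["AUTHINFO"]: r.get("AUTHTYPE") for r in records if "AUTHINFO" in r}
    return [n for n in names if types.get(n) == "OCSP"]

def channels_failed_with_3015(log_text):
    """Return channels whose AMQXR2014E entry reports Reason '3015'."""
    flat = re.sub(r"\s+", " ", log_text)  # undo line wrapping inside a message
    return sorted({m.group(1) for m in EVENT.finditer(flat) if "Reason '3015'" in m.group(2)})
```

An OCSP object that is not in the SSLCRLNL namelist (UNUSED.OCSP in the sample) is not reported, because the channel only inquires on the objects that namelist contains.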
    

Problem conclusion

  • The MQ AMQP and MQ Telemetry services have been changed to pass
    in the following parameters on the PCF request containing the
    command that they send to their associated queue manager when
    inquiring details about the authentication information
    (AUTHINFO) objects mentioned in the queue manager's SSLCRLNL
    attribute:
    
    - MQCA_AUTH_INFO_NAME
    - MQIACF_AUTH_INFO_ATTRS { MQCA_AUTH_INFO_OCSP_URL,
    MQIA_AUTH_INFO_TYPE, MQCA_AUTH_INFO_CONN_NAME }
    
    This ensures that the services have access to both OCSP and CRL
    information which should be used to check whether certificates
    are valid.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.2 LTS   9.2.0.4
    v9.x CD    9.2.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT36636

  • Reported component name

    MQ BASE V9.2

  • Reported component ID

    5724H7281

  • Reported release

    921

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-04-20

  • Closed date

    2021-08-27

  • Last modified date

    2021-10-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQ BASE V9.2

  • Fixed component ID

    5724H7281


Document Information

Modified date:
13 October 2021