IBM Support

IT39745: IBM MQ Java client using SSLPEER receiving a certificate with SERIALNUMBER in the DN reports MQRC_SSL_PEER_NAME_ERROR (2399)

APAR status

  • Closed as program error.

Error description

  • If an IBM MQ Java client is using a client connection channel
    with an SSLPEER defined and receives a certificate with a
    SERIALNUMBER in the DN, it throws an exception stack like the
    one below, even if the SSLPEER is configured correctly:
    
    com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ2020: Failed
    to connect to queue manager '<QMGR> with connection mode
    'Client', see linked exception for more information.
    Check the queue manager is started and if running in client
    mode, check there is a listener running. Please see the linked
    exception for more information.
    ...
    Caused by: com.ibm.mq.MQException:
        JMSCMQ0001: IBM MQ call failed with compcode '2'
    ('MQCC_FAILED') reason '2399' ('MQRC_SSL_PEER_NAME_ERROR').
    ...
    Caused by: com.ibm.mq.jmqi.JmqiException:
        CC=2;RC=2399;AMQ9204: Connection to host <HOST> rejected.
    [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2399;AMQ9640: SSL
    invalid peer name, channel '<CHANNEL>, attribute 'SERIALNUMBER
    (x2)'. [3=<CHANNEL> ,5=SERIALNUMBER (x2)]],3=<HOST>)
    ,5=RemotePeerName.setValue]
    ...
    Caused by: com.ibm.mq.jmqi.JmqiException:
        CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel
    '<CHANNEL>', attribute 'SERIALNUMBER (x2)'. [3=<CHANNEL>
    ,5=SERIALNUMBER (x2)]
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of:
    
    - The IBM MQ classes for Java
    - The IBM MQ classes for JMS
    
    who have applications that specify an SSL Peer Name when
    connecting to a queue manager using an SSL/TLS connection
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    An SSL Certificate contains a serial number unique to that
    certificate. It can also contain what is referred to as a
    Distinguished Name (DN) that can also contain a separate serial
    number, which can be set to almost anything and so may not
    always be unique.
    
    The MQ classes for Java and classes for JMS extract the
    Certificate serial number and the DN from the queue manager's
    certificate, and combine them together to create an SSL Peer
    Name. This is then compared to the SSL Peer Name filter
    specified by the application. If the SSL Peer Name of the queue
    manager matches the SSL Peer Name filter, then the application
    will connect to the queue manager.
    
    The code within the MQ classes for Java and classes for JMS
    which was building the queue manager's SSL Peer Name was not
    expecting the DN serial number attribute to be there. When it
    found it, it threw an exception containing MQ reason code 2399
    (MQRC_SSL_PEER_NAME_ERROR). An example of this exception is
    shown below:
    
    com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ2020: Failed
    to connect to queue manager '<QMGR> with connection mode
    'Client', see linked exception for more information.
    Check the queue manager is started and if running in client
    mode, check there is a listener running. Please see the linked
    exception for more information.
    ...
    Caused by: com.ibm.mq.MQException:
        JMSCMQ0001: IBM MQ call failed with compcode '2'
    ('MQCC_FAILED') reason '2399' ('MQRC_SSL_PEER_NAME_ERROR').
    ...
    Caused by: com.ibm.mq.jmqi.JmqiException:
        CC=2;RC=2399;AMQ9204: Connection to host <HOST> rejected.
    [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2399;AMQ9640: SSL
    invalid peer name, channel '<CHANNEL>, attribute 'SERIALNUMBER
    (x2)'. [3=<CHANNEL> ,5=SERIALNUMBER (x2)]],3=<HOST>)
    ,5=RemotePeerName.setValue]
    ...
    Caused by: com.ibm.mq.jmqi.JmqiException:
        CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel
    '<CHANNEL>', attribute 'SERIALNUMBER (x2)'. [3=<CHANNEL>
    ,5=SERIALNUMBER (x2)]
    

Problem conclusion

  • The MQ classes for Java and classes for JMS now support the use
    of SSL Peer Names where the DN in the queue manager's
    certificate contains a serial number. Note, however, that it is
    not possible to include this serial number in the SSL Peer Name
    filter specified by the application. SSL Peer Name filtering is
    only possible on the Certificate serial number.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.2 LTS   9.2.0.6
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
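
An added example, not part of the APAR and not IBM's code: a JDK-only check that reports whether a certificate's subject DN carries a SERIALNUMBER attribute (OID 2.5.4.5), the condition that triggered reason code 2399 before the fix, alongside the certificate's own serial number. The class name, method name and sample DNs are constructed for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.naming.NamingEnumeration;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper class for illustration; not part of IBM MQ.
public class DnSerialNumberCheck {
    // X.520 serialNumber attribute type; distinct from the certificate serial number field.
    static final String SERIALNUMBER_OID = "2.5.4.5";

    // True if any RDN of the subject DN (multi-valued RDNs included) is a serialNumber attribute.
    static boolean hasDnSerialNumber(X500Principal subject) throws Exception {
        // RFC 2253 output has no keyword for serialNumber, so it is emitted by OID.
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        for (Rdn rdn : dn.getRdns()) {
            NamingEnumeration<String> ids = rdn.toAttributes().getIDs();
            while (ids.hasMore()) {
                String id = ids.next();
                if (id.equals(SERIALNUMBER_OID) || id.equalsIgnoreCase("SERIALNUMBER")) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // Argument: path to the queue manager's certificate file (PEM or DER).
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                X500Principal subject = cert.getSubjectX500Principal();
                System.out.println("Certificate serial number (hex): " + cert.getSerialNumber().toString(16));
                System.out.println("Subject DN: " + subject.getName());
                System.out.println("DN contains SERIALNUMBER: " + hasDnSerialNumber(subject));
            }
            return;
        }
        // Constructed sample DNs, used when no certificate file is given.
        String[] samples = { "SERIALNUMBER=12345, CN=QM1, O=Example", "CN=QM2, O=Example" };
        for (String s : samples) {
            System.out.println(s + " -> " + hasDnSerialNumber(new X500Principal(s)));
        }
    }
}
```

A result of true for the queue manager's certificate means a Java or JMS client that sets an SSL Peer Name needs the maintenance level listed above.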
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT39745

  • Reported component name

    MQ BASE V9.2

  • Reported component ID

    5724H7281

  • Reported release

    920

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-01-25

  • Closed date

    2022-05-04

  • Last modified date

    2022-05-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQ BASE V9.2

  • Fixed component ID

    5724H7281

Applicable component levels


Document Information

Modified date:
05 May 2022