APAR status
Closed as program error.
Error description
If an IBM MQ Java client uses a client connection channel with an SSLPEER defined and receives a certificate with a SERIALNUMBER, it throws an exception stack like the one below, even if the SSLPEER is configured correctly:

com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ2020: Failed to connect to queue manager '<QMGR> with connection mode 'Client', see linked exception for more information. Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
...
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2399' ('MQRC_SSL_PEER_NAME_ERROR').
...
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9204: Connection to host <HOST> rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel '<CHANNEL>, attribute 'SERIALNUMBER (x2)'. [3=<CHANNEL> ,5=SERIALNUMBER (x2)]],3=<HOST>) ,5=RemotePeerName.setValue]
...
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel '<CHANNEL>', attribute 'SERIALNUMBER (x2)'. [3=<CHANNEL> ,5=SERIALNUMBER (x2)]
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of:
- The IBM MQ classes for Java
- The IBM MQ classes for JMS
who have applications that specify an SSL Peer Name when connecting to a queue manager using an SSL/TLS connection.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
An SSL Certificate contains a serial number unique to that certificate. It can also contain what is referred to as a Distinguished Name (DN) that can also contain a separate serial number, which can be set to almost anything and so may not always be unique.

The MQ classes for Java and classes for JMS extract the Certificate serial number and the DN from the queue manager's certificate, and combine them together to create an SSL Peer Name. This is then compared to the SSL Peer Name filter specified by the application. If the SSL Peer Name of the queue manager matches the SSL Peer Name filter, then the application will connect to the queue manager.

The code within the MQ classes for Java and classes for JMS which was building the queue manager's SSL Peer Name was not expecting the DN serial number attribute to be there. When it found it, it threw an exception containing MQ reason code 2399 (MQRC_SSL_PEER_NAME_ERROR). An example of this exception is shown below:

com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ2020: Failed to connect to queue manager '<QMGR> with connection mode 'Client', see linked exception for more information. Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
...
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2399' ('MQRC_SSL_PEER_NAME_ERROR').
...
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9204: Connection to host <HOST> rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel '<CHANNEL>, attribute 'SERIALNUMBER (x2)'. [3=<CHANNEL> ,5=SERIALNUMBER (x2)]],3=<HOST>) ,5=RemotePeerName.setValue]
...
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel '<CHANNEL>', attribute 'SERIALNUMBER (x2)'. [3=<CHANNEL> ,5=SERIALNUMBER (x2)]
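The collision described above, as an added example that is not IBM's code: a simplified Java model that prepends the certificate serial number to the subject DN and counts the SERIALNUMBER attributes in the result, which is a quick way to tell whether a queue manager certificate would trip a client without this fix. The class name, the sample DNs and serial, and the layout of the combined peer name are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class PeerNameSerialCheck {
    // X.520 serialNumber attribute; some tools print the OID instead of the keyword.
    static boolean isDnSerial(String type) {
        String t = type.toUpperCase();
        return t.equals("SERIALNUMBER") || t.equals("2.5.4.5") || t.equals("OID.2.5.4.5");
    }

    // Attribute types in the subject DN, including every part of a multi-valued RDN.
    static List<String> dnAttributeTypes(String subjectDn) throws InvalidNameException {
        List<String> types = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            types.addAll(Collections.list(rdn.toAttributes().getIDs()));
        }
        return types;
    }

    // Simplified model (assumption): certificate serial first, then the DN as presented.
    static String modelPeerName(BigInteger certSerial, String subjectDn) {
        return "SERIALNUMBER=" + certSerial.toString(16).toUpperCase() + "," + subjectDn;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample values, not taken from any real certificate.
        BigInteger certSerial = new BigInteger("5A3F9C01", 16);
        String[] subjects = {
            "CN=QM1,O=Example,C=US",
            "SERIALNUMBER=DEV-0042,CN=QM1,O=Example,C=US",
            "CN=QM1+2.5.4.5=DEV-0042,O=Example,C=US"
        };
        for (String dn : subjects) {
            long dnSerials = dnAttributeTypes(dn).stream()
                    .filter(PeerNameSerialCheck::isDnSerial).count();
            System.out.println(modelPeerName(certSerial, dn));
            System.out.println("  SERIALNUMBER attributes in combined name: " + (1 + dnSerials)
                    + (dnSerials > 0 ? "  -> MQRC_SSL_PEER_NAME_ERROR without the IT39745 fix"
                                     : "  -> unaffected"));
        }
    }
}
```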
Problem conclusion
The MQ classes for Java and classes for JMS now support the use of SSL Peer Names where the DN in the queue manager's certificate contains a serial number.

Note, however, that it is not possible to include this serial number in the SSL Peer Name filter specified by the application. SSL Peer Name filtering is only possible on the Certificate serial number.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.2 LTS   9.2.0.6

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT39745
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-01-25
Closed date
2022-05-04
Last modified date
2022-05-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
Document Information
Modified date:
05 May 2022