IT43170: DOC UPDATE:SSL TRUSTSTORE SECURITY IDENTITY OF KAFKA POLICY SHOULD BE OF TYPE TRUSTSTORE

APAR status

• Closed as documentation error.

Error description

• If the SSL truststore security identity of the Kafka Policy is
  set with a value other than of type truststore then deployment
  of the Kafka node fails with BIP4087E error message.
  BIP4087E: ( BKR12_VAULT.default ) Unable to locate the
  credential associated with security identity
  'truststore'::'truststorePass'.
  
  But the documentation does not clearly mention that the
  mqsisetdbparms command should be executed with --resource
  truststore::<security identity> option.
  

Local fix

Problem summary

• ****************************************************************
  
  USERS AFFECTED:
  All users of IBM App Connect Enterprise V12.0 and V13.0 using
  the Kafka Nodes with SSL.
  
  
  Platforms affected:
  AIX, LinuxZ64, LinuxX64, LinuxPPCLE64, WinX64
  
  ****************************************************************
  
  PROBLEM DESCRIPTION:
  If the SSL truststore security identity for the Kafka Policy is
  configured with a value that is not of type truststore, the
  deployment of the Kafka node will fail with the following error
  message:
  
  BIP4087E: ( BKR.default ) Unable to locate the
  credential associated with security identity
  truststore::truststorePass.
  
  However, the documentation does not
  clearly state that the mqsisetdbparms command must be executed
  using the truststore::<security_identity> option.
  

Problem conclusion

• https://www.ibm.com/docs/en/app-connect/13.0.x?topic=commands-mq
  
  sisetdbparms-command documentation page will be updated with
  following details.
  
  Use the mqsisetdbparms command in the
  following format to create the security identities required for
  accessing the SSL keystore, key and truststore specified in the
  Kafka policy file.
  
  SSL keystore security identity
  :
  mqsisetdbparms integrationNodeName -n
  keystore::KafkaKeystoreSecID -u ignore -p password
  
  SSL key
  security identity :
  mqsisetdbparms integrationNodeName -n
  keystorekey::KafkaKeySecID -u ignore -p password
  
  SSL truststore
  security identity :
  mqsisetdbparms integrationNodeName -n
  truststore::KafkaTruststoreSecID -u ignore -p
  password
  
  
  https://www.ibm.com/docs/en/app-connect/13.0.x?topic=
  properties-kafka-policy documentation page will also be updated
  with following details.
  
  
  sslKeystoreSecurityIdentity :
  This
  property specifies the security identity to be used for
  accessing the keystore. This value is used only if the SSL
  keystore location property has been specified.
  
  Use
  mqsisetdbparms or mqsicredentials command to create the keystore
  
  type security identity. For example:
  mqsisetdbparms
  integrationNodeName -n keystore::KafkaKeystoreSecID -u ignore -p
  
  password
  
  sslKeySecurityIdentity :
  This property specifies the
  security identity to be used for accessing the key within the
  keystore. If this value is not specified, the security identity
  that is used for accessing the keystore is used.
  
  Use
  mqsisetdbparms or mqsicredentials command to create the
  keystorekey type security identity. For example:
  mqsisetdbparms
  integrationNodeName -n keystorekey::KafkaKeySecID -u ignore -p
  password
  
  sslTruststoreSecurityIdentity :
  This property
  specifies the security identity to be used for accessing the
  truststore. This value is used only if the SSL truststore
  location has been specified.
  
  Use mqsisetdbparms or
  mqsicredentials command to create the truststore type security
  identity. For example:
  mqsisetdbparms integrationNodeName -n
  truststore::KafkaTruststoreSecID -u ignore -p password
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels