IBM Support

PH63778: WHEN MQDEFAULTSSLSETTINGS IS CONFIGURED, SSLCONFIGURATION USES CELLDEFAULTSSLSETTINGS INSTEAD OF EXPECTED MQDEFAULTSSLSETTINGS.


APAR status

  • Closed as program error.

Error description

  • After upgrading WAS to 9.0.5.20, 9.0.5.21, or 8.5.5.26,
    customers using SSL configurations with names ending in
    DefaultSSLSettings, such as MQDefaultSSLSettings, experienced
    communication issues with MQ. This is due to a code change that
    treats MQDefaultSSLSettings as a WAS legacy alias, causing the
    SSL configuration to default to CellDefaultSSLSettings or
    NodeDefaultSSLSettings instead of using the configured
    MQDefaultSSLSettings.
    In most cases, the communication errors are logged in the WAS
    SystemOut.log file, with entries such as:
    
    CWWMQ0087W: The SSL settings that will be used by a WebSphere MQ
    messaging provider connection factory to connect to WebSphere MQ
    specify multiple cipher suites.
    
    
    AMQ9204: Connection to host 'IBMDEV(1422)' rejected and
    AMQ9641: Remote CipherSpec error for channel
    'IBMDES.SVR.SVLCONN' to host
    Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call
    failed with compcode '2' ('MQCC_FAILED') reason '2400'
    ('MQRC_UNSUPPORTED_CIPHER_SUITE').
    
    Some customers also noticed the following errors in the MQ Qmgr
    error logs.
    
    AMQ9631E
    The CipherSpec negotiated during the SSL handshake does not
    match the required CipherSpec for channel <insert_3>.
    
    AMQ9636: SSL distinguished name does not match peer name,
    channel  'IBM.WAS.SVLLab'.
    
    MQ on Z customers may notice error codes CSQX631E and CSQX636E
    in the MQ Qmgr.
    
    
    
    In the trace file:
    ----------
    [10/10/24 18:48:17:595 SGT] 00000001 SSLConfigMana > getGlobalProperty Entry
                                      com.ibm.websphere.ssl.fallback.for.nonexistent.alias
                                      false
    [10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    > getProperties Entry
                                      MQDefaultSSLSettings
                                      {com.ibm.ssl.endPointName=CLIENT_TO_WEBSPHERE_MQ, com.ibm.ssl.direction=outbound}
                                      <null>
    [10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    3   Checking legacyAlias for [MQDefaultSSLSettings]
    [10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    3   legacy alias is true for alias[DefaultSSLSettings]
    [10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    3   Handling sslAliasName [MQDefaultSSLSettings] as null. This is going to use the current default SSL settings.
    ...
    [10/10/24 18:49:32:102 SGT] 0000008b ManagementSco < getConfigAndCertAliasesFromGroups (found from outbound scope) -> CellDefaultSSLSettings Exit
    [10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    3   configAlias: CellDefaultSSLSettings, certAlias: null
    [10/10/24 18:49:32:102 SGT] 0000008b SSLConfigMana > getProperties Entry
                                      CellDefaultSSLSettings
    ----------
    
    The trace shows CellDefaultSSLSettings in use instead of the
    expected MQDefaultSSLSettings.
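
The trace signature above can be searched for mechanically. The following is an added example, not part of the APAR or IBM tooling: it pairs the JSSEHelper "Handling sslAliasName [...] as null" entry with the later "configAlias:" entry on the same thread to report which configured alias was replaced, and flags alias names matching the pattern this APAR describes. It assumes unwrapped trace.log lines; the sample trace, the second thread and the alias AppOutboundSSL are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: unwrapped trace.log lines in the shape quoted in this APAR.
# The second thread (0000008c) and the alias AppOutboundSSL are invented.
SAMPLE_TRACE = """\
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    3   Checking legacyAlias for [MQDefaultSSLSettings]
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    3   legacy alias is true for alias[DefaultSSLSettings]
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    3   Handling sslAliasName [MQDefaultSSLSettings] as null. This is going to use the current default SSL settings.
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper    3   configAlias: CellDefaultSSLSettings, certAlias: null
[10/10/24 18:49:33:410 SGT] 0000008c JSSEHelper    3   Checking legacyAlias for [AppOutboundSSL]
[10/10/24 18:49:33:410 SGT] 0000008c JSSEHelper    3   configAlias: AppOutboundSSL, certAlias: null
"""

# [timestamp] threadid JSSEHelper <event type> <message>
LINE = re.compile(r"^\[[^\]]+\]\s+(?P<thread>[0-9a-fA-F]{8})\s+JSSEHelper\s+\S+\s+(?P<msg>.*)$")
DROPPED = re.compile(r"Handling sslAliasName \[(?P<alias>[^\]]+)\] as null")
RESOLVED = re.compile(r"configAlias: (?P<alias>[^,\s]+)")
BUILTIN = ("CellDefaultSSLSettings", "NodeDefaultSSLSettings")  # defaults named in the APAR


def find_alias_substitutions(trace_text):
    """Return [(requested_alias, alias_actually_used, thread_id), ...]."""
    pending = {}   # thread id -> alias that JSSEHelper treated as null
    findings = []
    for raw in trace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        dropped = DROPPED.search(msg)
        if dropped:
            pending[thread] = dropped.group("alias")
            continue
        resolved = RESOLVED.search(msg)
        if resolved and thread in pending:
            requested = pending.pop(thread)
            if resolved.group("alias") != requested:
                findings.append((requested, resolved.group("alias"), thread))
    return findings


def at_risk_aliases(aliases):
    """Custom aliases whose name includes 'DefaultSSLSettings' (the APAR's pattern)."""
    return [a for a in aliases if "DefaultSSLSettings" in a and a not in BUILTIN]


if __name__ == "__main__":
    for requested, used, thread in find_alias_substitutions(SAMPLE_TRACE):
        print("thread %s: requested %s, resolved to %s" % (thread, requested, used))
```

Feeding `at_risk_aliases` the alias names from an SSL configuration inventory before moving to an affected fix pack shows which configurations need the rename described under "Temporary fix".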
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server with a custom SSL configuration      *
    *                  alias name that includes                    *
    *                  'DefaultSSLSettings'                        *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere incorrectly handles custom    *
    *                      SSL configurations with alias names     *
    *                      that include 'DefaultSSLSettings'.      *
    *                      The likely result is TLS handshake      *
    *                      failures.                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Following the WebSphere upgrade that includes PH58869 or
    PH61808, custom SSL configurations with alias names that include
    'DefaultSSLSettings' (e.g., 'MQDefaultSSLSettings') are
    incorrectly treated by WebSphere as default keystores, such as
    'CellDefaultSSLSettings' or 'NodeDefaultSSLSettings'.
    

Problem conclusion

  • The bug has been fixed.
    
    The fix for this APAR is targeted for inclusion in fix pack
    9.0.5.22 and 8.5.5.27. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

  • As a workaround, create a new custom SSL configuration with a
    unique name that does not include 'DefaultSSLSettings'. Ensure it
    has the same configuration properties as the original, and use
    this new configuration in place of the one that is not
    functioning correctly.
    
    Reference: "SSLConfigCommands command group for the AdminTask
    object"
    https://www.ibm.com/docs/en/was-nd/8.5.5?topic=tool-sslconfigcommands-command-group-admintask-object#rxml_atsslconfig__cmd9
    https://www.ibm.com/docs/en/was-nd/9.0.5?topic=tool-sslconfigcommands-command-group-admintask-object
    

Comments

APAR Information

  • APAR number

    PH63778

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-10-18

  • Closed date

    2024-11-01

  • Last modified date

    2024-11-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels


Document Information

Modified date:
07 November 2024