APAR status
Closed as program error.
Error description
After upgrading WAS to 9.0.5.20, 9.0.5.21, or 8.5.5.26, customers using SSL configurations with names ending in DefaultSSLSettings, such as MQDefaultSSLSettings, experienced communication issues with MQ. This is due to a code change that treats MQDefaultSSLSettings as a WAS legacy alias, causing the SSL configuration to default to CellDefaultSSLSettings or NodeDefaultSSLSettings instead of using the configured MQDefaultSSLSettings.

In most cases, the communication errors are logged in the WAS SystemOut.log file, with entries such as:

CWWMQ0087W: The SSL settings that will be used by a WebSphere MQ messaging provider connection factory to connect to WebSphere MQ specify multiple cipher suites.
AMQ9204: Connection to host 'IBMDEV(1422)' rejected
and
AMQ9641: Remote CipherSpec error for channel 'IBMDES.SVR.SVLCONN' to host
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').

Some customers also noticed the following errors in the MQ Qmgr error logs.

AMQ9631E The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel <insert_3>.
AMQ9636: SSL distinguished name does not match peer name, channel 'IBM.WAS.SVLLab'.

MQ on Z customers may notice error codes CSQX631E and CSQX636E in the MQ Qmgr.

In the trace file:
----------
[10/10/24 18:48:17:595 SGT] 00000001 SSLConfigMana > getGlobalProperty Entry com.ibm.websphere.ssl.fallback.for.nonexistent.alias false
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper > getProperties Entry MQDefaultSSLSettings {com.ibm.ssl.endPointName=CLIENT_TO_WEBSPHERE_MQ, com.ibm.ssl.direction=outbound} <null>
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper 3 Checking legacyAlias for [MQDefaultSSLSettings]
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper 3 legacy alias is true for alias[DefaultSSLSettings]
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper 3 Handling sslAliasName [MQDefaultSSLSettings] as null.
This is going to use the current default SSL settings.
...
[10/10/24 18:49:32:102 SGT] 0000008b ManagementSco < getConfigAndCertAliasesFromGroups (found from outbound scope) -> CellDefaultSSLSettings Exit
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper 3 configAlias: CellDefaultSSLSettings, certAlias: null
[10/10/24 18:49:32:102 SGT] 0000008b SSLConfigMana > getProperties Entry CellDefaultSSLSettings
----------
CellDefaultSSLSettings in use instead of expected MQDefaultSSLSettings
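
Added example, not part of the APAR and not IBM code: a Python script that scans a WebSphere trace for the JSSEHelper sequence shown above and reports each request where the configured alias was discarded and a different SSL configuration was used. The message patterns come from the excerpt; the function name and the assumption that both messages are logged on the same thread are this example's own.

```python
import re

# Sample input: trace lines taken from the excerpt in this APAR.
SAMPLE_TRACE = """\
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper > getProperties Entry MQDefaultSSLSettings {com.ibm.ssl.endPointName=CLIENT_TO_WEBSPHERE_MQ, com.ibm.ssl.direction=outbound} <null>
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper 3 Checking legacyAlias for [MQDefaultSSLSettings]
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper 3 legacy alias is true for alias[DefaultSSLSettings]
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper 3 Handling sslAliasName [MQDefaultSSLSettings] as null.
This is going to use the current default SSL settings.
[10/10/24 18:49:32:102 SGT] 0000008b JSSEHelper 3 configAlias: CellDefaultSSLSettings, certAlias: null
"""

# [timestamp] threadId component type message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<tid>[0-9a-fA-F]{8})\s+"
                  r"(?P<comp>\S+)\s+\S\s+(?P<msg>.*)$")
NULLED = re.compile(r"Handling sslAliasName \[([^\]]+)\] as null")
RESOLVED = re.compile(r"configAlias: ([^,\s]+), certAlias:")


def find_alias_substitutions(lines):
    """Return one record per request whose alias was nulled and then replaced."""
    pending = {}    # thread id -> alias that JSSEHelper discarded
    findings = []
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m or m.group("comp") != "JSSEHelper":
            continue    # wrapped message text and other components are skipped
        tid, msg = m.group("tid"), m.group("msg")
        nulled = NULLED.search(msg)
        if nulled:
            pending[tid] = nulled.group(1)
            continue
        resolved = RESOLVED.search(msg)
        if resolved and tid in pending:
            requested, used = pending.pop(tid), resolved.group(1)
            if requested != used:
                findings.append({"time": m.group("ts"), "thread": tid,
                                 "requested": requested, "used": used})
    return findings


if __name__ == "__main__":
    for f in find_alias_substitutions(SAMPLE_TRACE.splitlines()):
        print("%(time)s thread %(thread)s: requested %(requested)s, "
              "used %(used)s" % f)
```

Run it against a trace.log collected with SSL tracing enabled; an empty result means no alias was replaced in the traced interval.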
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application Server with a custom SSL configuration alias name that includes 'DefaultSSLSettings'
****************************************************************
* PROBLEM DESCRIPTION: WebSphere incorrectly handles custom SSL configurations with alias names that include 'DefaultSSLSettings'. The likely result is TLS handshake failures.
****************************************************************
* RECOMMENDATION:
****************************************************************
Following the WebSphere upgrade that includes PH58869 or PH61808, custom SSL configurations with alias names that include 'DefaultSSLSettings' (e.g., 'MQDefaultSSLSettings') are incorrectly treated by WebSphere as default keystores, such as 'CellDefaultSSLSettings' or 'NodeDefaultSSLSettings'.
Problem conclusion
The bug has been fixed. The fix for this APAR is targeted for inclusion in fix pack 9.0.5.22 and 8.5.5.27. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
As a workaround, create a new custom SSL configuration with a unique name that does not include 'DefaultSSLSettings'. Ensure it has the same configuration properties as the original, and use this new configuration in place of the one that is not functioning correctly.

Reference: "SSLConfigCommands command group for the AdminTask object"
https://www.ibm.com/docs/en/was-nd/8.5.5?topic=tool-sslconfigcommands-command-group-admintask-object#rxml_atsslconfig__cmd9
https://www.ibm.com/docs/en/was-nd/9.0.5?topic=tool-sslconfigcommands-command-group-admintask-object
Comments
APAR Information
APAR number
PH63778
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-10-18
Closed date
2024-11-01
Last modified date
2024-11-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Document Information
Modified date:
07 November 2024