Troubleshooting
Problem
A recent change in the Java runtimes supported by IBM WebSphere MQ (both IBM and Oracle), made to address a security vulnerability, has the potential to break both product function and applications that use SSL/TLS or Advanced Message Security (AMS) if the truststore/keystore contains a certificate whose serial number contains a leading zero. Examples of Java environments that may be configured to use keystores and are therefore affected by this problem include (but are not limited to):
- IBM Key Management (iKeyman)
- IBM MQ Java/JMS client applications using SSL/TLS or AMS
- IBM MQ Explorer
- IBM MQ Managed File Transfer (MFT)
- IBM MQ Telemetry Transport (MQTT)
- IBM MQ Light (AMQP)
- IBM MQ Web Console & REST API
Action should be taken before upgrading Java runtimes to an affected version to prevent the possibility of an outage.
Symptom
A leading zero encoded in an X.509 certificate serial number now fails the stricter checking applied by the newer levels of Java runtime maintenance, whereas the same certificate encoding is tolerated by other tools, including older levels of Java.
Should any certificate in the keystore be affected, the newer Java runtime will be unable to open the keystore or access any of the certificates within it.
Any MQ installation that uses certificate keystores and is about to upgrade to one of the Java runtime maintenance levels identified below should check whether the keystores contain affected certificates.
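As an added illustration (not part of the IBM technote), a small Python checker for the encoding at issue: it pulls the serialNumber INTEGER out of a DER-encoded certificate and flags a leading 0x00 byte that DER's minimal-encoding rule (X.690 8.3.2) does not permit, which is the form a strict parser rejects. The sample certificates are constructed stubs containing only the version and serial number, and the assumption that this is precisely the check the newer Java runtimes apply is mine.

```python
from typing import Tuple

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def serial_number_bytes(cert_der: bytes) -> bytes:
    """Return the raw content octets of tbsCertificate.serialNumber (RFC 5280)."""
    tag, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30, "Certificate is not a DER SEQUENCE"
    tag, tbs, _ = _read_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a DER SEQUENCE"
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        tag, value, nxt = _read_tlv(tbs, nxt)
    assert tag == 0x02, "serialNumber is not an INTEGER"
    return value

def has_nonminimal_leading_zero(serial: bytes) -> bool:
    """True when the INTEGER opens with a 0x00 that DER (X.690 8.3.2) forbids.

    A leading 0x00 is only legal when the next byte has its high bit set,
    i.e. when it is needed to keep the serial number positive."""
    return len(serial) > 1 and serial[0] == 0x00 and serial[1] < 0x80

def check_certificate(cert_der: bytes) -> bool:
    """True if this certificate would trip the stricter serial-number check."""
    return has_nonminimal_leading_zero(serial_number_bytes(cert_der))

# --- constructed samples (not real certificates): only version + serialNumber ---
def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content      # short-form length only

def make_cert_prefix(serial: bytes) -> bytes:
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))        # [0] { INTEGER 2 } -> v3
    return _tlv(0x30, _tlv(0x30, version + _tlv(0x02, serial)))

GOOD_CERT = make_cert_prefix(b"\x00\x9a\x3f")  # 0x00 required: 0x9a has the high bit set
BAD_CERT = make_cert_prefix(b"\x00\x7a\x3f")   # 0x00 unnecessary: strict DER rejects it
```

To run it against a real keystore, export each alias with `keytool -exportcert` (which writes DER unless `-rfc` is given) and pass the file bytes to `check_certificate`.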
Document Information
Modified date: 28 April 2025
UID: swg22000235