Troubleshooting
Problem
This document is intended to help diagnose IBM MQ Java™ or JMS SSL setup errors.
It lists most of the common configuration errors that can cause an SSL or TLS connection from a Java/JMS client to a queue manager to fail, and gives the course of action to resolve the problem.
In each case the error can be diagnosed by a combination of the error seen in the client log - either a console output, trace file or SystemOut.log file - and the queue manager's error logs.
.
The document is quite long, so the easiest way to find the potential error is to search for one of the errors seen in this list, then filter this list using the error from the opposite end of the channel.
.
All cases here assume that 2-way authentication is being attempted (SSLCAUTH set to REQUIRED on the queue manager's SVRCONN channel). This is the default, and the errors are very similar for 1-way authentication (SSLCAUTH set to OPTIONAL).
It lists most of the common configuration errors that can cause an SSL or TLS connection from a Java/JMS client to a queue manager to fail, and gives the course of action to resolve the problem.
In each case the error can be diagnosed by a combination of the error seen in the client log - either a console output, trace file or SystemOut.log file - and the queue manager's error logs.
.
The document is quite long, so the easiest way to find the potential error is to search for one of the errors seen in this list, then filter this list using the error from the opposite end of the channel.
.
All cases here assume that 2-way authentication is being attempted (SSLCAUTH set to REQUIRED on the queue manager's SVRCONN channel). This is the default, and the errors are very similar for 1-way authentication (SSLCAUTH set to OPTIONAL).
Symptom
- Instructions on collecting documentation
- Cause 1: Client missing personal certificate
- Cause 2: Missing server personal certificate
- Cause 3: Missing server signer on client
- Cause 4: Missing client signer on server
- Cause 5: Cipher spec mismatch
- Cause 6: No cipher enabled on client
- Cause 7: No cipher enabled on queue manager's server connection channel
- Cause 8 Using non-FIPS cipher, FIPS enabled on client (not on server)
- Cause 9: Using non_FIPS cipher, FIPS enabled on server (not on client)
- Cause 10: Using FIPS cipher, FIPS not enabled on client
- Cause 11: Using non_FIPS cipher, FIPS enabled at both ends
- Cause 12: Value of SSLPEER on client does not match personal certificate
- Cause 13: Value of SSLPEER on server does not match personal certificate
- Cause 14: Listener not running on server
- Cause 15: Can not find client keystore
- Cause 16: Client keystore password incorrect
- Cause 17: Can not find client truststore
- Cause 18: Client truststore password incorrect
[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"ARM Category":[{"code":"a8m0z00000008MzAAI","label":"Security"}],"ARM Case Number":"TS014395210","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Product":{"code":"SSKM59","label":"IBM MQ for HPE NonStop"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB77","label":"Automation Platform"}},{"Product":{"code":"SS5K6E","label":"IBM MQ Appliance"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Log InLog in to view more of this document
This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.
Was this topic helpful?
Document Information
Modified date:
28 April 2025
UID
swg21614686
Manage My Notification Subscriptions