Fixes are available
APAR status
Closed as program error.
Error description
After applying Refresh Pack for WebSphere MQ V7.0.1, the SSL enabled channels fail with error AMQ9716: Remote SSL certificate revocation status check failed for channel 'XXXXX'. GSKit trace reveals that it was unable to access the OCSP responder.
Local fix
Add the OCSPAuthentication=OPTIONAL parameter to the mqclient.ini.
Problem summary
****************************************************************
USERS AFFECTED:
All users of WMQ SSL/TLS enabled channels who set OCSPAuthentication to REQUIRED (or who are using the default OCSPAuthentication) and who use an HTTP proxy server to connect to the internet.

Platforms affected:
Windows, All Unix
****************************************************************
PROBLEM SUMMARY:
When OCSPAuthentication is set to 'REQUIRED' and the OCSP responder returns an unknown revocation status for a particular certificate, WebSphere MQ rejects the connection and issues an error message of type AMQ9716.

In this particular case, GSKit was unable to get the revocation status because it could not reach the OCSP responder. Analysis of the GSKit trace in the lab revealed that the attempt to connect to the OCSP responder failed because the OCSP responder URL was unreachable. However, when the OCSP responder URL was entered in an internet browser, the connection was successful. A review of the browser settings revealed that an HTTP proxy server was being used to connect to the internet. GSKit had no knowledge of the HTTP proxy server settings, so it failed to access the OCSP responder.

GSKit has a feature that lets users set the HTTP proxy server to be used by GSKit for OCSP checks. However, WebSphere MQ had not exposed this feature to users.
Problem conclusion
Users can now specify the hostname and the port number of the HTTP proxy server that GSKit uses for OCSP checks. A new environment variable, "MQSSLPROXY", and an INI file parameter, "SSLHTTPProxyName" (under the SSL stanza), have been introduced so that customers can enable the GSKit OCSP proxy feature.

The syntax for using these parameters is as follows.

Set the environment variable MQSSLPROXY as follows:

On Windows:
  set MQSSLPROXY=hostname(port)
  ex: set MQSSLPROXY=proxy.example.ibm.com(80)

On Unix:
  export MQSSLPROXY="hostname(port)"
  ex: export MQSSLPROXY="proxy.example.ibm.com(80)"

The parameter SSLHTTPProxyName can be set in the SSL stanza of the INI file (client or server) as follows:
  SSLHTTPProxyName=hostname(port)

Example:
  # SSL stanza in queue manager's initialization file
  SSL:
    SSLHTTPProxyName=proxy.example.ibm.com(80)

If the port number is not specified, the default HTTP port 80 is used.

The OCSP proxy can be enabled by setting either the MQSSLPROXY environment variable or the SSLHTTPProxyName parameter in the SSL stanza (in the client.ini, qm.ini or Windows registry). If both values are set, the MQSSLPROXY environment variable takes precedence.
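The precedence and default-port rules above, as an added example (not IBM's code and not part of the original APAR): a small audit that resolves which OCSP proxy setting is in effect and flags the OCSPAuthentication=OPTIONAL workaround. The function names, the sample INI text, and the assumptions that OCSPAuthentication is read from the SSL stanza and that an unset value behaves as REQUIRED are all illustrative.

```python
import re

# "hostname(port)" as given in the APAR; the "(port)" part is optional.
PROXY_RE = re.compile(r"^([^\s()]+)(?:\((\d{1,5})\))?$")

def parse_proxy(value):
    """Return (host, port); the port defaults to 80 when omitted."""
    m = PROXY_RE.match(value.strip())
    port = int(m.group(2) or 80) if m else 0
    if not 1 <= port <= 65535:
        raise ValueError(f"not a valid hostname(port): {value!r}")
    return m.group(1), port

def ssl_stanza(ini_text):
    """Collect Key=Value attributes found under the 'SSL:' stanza."""
    attrs, in_ssl = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith(":") and "=" not in line:  # stanza header
            in_ssl = line[:-1].strip().upper() == "SSL"
        elif in_ssl and "=" in line:
            key, _, val = line.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return attrs

def audit(ini_text, environ):
    """Resolve the effective OCSP proxy and flag risky combinations."""
    attrs = ssl_stanza(ini_text)
    # Assumption: an unset OCSPAuthentication behaves as REQUIRED.
    ocsp = attrs.get("ocspauthentication", "REQUIRED").upper()
    env_val = environ.get("MQSSLPROXY", "").strip()
    ini_val = attrs.get("sslhttpproxyname", "")
    # Per the APAR, the environment variable takes precedence over the INI.
    source = "MQSSLPROXY" if env_val else "SSLHTTPProxyName" if ini_val else None
    proxy = parse_proxy(env_val or ini_val) if source else None
    findings = []
    if ocsp == "OPTIONAL":
        findings.append("OCSPAuthentication=OPTIONAL workaround still in place")
    if ocsp == "REQUIRED" and proxy is None:
        findings.append("REQUIRED without an OCSP proxy: AMQ9716 if behind a proxy")
    return {"proxy": proxy, "source": source, "ocsp": ocsp, "findings": findings}

# Constructed sample input, not taken from a real system.
SAMPLE_INI = "SSL:\n  OCSPAuthentication=OPTIONAL\n  SSLHTTPProxyName=proxy.example.ibm.com\n"

if __name__ == "__main__":
    print(audit(SAMPLE_INI, {"MQSSLPROXY": "proxy.example.ibm.com(8080)"}))
```

To check a real host, pass the contents of its qm.ini or mqclient.ini and os.environ as seen by the MQ process.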
---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

                   v7.0
Platform           Fix Pack 7.0.1.2
--------           --------------------
Windows            U200316
AIX                U829807
HP-UX (PA-RISC)    U829678
HP-UX (Itanium)    U829681
Solaris (SPARC)    U829806
Solaris (x86-64)   U829680
Linux (x86)        U829677
Linux (x86-64)     U829676
Linux (zSeries)    U829682
Linux (Power)      U829679

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IC64358
Reported component name
WMQ WINDOWS V7
Reported component ID
5724H7220
Reported release
701
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-11-05
Closed date
2010-02-07
Last modified date
2010-03-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ WINDOWS V7
Fixed component ID
5724H7220
Applicable component levels
R701 PSY
UP
Document Information
Modified date:
31 March 2023