APAR status
Closed as program error.
Error description
An MQ classes for JMS client application attempts to connect to a queue manager using compatibility mode to flow a username and password. The javax.jms.ConnectionFactory.createConnection(String, String) method call fails with a JMSException, wrapping both a com.ibm.mq.jmqi.JmqiException with MQ reason code MQRC_CONNECTION_BROKEN and a java.net.SocketException. An FFDC with probe id RM756099 is generated by a queue manager channel process reporting a zero length password. An example of the header in the generated FFDC is as follows: LVLS :- 9.1.0.0 Product Long Name :- IBM MQ for Windows (x64 platform) Vendor :- IBM O/S Registered :- 1 (amqxcs2.dll) Data Path :- C:\IBM\MQ Installation Path :- C:\IBM\MQ Installation Name :- Installation1 (1) License Type :- Production Probe Id :- RM756099 Application Name :- MQM Component :- rriMQIServerCall SCCS Info :- ...ot1\p910_P\src\com.ibm.mq.common\base\src\cmqxrsrv.c, Line Number :- 1634 Build Date :- Jul 5 2018 Build Level :- p910-L180705 Build Type :- IKAP - (Production) UserID :- TESTUSER Process Path :- C:\IBM\MQ\bin64 Process Name :- amqrmppa.exe Arguments :- -m TESTQM Addressing mode :- 64-bit Thread :- 00000003 RemoteResponder (7520) Session :- 00000000 QueueManager :- TESTQM UserApp :- FALSE Last ObjectName :- Major Errorcode :- rrcE_PROTOCOL_ERROR Minor Errorcode :- OK Probe Type :- MSGAMQ9504 Probe Severity :- 2 Probe Description :- AMQ9504E: A protocol error was detected for channel 'RemotePassword length zero'. FDCSequenceNumber :- 0 Arith1 :- 1300 514 Comment1 :- RemotePassword length zero MQM Function Stack ccxResponder rrxResponder ccxReceiveThreadFn cciProcessOne cciProcessUserData cciProcessAsyncRcv rriServerAsyncRcv rriMQIServerReceive rriMQIServerCall xcsFFST
Local fix
Enable MQCSP authentication mode as per the following MQ Knowledge Center page: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com. ibm.mq.sec.doc/q118680_.htm Alternatively, if password checking is not needed because connection authentication is disabled for example, ensure that a password is not passed by the application into the MQ classes for JMS.
Problem summary
**************************************************************** USERS AFFECTED: This issue affects MQ classes for JMS applications that connect to a queue manager using connection authentication "compatibility mode" and each character in the password that is provided by the application is encoded using more than one byte. Platforms affected: Windows, Solaris x86-64, Solaris SPARC, Linux on zSeries, Linux on x86-64, Linux on S390, Linux on x86, IBM iSeries, Linux on Power, HP-UX OpenVMS, HP-UX PA-RISC, HP-UX Itanium, AIX **************************************************************** PROBLEM DESCRIPTION: When an MQ classes for JMS application connects to a queue manager over a client (TCP/IP) connection, the MQ transmission segments are typically encoded in the queue manager's CCSID. This includes the user identifier and any password value supplied by the application. In the case where (the default) connection authentication compatibility mode is used, as described in the following Knowledge Center page: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com. ibm.mq.sec.doc/q118680_.htm the queue manager channel process will attempt to create an MQCSP structure. The MQCSP will contain the user credentials flowed stored in the MQCD from the client-connection channel that can then be used during authentication processing. In order to create the MQCSP the channel process attempted to calculate how many password bytes needed to be copied from the twelve byte RemotePassword field in the MQCD. It did this by inspecting each byte in turn and incrementing a counter if the byte being verified represented a graphical character (via the use of the isgraph function) and was not a null or space byte. The verification could have resulted in an incorrect password length being calculated if a variable or multi-byte encoding was used and there were characters that were encoded using more than one byte. In the case where all characters in the password required more than one byte to be encoded in the queue manager's CCSID, the password length could be calculated as zero length resulting in a FFDC being generated and the connection to the JMS client application being terminated.
Problem conclusion
The MQ channel process code has been updated to copy all bytes from the MQCD's RemotePassword field into the MQCSP up until the first space or null character. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v9.1 CD 9.1.2 v9.1 LTS 9.1.0.2 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT27733
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7271
Reported release
910
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-01-11
Closed date
2019-01-25
Last modified date
2019-01-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE MP
Fixed component ID
5724H7271
Applicable component levels
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
25 January 2019