IBM Support

IT32725: Add ability to use newer CipherSuites with the MQ-RA 7.1 for use within the WAS 8.5 environment

APAR status

  • Closed as program error.

Error description

  • WebSphere Application Server V8.5.5 embeds the WebSphere MQ V7.1
    resource adapter (MQ-RA), and uses it when communicating with a
    queue manager.
    
    If the communication uses CLIENT transport (TCP/IP), it can be
    secured using a CipherSuite specified on the JMS
    ConnectionFactory. The MQ-RA maps this CipherSuite to a
    CipherSpec, which needs to match the one defined on the MQ
    channel.
    
    The set of CipherSuites which is supported by the MQ-RA v7.1 is
    limited in scope, when compared to the CipherSpecs which are now
    supported by later queue manager versions.  The WebSphere
    Application Server provides support for CipherSuites which can
    negotiate to the newer queue manager supported CipherSpecs, but
    the MQ-RA v7.1 will not permit their use.
    
    Specifying such a CipherSuite and protocol in the WebSphere
    Application Server security configuration results in an
    exception of the following form being thrown when the
    application attempts to connect to the queue manager using the
    configured JMS ConnectionFactory:
    
    com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed
    to connect to queue manager 'myQMGR' with connection mode
    'Client' and host name 'null'.  Check the queue manager is
    started and if running in client mode, check there is a listener
    running. Please see the linked exception for more information.
       at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException
       at com.ibm.msg.client.wmq.common.internal.Reason.createException
       at com.ibm.msg.client.wmq.internal.WMQConnection.getConnectOptions
       at com.ibm.msg.client.wmq.internal.WMQConnection.<init>
       at com.ibm.msg.client.wmq.internal.WMQXAConnection.<init>
       at com.ibm.msg.client.wmq.factories.WMQXAConnectionFactory.createV7ProviderConnection
       at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection
       at com.ibm.msg.client.wmq.factories.WMQXAConnectionFactory.createProviderXAConnection
       at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createXAConnectionInternal
       at com.ibm.mq.jms.MQXAConnectionFactory.createXAConnection
       at com.ibm.ejs.jms.JMSManagedConnection.createConnection
       at com.ibm.ejs.jms.JMSManagedConnection.<init>
       at com.ibm.ejs.jms.JMSManagedConnectionFactory.createUnifiedManagedConnection
       at com.ibm.ejs.jms.JMSManagedConnectionFactory.createManagedConnection
       at com.ibm.ejs.jms.WMQJMSRAManagedConnectionFactory.createManagedConnection
       at com.ibm.ejs.j2c.FreePool.createManagedConnectionWithMCWrapper
       at com.ibm.ejs.j2c.FreePool.createOrWaitForConnection
       at com.ibm.ejs.j2c.PoolManager.reserve
       at com.ibm.ejs.j2c.PoolManager.reserve
       at com.ibm.ejs.j2c.ConnectionManager.allocateMCWrapper
       at com.ibm.ejs.j2c.ConnectionManager.allocateConnection
       at com.ibm.ejs.jms.JMSConnectionFactoryHandle.createConnection
       at ejbs.myApplication
    Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call
    failed with compcode '2' ('MQCC_FAILED') reason '2400'
    ('MQRC_UNSUPPORTED_CIPHER_SUITE').
       at com.ibm.msg.client.wmq.common.internal.Reason.createException
       ... 33 more
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of WebSphere Application Server v8.5
    who have a requirement to utilise a later CipherSuite than that
    which the MQ 7.1 resource adapter supports.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The MQ resource adapter (MQ-RA) contains a map of CipherSuites
    to CipherSpecs, which is used to map the CipherSuite as
    specified on the:
    
      com.ibm.mq.jms.MQConnectionFactory
    
    object with a corresponding CipherSpec which is intended to
    match that set on the MQ channel, when establishing a JMS
    Connection using CLIENT transport mode (TCP/IP).
    
    
    If a CipherSuite had been specified on the MQConnectionFactory
    which was not contained within the map, the MQ classes for JMS
    would reject the connection attempt, with the exception message:
    
    com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed
    with compcode '2' ('MQCC_FAILED') reason '2400'
    ('MQRC_UNSUPPORTED_CIPHER_SUITE').
    
    
    This meant that the newer CipherSpecs which have been added to
    newer versions of the queue manager could not be used from the
    WebSphere Application Server v8.5 environment, which utilised
    the MQ-RA v7.1 to provide MQ connectivity.
    

Problem conclusion

  • As the MQ-RA v7.1 is to continue to be supported when used
    within the WebSphere Application Server v8.5 environment for the
    lifecycle of the WebSphere Application Server, the decision was
    taken to relax the checking of the specified CipherSuite within
    the MQ-RA v7.1, to allow CipherSuites supported by both the
    WebSphere Application Server v8.5 and newer queue managers to be
    used.
    
    For example, the following CipherSpec can be defined on the
    queue manager:
    
      Channel cipherSpec:   'ECDHE_ECDSA_AES_256_CBC_SHA384'
    
    
    With the code change associated with this APAR, the MQ-RA v7.1
    can now establish a connection to the queue manager over this
    channel, by specifying in the WAS security configuration the
    following details:
    
    Security -> SSL certificate and key management -> SSL
    configurations ->
        [select configuration] -> Quality of protection (QoP)
    settings
    
      Protocol:  'TLSv1.2'
      Selected ciphers:  'SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
    
    when using a compatible certificate.
    
    Any CipherSuite/CipherSpec combination which both the WebSphere
    Application Server (and JVM) and queue manager support can be
    utilised in this way.
    
    Note the following restrictions apply:
    
    The MQConnectionFactory must be defined and utilised from the
    WebSphere Application Server JNDI.  If your application
    programmatically defines its own
    com.ibm.mq.jms.MQConnectionFactory object instance, it will not
    make use of the WebSphere Application Server SSL configuration,
    and the connection attempt will fail.
    
    This change only affects the MQ classes for JMS when running in
    the supported WebSphere Application Server v8.5 environment.
    The MQ classes for Java cannot make use of the newer
    CipherSuites.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
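
The conclusion above makes any CipherSuite usable provided the application server's JVM and the queue manager both support it. The following pre-flight check for the JVM side is an added example, not code from IBM or from the fix; the class name `CipherSuitePreflight` is hypothetical, and it assumes the common JSSE naming in which the same suite may be listed with either an `SSL_` or a `TLS_` prefix depending on the JVM vendor.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherSuitePreflight {

    /** Returns the name under which this JVM lists the suite, or null if it does not list it. */
    static String resolve(Set<String> available, String configured) {
        if (available.contains(configured)) {
            return configured;
        }
        // Assumption: the same suite may be listed under the other prefix (SSL_ <-> TLS_).
        String alt = configured.startsWith("SSL_") ? "TLS_" + configured.substring(4)
                   : configured.startsWith("TLS_") ? "SSL_" + configured.substring(4)
                   : null;
        return (alt != null && available.contains(alt)) ? alt : null;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the protocol and cipher quoted in the APAR text; override on the command line.
        String protocol = args.length > 0 ? args[0] : "TLSv1.2";
        String suite = args.length > 1 ? args[1] : "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";

        // Throws NoSuchAlgorithmException if the JVM has no provider for the protocol.
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // default key and trust managers; no connection is made

        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        Set<String> supportedSuites = new HashSet<String>(Arrays.asList(supported.getCipherSuites()));
        Set<String> enabledSuites = new HashSet<String>(Arrays.asList(enabled.getCipherSuites()));

        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        String name = resolve(supportedSuites, suite);
        if (name == null) {
            System.out.println(suite + ": NOT supported by this JVM for " + protocol);
            System.exit(1);
        }
        System.out.println(suite + ": supported as " + name
                + ", enabled by default: " + (resolve(enabledSuites, suite) != null));
    }
}
```

Run it with the same Java runtime the application server uses; the queue manager side still has to be checked against the channel's CipherSpec separately.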
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT32725

  • Reported component name

    WMQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-05-01

  • Closed date

    2020-08-05

  • Last modified date

    2020-08-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels

Document Information

Modified date:
12 August 2020