APAR status
Closed as program error.
Error description
A WebSphere Application Server 8.5.5.19 instance has the interim fix for APAR IT32725 installed. A WebSphere MQ messaging provider JMS connection factory is defined within the application server, and is configured to use a client channel definition table (CCDT) to connect to an MQ 9.1 LTS queue manager. The entry in the CCDT for the queue manager contains the following attribute:

SSLCIPH(SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256)

The WebSphere Application Server security configuration associated with the connection factory has been set up with the corresponding CipherSuite and protocol for this CipherSpec. However, when an enterprise application tries to use the connection factory to connect to the queue manager, an error occurs containing the following exception:

JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2195' ('MQRC_UNEXPECTED_ERROR').
...
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2195;AMQ9204: Connection to host 'hostname(port)' rejected.
[1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2195;AMQ9635: Channel '?' did not specify a valid CipherSpec. []],3=hostname(port),5=RemoteTCPConnection.parseCipherSpec]
...
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of:
- WebSphere Application Server v8.5 who have:
  - JMS connection factories that are configured to use a client channel definition table (CCDT) when creating connections to an MQ queue manager.
  - And a requirement for the CCDT entries used by the connection factories to utilise a later Cipher than that which the WebSphere MQ 7.1 resource adapter supports.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
The WebSphere MQ 7.1 resource adapter contains a map of CipherSuites to CipherSpecs. When a JMS Connection is established using CLIENT transport mode (TCP/IP), this map is used to translate the CipherSuite specified on the com.ibm.mq.jms.MQConnectionFactory object into the corresponding CipherSpec, which is intended to match the one set on the MQ channel.

APAR IT32725 added some functionality to the WebSphere MQ resource adapter, to allow CipherSuites supported by both WebSphere Application Server v8.5 and newer queue managers to be used even if they were not in the map. However, this functionality did not work for JMS connection factories that had been configured to use a client channel definition table (CCDT).

If an application was running inside of a WebSphere Application Server 8.5.5 system that had the fix for IT32725 installed, and used a connection factory that had been configured to use a CCDT to create a secure connection to a queue manager using a Cipher that was not in the map, the connection attempt would fail with the following exception:

JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2195' ('MQRC_UNEXPECTED_ERROR').
  at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:204)
  ... 47 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2195;AMQ9204: Connection to host 'hostname(port)' rejected.
[1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2195;AMQ9635: Channel '?' did not specify a valid CipherSpec. []],3=hostname(port),5=RemoteTCPConnection.parseCipherSpec]
  at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2099)
  at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1348)
  ...
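A triage check for the failure signature quoted above, as an added example (not IBM's code): it scans log text for an AMQ9204 rejection with reason 2195 whose nested cause is AMQ9635 raised from parseCipherSpec, and ignores other AMQ9204 rejections. The function name and the sample log, including its host names and timestamps, are constructed for illustration.

```python
import re

# Signature built from the exception text quoted in this APAR: an AMQ9204
# rejection (RC=2195) whose nested cause is AMQ9635 from parseCipherSpec.
SIGNATURE = re.compile(
    r"RC=2195;AMQ9204: Connection to host '(?P<host>[^']+)' rejected\."
    r".{0,120}?AMQ9635: Channel '(?P<channel>[^']*)' "
    r"did not specify a valid CipherSpec"
    r".{0,120}?5=RemoteTCPConnection\.parseCipherSpec",
    re.DOTALL,  # the nested cause may wrap onto the following log line
)

# Constructed sample log: host names and timestamps are made up. The first
# exception carries the APAR signature; the second is an unrelated
# authorization failure (reason 2035) that must not be reported.
SAMPLE_LOG = """\
[4/26/21 10:15:02:113 UTC] 0000007a SystemErr R JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2195' ('MQRC_UNEXPECTED_ERROR').
[4/26/21 10:15:02:114 UTC] 0000007a SystemErr R Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2195;AMQ9204: Connection to host 'mqhost.example(1414)' rejected.
[1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2195;AMQ9635: Channel '?' did not specify a valid CipherSpec. []],3=mqhost.example(1414),5=RemoteTCPConnection.parseCipherSpec]
[4/26/21 10:20:40:007 UTC] 0000007b SystemErr R JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
[4/26/21 10:20:40:008 UTC] 0000007b SystemErr R Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2035;AMQ9204: Connection to host 'otherhost.example(1414)' rejected.
"""


def find_cipherspec_rejections(log_text):
    """Return one {'host', 'channel'} dict per occurrence of the signature."""
    return [m.groupdict() for m in SIGNATURE.finditer(log_text)]


if __name__ == "__main__":
    for hit in find_cipherspec_rejections(SAMPLE_LOG):
        print(
            "CipherSpec rejected connecting to %(host)s (channel %(channel)s)"
            % hit
        )
```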
Problem conclusion
This APAR extends the fix for APAR IT32725 to allow JMS connection factories that use a client channel definition table (CCDT) to utilise CipherSuites supported by both WebSphere Application Server 8.5.5 and newer queue managers (such as SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256).

Note that the MQConnectionFactory must be defined and utilised from the WebSphere Application Server JNDI. If your application programmatically defines its own com.ibm.mq.jms.MQConnectionFactory object instance, it will not make use of the WebSphere Application Server SSL configuration, and the connection attempt will fail.
Temporary fix
Comments
APAR Information
APAR number
IT36699
Reported component name
MQ WINDOWS V7
Reported component ID
5724H7220
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-04-26
Closed date
2021-10-29
Last modified date
2021-10-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ WINDOWS V7
Fixed component ID
5724H7220
Applicable component levels
Document Information
Modified date:
30 October 2021