IBM Support

IT40433: MQ FIPS enabled connections fail to connect with MQRC 2538 aftera WAS 8.5 JRE update

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • The JRE for WebSphere Application Server 8.5 was upgraded
between versions:

  7.1.4.35 to 7.1.4.75

Following the upgrade, when the application server was restarted
and an application attempted to connect to the queue manager
using the MQ classes for Java, specifying the following
properties and values in the Hashtable used on the
MQQueueManager constructor:

  MQConstants.SSL_FIPS_REQUIRED_PROPERTY = true
  MQConstants.PORT_PROPERTY = <QUEUE MANAGER PORT NUMBER>
  MQConstants.HOST_NAME_PROPERTY = <QUEUE MANAGER HOST NAME>
  MQConstants.CHANNEL_PROPERTY = <QUEUE MANAGER CHANNEL NAME>
  MQConstants.SSL_CIPHER_SUITE_PROPERTY =
"SSL_RSA_WITH_3DES_EDE_CBC_SHA"
  MQConstants.TRANSPORT_PROPERTY =
MQConstants.TRANSPORT_MQSERIES_CLIENT

then the connection request failed to be established, with the
following exception being reported back to the application:

com.ibm.mq.jmqi.JmqiException: CC=2;RC=2538;AMQ9204: Connection
to host 'myhost.mydomain:1414' rejected.
[1=java.lang.NumberFormatException[For input string:
"20201001--155"],3=myhost.mydomain:1414,4=TCP,5=Socket.connect]
        at
com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLoc
alAddress(RemoteTCPConnection.java:996)
        at
com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(
RemoteTCPConnection.java:1267)
        at
com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConne
ction.java:739)
        at
com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSes
sionFromNewConnection(RemoteConnectionSpecification.java:358)
        at
com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSes
sion(RemoteConnectionSpecification.java:267)
        at
com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(Remo
teConnectionPool.java:162)
        at
com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:
1710)
        at
com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:
1348)
        at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:924)
        at
com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.
java:221)
        at
com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedCon
nection(MQClientManagedConnectionFactoryJ11.java:553)
        at
com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConn
ection(MQClientManagedConnectionFactoryJ11.java:593)
        at
com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnectio
n.java:96)
        at
com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimple
ConnectionManager.java:198)
        at
com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueu
eManagerFactory.java:893)
        at
com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.j
ava:780)
        at
com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueMa
nagerFactory.java:729)
        at
com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManag
erFactory.java:177)
        at
com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:753)
        ... ... ...
Caused by: java.lang.NumberFormatException: For input string:
"20201001--155"
        at
java.lang.NumberFormatException.forInputString(NumberFormatExcep
tion.java:77)
        at java.lang.Integer.parseInt(Integer.java:504)
        at java.lang.Integer.parseInt(Integer.java:539)
        at
com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.chooseSocketFact
ory(RemoteTCPConnection.java:2246)
        at
com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure
(RemoteTCPConnection.java:1950)
        at
com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLoc
alAddress(RemoteTCPConnection.java:860)
        ... 23 more

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
This issue affects users of the WebSphere MQ resource adapter
v7.1 embedded within WebSphere Application Server 8.5, who have
systems that meet the requirements shown below:


(1) The FIPS enablement flag on the connection request needs to
have been configured.
For example:
For the MQ classes for Java, using the com.ibm.mq.MQQueueManager
constructor properties Hashtable containing the entry:
  MQConstants.SSL_FIPS_REQUIRED_PROPERTY = true

For the MQ classes for JMS, using the MQConnectionFactory setter
method:
  com.ibm.mq.jms.MQConnectionFactory.setSSLFipsRequired( true )
or setting the corresponding object property:
  SSLFIPSREQUIRED = YES


(2) Not using a TLS v1.2 CipherSuite (the WebSphere MQ Resource
Adapter v7.1 does not provide support for newer TLS protocols
than 1.2)


(3) Using an IBM JRE which is at the following versions or
newer:
        Java 7.0.10.60
        Java 7.1.4.60
        Java 8.0.5.40


(4) A custom socket factory has not been provided to the MQ
classes for Java/JMS, for example by using the method:

&#09;com.ibm.mq.jms.MQConnectionFactory.setSSLSocketFactory(java
.lang.Object sf)



Platforms affected:
MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
If all of the conditions listed above are met, then an attempt
to establish a connection to MQ from either the MQ classes for
Java or JMS APIs would fail with exception containing the root
cause:

Caused by: java.lang.NumberFormatException: For input string:
"20210407--269"
at
java.lang.NumberFormatException.forInputString(NumberFormatExcep
tion.java:76)
at java.lang.Integer.parseInt(Integer.java:592)
at java.lang.Integer.parseInt(Integer.java:627)
at
com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.chooseSocketFact
ory(RemoteTCPConnection.java:2246)
at
com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure
(RemoteTCPConnection.java:1950)
at
com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLoc
alAddress(RemoteTCPConnection.java:860)
... 15 more


Note that the input string reported will change depending on the
version of the JRE being used.


When the MQ classes for Java/JMS had been been configured to
make a FIPS compliant connection using an older TLS protocol
(TLS 1.1 and earlier), the WebSphere MQ Resource Adapter v7.1
was required to set a JVM System Property, which varied
depending on the version of the IBM Java JSSE FIPS provider
which was present in the current Java runtime.

To do this, the WebSphere MQ Resource Adapter v7.1 was checking
the implementation version number of the IBM JSSE FIPS provider,
the format for which changed in the IBM JRE versions:

        Java 7.0.10.60
        Java 7.1.4.60
        Java 8.0.5.40

Consequently the parsing of the version information would fail,
resulting in the connection attempt failing.

This issue only affects the WebSphere MQ Resource Adapter v7.1.

    



Problem conclusion


    

  • The WebSphere MQ Resource Adapter v7.1 has been updated such
that it will be able to process the newer JRE style version
information contained within the IBM JSSE FIPS provider package.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT40433
    • 

  • Reported component name
    MQ WINDOWS V7
    • 

  • Reported component ID
    5724H7220
    • 

  • Reported release
    710
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-03-29
    • 

  • Closed date
    2022-05-11
    • 

  • Last modified date
    2022-05-11
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    MQ WINDOWS V7
    • 

  • Fixed component ID
    5724H7220
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            12 May 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback