APAR status
Closed as program error.
Error description
When attempting to make a secure connection to a queue manager from an application using the MQ classes for Java or the MQ classes for JMS, an Exception is thrown if there is no Certificate Revocation List (CRL) defined on a certificate in the certificate store being used to secure the connection. Previously no Exception was thrown by the MQ classes for Java or MQ classes for JMS.

The exception is seen when using a non-IBM JRE, and occurred after migration from an Open LDAP based LDAP server to an Active Directory LDAP server.

The stack trace of the Exception thrown is similar to the following:

[14/06/15 12:03:42.531.00] 0001 [javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-0310081B, problem 5012 (DIR_ERROR), data 0
[14/06/15 12:03:42.531.00] 0001 ]; remaining name 'cn=hostname.com'
[14/06/15 12:03:42.531.00] 0001 ] [java.security.cert.CertStoreException] at:
[14/06/15 12:03:42.531.00] 0001 sun.security.provider.certpath.ldap.LDAPCertStore.getCRLs(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 sun.security.provider.certpath.ldap.LDAPCertStore.engineGetCRLs(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 java.security.cert.CertStore.getCRLs(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.util.RemoteSSLCRLHelper.checkCRL(RemoteSSLCRLHelper.java:180)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1387)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:860)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1725)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:342)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:8476)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:7818)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection(JmsConnectionFactoryImpl.java:299)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:236)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6018)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6043)
[14/06/15 12:03:42.531.00] 0001 JmsProducer.main(JmsProducer.java:119)
[14/06/15 12:03:42.531.00] 0001 Object ClassLoader = null
[14/06/15 12:03:42.531.00] 0001 CurrentThread ClassLoader = sun.misc.Launcher$AppClassLoader@73d16e93
[14/06/15 12:03:42.531.00] 0001 Cause:
[14/06/15 12:03:42.531.00] 0001
[14/06/15 12:03:42.531.00] 0001 [[LDAP: error code 1 - 000020D6: SvcErr: DSID-0310081B, problem 5012 (DIR_ERROR), data 0
[14/06/15 12:03:42.531.00] 0001 ]
[14/06/15 12:03:42.531.00] 0001 ] [javax.naming.NamingException] at:
[14/06/15 12:03:42.531.00] 0001 com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 com.sun.jndi.ldap.LdapCtx.c_getAttributes(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 javax.naming.directory.InitialDirContext.getAttributes(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 sun.security.provider.certpath.ldap.LDAPCertStore$LDAPRequest.getValueMap(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 sun.security.provider.certpath.ldap.LDAPCertStore$LDAPRequest.getValues(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 sun.security.provider.certpath.ldap.LDAPCertStore.getCRLs(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 sun.security.provider.certpath.ldap.LDAPCertStore.engineGetCRLs(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 java.security.cert.CertStore.getCRLs(Unknown Source)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.util.RemoteSSLCRLHelper.checkCRL(RemoteSSLCRLHelper.java:180)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1387)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:860)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1725)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:342)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:8476)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:7818)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection(JmsConnectionFactoryImpl.java:299)
[14/06/15 12:03:42.531.00] 0001 com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:236)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6018)
[14/06/15 12:03:42.531.00] 0001 com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6043)
[14/06/15 12:03:42.531.00] 0001 JmsProducer.main(JmsProducer.java:119)
[14/06/15 12:03:42.531.00] 0001 Object ClassLoader = null
[14/06/15 12:03:42.531.00] 0001 CurrentThread ClassLoader = sun.misc.Launcher$AppClassLoader@73d16e93
[14/06/15 12:03:42.531.01] 0001 @10e31a9a c.i.m.j.remote.util.RemoteSSLCRLHelper ----+----+--- ! checkCRL(X509Certificate,Collection<?>)<throwIndex 2>,
[14/06/15 12:03:42.531.01] 0001 [javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-0310081B, problem 5012 (DIR_ERROR), data 0
[14/06/15 12:03:42.531.01] 0001 ]; remaining name 'cn=r9vvd1m.hursley.ibm.com'
[14/06/15 12:03:42.531.01] 0001 ] [java.security.cert.CertStoreException]
[14/06/15 12:03:42.532.00] 0001 @10e31a9a c.i.m.j.remote.util.RemoteSSLCRLHelper ----+----+--- X checkCRL(X509Certificate,Collection<?>)<catchIndex 6>
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the MQ classes for Java or classes for JMS where all the following conditions apply:
- the IBM MQ classes for Java or IBM MQ classes for JMS in use are at version 7.0.1, 7.1, 7.5 or 8
- the application runs using a non-IBM Java Runtime Environment (JRE).
- the application uses secured connections to communicate with the queue manager.
- the certificates used to secure the connections are stored in an Active Directory based LDAP server
- one or more certificates in the certificate store do not have any Certificate Revocation Lists (CRLs) defined.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
When attempting to make a secure connection to a queue manager, the MQ classes for Java and MQ classes for JMS query each certificate in the specified certificate store to see if it has any Certificate Revocation Lists (CRLs) defined.

If no CRL has been specified for a certificate, the Java Runtime Environment (JRE) will return an exception to the MQ classes for Java or MQ classes for JMS. The MQ classes for Java or classes for JMS will then handle this exception internally, and carry on processing the certificate.

The MQ classes for Java and classes for JMS were expecting the exception returned by the JRE to be of type javax.naming.NameNotFoundException. However, if the MQ classes for Java or classes for JMS were running in a non-IBM JRE, and the certificates were stored in an Active Directory based LDAP server, a javax.naming.NamingException was returned instead.

Because the MQ classes for Java and classes for JMS were not expecting this type of exception, the exception was thrown back to the application rather than being handled internally.
Problem conclusion
The MQ classes for Java and MQ classes for JMS have been updated so that any javax.naming.NamingExceptions thrown because there is no CRL defined on a certificate are handled internally, and are not thrown back to the application.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v7.0       7.0.1.14
v7.1       7.1.0.7
v7.5       7.5.0.6
v8.0       8.0.0.4

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
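The exception-type mismatch described above, as an added example that is not IBM MQ source code: a CRL lookup wrapper that accepts only NameNotFoundException lets the parent NamingException escape, while one that accepts the parent type does not. The class, interface and method names are hypothetical, and both failures are constructed inline so the program runs without an LDAP server.

```java
import java.security.cert.CRL;
import java.security.cert.CertStoreException;
import java.util.Collection;
import java.util.Collections;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
// Added illustration, not IBM MQ source; all class and method names are hypothetical.
public class CrlLookupDemo {
    interface CrlSource { Collection<? extends CRL> fetch() throws CertStoreException; }

    // Behaviour described as the defect: only NameNotFoundException means "no CRL defined".
    static Collection<? extends CRL> narrow(CrlSource s) throws CertStoreException {
        try {
            return s.fetch();
        } catch (CertStoreException e) {
            if (e.getCause() instanceof NameNotFoundException) return Collections.emptyList();
            throw e; // a plain NamingException reaches the application
        }
    }
    // Modelled on the fix description (an assumption about its shape): accept the parent type.
    static Collection<? extends CRL> broad(CrlSource s) throws CertStoreException {
        try {
            return s.fetch();
        } catch (CertStoreException e) {
            if (!(e.getCause() instanceof NamingException)) throw e;
            // Record the directory error so a skipped revocation lookup stays visible.
            System.err.println("CRL lookup returned no list: " + e.getCause().getMessage());
            return Collections.emptyList();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed failures; the second message is copied from the trace in this APAR.
        CrlSource notFound = () -> {
            throw new CertStoreException(new NameNotFoundException("constructed: entry has no CRL"));
        };
        CrlSource dirError = () -> {
            throw new CertStoreException(new NamingException(
                "[LDAP: error code 1 - 000020D6: SvcErr: DSID-0310081B, problem 5012 (DIR_ERROR), data 0]"));
        };
        System.out.println("narrow, NameNotFoundException: " + narrow(notFound).size() + " CRLs");
        try {
            narrow(dirError);
        } catch (CertStoreException e) {
            System.out.println("narrow, NamingException: thrown to caller");
        }
        System.out.println("broad, NamingException: " + broad(dirError).size() + " CRLs");
    }
}
```

Because javax.naming.NamingException is the superclass of the JNDI naming exceptions, a handler written against it also matches directory failures other than a missing CRL entry, which is why the sketch logs the underlying message instead of discarding it.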
Temporary fix
Comments
APAR Information
APAR number
IT14282
Reported component name
WMQ WINDOWS V7
Reported component ID
5724H7220
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-03-11
Closed date
2016-08-22
Last modified date
2016-08-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ WINDOWS V7
Fixed component ID
5724H7220
Applicable component levels
R710 PSY
UP
Document Information
Modified date:
09 March 2021