APAR status
Closed as program error.
Error description
When using the IBM MQ Java client (either the classes for JMS API or the classes for Java API), any exceptions that occurred while loading the Advanced Message Security (AMS) Java Interceptor code were ignored and were not propagated to applications. This meant that client side AMS Interception for Java application was disabled and applications could receive messages with encrypted payloads. If this occurred within an MQ classes for JMS application, for example, calling the getText() or toString() method on the JMS TextMessage object resulted in the following JMSException being thrown: JMSCMQ1049: The character set '1208(UTF-8) Unmappable Action: REPORT Unmappable Replacement: 63' cannot convert some or all of the string '[B@16d143b' [com.ibm.msg.client.jms.DetailedJMSException] sun.reflect.NativeConstructorAccessorImpl.newInstance0 sun.reflect.NativeConstructorAccessorImpl.newInstance sun.reflect.DelegatingConstructorAccessorImpl.newInstance java.lang.reflect.Constructor.newInstance com.ibm.msg.client.commonservices.j2se.NLSServices.createExcepti on com.ibm.msg.client.commonservices.nls.NLSServices.createExceptio n com.ibm.msg.client.wmq.common.internal.WMQUtils.computeTextFromB ytes com.ibm.msg.client.wmq.common.internal.WMQUtils.computeTextFromB yteBuffer com.ibm.msg.client.wmq.common.internal.messages.WMQTextMessage.g etText com.ibm.msg.client.jms.internal.JmsTextMessageImpl.getText com.ibm.msg.client.jms.internal.JmsTextMessageImpl.toString com.ibm.jms.JMSMessage.toString
Local fix
Ensure that the only version of the Bouncy Castle library available in the application environment is version 1.52, which is included alongside the IBM MQ V9 standalone Java client jar files and within the JCA Resource Adapter.
Problem summary
**************************************************************** USERS AFFECTED: This issue affects users of the: - IBM MQ V9 classes for Java - IBM MQ V9 classes for JMS - IBM MQ V9 JCA Resource Adapter - IBM MQ V9 OSGi bundles Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: The IBM MQ V9 Java Message Queuing Interface (JMQI), which underpins the MQ classes for JMS and classes for Java APIs, will always attempt load the Advanced Message Security (AMS) Java Interceptor code when instantiated for client side message encrypted and decryption. Any exceptions that were caught during this operation were ignored and AMS Interception within the JMQI was disabled. This meant that message encryption and decryption could not take place. As a results, messages returned to applications would still have encrypted payloads. One scenario in which this problem has been observed was when an MQ classes for JMS application, using the MQ V9 Resource Adapter, was deployed into Oracle WebLogic application server. In this environment the issue was due to an incompatibility between different versions of the open source Bouncy Castle library. IBM MQ Advanced Message Security (AMS) implements Cryptographic Message Syntax (CMS), which is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. IBM MQ V9 AMS support in IBM MQ classes for Java and IBM MQ classes for JMS uses the Bouncy Castle V1.52 library to support CMS. Oracle WebLogic ships an earlier version of the Bouncy Castle library which is not compatible with the IBM MQ Java AMS Interceptor. Any exceptions thrown within the MQ Java client while loading the AMS Java Interceptor code were ignored and AMS Interception within the MQ Java client code was disabled. If a classes for JMS application, for example, then consumed a JMS TextMessage that was encrypted with AMS when it was put, the message payload would remain encrypted when it was returned to the application.
Problem conclusion
The IBM MQ V9 Java MQI (JMQI) has been updated such that any exceptions that occur while loading the Advanced Message Security (AMS) Java Interceptor are thrown to the application. This will highlight unexpected errors in the environment and avoid encrypted messages being returned to the application. If exceptions are now being thrown because the AMS Java Interceptor code cannot be loaded, but AMS function is not being used, the AMQ_DISABLE_CLIENT_AMS property can be used to avoid the JMQI attempting to load the AMS Java Interceptor code: http://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm. mq.sec.doc/q127080_.htm --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v9.0 CD 9.0.4 v9.0 LTS 9.0.0.2 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT17247
Reported component name
IBM MQ BASE M/P
Reported component ID
5724H7261
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-09-27
Closed date
2017-05-26
Last modified date
2017-05-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE M/P
Fixed component ID
5724H7261
Applicable component levels
R900 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
26 May 2017