APAR status
Closed as program error.
Error description
A message is generated and put to an AMS enabled queue using a C-application which utilises the IBM MQ v9.0 client libraries. An attempt is then made to consume the message using a WebSphere MQ classes for Java application which is using the WebSphere MQ v7.5 client libraries (.jar files). The 'get' fails with an exception of the following form: com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2063'. at com.ibm.mq.MQDestination.getInt(MQDestination.java:659) at com.ibm.mq.MQDestination.get(MQDestination.java:456) at MyApplication.getMessage(MyApplication.java:109) at MyApplication.main(MyApplication.java:45) and the message buffer is populated with encrypted data, rather than the decrypted message data which was expected. In addition to the above exception being output, a pair of log messages are also output to the log file (mqjms0.log by default) which reads: ---------------------------------------------------------------- ---- August 7, 2017 3:31:00 PM BST[main] com.ibm.mq.ese.intercept.JmqiGetInterceptorImpl The IBM WebSphere MQ Advanced Message Security Java interceptor failed to unprotect the received message. An error occurred when the IBM WebSphere MQ Advanced Message Security Java interceptor was unprotecting the received message. See subsequent messages in the exception for more details about the cause of the error ---------------------------------------------------------------- ---- August 7, 2017 3:31:00 PM BST[main] com.ibm.mq.ese.service.EseMQServiceImpl The IBM WebSphere MQ Advanced Message Security interceptor has put a defective message on error handling queue 'SYSTEM.PROTECTION.ERROR.QUEUE '. EXPLANATION: This is an informational message that indicates the IBM WebSphere MQ Advanced Message Security put a message it could not interpret on the specified error handling queue. ACTION: Make sure only valid messages are put onto queues protected by IBM WebSphere MQ Advanced Message Security. ---------------------------------------------------------------- ----
Local fix
none available - fix required
Problem summary
**************************************************************** USERS AFFECTED: Users of the WebSphere MQ classes for Java/JMS v7.5 or v8.0 who are consuming messages from AMS protected queues, where the messages put to those queues were secured using an MQ v9.0 client. Users of the IBM MQ classes for Java/JMS v9.0 to consume the same messages are not affected but this issue. Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: When a message is protected using the IBM MQ Advanced Message Security (AMS) function, a 'PDMQ' header is added to the message which the IBM MQ client libraries use to decrypt the messages at the message endpoints. In order to accommodate AMS enhancements at MQ v9.0, the 'PDMQ' header was extended in size. This change was intended to be backward compatible with older clients, as the header defines its length and the location where the encrypted payload data starts. The IBM MQ classes for Java/JMS were updated during the development of MQ v9.0 to use these values. However older levels of code (WebSphere MQ classes for Java/JMS v7.5 and v8.0) used fixed values for the header length and data offset location, instead of the header defined length value. As a consequence, when a message was generated and protected using a MQ v9.0 client, and then consumed using the WebSphere MQ classes for Java/JMS v7.5 or v8.0, a incorrect data byte offset was used when getting the the encrypted bytes to send to the decryption libraries, which subsequently failed to decrypt the data. The exception thrown by the WebSphere MQ classes for Java libraries was of the form: com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2063'. at com.ibm.mq.MQDestination.getInt(MQDestination.java:659) at com.ibm.mq.MQDestination.get(MQDestination.java:456) at MyApplication.MyMethod(MyApplication.java:106) with no linked exception, and the message would be moved to to the queue: SYSTEM.PROTECTION.ERROR.QUEUE In addition, two messages were output to the 'mqjms0.log' log file as seen in the above description which stated that message decryption had failed, and that the message was moved to the queue 'SYSTEM.PROTECTION.ERROR.QUEUE'.
Problem conclusion
The WebSphere MQ classes for Java/JMS v7.5/v8.0 have been updated to use the message data offset value as stated within the PDMQ header, which ensures that the correct encrypted data is used by during the decryption process. the v9.0 code change associated with this APAR provides no external behavioural change (this problem does not affect the IBM MQ v9.0 classes for Java/JMS). Instead, it enhances some of the internal diagnostics which are output to trace when trace is enabled. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v7.5 7.5.0.9 v8.0 8.0.0.9 v9.0 CD 9.0.5 v9.0 LTS 9.0.0.3 The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037 If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates' http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309 ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT21589
Reported component name
WMQ BASE MULTIP
Reported component ID
5724H7241
Reported release
750
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-07-25
Closed date
2017-11-21
Last modified date
2017-11-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ BASE MULTIP
Fixed component ID
5724H7241
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDEZSF","label":"IBM WebSphere MQ Managed File Transfer for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
31 March 2023