APAR status
Closed as program error.
Error description
WebSphere Application Server V8.5.5 embeds the WebSphere MQ V7.1 resource adapter (MQ-RA) and uses it when communicating with a queue manager. If the communication uses a CLIENT transport (TCP/IP), it can be secured using a CipherSuite specified on the JMS ConnectionFactory. The MQ-RA maps this CipherSuite to a CipherSpec, which needs to match the CipherSpec defined on the MQ channel.

The set of CipherSuites supported by the MQ-RA v7.1 is limited in scope when compared to the CipherSpecs which are now supported by later queue manager versions. The WebSphere Application Server provides support for CipherSuites which can negotiate to the CipherSpecs supported by newer queue managers, but the MQ-RA v7.1 will not permit their use.

Specifying such a CipherSuite and protocol in the WebSphere Application Server security configuration results in an exception of the following form being thrown when the application attempts to connect to the queue manager using the configured JMS ConnectionFactory:

com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'myQMGR' with connection mode 'Client' and host name 'null'. Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
    at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException
    at com.ibm.msg.client.wmq.common.internal.Reason.createException
    at com.ibm.msg.client.wmq.internal.WMQConnection.getConnectOptions
    at com.ibm.msg.client.wmq.internal.WMQConnection.<init>
    at com.ibm.msg.client.wmq.internal.WMQXAConnection.<init>
    at com.ibm.msg.client.wmq.factories.WMQXAConnectionFactory.createV7ProviderConnection
    at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection
    at com.ibm.msg.client.wmq.factories.WMQXAConnectionFactory.createProviderXAConnection
    at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createXAConnectionInternal
    at com.ibm.mq.jms.MQXAConnectionFactory.createXAConnection
    at com.ibm.ejs.jms.JMSManagedConnection.createConnection
    at com.ibm.ejs.jms.JMSManagedConnection.<init>
    at com.ibm.ejs.jms.JMSManagedConnectionFactory.createUnifiedManagedConnection
    at com.ibm.ejs.jms.JMSManagedConnectionFactory.createManagedConnection
    at com.ibm.ejs.jms.WMQJMSRAManagedConnectionFactory.createManagedConnection
    at com.ibm.ejs.j2c.FreePool.createManagedConnectionWithMCWrapper
    at com.ibm.ejs.j2c.FreePool.createOrWaitForConnection
    at com.ibm.ejs.j2c.PoolManager.reserve
    at com.ibm.ejs.j2c.PoolManager.reserve
    at com.ibm.ejs.j2c.ConnectionManager.allocateMCWrapper
    at com.ibm.ejs.j2c.ConnectionManager.allocateConnection
    at com.ibm.ejs.jms.JMSConnectionFactoryHandle.createConnection
    at ejbs.myApplication
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').
    at com.ibm.msg.client.wmq.common.internal.Reason.createException
    ... 33 more
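A log triage sketch for the failure shown above, added here as an example and not IBM code: it pairs each JMSWMQ0018 connect failure with its linked JMSCMQ0001 cause and reports the queue managers rejected with reason 2400, so a CipherSuite mismatch is not mistaken for an unavailable listener. The sample log text, the second queue manager name and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the exception text in this APAR (not a real log).
SAMPLE_LOG = """\
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'myQMGR' with connection mode 'Client' and host name 'null'.
    at com.ibm.msg.client.wmq.internal.WMQConnection.getConnectOptions
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'otherQM' with connection mode 'Client' and host name 'null'.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE').
"""

CONNECT_RE = re.compile(r"JMSWMQ0018: Failed to connect to queue manager '([^']*)'")
# Quotes around the reason number are optional: some copies of the message drop one.
CAUSE_RE = re.compile(
    r"JMSCMQ0001: .*?compcode '(\d+)' \('(\w+)'\) reason '?(\d+)'? \('(\w+)'\)")

UNSUPPORTED_CIPHER_SUITE = 2400  # MQRC_UNSUPPORTED_CIPHER_SUITE


def find_connect_failures(log_text):
    """Pair each JMSWMQ0018 connect failure with the first linked cause after it."""
    failures, current = [], None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            current = {"qmgr": m.group(1), "reason": None, "reason_name": None}
            failures.append(current)
            continue
        m = CAUSE_RE.search(line)
        if m and current is not None and current["reason"] is None:
            current["reason"] = int(m.group(3))
            current["reason_name"] = m.group(4)
    return failures


def cipher_suite_rejections(log_text):
    """Queue managers whose connection was refused with reason 2400."""
    return sorted({f["qmgr"] for f in find_connect_failures(log_text)
                   if f["reason"] == UNSUPPORTED_CIPHER_SUITE})


if __name__ == "__main__":
    for qmgr in cipher_suite_rejections(SAMPLE_LOG):
        print(f"{qmgr}: CipherSuite rejected by MQ-RA; compare the WAS SSL "
              "configuration with the channel CipherSpec")
```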
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of WebSphere Application Server v8.5 who have a requirement to utilise a later CipherSuite than that which the MQ 7.1 resource adapter supports.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
The MQ resource adapter (MQ-RA) contains a map of CipherSuites to CipherSpecs. When establishing a JMS Connection using CLIENT transport mode (TCP/IP), this map is used to map the CipherSuite specified on the com.ibm.mq.jms.MQConnectionFactory object to a corresponding CipherSpec, which is intended to match that set on the MQ channel.

If a CipherSuite had been specified on the MQConnectionFactory which was not contained within the map, the MQ classes for JMS would reject the connection attempt, with the exception message:

com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').

This meant that the newer CipherSpecs which have been added to newer versions of the queue manager could not be used from the WebSphere Application Server v8.5 environment, which utilised the MQ-RA v7.1 to provide MQ connectivity.
Problem conclusion
As the MQ-RA v7.1 is to continue to be supported when used within the WebSphere Application Server v8.5 environment for the lifecycle of the WebSphere Application Server, the decision was taken to relax the checking of the specified CipherSuite within the MQ-RA v7.1, to allow CipherSuites supported by both the WebSphere Application Server v8.5 and newer queue managers to be used.

For example, the following CipherSpec can be defined on the queue manager:

Channel cipherSpec: 'ECDHE_ECDSA_AES_256_CBC_SHA384'

With the code change associated with this APAR, the MQ-RA v7.1 can now establish a connection to the queue manager over this channel, by specifying in the WAS security configuration the following details:

Security -> SSL certificate and key management -> SSL configurations -> [select configuration] -> Quality of protection (QoP) settings

Protocol: 'TLSv1.2'
Selected ciphers: 'SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'

when using a compatible certificate.

Any CipherSuite/CipherSpec combination which both the WebSphere Application Server (and JVM) and queue manager support can be utilised in this way.

Note the following restrictions apply:

The MQConnectionFactory must be defined and utilised from the WebSphere Application Server JNDI. If your application programmatically defines its own com.ibm.mq.jms.MQConnectionFactory object instance, it will not make use of the WebSphere Application Server SSL configuration, and the connection attempt will fail.

This change only affects the MQ classes for JMS when running in the supported WebSphere Application Server v8.5 environment. The MQ classes for Java cannot make use of the newer CipherSuites.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT32725
Reported component name
WMQ WINDOWS V7
Reported component ID
5724H7220
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-05-01
Closed date
2020-08-05
Last modified date
2020-08-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ WINDOWS V7
Fixed component ID
5724H7220
Applicable component levels
Document Information
Modified date:
12 August 2020