IBM Support

IT36699: Extend the fix for IT32725 so that it also works for connection factories that use CCDTs


APAR status

  • Closed as program error.

Error description

  • A WebSphere Application Server 8.5.5.19 instance has the interim
    fix for APAR IT32725 installed.
    
    A WebSphere MQ messaging provider JMS connection factory is
    defined within the application server, and is configured to use
    a client channel definition table (CCDT) to connect to an MQ 9.1
    LTS queue manager. The entry in the CCDT for the queue manager
    contains the following attribute:
    
    SSLCIPH(SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
    
    The WebSphere Application Server security configuration
    associated with the connection factory has been set up with the
    corresponding CipherSuite and protocol for this CipherSpec.
    However, when an enterprise application tries to use the
    connection factory to connect to the queue manager, an error
    occurs containing the following exception:
    JMSCMQ0001: WebSphere MQ call failed with compcode '2'
    ('MQCC_FAILED') reason '2195' ('MQRC_UNEXPECTED_ERROR').
    ...
    Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2195;AMQ9204:
    Connection to host 'hostname(port)' rejected.
    [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2195;AMQ9635: Channel
    '?' did not specify a valid CipherSpec.
    []],3=hostname(port),5=RemoteTCPConnection.parseCipherSpec]
    ...
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of:
    
    - WebSphere Application Server v8.5
    
    who have:
    
    - JMS connection factories that are configured to use a client
    channel definition table (CCDT) when creating connections to an
    MQ queue manager.
    - And a requirement for the CCDT entries used by the connection
    factories to utilise a later Cipher than that which the
    WebSphere MQ 7.1 resource adapter supports.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The WebSphere MQ 7.1 resource adapter contains a map of
    CipherSuites to CipherSpecs, which is used to map the
    CipherSuite specified on the:
    
      com.ibm.mq.jms.MQConnectionFactory
    
    object to the corresponding CipherSpec, which is intended to
    match that set on the MQ channel, when establishing a JMS
    Connection using CLIENT transport mode (TCP/IP).
    
    APAR IT32725 added some functionality to the WebSphere MQ
    resource adapter, to allow CipherSuites supported by both
    WebSphere Application Server v8.5 and newer queue managers to be
    used even if they were not in the map. However, this
    functionality did not work for JMS connection factories that had
    been configured to use a client channel definition table (CCDT).
    
    If an application was running inside of a WebSphere Application
    Server 8.5.5 system that had the fix for IT32725 installed, and
    used a connection factory that had been configured to use a CCDT
    to create a secure connection to a queue manager using a Cipher
    that was not in the map, the connection attempt would fail with
    the following exception:
    
    JMSCMQ0001: WebSphere MQ call failed with compcode '2'
    ('MQCC_FAILED') reason '2195' ('MQRC_UNEXPECTED_ERROR').
      at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:204)
      ... 47 more
    Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2195;AMQ9204:
    Connection to host 'hostname(port)' rejected.
    [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2195;AMQ9635: Channel
    '?' did not specify a valid CipherSpec.
    []],3=hostname(port),5=RemoteTCPConnection.parseCipherSpec]
      at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2099)
      at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1348)
    ...
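
Added example, not IBM code: a log-triage helper that checks whether a logged exception chain carries the signature described above (reason 2195 with AMQ9635, reported from RemoteTCPConnection.parseCipherSpec), so it is not confused with other AMQ9204 rejections. The function name `triage`, the result keys and both sample traces are constructed for illustration; the reason code and message in the second sample are assumptions used only for contrast.

```python
import re

# Field layout follows the JmqiException text quoted in this APAR.
CODES = re.compile(r"CC=(\d+);RC=(\d+);(AMQ\d{4})")
CHANNEL = re.compile(r"AMQ9635: Channel '([^']*)'")
HOST = re.compile(r"\b3=([^,\]]+)")
ORIGIN = re.compile(r"\b5=([\w.]+)")


def triage(trace):
    """Summarise one logged exception chain and flag the IT36699 signature."""
    text = " ".join(trace.split())  # undo line wrapping added by the log writer
    codes = CODES.findall(text)
    channel = CHANNEL.search(text)
    hosts = HOST.findall(text)
    origins = ORIGIN.findall(text)
    origin = origins[-1] if origins else None  # outermost insert comes last
    signature = (
        any(rc == "2195" and amq == "AMQ9635" for _, rc, amq in codes)
        and origin is not None
        and origin.endswith("parseCipherSpec")
    )
    return {
        "amq": [amq for _, _, amq in codes],
        "reason": sorted({int(rc) for _, rc, _ in codes}),
        "channel": channel.group(1) if channel else None,
        "host": hosts[-1] if hosts else None,
        "origin": origin,
        "cipherspec_mapping_failure": signature,
    }


# Constructed sample: the exception text from this APAR, wrapped as in a log.
APAR_TRACE = """Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2195;AMQ9204:
Connection to host 'hostname(port)' rejected.
[1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2195;AMQ9635: Channel
'?' did not specify a valid CipherSpec.
[]],3=hostname(port),5=RemoteTCPConnection.parseCipherSpec]"""

# Constructed sample of an unrelated rejection, for contrast (assumed values).
OTHER_TRACE = """Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204:
Connection to host 'hostname(port)' rejected.
[1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed.
[]],3=hostname(port),5=RemoteTCPConnection.protocolConnect]"""

if __name__ == "__main__":
    for name, trace in (("apar", APAR_TRACE), ("other", OTHER_TRACE)):
        print(name, triage(trace))
```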
    

Problem conclusion

  • This APAR extends the fix for APAR IT32725 to allow JMS
    connection factories that use a client channel definition table
    (CCDT) to utilise CipherSuites supported by both WebSphere
    Application Server 8.5.5 and newer queue managers (such as
    SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256).
    
    Note that the MQConnectionFactory must be defined and utilised
    from the WebSphere Application Server JNDI.  If your application
    programmatically defines its own
    com.ibm.mq.jms.MQConnectionFactory object instance, it will not
    make use of the WebSphere Application Server SSL configuration,
    and the connection attempt will fail.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT36699

  • Reported component name

    MQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-04-26

  • Closed date

    2021-10-29

  • Last modified date

    2021-10-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels


Document Information

Modified date:
30 October 2021