APAR status
Closed as program error.
Error description
When attempting to make an SSL-secured connection from the IBM MQ explorer to a remote queue manager using a cipher suite which is FIPS certified, the connection attempt works as expected if FIPS is not enabled, but fails if FIPS is enabled on the explorer and the queue manager, for some versions of the explorer.

No errors are output on the failed connection at either the queue manager or explorer, but an explorer trace shows errors like:

16:18:43.470 43 MQEX.CORE -----{ DmCoreException.constructor(String, Throwable, String, int, int, int)(Could not establish a connection to the queue manager - reason 2059. (AMQ4059),java.lang.IllegalArgumentException: Only TLS protocol can be enabled in FIPS mode,AMQ4059,50013,2,0)()
Local fix
Disabling FIPS allows the connection to succeed. The FIPS-certified cipher suites can still be used for the connection while FIPS is disabled.
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of specific versions of the IBM MQ Explorer attempting to make remote connections to queue managers using FIPS-certified cipher suites to secure those connections, with FIPS enabled in the explorer and queue manager.

The affected versions are:
- 9.0.0.8 and later 9.0 LTS versions
- 9.1.0.4 and later 9.1 LTS versions
- 9.1.4 and later 9.1 CD versions
- All 9.2 LTS and CD versions

The affected versions are all those which ship an IBM JRE of version 8.0.5.40 or later.

Platforms affected:
Windows, Linux on x86-64
****************************************************************
PROBLEM DESCRIPTION:
When attempting to make an SSL-secured connection from the IBM MQ explorer to a remote queue manager using a cipher suite which is FIPS certified, the connection attempt worked as expected if FIPS was not enabled, but failed if FIPS was enabled on the explorer and the queue manager.

No errors or related messages were output to either the queue manager error logs or the explorer, and no FDCs or other indications of the root cause were output when the connection attempt was unsuccessful.

A trace of the explorer covering the failing connection attempt contained errors like:

16:18:43.470 43 MQEX.CORE -----{ DmCoreException.constructor(String, Throwable, String, int, int, int)(Could not establish a connection to the queue manager - reason 2059. (AMQ4059),java.lang.IllegalArgumentException: Only TLS protocol can be enabled in FIPS mode,AMQ4059,50013,2,0)()
16:18:43.502 43 Message = An unexpected error (50015) has occurred. (AMQ4999), ***** = AMQ4999, reason = 50015, comp = 2, severity = 20
16:18:43.502 43 MQEX.CORE --------} DmCoreException.constructor(Trace, String, String, int, int, int)() rc=0
16:18:43.502 43 MQEX.CORE -------} DmQueueManager.createException(Trace, int, int, int)(com.ibm.mq.explorer.core.internal.base.DmCoreException: An unexpected error (50015) has occurred. (AMQ4999))() rc=0
Problem conclusion
SSL-secured connection attempts from the explorer to remote queue managers are now successful, regardless of whether FIPS is enabled, as long as the SSL certificate handshake and other authentication steps are successful.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.0 LTS   9.0.0.13
v9.1 LTS   9.1.0.11
v9.2 LTS   9.2.0.6
v9.x CD    9.3.0.0

The latest available MQ maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
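Because the failure leaves nothing in the error logs, triage depends on the installed level and the explorer trace. The following Python is an added example, not IBM code and not part of the APAR: it classifies a level against the affected and fixed levels listed above and finds the trace signature. The function names are hypothetical, and it assumes that LTS levels are written V.R.0.F, that CD levels are written V.R.M with M > 0, and that levels after 9.3.0.0 include the fix.

```python
# Added example, not IBM code. Names below are hypothetical.
# Assumption: LTS levels are written V.R.0.F and CD levels V.R.M with M > 0.
SIGNATURE = "Only TLS protocol can be enabled in FIPS mode"
# stream -> (first affected fix pack, fix pack carrying the fix), from the APAR
LTS = {(9, 0): (8, 13), (9, 1): (4, 11), (9, 2): (0, 6)}
# stream -> first affected CD modification ("9.1.4 and later", all 9.2 CD)
CD_FIRST_AFFECTED = {(9, 1): 4, (9, 2): 1}
CD_FIXED = (9, 3, 0)  # "v9.x CD 9.3.0.0"; later levels assumed to include it


def parse_version(text):
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"expected V.R.M or V.R.M.F, got {text!r}")
    return parts + (0,) * (4 - len(parts))


def classify(version):
    """Return 'affected', 'fixed', 'not affected' or 'not listed'."""
    v, r, m, f = parse_version(version)
    if (v, r, m) >= CD_FIXED:
        return "fixed"
    if m == 0:  # LTS stream
        if (v, r) not in LTS:
            return "not listed"
        first, fixed = LTS[(v, r)]
        if f < first:
            return "not affected"
        return "fixed" if f >= fixed else "affected"
    first_mod = CD_FIRST_AFFECTED.get((v, r))  # CD stream
    if first_mod is None:
        return "not listed"
    return "affected" if m >= first_mod else "not affected"


def trace_hits(trace_text):
    """Trace lines carrying reason 2059 together with the FIPS exception text."""
    return [ln for ln in trace_text.splitlines()
            if "reason 2059" in ln and SIGNATURE in ln]


# Constructed sample, taken from the trace excerpt in this APAR.
SAMPLE_TRACE = """\
16:18:43.470 43 MQEX.CORE -----{ DmCoreException.constructor(String, Throwable, String, int, int, int)(Could not establish a connection to the queue manager - reason 2059. (AMQ4059),java.lang.IllegalArgumentException: Only TLS protocol can be enabled in FIPS mode,AMQ4059,50013,2,0)()
16:18:43.502 43 Message = An unexpected error (50015) has occurred. (AMQ4999)
"""

if __name__ == "__main__":
    for level in ("9.0.0.7", "9.1.0.4", "9.1.4", "9.2.0.6", "9.3.0.0"):
        print(level, "->", classify(level))
    print(len(trace_hits(SAMPLE_TRACE)), "matching trace line(s)")
```

A level reported as "not listed" (for example a 9.0 CD level) is one the APAR neither names as affected nor as fixed.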
Temporary fix
Comments
APAR Information
APAR number
IT33130
Reported component name
IBM MQ MFT V9.0
Reported component ID
5724H7262
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-06-09
Closed date
2022-01-18
Last modified date
2022-04-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ MFT V9.0
Fixed component ID
5724H7262
Applicable component levels
Document Information
Modified date:
14 April 2022