APAR status
Closed as program error.
Error description
A local queue Q1 on a queue manager has been configured with an Advanced Message Security (AMS) "Confidentiality" policy, so that the messages on the queue are encrypted and can only be viewed by the user "Bob".

"Bob" installs the IBM MQ Explorer on a Windows system, and configures it to remotely administer the queue manager. "Bob" also sets up the IBM MQ Explorer with an AMS keystore.conf configuration file containing details of the JKS keystore containing their certificate.

After starting the user interface and connecting to the queue manager, "Bob" right clicks on the entry for the local queue Q1 in the Queues panel, and selects "Browse messages..." from the pop-up menu. The MQ Explorer displays a dialog containing the message:

Browse operation in progress

and then becomes unresponsive before eventually displaying a dialog containing the warning shown below:

----------------------------------------------------------------
IBM MQ is not responding. Do you want to continue waiting? (AMQ4181)

Severity: 10 (Warning)

Explanation: IBM MQ does not appear to be responding. This could be because of a heavily loaded remote system, or a slow network connection. However there could have been a system failure. Choosing not to continue could leave MQ Explorer in an unknown state, so you should restart it.

Response: If you choose not to continue waiting, restart MQ Explorer, if the problem persists check for problem determination information.
----------------------------------------------------------------

A trace of IBM MQ Explorer collected when the issue occurs contains a number of instances of the following entry:

Exception thrown java.lang.NoClassDefFoundError: org.bouncycastle.crypto.engines.AESFastEngine
Local fix
N/A
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of the IBM MQ Explorer who want to administer queues that have been protected with an Advanced Message Security (AMS) "Confidentiality" policy.

Platforms affected:
Windows, Linux on x86-64
****************************************************************
PROBLEM DESCRIPTION:
The IBM MQ Advanced Message Security (AMS) functionality provides three qualities of protection:

- Integrity: Here, messages are signed, which gives assurances on who created them and that they have not been altered or tampered with.
- Privacy: This ensures that message data is only visible to the intended recipients (via digital signing and encryption)
- Confidentiality: This protection level means that messages put to the queue must be encrypted.

For more information on these, see the Qualities of protection available with AMS topic in the MQ sections of IBM Documentation. The URI for this topic in the MQ 9.3 section of the IBM Documentation site is

https://www.ibm.com/docs/en/ibm-mq/9.3?topic=security-qualities-protection-available-ams

The code used to run the IBM MQ Explorer exists in multiple OSGi bundles. The way that OSGi works is that each bundle contains a MANIFEST.MF file which lists:

- The Java packages contained within the bundle that it exports and makes available to other bundles.
- The Java packages that need to be imported from other bundles in the current environment.
The code that provides the AMS functionality for the user interface can be found in the bundle:

"com.ibm.mq.osgi.allclient_<version number>.jar"

and the third party Bouncy Castle libraries that the functionality requires are in the bundle:

"com.ibm.mq.osgi.allclientprereqs_<version number>.jar"

When the MQ Explorer tried to access a queue that was protected using a "Confidentiality" policy, it needed to call methods on classes contained within the following packages provided by the third party Bouncy Castle library:

- org.bouncycastle.crypto.engines
- org.bouncycastle.crypto.modes
- org.bouncycastle.crypto.paddings
- org.bouncycastle.crypto.params

Although these packages were in the OSGi bundle:

"com.ibm.mq.osgi.allclientprereqs_<version number>.jar"

loaded by the MQ Explorer, they were not explicitly exported in the bundle's MANIFEST.MF file and so the AMS code within the bundle:

"com.ibm.mq.osgi.allclient_<version number>.jar"

which processed the "Confidentiality" policy was unable to load them. As a result, the MQ Explorer wrote the message:

Exception thrown java.lang.NoClassDefFoundError: org.bouncycastle.crypto.engines.AESFastEngine

to its trace file (if trace was enabled) and was unable to perform any operations related to the messages on queues protected with this type of policy.

NOTE: Although the issue here is specific to the MQ Explorer, it is possible that the exception mentioned above would also be seen in other OSGi environments that are using the bundles:

"com.ibm.mq.osgi.allclient_<version number>.jar"
"com.ibm.mq.osgi.allclientprereqs_<version number>.jar"
Problem conclusion
Two changes have been made to resolve this issue:

1) Firstly, the MANIFEST.MF file for the OSGi bundle:

"com.ibm.mq.osgi.allclientprereqs_<version number>.jar"

has been updated so that it exports the packages:

- org.bouncycastle.crypto.engines
- org.bouncycastle.crypto.modes
- org.bouncycastle.crypto.paddings
- org.bouncycastle.crypto.params

provided by the third party Bouncy Castle library.

2) In addition to this, the MANIFEST.MF file for the OSGi bundle:

"com.ibm.mq.osgi.allclient_<version number>.jar"

has been changed to import the four packages mentioned above. This allows the AMS code within the bundle to be able to access the classes that are needed when the MQ Explorer is used to put messages to, get messages from or browse messages on, a queue protected by a "Confidentiality" policy.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.x CD    9.3.3

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
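The export/import wiring described above can be checked directly from a bundle's MANIFEST.MF. The following Python check is an added example, not IBM code: it parses the manifest headers and reports which of the four Bouncy Castle packages are absent from Export-Package or Import-Package. The manifest contents (Bundle-SymbolicName values, the other packages, the version and uses attributes) are constructed for illustration; only the bundle names and the four package names come from this APAR.

```python
import re

# The four Bouncy Castle packages named in this APAR.
REQUIRED = ("org.bouncycastle.crypto.engines", "org.bouncycastle.crypto.modes",
            "org.bouncycastle.crypto.paddings", "org.bouncycastle.crypto.params")

def parse_manifest(text):
    """Main-section headers of a MANIFEST.MF, with folded lines rejoined."""
    headers, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                          # blank line ends the main section
        if line.startswith(" ") and name:
            headers[name] += line[1:]      # continuation: drop the one leading space
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name] = value.strip()
    return headers

def package_names(header_value):
    """Package names listed in an Export-Package or Import-Package value."""
    # Split on commas outside quotes (version="[1.1,3)" contains one), then
    # keep the ';'-separated parts that are names, not attributes/directives.
    clauses = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header_value or "")
    return {p.strip() for c in clauses for p in c.split(";")
            if p.strip() and "=" not in p}

def missing_packages(manifest_text, header):
    """REQUIRED packages that the given header does not list."""
    names = package_names(parse_manifest(manifest_text).get(header))
    return [p for p in REQUIRED if p not in names]

# Constructed manifests (not IBM's real ones), folded as the JAR format allows.
PREREQS_BEFORE = """\
Manifest-Version: 1.0
Bundle-SymbolicName: com.ibm.mq.osgi.allclientprereqs
Export-Package: org.bouncycastle.asn1;version="1.0.0",org.bouncycastle.
 jce;uses:="org.bouncycastle.asn1,org.bouncycastle.util"
"""
PREREQS_AFTER = PREREQS_BEFORE.rstrip("\n") + "," + ",\n ".join(REQUIRED) + "\n"
ALLCLIENT_AFTER = """\
Manifest-Version: 1.0
Bundle-SymbolicName: com.ibm.mq.osgi.allclient
Import-Package: javax.jms;version="[1.1,3)",org.bouncycastle.crypto.eng
 ines,org.bouncycastle.crypto.modes,org.bouncycastle.crypto.paddings,org
 .bouncycastle.crypto.params
"""

if __name__ == "__main__":
    print("before:", missing_packages(PREREQS_BEFORE, "Export-Package"))
```

To check an installed bundle, read META-INF/MANIFEST.MF out of the jar with Python's zipfile module and pass the decoded text to missing_packages.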
Temporary fix
Comments
APAR Information
APAR number
IT43543
Reported component name
MQ BASE V9.3
Reported component ID
5724H7291
Reported release
932
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-04-12
Closed date
2023-05-11
Last modified date
2023-11-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.3
Fixed component ID
5724H7291
Applicable component levels
Document Information
Modified date:
07 November 2023