IBM Support

IT43543: MQ EXPLORER IS UNABLE TO PUT, GET, OR BROWSE MESSAGES ON A QUEUE PROTECTED BY AN AMS CONFIDENTIALITY POLICY


APAR status

  • Closed as program error.

Error description

  • A local queue Q1 on a queue manager has been configured with an
    Advanced Message Security (AMS) "Confidentiality" policy, so
    that the messages on the queue are encrypted and can only be
    viewed by the user "Bob".
    
    "Bob" installs the IBM MQ Explorer on a Windows system, and
    configures it to remotely administer the queue manager. "Bob"
    also sets up the IBM MQ Explorer with an AMS keystore.conf
    configuration file that identifies the JKS keystore holding
    their certificate.
    
    After starting the user interface and connecting to the queue
    manager, "Bob" right-clicks on the entry for the local queue Q1
    in the Queues panel, and selects "Browse messages..." from the
    pop-up menu. The MQ Explorer displays a dialog containing the
    message:
    
    Browse operation in progress
    
    and then becomes unresponsive before eventually displaying a
    dialog containing the warning shown below:
    
    ----------------------------------------------------------------
      IBM MQ is not responding. Do you want to continue waiting?
      (AMQ4181)
    
      Severity: 10 (Warning)
    
      Explanation: IBM MQ does not appear to be responding. This
      could be because of a heavily loaded remote system, or a slow
      network connection. However there could have been a system
      failure. Choosing not to continue could leave MQ Explorer in
      an unknown state, so you should restart it.
    
      Response: If you choose not to continue waiting, restart MQ
      Explorer, if the problem persists check for problem
      determination information.
    ----------------------------------------------------------------
    
    
    A trace of IBM MQ Explorer collected when the issue occurs
    contains a number of instances of the following entry:
    
    Exception thrown java.lang.NoClassDefFoundError:
    org.bouncycastle.crypto.engines.AESFastEngine
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the IBM MQ Explorer who want to
    administer queues that have been protected with an Advanced
    Message Security (AMS) "Confidentiality" policy.
    
    
    Platforms affected:
    Windows, Linux on x86-64
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The IBM MQ Advanced Message Security (AMS) functionality
    provides three qualities of protection:
    
    - Integrity: Here, messages are signed, which gives assurances
    on who created them and that they have not been altered or
    tampered with.
    - Privacy: This ensures that message data is only visible to the
    intended recipients (via digital signing and encryption).
    - Confidentiality: This protection level means that messages put
    to the queue must be encrypted.
    
    For more information on these, see the "Qualities of protection
    available with AMS" topic in the MQ sections of IBM
    Documentation. The URI for this topic in the MQ 9.3 section of
    the IBM Documentation site is
    https://www.ibm.com/docs/en/ibm-mq/9.3?topic=security-qualities-protection-available-ams
    
    
    The code used to run the IBM MQ Explorer exists in multiple OSGi
    bundles. The way that OSGi works is that each bundle contains a
    MANIFEST.MF file which lists:
    
    - The Java packages contained within the bundle that it exports
    and makes available to other bundles.
    - The Java packages that need to be imported from other bundles
    in the current environment.
    
    The code that provides the AMS functionality for the user
    interface can be found in the bundle:
    
    "com.ibm.mq.osgi.allclient_<version number>.jar"
    
    and the third party Bouncy Castle libraries that the
    functionality requires are in the bundle:
    
    "com.ibm.mq.osgi.allclientprereqs_<version number>.jar"
    
    
    Now, when the MQ Explorer tried to access a queue that was
    protected using a "Confidentiality" policy, it needed to call
    methods on classes contained within the following packages
    provided by the third party Bouncy Castle library:
    
    - org.bouncycastle.crypto.engines
    - org.bouncycastle.crypto.modes
    - org.bouncycastle.crypto.paddings
    - org.bouncycastle.crypto.params
    
    Although these packages were in the OSGi bundle:
    
    "com.ibm.mq.osgi.allclientprereqs_<version number>.jar"
    
    loaded by the MQ Explorer, they were not explicitly exported in
    the bundle's MANIFEST.MF file and so the AMS code within the
    bundle:
    
    "com.ibm.mq.osgi.allclient_<version number>.jar"
    
    which processed the "Confidentiality" policy was unable to load
    them. As a result, the MQ Explorer wrote the message:
    
    Exception thrown java.lang.NoClassDefFoundError:
    org.bouncycastle.crypto.engines.AESFastEngine
    
    to its trace file (if trace was enabled) and was unable to
    perform any operations related to the messages on queues
    protected with this type of policy.
    
    NOTE: Although the issue here is specific to the MQ Explorer, it
    is possible that the exception mentioned above would also be
    seen in other OSGi environments that are using the bundles:
    
    "com.ibm.mq.osgi.allclient_<version number>.jar"
    "com.ibm.mq.osgi.allclientprereqs_<version number>.jar"
    

Problem conclusion

  • Two changes have been made to resolve this issue:
    
    1) Firstly, the MANIFEST.MF file for the OSGi bundle:
    
    "com.ibm.mq.osgi.allclientprereqs_<version number>.jar"
    
    has been updated so that it exports the packages:
    
    - org.bouncycastle.crypto.engines
    - org.bouncycastle.crypto.modes
    - org.bouncycastle.crypto.paddings
    - org.bouncycastle.crypto.params
    
    provided by the third party Bouncy Castle library.
    
    2) In addition to this, the MANIFEST.MF file for the OSGi
    bundle:
    
    "com.ibm.mq.osgi.allclient_<version number>.jar"
    
    has been changed to import the four packages mentioned above.
    This allows the AMS code within the bundle to access the
    classes that are needed when the MQ Explorer is used to put
    messages to, get messages from, or browse messages on a queue
    protected by a "Confidentiality" policy.
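
The export/import wiring described above can be checked from the two bundles' MANIFEST.MF files. The following Python is an added example, not IBM code: the manifest text is constructed rather than taken from the real bundles, the function names are hypothetical, and `example.other` is a made-up package.

```python
import re

# The four Bouncy Castle packages the APAR says AMS "Confidentiality" needs.
REQUIRED = {"org.bouncycastle.crypto." + p
            for p in ("engines", "modes", "paddings", "params")}

def manifest_headers(text):
    """Parse the main section of a MANIFEST.MF, joining continuation lines."""
    headers, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                        # a blank line ends the main section
        if line.startswith(" ") and name:
            headers[name] += line[1:]    # continuation: drop one leading space
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name] = value.lstrip()
    return headers

def packages(header_value):
    """Package names in an Export-Package or Import-Package header value."""
    # Split clauses on commas outside quotes (uses:="a.b,c.d" contains one).
    clauses = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header_value or "")
    # Within a clause, parts containing "=" are attributes or directives.
    return {p.strip() for c in clauses for p in c.split(";")
            if p.strip() and "=" not in p}

def missing_wiring(exporter_mf, importer_mf):
    """Required packages the exporter does not export / importer does not import."""
    exported = packages(manifest_headers(exporter_mf).get("Export-Package"))
    imported = packages(manifest_headers(importer_mf).get("Import-Package"))
    return sorted(REQUIRED - exported), sorted(REQUIRED - imported)

# Constructed manifests (not the real IBM bundle contents); example.* is made up.
PREREQS_BEFORE = "Manifest-Version: 1.0\nExport-Package: example.other\n"
CLIENT_BEFORE = "Manifest-Version: 1.0\nImport-Package: example.other\n"
PREREQS_AFTER = (
    "Manifest-Version: 1.0\n"
    'Export-Package: example.other;uses:="a.b,c.d",org.bouncycastle.crypto.e\n'
    " ngines,org.bouncycastle.crypto.modes,org.bouncycastle.crypto.paddings,\n"
    ' org.bouncycastle.crypto.params;version="1.0"\n'
)
CLIENT_AFTER = ("Manifest-Version: 1.0\nImport-Package: " +
                ",".join(sorted(REQUIRED)) + "\n")

if __name__ == "__main__":
    print("before:", missing_wiring(PREREQS_BEFORE, CLIENT_BEFORE))
    print("after: ", missing_wiring(PREREQS_AFTER, CLIENT_AFTER))
```

To check an installed bundle, read `META-INF/MANIFEST.MF` from each jar (for example with Python's `zipfile` module) and pass the decoded text to `missing_wiring`.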
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.x CD    9.3.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT43543

  • Reported component name

    MQ BASE V9.3

  • Reported component ID

    5724H7291

  • Reported release

    932

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-04-12

  • Closed date

    2023-05-11

  • Last modified date

    2023-11-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQ BASE V9.3

  • Fixed component ID

    5724H7291

Applicable component levels


Document Information

Modified date:
07 November 2023