IBM Support

SSL error "CWPKI0022E: SSL HANDSHAKE FAILURE end user tried to act as a CA" when connecting to WebSphere MQ from WebSphere Application Server 6.1

Troubleshooting


Problem

Using a self-signed certificate that has been correctly added to the JKS trust store of WebSphere Application Server as a trusted signer, your WebSphere MQ channel will not start, and the errors CWPKI0022E and AMQ2397 are written to the WebSphere Application Server logs.

Symptom

You will see the following error in the WebSphere Application Server SystemErr log when the client tries to validate the signer certificate:

com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:282)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:301)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:323)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:84)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:173)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:795)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:709)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:664)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:160)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:550)
at com.ibm.mq.MQSPIQueueManager.<init>(MQSPIQueueManager.java:62)
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2427)
at com.ibm.mq.jms.MQConnection.createQMXA(MQConnection.java:1806)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:105)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:66)
at com.ibm.mq.jms.MQXAQueueConnection.<init>(MQXAQueueConnection.java:59)
at com.ibm.mq.jms.MQXAQueueConnectionFactory.createXAQueueConnection(MQXAQueueConnectionFactory.java:82)
at com.ibm.ejs.jms.JMSManagedQueueConnection.createConnection(JMSManagedQueueConnection.java:123)
at com.ibm.ejs.jms.JMSManagedConnection.<init>(JMSManagedConnection.java:315)
at com.ibm.ejs.jms.JMSManagedQueueConnection.<init>(JMSManagedQueueConnection.java:71)
at com.ibm.ejs.jms.WSJMSManagedQueueConnectionFactory.createManagedConnection(WSJMSManagedQueueConnectionFactory.java:96)
at com.ibm.ejs.jms.JMSManagedConnectionFactory.createManagedConnection(JMSManagedConnectionFactory.java:627)
at com.ibm.ejs.j2c.FreePool.createManagedConnectionWithMCWrapper(FreePool.java:1895)
at com.ibm.ejs.j2c.FreePool.createOrWaitForConnection(FreePool.java:1570)
at com.ibm.ejs.j2c.PoolManager.reserve(PoolManager.java:2338)
at com.ibm.ejs.j2c.ConnectionManager.allocateMCWrapper(ConnectionManager.java:915)
at com.ibm.ejs.j2c.ConnectionManager.allocateConnection(ConnectionManager.java:605)
at com.ibm.ejs.jms.JMSQueueConnectionFactoryHandle.createQueueConnection(JMSQueueConnectionFactoryHandle.java:84)
at com.ibm.ejs.jms.listener.MDBListenerImpl.createResources(MDBListenerImpl.java:419)
at com.ibm.ejs.jms.listener.MDBListenerImpl.internalStart(MDBListenerImpl.java:734)
at com.ibm.ejs.jms.listener.MDBListenerImpl.start(MDBListenerImpl.java:657)
at com.ibm.ejs.jms.listener.MDBListenerManagerImpl.start(MDBListenerManagerImpl.java:652)
at com.ibm.ejs.jms.listener.MsgListenerPort.add(MsgListenerPort.java:227)
at com.ibm.ejs.jms.listener.MDBListenerManagerImpl.startApplicationMDBs(MDBListenerManagerImpl.java:894)
at com.ibm.ejs.jms.listener.MDBListenerManagerImpl.stateChanged(MDBListenerManagerImpl.java:852)
at com.ibm.ws.runtime.component.MessageListenerImpl.stateChanged(MessageListenerImpl.java:188)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.stateChanged(ApplicationMgrImpl.java:1226)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectEvent(DeployedApplicationImpl.java:1121)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.setState(DeployedApplicationImpl.java:235)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.setState(DeployedApplicationImpl.java:230)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:829)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:921)
at com.ibm.ws.runtime.component.ApplicationMgrImpl$AppInitializer.run(ApplicationMgrImpl.java:2124)
at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:342)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1473)
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: End user tried to act as a CA
at com.ibm.jsse2.n.a(n.java:17)
at com.ibm.jsse2.jc.a(jc.java:541)
at com.ibm.jsse2.db.a(db.java:403)
at com.ibm.jsse2.db.a(db.java:278)
at com.ibm.jsse2.eb.a(eb.java:137)
at com.ibm.jsse2.eb.a(eb.java:157)
at com.ibm.jsse2.db.m(db.java:243)
at com.ibm.jsse2.db.a(db.java:280)
at com.ibm.jsse2.jc.a(jc.java:104)
at com.ibm.jsse2.jc.g(jc.java:470)
at com.ibm.jsse2.jc.a(jc.java:284)
at com.ibm.jsse2.jc.startHandshake(jc.java:172)
at com.ibm.mq.SSLHelper.configureSSLSocket(SSLHelper.java:768)
at com.ibm.mq.SSLHelper.createSSLSocket(SSLHelper.java:154)
at com.ibm.mq.MQInternalCommunications.createSocketConnection(MQInternalCommunications.java:2288)
at com.ibm.mq.MQv6InternalCommunications$1.run(MQv6InternalCommunications.java:166)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.mq.MQv6InternalCommunications.initialize(MQv6InternalCommunications.java:163)
at com.ibm.mq.MQv6InternalCommunications.<init>(MQv6InternalCommunications.java:111)
at com.ibm.mq.MQSESSIONClient.MQCONNX(MQSESSIONClient.java:1408)
at com.ibm.mq.MQSESSIONClient.spiConnect(MQSESSIONClient.java:4555)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:246)
... 44 more
Caused by: com.ibm.jsse2.util.h: End user tried to act as a CA
at com.ibm.jsse2.util.g.a(g.java:3)
at com.ibm.jsse2.util.g.a(g.java:87)
at com.ibm.jsse2.util.g.b(g.java:103)
at com.ibm.jsse2.util.e.a(e.java:8)
at com.ibm.jsse2.yb.checkServerTrusted(yb.java:18)
at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:256)
at com.ibm.jsse2.hb.checkServerTrusted(hb.java:11)
at com.ibm.jsse2.eb.a(eb.java:222)
... 61 more

An SSL trace on the WebSphere Application Server reveals that it is connecting to the MQ server, which is sending both its personal certificate and its signer certificate to the client.

The WebSphere Application Server then looks in its trust store for the signer certificate.

If the signer certificate is found but does not contain the X.509 certificate extension that the Java Secure Socket Extension 2 (JSSE2) provider requires on signer certificates, the JSSE2 validation code returns the error above.

JSSE2 is the default SSL provider included with WebSphere Application Server 6.1, and it enforces the requirement that the CA extension be present on CA certificates.

Resolving The Problem

If a client connecting to MQ uses the JSSE2 provider, every trusted signer certificate must carry the critical X.509 certificate extension "Basic Constraints", which identifies the certificate as a "CA" certificate.


If this critical extension is missing from the signer certificate in the trust store, the provider reports that the certificate is not trusted: because the certificate was found in the trust store, the provider concludes that a personal (end-entity) certificate tried to act as a signer. Without the critical Basic Constraints extension, this provider does not consider a certificate to be a signer certificate.


To resolve the problem, since an existing certificate cannot be altered, you must recreate the self-signed certificate with the X.509 "CA" extension and import it into the client trust store.

When creating a self-signed certificate as the personal certificate for your queue manager, ensure that you pass the option to add the certificate extension when using IBM's Global Security Kit (GSKit).


This must be done using the gsk7cmd or gsk7capicmd command line tools; the ikeyman GUI does not provide a means of adding certificate extensions.

The command will look similar to the following:


gsk7capicmd -cert -create -dn "CN=IBM client test,O=IBM,C=US,OU=MQ Support,ST=North Carolina" -db /var/mqm/qmgrs/TSTQMGR/ssl/key.kdb -type cms -label ibmwebspheremqqmgr -ca true -pw xxxxxx

On Windows platforms, where the gsk7cmd and gsk7capicmd GSKit commands are not available, use the runmqckm command, which is a wrapper for the GSKit executables and provides a command line interface for Windows.

The command would look like the following:

runmqckm -cert -create -dn "CN=IBM client test,O=IBM,C=US,OU=MQ Support,ST=North Carolina" -db /var/mqm/qmgrs/TSTQMGR/ssl/key.kdb -type cms -label ibmwebspheremqqmgr -ca true -pw xxxxxx

Once this certificate has been imported, restart the client application and test the connection.

Once you extract the signer certificate from the self-signed certificate in the keystore, the certificate extension will look like the following:

Now that the critical X.509 certificate extension is present in the signer certificate and imported into the WebSphere Application Server JKS trust store, the provider on the client will find the required extension, will validate that the certificate is in fact a signer certificate, and the connection will proceed.

Since JSSE2 may be the default provider for many clients, it is best practice to ensure that all signer certificates contain this critical X.509 certificate extension.
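The following check, added here as an illustration and not part of IBM's product code, walks the trusted-certificate entries of a JKS trust store and reports whether each signer carries the Basic Constraints extension (OID 2.5.29.19) with cA=TRUE and whether it is marked critical, so the condition JSSE2 rejects can be found before the channel is started. The trust store path and password are command line arguments; the class and method names are the author's own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

/**
 * Reports, for every trusted-certificate entry in a JKS trust store, whether the
 * certificate is usable as a signer under a provider that requires the X.509
 * Basic Constraints extension with cA=TRUE (as JSSE2 does).
 *
 * Illustrative example; not IBM code. Assumes a JKS store readable with the
 * supplied password.
 */
public class SignerBasicConstraintsCheck {

    // OID of the X.509 Basic Constraints extension.
    static final String BASIC_CONSTRAINTS_OID = "2.5.29.19";

    /** Verdict for one trusted certificate entry. */
    static String assess(X509Certificate cert) {
        // Extension bytes are null when the extension is absent altogether.
        boolean present = cert.getExtensionValue(BASIC_CONSTRAINTS_OID) != null;

        Set<String> criticalOids = cert.getCriticalExtensionOIDs();
        boolean critical = criticalOids != null && criticalOids.contains(BASIC_CONSTRAINTS_OID);

        // getBasicConstraints() returns -1 when the certificate is not a CA
        // (extension absent or cA=FALSE); otherwise the path length constraint,
        // or Integer.MAX_VALUE when no length limit is present.
        boolean isCA = cert.getBasicConstraints() != -1;

        if (!present) {
            return "FAIL: no Basic Constraints extension; a JSSE2 client will reject this signer "
                 + "(\"End user tried to act as a CA\")";
        }
        if (!isCA) {
            return "FAIL: Basic Constraints present but cA=FALSE";
        }
        if (!critical) {
            return "WARN: cA=TRUE but the extension is not marked critical";
        }
        return "OK: critical Basic Constraints with cA=TRUE";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java SignerBasicConstraintsCheck <truststore.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }

        int failures = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Only trusted-certificate entries act as signers; key entries hold
            // the client's own identity and are not what the provider checks here.
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) c;
            String verdict = assess(cert);
            if (verdict.startsWith("FAIL")) {
                failures++;
            }
            System.out.printf("%-32s %s%n    subject: %s%n", alias, verdict, cert.getSubjectX500Principal());
        }
        // Non-zero exit when any signer would be rejected, so the check can gate a deployment.
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it against the JKS trust store that the WebSphere Application Server SSL configuration references; any entry reported as FAIL is a signer that will produce the CWPKI0022E failure described above, and the fix is the one given in this document: recreate that self-signed certificate with the CA extension and re-import it.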

Product: WebSphere MQ (SSFKSJ); Business Unit: Cloud & Data Platform (BU053); Component: SSL; Platform: AIX, HP-UX, Linux, Solaris, Windows; Version: 9.0; 8.0; 7.5; 7.1; 7.0.1; 7.0; 6.0; Line of Business: Automation (LOB45)

Product: WebSphere Application Server (SSEQTP); Business Unit: Cloud & Data Platform (BU053); Component: Not Applicable; Platform: AIX, HP-UX, Linux, Solaris, Windows; Version: 6.1; Line of Business: Automation (LOB45)

Product Synonym

WMQ MQ

Document Information

Modified date:
22 June 2018

UID

swg21426286