IBM Support

IC64358: WMQ V7.0.1: AMQ9716 ERROR OCCURS FOR SSL ENABLED CHANNELS


APAR status

  • Closed as program error.

Error description

  • After applying Refresh Pack for WebSphere MQ V7.0.1, the SSL
    enabled channels fail with error AMQ9716:
    Remote SSL certificate revocation status check failed for
    channel 'XXXXX'.
    
    GSKit trace reveals that it was unable to access the OCSP
    responder.
    

Local fix

  • Add the OCSPAuthentication=OPTIONAL parameter to the
    mqclient.ini.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of WMQ SSL/TLS enabled channels who set
    OCSPAuthentication to REQUIRED (or who are using the default
    OCSPAuthentication) and who use an HTTP proxy server to connect
    to the internet.
    
    Platforms affected:
    Windows, All Unix
    
    ****************************************************************
    PROBLEM SUMMARY:
    When the OCSPAuthentication is set to 'REQUIRED' and the OCSP
    responder returns an unknown revocation status for a particular
    certificate, WebSphere MQ rejects the connection and issues an
    error message of type AMQ9716.
    
    In this particular case, it was found that GSKit was unable to
    get the revocation status because it was unable to reach the
    OCSP responder. Analysis of the GSKit trace in the lab revealed
    that an attempt to connect to OCSP responder failed because the
    OCSP responder URL was unreachable.
    
    However, when the OCSP responder URL was entered in an internet
    browser, the connection was successful. A review of the browser
    settings revealed that an HTTP proxy server was being used to
    connect to the internet. GSKit had no knowledge of the HTTP
    proxy server settings, which is why it failed to access the OCSP
    responder.
    
    GSKit has a feature that lets users set the HTTP proxy server
    which GSKit then uses for OCSP checks. However, WebSphere MQ had
    not exposed this feature to users.
    

Problem conclusion

  • Users can now specify the hostname and the port number of the
    HTTP proxy server which GSKit uses for OCSP checks. A new
    environment variable "MQSSLPROXY" and an INI file parameter
    "SSLHTTPProxyName" (under the SSL stanza) have been introduced,
    through which customers can enable the GSKit OCSP proxy feature.
    
    Syntax for using these parameters is as follows.
    
    The environment variable MQSSLPROXY can be set as follows:
    On Windows:
    set MQSSLPROXY=hostname(port)
    ex: set MQSSLPROXY=proxy.example.ibm.com(80)
    On Unix:
    export MQSSLPROXY="hostname(port)"
    ex: export MQSSLPROXY="proxy.example.ibm.com(80)"
    
    The parameter SSLHTTPProxyName can be set in the SSL stanza of
    the INI file (client or server) as follows:
    SSLHTTPProxyName=hostname(port)
    
    Example:
    # SSL stanza in queue manager's initialization file
    SSL:
       SSLHTTPProxyName=proxy.example.ibm.com(80)
    
    If the port number is not specified, the default HTTP port 80 is
    used.
    
    The OCSP proxy can be enabled by setting either the MQSSLPROXY
    environment variable or the SSLHTTPProxyName parameter in the
    SSL stanza (in the client.ini, qm.ini or Windows registry). If
    both values are set, the MQSSLPROXY environment variable takes
    precedence.
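    The following Python helper, added here as an illustration and not part of WebSphere MQ or GSKit, shows the resolution rule described above: it parses the documented hostname(port) syntax with the port defaulting to 80, reads SSLHTTPProxyName from the SSL stanza of an INI file, and lets MQSSLPROXY take precedence when both are set. The INI fragment is a constructed sample; the function names are the author's own.

```python
import os
import re
from typing import Optional, Tuple

# Documented syntax is hostname(port); the parenthesised port is optional.
_PROXY_RE = re.compile(r"^\s*([A-Za-z0-9.\-]+)\s*(?:\(\s*(\d{1,5})\s*\))?\s*$")


def parse_proxy(value: str) -> Tuple[str, int]:
    """Parse 'hostname(port)' into (host, port); the port defaults to 80."""
    m = _PROXY_RE.match(value)
    if not m:
        raise ValueError(f"invalid proxy value: {value!r}")
    host, port = m.group(1), int(m.group(2) or 80)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def is_valid_proxy(value: str) -> bool:
    """True if the value is accepted by parse_proxy."""
    try:
        parse_proxy(value)
        return True
    except ValueError:
        return False


def proxy_from_ini(ini_text: str) -> Optional[str]:
    """Return SSLHTTPProxyName from the 'SSL:' stanza of an MQ INI file, or None."""
    stanza = None
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith(":"):                 # stanza header, e.g. "SSL:"
            stanza = line[:-1].strip()
            continue
        if stanza == "SSL" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() == "sslhttpproxyname":
                return val
    return None


def resolve_ocsp_proxy(ini_text: str, env=None) -> Optional[Tuple[str, int]]:
    """MQSSLPROXY wins over the INI parameter; None means no proxy configured."""
    env = os.environ if env is None else env
    value = env.get("MQSSLPROXY") or proxy_from_ini(ini_text)
    return parse_proxy(value) if value else None


# Constructed sample INI fragment (not a real customer configuration).
SAMPLE_INI = """\
# SSL stanza in queue manager's initialization file
SSL:
   SSLHTTPProxyName=proxy.example.ibm.com(80)
   OCSPAuthentication=REQUIRED
"""
```

Keeping OCSPAuthentication=REQUIRED and routing the check through the proxy is the secure resolution; the OCSPAuthentication=OPTIONAL local fix above lets channels start when the revocation status cannot be obtained.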
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
                       v7.0
    Platform           Fix Pack 7.0.1.2
    --------           --------------------
    Windows            U200316
    AIX                U829807
    HP-UX (PA-RISC)    U829678
    HP-UX (Itanium)    U829681
    Solaris (SPARC)    U829806
    Solaris (x86-64)   U829680
    Linux (x86)        U829677
    Linux (x86-64)     U829676
    Linux (zSeries)    U829682
    Linux (Power)      U829679
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC64358

  • Reported component name

    WMQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-11-05

  • Closed date

    2010-02-07

  • Last modified date

    2010-03-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels

  • R701 PSY

       UP



Document information


Software version: 7.0.1

Reference #: IC64358

Modified date: 12 March 2010
