IBM Support

IC64358: WMQ V7.0.1: AMQ9716 ERROR OCCURS FOR SSL ENABLED CHANNELS

Fixes are available

WebSphere MQ V7.0 Fix Pack 7.0.1.2
WebSphere MQ V7.0.1 for i5/OS Fix Pack 7.0.1.2

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • After applying Refresh Pack for WebSphere MQ V7.0.1, the SSL
enabled channels fail with error AMQ9716:
Remote SSL certificate revocation status check failed for
channel 'XXXXX'.

GSKit trace reveals that it was unable to access the OCSP
responder.

Local fix

  • Add the OCSPAuthentication=OPTIONAL parameter to the
mqclient.ini.

Problem summary

  • ****************************************************************
USERS AFFECTED:
All users of WMQ SSL/TLS enabled channels who set
OCSPAuthentication to REQUIRED (or who are using the default
OCSPAuthentication) and who use an HTTP proxy server to connect
to the internet.

Platforms affected:
Windows,All Unix

****************************************************************
PROBLEM SUMMARY:
When the OCSPAuthentication is set to 'REQUIRED' and the OCSP
responder returns an unknown revocation status for a particular
certificate, WebSphere MQ rejects the connection and issues an
error message of type AMQ9716.

In this particular case, it was found that GSKit was unable to
get the revocation status because it was unable to reach the
OCSP responder. Analysis of the GSKit trace in the lab revealed
that an attempt to connect to OCSP responder failed because the
OCSP responder URL was unreachable.

However, when the OCSP responder URL was entered in an internet
browser, the connection was successful. A review of the browser
settings revealed that an HTTP proxy server was being used to
connect to the internet. GSKit had no knowledge of the HTTP
proxy server settings due to which it failed to access the OCSP
responder.

GSKit has a feature which enables the users to set the HTTP
proxy server which can be used by GSKit for OCSP checks.
However, WebSphere MQ had not exposed this feature to users.

Problem conclusion

  • Users can now specify the hostname and the port number of the
HTTP Proxy server which can be used by GSKit for OCSP checks. A
new environment variable "MQSSLPROXY" and an INI file parameter
"SSLHTTPProxyName" (under the SSL stanza) have been introduced
using which the customers can now enable the GSKit OCSP proxy
feature.

Syntax for using these parameters is as follows:
The users can set the environment variable MQSSLPROXY as follows
On windows:
set MQSSLPROXY=hostname(port)
ex: set MQSSLPROXY=proxy.example.ibm.com(80)
On Unix:
export MQSSLPROXY="hostname(port)"
ex: export MQSSLPROXY="proxy.example.ibm.com(80)"

The parameter SSLHTTPProxyName can be set in the SSL stanza of
the INI file (client or server) as follows:
SSLHTTPProxyName=hostname(port)

Example:
# SSL stanza in queue manager's initialization file
SSL:
   SSLHTTPProxyName=proxy.example.ibm.com(80)

If port number is not specified, default http port 80 will be
selected.

The OCSP proxy can be enabled by setting either the MQSSLPROXY
environment variable or the SSLHTTPProxyName parameter in the
SSL stanza (in the client.ini, qm.ini or Windows registry). If
both values are set, the MQSSLPROXY environment variable takes
precedence.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

                   v7.0
Platform           Fix Pack 7.0.1.2
--------           --------------------
Windows            U200316
AIX                U829807
HP-UX (PA-RISC)    U829678
HP-UX (Itanium)    U829681
Solaris (SPARC)    U829806
Solaris (x86-64)   U829680
Linux (x86)        U829677
Linux (x86-64)     U829676
Linux (zSeries)    U829682
Linux (Power)      U829679

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IC64358
    • 

  • Reported component name
    WMQ WINDOWS V7
    • 

  • Reported component ID
    5724H7220
    • 

  • Reported release
    701
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2009-11-05
    • 

  • Closed date
    2010-02-07
    • 

  • Last modified date
    2010-03-12
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WMQ WINDOWS V7
    • 

  • Fixed component ID
    5724H7220
    • 



Applicable component levels


    

  • R701  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDEZSF","label":"IBM WebSphere MQ Managed File Transfer for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            31 March 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback