IBM Support

IC96853: MQ V7.X MESSAGE AMQ9654 CONCERNING INVALID CERTIFICATES CAN BE CONFUSING, REQUIRING AN UPDATE TO MESSAGE TEXT AND EXPLANATION

APAR status

  • Closed as program error.

Error description

  • The error message reported by AMQ9654 is confusing and does
    not reflect the SSL error.
    
    Currently, the error message text written to the queue manager
    error log is:
    
    AMQ9654:An invalid SSL certificate was received from the
    remote system.
    EXPLANATION:
    An SSL certificate received from the remote system was not
    corrupt but failed validation checks on something other than its
    ASN fields and date. It is possible that the certificate Subject
    DN is more than 1024 characters long or contains unsupported
    duplicate attribute values. The channel is ''; in some cases its
    name cannot be determined and so is shown as '????'. The channel
    did not start.
    ACTION:
    Ensure that the remote system has a valid SSL certificate.
    Restart the channel.
    
    Message AMQ9654 needs to better reflect why the precise error is
    generated and include all reasons for a missing certificate.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users who encounter the AMQ9654 error.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM SUMMARY:
    The error message reported by AMQ9654 is confusing and does
    not reflect the proper SSL error. The message and explanation
    fields need to be updated to reflect more reasons why this error
    can be generated.
    

Problem conclusion

  • The error returned from the AMQ.SSL.TRC reports:
    
    8(ssl_rc) - GSK_ERROR_CERT_VALIDATION i.e. Certificate
    validation error
    
    In this case it means the certificate could not be validated:
    the certificate chain could not be built because there is
    no certificate in the key database.
    
    Message AMQ9654 needs to better reflect why the precise error is
    generated and include all reasons for a missing certificate.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.1       7.1.0.5
    v7.5       7.5.0.4
    v7.0       7.0.1.12
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC96853

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7241

  • Reported release

    750

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-10-11

  • Closed date

    2013-11-29

  • Last modified date

    2013-11-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7241

Applicable component levels

  • R750 PSY

       UP



Document information

Software version: 7.5

Reference #: IC96853

Modified date: 29 November 2013