IBM Support

IT14282: NAMINGEXCEPTION THROWN WHEN USING NON-IBM JRE AND ACTIVEDIRECTORY LDAP SERVER

APAR status

  • Closed as program error.

Error description

  • When attempting to make a secure connection to a queue manager
    from an application using the MQ classes for Java or the MQ
    classes for JMS, an Exception is thrown if there is no
    Certificate Revocation List (CRL) defined on a certificate in
    the certificate store being used to secure the connection.
    Previously no Exception was thrown by the MQ classes for Java or
    MQ classes for JMS.
    
    The exception is seen when using a non-IBM JRE, and occurred
    after migrating from an OpenLDAP-based LDAP server to an Active
    Directory LDAP server.
    
    The stack trace of the Exception thrown is similar to the
    following:
    
    [14/06/15 12:03:42.531.00]  0001 [javax.naming.NamingException:
    [LDAP: error code 1 - 000020D6: SvcErr: DSID-0310081B, problem
    5012 (DIR_ERROR), data 0
    [14/06/15 12:03:42.531.00]  0001  ]; remaining name
    'cn=hostname.com'
    [14/06/15 12:03:42.531.00]  0001 ]
    [java.security.cert.CertStoreException] at:
    [14/06/15 12:03:42.531.00]  0001
    sun.security.provider.certpath.ldap.LDAPCertStore.getCRLs(Unknow
    n Source)
    [14/06/15 12:03:42.531.00]  0001
    sun.security.provider.certpath.ldap.LDAPCertStore.engineGetCRLs(
    Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    java.security.cert.CertStore.getCRLs(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.util.RemoteSSLCRLHelper.checkCRL(RemoteSS
    LCRLHelper.java:180)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(
    RemoteTCPConnection.java:1387)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConne
    ction.java:860)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSes
    sionFromNewConnection(RemoteConnectionSpecification.java:409)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSes
    sion(RemoteConnectionSpecification.java:305)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(Remo
    teConnectionPool.java:146)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:
    1725)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:
    1294)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJ
    mqiImpl.java:376)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnecti
    on.java:342)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7Pr
    oviderConnection(WMQConnectionFactory.java:8476)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProv
    iderConnection(WMQConnectionFactory.java:7818)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createCon
    nection(JmsConnectionFactoryImpl.java:299)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConn
    ection(JmsConnectionFactoryImpl.java:236)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConn
    ectionFactory.java:6018)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnection
    Factory.java:6043)
    [14/06/15 12:03:42.531.00]  0001
    JmsProducer.main(JmsProducer.java:119)
    [14/06/15 12:03:42.531.00]  0001 Object ClassLoader = null
    [14/06/15 12:03:42.531.00]  0001 CurrentThread ClassLoader =
    sun.misc.Launcher$AppClassLoader@73d16e93
    [14/06/15 12:03:42.531.00]  0001  Cause:
    [14/06/15 12:03:42.531.00]  0001
    [14/06/15 12:03:42.531.00]  0001 [[LDAP: error code 1 -
    000020D6: SvcErr: DSID-0310081B, problem 5012 (DIR_ERROR), data
    0
    [14/06/15 12:03:42.531.00]  0001  ]
    [14/06/15 12:03:42.531.00]  0001 ]
    [javax.naming.NamingException] at:
    [14/06/15 12:03:42.531.00]  0001
    com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    com.sun.jndi.ldap.LdapCtx.c_getAttributes(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(Unk
    nown Source)
    [14/06/15 12:03:42.531.00]  0001
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttribute
    s(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttribute
    s(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    javax.naming.directory.InitialDirContext.getAttributes(Unknown
    Source)
    [14/06/15 12:03:42.531.00]  0001
    sun.security.provider.certpath.ldap.LDAPCertStore$LDAPRequest.ge
    tValueMap(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    sun.security.provider.certpath.ldap.LDAPCertStore$LDAPRequest.ge
    tValues(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    sun.security.provider.certpath.ldap.LDAPCertStore.getCRLs(Unknow
    n Source)
    [14/06/15 12:03:42.531.00]  0001
    sun.security.provider.certpath.ldap.LDAPCertStore.engineGetCRLs(
    Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    java.security.cert.CertStore.getCRLs(Unknown Source)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.util.RemoteSSLCRLHelper.checkCRL(RemoteSS
    LCRLHelper.java:180)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(
    RemoteTCPConnection.java:1387)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConne
    ction.java:860)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSes
    sionFromNewConnection(RemoteConnectionSpecification.java:409)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSes
    sion(RemoteConnectionSpecification.java:305)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(Remo
    teConnectionPool.java:146)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:
    1725)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:
    1294)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJ
    mqiImpl.java:376)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnecti
    on.java:342)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7Pr
    oviderConnection(WMQConnectionFactory.java:8476)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProv
    iderConnection(WMQConnectionFactory.java:7818)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createCon
    nection(JmsConnectionFactoryImpl.java:299)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConn
    ection(JmsConnectionFactoryImpl.java:236)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConn
    ectionFactory.java:6018)
    [14/06/15 12:03:42.531.00]  0001
    com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnection
    Factory.java:6043)
    [14/06/15 12:03:42.531.00]  0001
    JmsProducer.main(JmsProducer.java:119)
    [14/06/15 12:03:42.531.00]  0001 Object ClassLoader = null
    [14/06/15 12:03:42.531.00]  0001 CurrentThread ClassLoader =
    sun.misc.Launcher$AppClassLoader@73d16e93
    [14/06/15 12:03:42.531.01]  0001  @10e31a9a
    c.i.m.j.remote.util.RemoteSSLCRLHelper
           ----+----+---  !
    checkCRL(X509Certificate,Collection<?>)<throwIndex 2>,
    [14/06/15 12:03:42.531.01]  0001 [javax.naming.NamingException:
    [LDAP: error code 1 - 000020D6: SvcErr: DSID-0310081B, problem
    5012 (DIR_ERROR), data 0
    [14/06/15 12:03:42.531.01]  0001  ]; remaining name
    'cn=r9vvd1m.hursley.ibm.com'
    [14/06/15 12:03:42.531.01]  0001 ]
    [java.security.cert.CertStoreException]
    [14/06/15 12:03:42.532.00]  0001  @10e31a9a
    c.i.m.j.remote.util.RemoteSSLCRLHelper
           ----+----+---  X
    checkCRL(X509Certificate,Collection<?>)<catchIndex 6>
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of the MQ classes for Java or classes
    for JMS where all the following conditions apply:
    
     - the IBM MQ classes for Java or IBM MQ classes for JMS in use
       are at version 7.0.1, 7.1, 7.5 or 8.
     - the application runs using a non-IBM Java Runtime Environment
       (JRE).
     - the application uses secured connections to communicate with
       the queue manager.
     - the certificates used to secure the connections are stored in
       an Active Directory based LDAP server.
     - one or more certificates in the certificate store do not have
       any Certificate Revocation Lists (CRLs) defined.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When attempting to make a secure connection to a queue manager,
    the MQ classes for Java and MQ classes for JMS query each
    certificate in the specified certificate store to see if it has
    any Certificate Revocation Lists (CRLs) defined. If no CRL has
    been specified for a certificate, the Java Runtime Environment
    (JRE) will return an exception to the MQ classes for Java or MQ
    classes for JMS. The MQ classes for Java or classes for JMS will
    then handle this exception internally, and carry on processing
    the certificate.
    
    The MQ classes for Java and classes for JMS were expecting the
    exception returned by the JRE to be of type
    javax.naming.NameNotFoundException. However, if the MQ classes
    for Java or classes for JMS were running in a non-IBM JRE, and
    the certificates were stored in an Active Directory based LDAP
    server, a javax.naming.NamingException was returned instead.
    Because the MQ classes for Java and classes for JMS were not
    expecting this type of exception, the exception was thrown back
    to the application rather than being handled internally.
    

Problem conclusion

  • The MQ classes for Java and MQ classes for JMS have been updated
    so that any javax.naming.NamingExceptions thrown because there
    is no CRL defined on a certificate are handled internally, and
    are not thrown back to the application.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.1.14
    v7.1       7.1.0.7
    v7.5       7.5.0.6
    v8.0       8.0.0.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
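
    The type mismatch described under "Problem description" and the broader handling described under "Problem conclusion", as an added Java illustration (not IBM's code and not part of the original APAR). The class, enum and method names are hypothetical, the "error code 32" and "directory unreachable" inputs are constructed samples, and the CommunicationException case goes slightly beyond what the APAR describes.

```java
import java.security.cert.CertStoreException;
import javax.naming.CommunicationException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;

public class CrlLookupHandling {
    enum Outcome { NO_CRL_DEFINED, RETHROWN_TO_APPLICATION }

    // Narrow rule: only NameNotFoundException means "no CRL defined".
    static Outcome narrow(CertStoreException e) {
        return e.getCause() instanceof NameNotFoundException
                ? Outcome.NO_CRL_DEFINED : Outcome.RETHROWN_TO_APPLICATION;
    }

    // Broad rule: any NamingException is absorbed. NamingException is the
    // JNDI root type, so this also absorbs unrelated directory failures.
    static Outcome broad(CertStoreException e) {
        return e.getCause() instanceof NamingException
                ? Outcome.NO_CRL_DEFINED : Outcome.RETHROWN_TO_APPLICATION;
    }

    static void report(String label, NamingException cause) {
        // The CRL lookup surfaces the JNDI failure wrapped in a
        // CertStoreException, as in the trace on this page.
        CertStoreException wrapped = new CertStoreException(cause);
        System.out.printf("%-24s %-24s narrow=%s broad=%s%n", label,
                cause.getClass().getSimpleName(), narrow(wrapped), broad(wrapped));
    }

    public static void main(String[] args) {
        // Constructed message: the exception type the MQ classes expected.
        report("entry not found", new NameNotFoundException(
                "[LDAP: error code 32 - No Such Object]"));
        // Message text copied from the trace on this page.
        report("Active Directory reply", new NamingException(
                "[LDAP: error code 1 - 000020D6: SvcErr: DSID-0310081B, "
                + "problem 5012 (DIR_ERROR), data 0]"));
        // Constructed: directory unreachable, also a NamingException subclass.
        report("directory unreachable", new CommunicationException(
                "ldap.example.test:389"));
    }
}
```

    Under the broad rule a directory outage is classified the same way as a missing CRL entry, so code that absorbs NamingException during revocation lookups should log the cause it swallowed.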
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT14282

  • Reported component name

    WMQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-03-11

  • Closed date

    2016-08-22

  • Last modified date

    2016-08-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels

  • R710 PSY

       UP

Document Information

Modified date:
09 March 2021