IBM Support

IT22832: Certificate chaining error reported by MQ IPT


APAR status

  • Closed as program error.

Error description

  • A certificate chaining error is reported when using MQ Internet
    Pass-Thru (MQ IPT), but insufficient information is available to
    diagnose the configuration error.
    
    
    When attempting a TLS connection with MQIPT 2.1.0.3 and
    WebSphere MQ, the following exception is noted in the MQ IPT
    logs and a JSSE trace:
    
    "java.security.cert.CertPathValidatorException: Certificate
    chaining error:"
    

Local fix

  • Ensure the client/server site certificate and the full Certificate
    Authority (CA) chain reside in either:
      1) SSLClientKeyRing/SSLServerKeyRing, or
      2) a separate SSLClientCAKeyRing/SSLServerCAKeyRing containing
         the CA intermediate and root certificates, plus the
         SSLClientKeyRing/SSLServerKeyRing containing the client/server
         site certificate.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    MQ IPT users using SSL certificates for client/server
    authentication on routes.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    For certificate authority (CA) chain verification, the MQIPT
    trust manager uses only the certificate keystores defined by
    the SSLClientCAKeyRing/SSLServerCAKeyRing and/or
    SSLClientKeyRing/SSLServerKeyRing parameters in the route
    stanza. This overrides the default JSSE trust behaviour.
    
    This behaviour was not apparent from the MQIPT trace file, as
    the logic to perform this check did not trace its exception
    handling.
    
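    The following pre-flight check is an added example and is not part of
    MQIPT or of this APAR's fix. It reproduces the trust-manager behaviour
    described above by building the PKIX trust anchors solely from the
    trusted-certificate entries of the configured SSL*KeyRing and
    SSL*CAKeyRing files (no fall-back to the JRE's default trust store), then
    validating the site certificate's chain against them. A failure surfaces
    as the same java.security.cert.CertPathValidatorException noted in the
    error description, and the check prints each certificate's subject and
    issuer so the missing intermediate or root can be identified before a
    route is started. Assumptions: the class name KeyRingChainCheck, key ring
    files in PKCS#12 format (KEYRING_TYPE), and file paths and passwords
    supplied on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Hypothetical pre-flight check for MQIPT key rings (not MQIPT code).
 * Usage: java KeyRingChainCheck <keyring> <password> [<ca-keyring> <password>]
 * Only trusted entries in the supplied rings act as trust anchors, which is
 * the restricted behaviour the APAR describes for the MQIPT trust manager.
 */
public class KeyRingChainCheck {

    static final String KEYRING_TYPE = "PKCS12"; // assumption: use "JKS" for JKS key rings

    /* Load one key ring file with its password. */
    static KeyStore loadKeyRing(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYRING_TYPE);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /* Every trusted-certificate entry in the supplied rings becomes a PKIX trust anchor. */
    static Set<TrustAnchor> trustAnchors(KeyStore... rings) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (KeyStore ring : rings) {
            if (ring == null) continue;
            for (Enumeration<String> e = ring.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                if (ring.isCertificateEntry(alias)) {
                    anchors.add(new TrustAnchor((X509Certificate) ring.getCertificate(alias), null));
                }
            }
        }
        return anchors;
    }

    /* The chain stored with the first private-key entry: site certificate plus any intermediates. */
    static List<X509Certificate> siteChain(KeyStore keyRing) throws Exception {
        for (Enumeration<String> e = keyRing.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (keyRing.isKeyEntry(alias)) {
                List<X509Certificate> chain = new ArrayList<>();
                for (Certificate c : keyRing.getCertificateChain(alias)) chain.add((X509Certificate) c);
                return chain;
            }
        }
        throw new IllegalStateException("key ring contains no private-key entry (site certificate)");
    }

    /* Validate the chain against the anchors only; returns a human-readable verdict. */
    static String verifyChain(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        // PKIX expects the path to stop just below an anchor, so drop any anchor that also sits in the chain.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            boolean isAnchor = false;
            for (TrustAnchor a : anchors) if (c.equals(a.getTrustedCert())) isAnchor = true;
            if (!isAnchor) path.add(c);
        }
        if (path.isEmpty()) return "OK: the site certificate itself is a trusted entry in the key rings";
        try {
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // chaining only; CRL checking is configured separately in MQIPT
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) validator.validate(
                    CertificateFactory.getInstance("X.509").generateCertPath(path), params);
            return "OK: chain ends at trust anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (InvalidAlgorithmParameterException ex) {
            return "CHAINING ERROR: the configured key rings contain no trusted CA certificates at all";
        } catch (CertPathValidatorException ex) {
            // This is the condition behind "Certificate chaining error:" in the MQIPT log.
            StringBuilder sb = new StringBuilder("CHAINING ERROR: ").append(ex.getMessage()).append('\n');
            for (X509Certificate c : chain) {
                sb.append("  subject=").append(c.getSubjectX500Principal())
                  .append("\n    issuer=").append(c.getIssuerX500Principal()).append('\n');
            }
            return sb.append("  -> the issuer of the last certificate above must be a trusted entry in "
                    + "SSLClientCAKeyRing/SSLServerCAKeyRing or SSLClientKeyRing/SSLServerKeyRing").toString();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2 && args.length != 4) {
            System.err.println("usage: KeyRingChainCheck <keyring> <password> [<ca-keyring> <password>]");
            System.exit(2);
        }
        KeyStore keyRing = loadKeyRing(args[0], args[1].toCharArray());
        KeyStore caRing = args.length == 4 ? loadKeyRing(args[2], args[3].toCharArray()) : null;
        Set<TrustAnchor> anchors = trustAnchors(keyRing, caRing);
        System.out.println("trusted CA entries available to the trust manager: " + anchors.size());
        System.out.println(verifyChain(siteChain(keyRing), anchors));
    }
}
```

    Run it once per route with the same key ring files the route stanza
    names; an OK verdict naming the expected root or intermediate confirms
    the CA chain is complete within the rings, while a CHAINING ERROR
    verdict lists the subject/issuer pairs so the absent CA certificate can
    be added to the CA key ring before the route is enabled.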

Problem conclusion

  • Additional trace points have been added to highlight to users
    this potential misconception of the location of the CA keystores
    in the event of a certificate chaining error.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v2.1       2.1.0.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT22832

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-10-18

  • Closed date

    2017-10-31

  • Last modified date

    2017-10-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7251

Applicable component levels

  • R800 PSY

       UP

Document Information

Modified date:
31 October 2017