APAR status
Closed as program error.
Error description
A certificate chaining error occurs when using MQ Internet Pass-Thru (MQ IPT), but insufficient information is available to diagnose the configuration error. When attempting a TLS connection with MQIPT 2.1.0.3 and WebSphere MQ, the following exception is noted in the MQ IPT logs and a JSSE trace: "java.security.cert.CertPathValidatorException: Certificate chaining error:"
Local fix
Ensure the client/server site certificate and full Certificate Authority (CA) chain reside in either:
1) SSLClientKeyRing/SSLServerKeyRing, or
2) a separate SSLClientCAKeyRing/SSLServerCAKeyRing containing the CA intermediate and root certificates, plus the SSLClientKeyRing/SSLServerKeyRing containing the client/server site certificate.
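A pre-flight check for the condition in the local fix, as an added example that is not IBM or MQIPT code: it loads the key ring files named on the command line and confirms that each site certificate chains to a self-signed root using only certificates found in those files. The class name, the file names, the assumption that the key rings are PKCS#12 files and the passing of passwords as arguments are all assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
// Added example (not IBM code). Usage, with hypothetical file names:
//   java KeyRingChainCheck site.pfx <password> [ca.pfx <password>]
public class KeyRingChainCheck {
    public static void main(String[] args) throws Exception {
        List<X509Certificate> pool = new ArrayList<>();  // every certificate in the supplied key rings
        List<X509Certificate> sites = new ArrayList<>(); // certificates that have a private key
        for (int i = 0; i + 1 < args.length; i += 2) {
            KeyStore ks = KeyStore.getInstance("PKCS12"); // assumption: key rings are PKCS#12 files
            try (InputStream in = new FileInputStream(args[i])) {
                ks.load(in, args[i + 1].toCharArray());
            }
            for (String alias : Collections.list(ks.aliases())) {
                Certificate[] chain = ks.getCertificateChain(alias); // null for CA-only entries
                if (chain != null) for (Certificate c : chain) pool.add((X509Certificate) c);
                Certificate cert = ks.getCertificate(alias);
                if (cert instanceof X509Certificate) {
                    pool.add((X509Certificate) cert);
                    if (ks.isKeyEntry(alias)) sites.add((X509Certificate) cert);
                }
            }
        }
        for (X509Certificate site : sites)
            System.out.println(site.getSubjectX500Principal() + ": " + walk(site, pool));
    }
    // Follow issuer links using only certificates from the key rings, never the JRE cacerts.
    static String walk(X509Certificate cur, List<X509Certificate> pool) {
        for (int depth = 0; depth < 16; depth++) {
            if (signedBy(cur, cur)) return "chain complete, root " + cur.getSubjectX500Principal();
            X509Certificate next = null;
            for (X509Certificate cand : pool)
                if (cand.getSubjectX500Principal().equals(cur.getIssuerX500Principal())
                        && signedBy(cur, cand)) { next = cand; break; }
            if (next == null) return "BROKEN, issuer not in key rings: " + cur.getIssuerX500Principal();
            cur = next;
        }
        return "BROKEN, chain longer than 16 certificates or looping";
    }

    static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        try { cert.verify(issuer.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }
}
```

A BROKEN line names the issuer whose certificate still has to be added to one of the key rings.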
Problem summary
USERS AFFECTED: MQ IPT users using SSL certificates for client/server authentication on routes.
Platforms affected: MultiPlatform
PROBLEM DESCRIPTION: For certificate authority (CA) chain verification, the MQIPT trust manager only uses the certificate keystores defined by the SSLClientCAKeyRing/SSLServerCAKeyRing and/or SSLClientKeyRing/SSLServerKeyRing parameters in the route stanza. This overrides the default JSSE behaviour. This behaviour was not apparent from the MQIPT trace file, as the logic to perform this check did not trace its exception handling.
Problem conclusion
Additional trace points have been added to highlight to users this potential misconception of the location of the CA keystores in the event of a certificate chaining error.
The fix is targeted for delivery in the following PTFs:
Version    Maintenance Level
v2.1       2.1.0.4
The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes': http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates': http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
Temporary fix
Comments
APAR Information
APAR number
IT22832
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7251
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-18
Closed date
2017-10-31
Last modified date
2017-10-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE MP
Fixed component ID
5724H7251
Applicable component levels
R800 PSY
UP
Document Information
Modified date:
31 October 2017