Troubleshooting
Problem
This document is intended to help diagnose IBM MQ Java™ or JMS SSL setup errors.
It lists most of the common configuration errors that can cause an SSL or TLS connection from a Java/JMS client to a queue manager to fail, and gives the course of action to resolve the problem.
In each case the error can be diagnosed by a combination of the error seen in the client log - either a console output, trace file or SystemOut.log file - and the queue manager's error logs.
.
The document is quite long, so the easiest way to find the potential error is to search for one of the errors seen in this list, then filter this list using the error from the opposite end of the channel.
.
All cases here assume that 2-way authentication is being attempted (SSLCAUTH set to REQUIRED on the queue manager's SVRCONN channel). This is the default, and the errors are very similar for 1-way authentication (SSLCAUTH set to OPTIONAL).
It lists most of the common configuration errors that can cause an SSL or TLS connection from a Java/JMS client to a queue manager to fail, and gives the course of action to resolve the problem.
In each case the error can be diagnosed by a combination of the error seen in the client log - either a console output, trace file or SystemOut.log file - and the queue manager's error logs.
.
The document is quite long, so the easiest way to find the potential error is to search for one of the errors seen in this list, then filter this list using the error from the opposite end of the channel.
.
All cases here assume that 2-way authentication is being attempted (SSLCAUTH set to REQUIRED on the queue manager's SVRCONN channel). This is the default, and the errors are very similar for 1-way authentication (SSLCAUTH set to OPTIONAL).
Symptom
- Instructions on collecting documentation
- Cause 1: Client missing personal certificate
- Cause 2: Missing server personal certificate
- Cause 3: Missing server signer on client
- Cause 4: Missing client signer on server
- Cause 5: Cipher spec mismatch
- Cause 6: No cipher enabled on client
- Cause 7: No cipher enabled on queue manager's server connection channel
- Cause 8 Using non-FIPS cipher, FIPS enabled on client (not on server)
- Cause 9: Using non_FIPS cipher, FIPS enabled on server (not on client)
- Cause 10: Using FIPS cipher, FIPS not enabled on client
- Cause 11: Using non_FIPS cipher, FIPS enabled at both ends
- Cause 12: Value of SSLPEER on client does not match personal certificate
- Cause 13: Value of SSLPEER on server does not match personal certificate
- Cause 14: Listener not running on server
- Cause 15: Can not find client keystore
- Cause 16: Client keystore password incorrect
- Cause 17: Can not find client truststore
- Cause 18: Client truststore password incorrect
Diagnosing The Problem
Two sets of documentation are required:
- SystemOut, console output or Java/JMS trace - this will show the exceptions with stack outputs as seen below
- AMQERR*.LOG files from the queue manager install location. these will contain the AMQxxxx errors as seen below
Resolving The Problem
| Cause 1 | Client missing personal certificate |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE') Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059; AMQ9204: Connection to host localhost(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059; AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN]],3=localhost(1414), 5=RemoteConnection.analyseErrorSegment] at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:2010) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1227) at com.ibm.msg.client.wmq.internal.WMQConnection. (WMQConnection.java:355) Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059; AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection .analyseErrorSegment(RemoteConnection.java:4366) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection .receiveTSH(RemoteConnection.java:2902) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection .initSess(RemoteConnection.java:1440) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection .connect(RemoteConnection.java:1115) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) |
| Queue Manager Error Logs |
AMQ9637: Channel is lacking a certificate. |
| Solution | Add a personal certificate to the client's keystore which has been signed by a certificate in the queue manager's key database. |
| Cause 2 | Missing server personal certificate |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR')) Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397; AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException [Remote host closed connection during handshake],3=localhost/127.0.0.1:1414(localhost), 4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection .protocolConnect(RemoteTCPConnection.java:1020) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection .connect(RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.ibm.jsse2.tc.a(tc.java:438) at com.ibm.jsse2.tc.g(tc.java:416) at com.ibm.jsse2.tc.a(tc.java:60) at com.ibm.jsse2.tc.startHandshake(tc.java:381) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection$6 .run(RemoteTCPConnection.java:1005) at java.security.AccessController.doPrivileged(AccessController.java:202) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection .protocolConnect(RemoteTCPConnection.java:1000) ... 11 more Caused by: java.io.EOFException: SSL peer shut down incorrectly at com.ibm.jsse2.a.a(a.java:120) at com.ibm.jsse2.tc.a(tc.java:540) ... 17 more ) |
| Queue Manager Error Logs |
AMQ9637: Channel is lacking a certificate. |
| Solution | Add a personal certificate to the queue manager's key database which has been signed by a certificate in the client's truststore, and which has a label of the form"ibmwebspheremqqmname." |
| Cause 3 | Missing server signer on client |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR') Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397; AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[com.ibm.jsse2.util.g: PKIX path building failed : java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=Some Name, O=IBM, L=Hursley, ST=Hampshire, C=UK is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match.],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection .protocolConnect(RemoteTCPConnection.java:1020) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection .connect(RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=Some Name, O=IBM, L=Hursley, ST=Hampshire, C=UK is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match |
| Queue Manager Error Logs |
AMQ9665: SSL connection closed by remote end of channel '????'. |
| Solution | Add the certificate used to sign the queue manager's personal certificate to the client's truststore. |
| Cause 4 | Missing client signer on server |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[Software caused connection abort: socket write error], 3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default]], 3=localhost(1414),5=RemoteTCPConnection.protocolConnect] at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:2010) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1227) at com.ibm.msg.client.wmq.internal.WMQConnection. (WMQConnection.java:355) ... 6 more Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[Software caused connection abort: socket write error], 3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:1020) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: java.net.SocketException: Software caused connection abort: socket write error |
| Queue Manager Error Logs |
AMQ9633: Bad SSL certificate for channel '????'. |
| Solution | Add the certificate used to sign the queue manager's personal certificate to the client's truststore. |
| Cause 5 | Cipher spec mismatch |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN'. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.analyseErrorSegment (RemoteConnection.java:4322) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.receiveTSH (RemoteConnection.java:2902) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.initSess (RemoteConnection.java:1440) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1115) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection (RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1599) |
| Queue Manager Error Logs |
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel 'SYSTEM.DEF.SVRCONN'. |
| Solution | Ensure that the cipher suite on the client matches the cipher spec on the queue manager's server connection channel. |
| Cause 6 | No cipher enabled on client |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN'. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.analyseErrorSegment (RemoteConnection.java:4322) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.receiveTSH (RemoteConnection.java:2902) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.initSess (RemoteConnection.java:1440) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1115) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection (RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1599) |
| Queue Manager Error Logs |
AMQ9639: Remote channel 'SYSTEM.DEF.SVRCONN' did not specify a CipherSpec. |
| Solution | Ensure that there is a cipher suite set on the client matching the cipher spec on the queue manager's server connection channel. |
| Cause 7 | No cipher enabled on queue manager's server connection channel |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN'. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.analyseErrorSegment (RemoteConnection.java:4322) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.receiveTSH (RemoteConnection.java:2902) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.initSess (RemoteConnection.java:1440) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1115) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) |
| Queue Manager Error Logs |
AMQ9635: Channel 'SYSTEM.DEF.SVRCONN' did not specify a valid CipherSpec. |
| Solution | Ensure that there is a cipher spec on the queue manager's server connection channel matching the cipher suite set on the client.. |
| Cause 8 | Using non-FIPS cipher, FIPS enabled on client (not on server) |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2393' ('MQRC_SSL_INITIALIZATION_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_NULL_MD5 or ciphersuite is not supported in FIPS mode], 3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.createSocket,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1748) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.connnectUsingLocalAddress (RemoteTCPConnection.java:674) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:991) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection (RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_NULL_MD5 or ciphersuite is not supported in FIPS mode at com.ibm.jsse2.q.a(q.java:84) at com.ibm.jsse2.r.(r.java:75) at com.ibm.jsse2.tc.setEnabledCipherSuites(tc.java:184) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1741) |
| Queue Manager Error Logs |
No errors seen |
| Solution | Either disable FIPS on the client or ensure both FIPS is enabled on the server and a FIPS-enabled cipher is being used. |
| Cause 9 | Using non_FIPS cipher, FIPS enabled on server (not on client) |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Received fatal alert: handshake_failure],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:1020) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection (RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at com.ibm.jsse2.n.a(n.java:8) |
| Queue Manager Error Logs |
AMQ9616: The CipherSpec proposed is not enabled on the SSL server. |
| Solution | Either disable FIPS on the server or ensure both FIPS is enabled on the client and a FIPS-enabled cipher is being used. |
| Cause 10 | Using FIPS cipher, FIPS not enabled on client |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Received fatal alert: handshake_failure],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:1020) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection (RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at com.ibm.jsse2.n.a(n.java:8) |
| Queue Manager Error Logs |
AMQ9616: The CipherSpec proposed is not enabled on the SSL server. |
| Solution | Either enable FIPS on the client or ensure a non FIPS-enabled cipher is being used. |
| Cause 11 | Using non_FIPS cipher, FIPS enabled at both ends |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2393' ('MQRC_SSL_INITIALIZATION_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_NULL_MD5 or ciphersuite is not supported in FIPS mode], 3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.createSocket,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1748) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.connnectUsingLocalAddress (RemoteTCPConnection.java:674) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:991) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_NULL_MD5 or ciphersuite is not supported in FIPS mode at com.ibm.jsse2.q.a(q.java:84) |
| Queue Manager Error Logs |
No errors seen.. |
| Solution | Either disable FIPS at both ends or ensure a FIPS-enabled cipher is being used. |
| Cause 12 | Value of SSLPEER on client does not match personal certificate |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2398' ('MQRC_SSL_PEER_NAME_MISMATCH'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2398;AMQ9636: SSL distinguished name does not match peer name, channel '?'. [4=CN=Some Name, O=IBM, ST=Hampshire, C=UK] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:1071) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) |
| Queue Manager Error Logs |
No errors seen |
| Solution | Ensure the value of SSLPEER matches the distinguished name of the personal certificate. |
| Cause 13 | Value of SSLPEER on server does not match personal certificate |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9643: Remote SSL peer name error for channel 'SYSTEM.DEF.SVRCONN'. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.analyseErrorSegment (RemoteConnection.java:4330) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.receiveTSH (RemoteConnection.java:2902) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.initSess (RemoteConnection.java:1440) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1115) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) |
| Queue Manager Error Logs |
AMQ9636: SSL distinguished name does not match peer name, channel 'SYSTEM.DEF.SVRCONN'. |
| Solution | Ensure the value of SSLPEER matches the distinguished name of the personal certificate. |
| Cause 14 | Listener not running on server |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9213: A communications error for occurred. [1=java.net.ConnectException[Connection refused: connect],3=localhost] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.connnectUsingLocalAddress (RemoteTCPConnection.java:663) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:991) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: java.net.ConnectException: Connection refused: connect at java.net.PlainSocketImpl.socketConnect(Native Method) |
| Queue Manager Error Logs |
No errors seen |
| Solution | Start the listener on the queue manager. |
| Cause 15 | Can not find client keystore |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: ],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.createSocket,5=default]], 3=localhost(1414),5=RemoteTCPConnection.makeSocketSecure] at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:2010) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1227) at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:355) ... 6 more Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: ],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.createSocket,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1706) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.connnectUsingLocalAddress (RemoteTCPConnection.java:674) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:991) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: at javax.net.ssl.DefaultSSLSocketFactory.a(SSLSocketFactory.java:7) at javax.net.ssl.DefaultSSLSocketFactory.createSocket (SSLSocketFactory.java:1) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1699) ... 13 more Caused by: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: at java.security.Provider$Service.newInstance(Provider.java:894) at sun.security.jca.GetInstance.getInstance(GetInstance.java:299) at sun.security.jca.GetInstance.getInstance(GetInstance.java:237) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:25) at javax.net.ssl.SSLContext.getDefault(SSLContext.java:15) at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:17) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.chooseSocketFactory (RemoteTCPConnection.java:2158) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1689) ... 13 more Caused by: java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.lang.Exception: Keystore file does not exist: C:\keystore\wrongfile.jks |
| Queue Manager Error Logs |
No errors seen |
| Solution | Specify the correct name and location for the client keystore. |
| Cause 16 | Client keystore password incorrect |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: ],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.createSocket,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1706) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.connnectUsingLocalAddress (RemoteTCPConnection.java:674) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:991) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: at javax.net.ssl.DefaultSSLSocketFactory.a(SSLSocketFactory.java:7) at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:1) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1699) ... 13 more Caused by: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: at java.security.Provider$Service.newInstance(Provider.java:894) at sun.security.jca.GetInstance.getInstance(GetInstance.java:299) at sun.security.jca.GetInstance.getInstance(GetInstance.java:237) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:25) at javax.net.ssl.SSLContext.getDefault(SSLContext.java:15) at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:17) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.chooseSocketFactory (RemoteTCPConnection.java:2158) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1689) ... 13 more Caused by: java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.io.IOException: Keystore was tampered with, or password was incorrect |
| Queue Manager Error Logs |
No errors seen |
| Solution | Specify the correct password for the client keystore. |
| Cause 17 | Can not find client truststore |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: ],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.createSocket,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1706) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.connnectUsingLocalAddress (RemoteTCPConnection.java:674) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:991) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection (RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: at javax.net.ssl.DefaultSSLSocketFactory.a(SSLSocketFactory.java:7) at javax.net.ssl.DefaultSSLSocketFactory.createSocket (SSLSocketFactory.java:1) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1699) ... 13 more Caused by: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: at java.security.Provider$Service.newInstance(Provider.java:894) at sun.security.jca.GetInstance.getInstance(GetInstance.java:299) at sun.security.jca.GetInstance.getInstance(GetInstance.java:237) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:25) at javax.net.ssl.SSLContext.getDefault(SSLContext.java:15) at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:17) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.chooseSocketFactory (RemoteTCPConnection.java:2158) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1689) ... 13 more Caused by: java.lang.Exception: Truststore file does not exist: C:\keystore\wrongfile.jks |
| Queue Manager Error Logs |
No errors seen.. |
| Solution | Specify the correct name and location for the client truststore. |
| Cause 18 | Client truststore password incorrect |
| SystemOut.log or Console Output | JMSWMQ0018: Failed to connect to queue manager JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'). Stack includes: Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: ],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.createSocket,5=default] at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1706) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.connnectUsingLocalAddress (RemoteTCPConnection.java:674) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect (RemoteTCPConnection.java:991) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect (RemoteConnection.java:1112) at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool .getConnection(RemoteConnectionPool.java:350) at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect (RemoteFAP.java:1599) ... 8 more Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: at javax.net.ssl.DefaultSSLSocketFactory.a(SSLSocketFactory.java:7) at javax.net.ssl.DefaultSSLSocketFactory.createSocket (SSLSocketFactory.java:1) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1699) ... 13 more Caused by: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: at java.security.Provider$Service.newInstance(Provider.java:894) at sun.security.jca.GetInstance.getInstance(GetInstance.java:299) at sun.security.jca.GetInstance.getInstance(GetInstance.java:237) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:25) at javax.net.ssl.SSLContext.getDefault(SSLContext.java:15) at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:17) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.chooseSocketFactory (RemoteTCPConnection.java:2158) at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure (RemoteTCPConnection.java:1689) ... 13 more Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source) at java.security.KeyStore.load(KeyStore.java:414) at com.ibm.jsse2.uc.a(uc.java:54) at com.ibm.jsse2.lc.f(lc.java:12) at com.ibm.jsse2.lc.(lc.java:16) at java.lang.J9VMInternals.newInstanceImpl(Native Method) at java.lang.Class.newInstance(Class.java:1345) at java.security.Provider$Service.newInstance(Provider.java:880) ... 20 more Caused by: java.security.UnrecoverableKeyException: Password verification failed |
| Queue Manager Error Logs |
No errors seen. |
| Solution | Specify the correct password for the client truststore. |
++ Additional Information:
tags: "MQ SSL"; "MQ TLS"; MQSSL; MQTLS
+++ end +++
[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"ARM Category":[{"code":"a8m0z00000008MzAAI","label":"Security"}],"ARM Case Number":"TS014395210","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Product Synonym
WMQ MQ
Was this topic helpful?
Document Information
Modified date:
26 October 2023
UID
swg21614686