+

Search Tips | Advanced Search

TLS troubleshooting information

Use the information listed here to help you solve problems with your TLS system.


Overview

For the error caused by Use non-FIPS cipher with FIPS enabled on client, you receive the following error message:

    JMSCMQ001

    IBM MQ call failed with completion code 2 ('MQCC_FAILED') reason 2397 ('MQRC_JSSE_ERROR')

For every other problem documented within this topic you receive either the previous error message, or the following error message, or both:

    JMSWMQ0018

    Failed to connect to queue manager 'queue_manager_name' with connection mode 'connection_mode' and host name 'host_name'

For each problem documented within this topic, the following information is provided:

  • Output from the sample SystemOut.log or Console, detailing the cause of the exception..
  • Queue manager error log information.
  • Solution to the problem.

Note:

  • We should always list out the stacks and the cause of the first exception.
  • Whether or not the error information is written to the stdout log file depends on how the application is written, and on which framework we are using.
  • The sample code includes stacks and line numbers. This information is useful guidance, but the stacks and line numbers are likely to change from one fix pack to another. We should use the stacks and line numbers as a guide to locating the correct section, and not use the information specifically for diagnostic purposes.


Cipher suite not set on client

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel
    'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN]
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    

    Queue manager error logs
    AMQ9639: Remote channel 'SYSTEM.DEF.SVRCONN' did not specify a CipherSpec.

    Solution
    Set a CipherSuite on the client so that both ends of the channel have a matching CipherSuite or CipherSpec pair.


Cipher suite not set on server

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error
    for channel 'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN]
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    

    Queue manager error logs
    AMQ9639: Remote channel 'SYSTEM.DEF.SVRCONN' did not specify a CipherSpec.

    Solution
    Change channel SYSTEM.DEF.SVRCONN to specify a valid CipherSpec.


Cipher Mismatch

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error
    for channel 'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN]
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    

    Queue manager error logs
    AMQ9631: The CipherSpec negotiated during the TLS handshake does not match the required CipherSpec for channel 'SYSTEM.DEF.SVRCONN'.

    Solution
    Change either the SSLCIPH definition of the server-connection channel or the Cipher suite of the client so that the two ends have a matching CipherSuite or CipherSpec pair.


Missing client personal certificate

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN]
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    

    Queue manager error logs
    AMQ9637: Channel is lacking a certificate.

    Solution
    Ensure that the key database of the queue manager contains a signed personal certificate from the truststore of the client.


Missing server personal certificate

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed.
    [1=javax.net.ssl.SSLHandshakeException[Remote host closed connection during handshake],
    3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default]
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    ... 12 more
    
    Caused by:
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at com.ibm.jsse2.qc.a(qc.java:158)
    at com.ibm.jsse2.qc.h(qc.java:185)
    at com.ibm.jsse2.qc.a(qc.java:566)
    at com.ibm.jsse2.qc.startHandshake(qc.java:120)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134)
    at java.security.AccessController.doPrivileged(AccessController.java:229)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134)
    ... 17 more
    
    Caused by:
    java.io.EOFException: SSL peer shut down incorrectly
    at com.ibm.jsse2.a.a(a.java:19)
    at com.ibm.jsse2.qc.a(qc.java:207)
    

    Queue manager error logs
    AMQ9637: Channel is lacking a certificate.

    Solution
    Ensure that the key database of the queue manager contains a signed personal certificate from the truststore of the client.


Missing server signer on client

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed.
    [1=javax.net.ssl.SSLHandshakeException[com.ibm.jsse2.util.j:
    PKIX path validation failed: java.security.cert.CertPathValidatorException:
    The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is:
    java.security.cert.CertPathValidatorException: Signature does not match.],3=localhost/127.0.0.1:1418
    (localhost),4=SSLSocket.startHandshake,5=default]
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    ...
    
    Caused by:
    javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path validation failed:
    java.security.cert.CertPathValidatorException:
    The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted;
    internal cause is: java.security.cert.CertPathValidatorException: Signature does not match.
    ...
    
    Caused by:
    com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException:
    The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted;
    internal cause is:	java.security.cert.CertPathValidatorException: Signature does not match.
    at com.ibm.jsse2.util.h.a(h.java:99)
    at com.ibm.jsse2.util.h.b(h.java:27)
    at com.ibm.jsse2.util.g.a(g.java:14)
    at com.ibm.jsse2.yc.a(yc.java:68)
    at com.ibm.jsse2.yc.a(yc.java:17)
    at com.ibm.jsse2.yc.checkServerTrusted(yc.java:154)
    at com.ibm.jsse2.bb.a(bb.java:246)
    ... 28 more
    
    Caused by:
    java.security.cert.CertPathValidatorException:
    The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted;
    internal cause is:	java.security.cert.CertPathValidatorException: Signature does not match.
    at com.ibm.security.cert.BasicChecker.(BasicChecker.java:111)
    at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:174)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:265)
    at com.ibm.jsse2.util.h.a(h.java:13)
    ... 34 more
    
    Caused by:
    java.security.cert.CertPathValidatorException: Signature does not match.
    at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:297)
    at com.ibm.security.cert.BasicChecker.(BasicChecker.java:108)
    

    Queue manager error logs
    AMQ9665: SSL connection closed by remote end of channel '????'.

    Solution
    Add the certificate used to sign the personal certificate of the queue manager to the truststore of the client.


Missing client signer on server

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed.
    [1=java.net.SocketException[Software caused connection abort: socket write error],
    3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default]
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    ... 12 more
    
    Caused by:
    java.net.SocketException: Software caused connection abort: socket write error
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:120)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:164)
    at com.ibm.jsse2.c.a(c.java:57)
    at com.ibm.jsse2.c.a(c.java:34)
    at com.ibm.jsse2.qc.b(qc.java:527)
    at com.ibm.jsse2.qc.a(qc.java:635)
    at com.ibm.jsse2.qc.a(qc.java:743)
    at com.ibm.jsse2.ab.a(ab.java:550)
    at com.ibm.jsse2.bb.b(bb.java:194)
    at com.ibm.jsse2.bb.a(bb.java:162)
    at com.ibm.jsse2.bb.a(bb.java:7)
    at com.ibm.jsse2.ab.r(ab.java:529)
    at com.ibm.jsse2.ab.a(ab.java:332)
    at com.ibm.jsse2.qc.a(qc.java:435)
    at com.ibm.jsse2.qc.h(qc.java:185)
    at com.ibm.jsse2.qc.a(qc.java:566)
    at com.ibm.jsse2.qc.startHandshake(qc.java:120)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134)
    at java.security.AccessController.doPrivileged(AccessController.java:229)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134)
    

    Queue manager error logs
    AMQ9633: Bad SSL certificate for channel '????'.

    Solution
    Add the certificate used to sign the personal certificate of the client to the key database of the queue manager.


SSLPEER set on server does not match certificate

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9643: Remote SSL peer name error for channel
    'SYSTEM.DEF.SVRCONN' on host ''. [3=SYSTEM.DEF.SVRCONN]
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    

    Queue manager error logs
    AMQ9636: SSL distinguished name does not match peer name, channel 'SYSTEM.DEF.SVRCONN'.

    Solution
    Ensure the value of SSLPEER set on the server-connection channel matches the distinguished name of the certificate.


SSLPEER set on client does not match certificate

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2398;AMQ9636: SSL distinguished name does not match peer name,
    channel '?'. [CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX]
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1215)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    

    Queue manager error logs
    AMQ9208: Error on receive from host host-name (address).

    Solution
    Ensure the value of SSLPEER set in the client matches the distinguished name of the certificate.


Use a non-FIPS cipher with FIPS enabled on client

    Output
    Check the queue manager is started and if running in client mode, check there is a listener running.
    Please see the linked exception for more information.
    at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:578)
    at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:214)
    at com.ibm.msg.client.wmq.internal.WMQConnection.getConnectOptions(WMQConnection.java:1423)
    at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:339)
    at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection
    (WMQConnectionFactory.java:6865)
    at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection
    (WMQConnectionFactory.java:6221)
    at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection
    (JmsConnectionFactoryImpl.java:285)
    at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection
    (JmsConnectionFactoryImpl.java:233)
    at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6016)
    at com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6041)
    at tests.SimpleSSLConn.runTest(SimpleSSLConn.java:46)
    at tests.SimpleSSLConn.main(SimpleSSLConn.java:26)
    
    Caused by:
    com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED')
    reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE').
    at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:202)
    

    Queue manager error logs
    Not applicable.

    Solution
    Use a FIPS-enabled cipher, or disable FIPS on the client.


Use a non-FIPS cipher with FIPS enabled on the queue manager

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed.
    [1=javax.net.ssl.SSLHandshakeException[Received fatal alert: handshake_failure],
    3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default]
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    ... 12 more
    
    Caused by:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.ibm.jsse2.j.a(j.java:13)
    at com.ibm.jsse2.j.a(j.java:18)
    at com.ibm.jsse2.qc.b(qc.java:601)
    at com.ibm.jsse2.qc.a(qc.java:100)
    at com.ibm.jsse2.qc.h(qc.java:185)
    at com.ibm.jsse2.qc.a(qc.java:566)
    at com.ibm.jsse2.qc.startHandshake(qc.java:120)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134)
    at java.security.AccessController.doPrivileged(AccessController.java:229)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134)
    

    Queue manager error logs
    AMQ9616: The CipherSpec proposed is not enabled on the server.

    Solution
    Use a FIPS-enabled cipher, or disable FIPS on the queue manager.


Can not find client keystore using IBM JRE

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host 'localhost(1418)' rejected.
    [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed.
    [3=SYSTEM.DEF.SVRCONN]],3=localhost(1418),5=RemoteConnection.analyseErrorSegment]
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2450)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1396)
    at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
    at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:561)
    at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:342)
    ... 8 more
    
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN]
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    

    Queue manager error logs
    AMQ9637: Channel is lacking a certificate.

    Solution
    Ensure the JVM property javax.net.ssl.keyStore specifies the location of a valid keystore.


Can not find client keystore using Oracle JRE

    Output
    Caused by:
    java.security.PrivilegedActionException: java.io.FileNotFoundException:
    C:\filepath\wrongkey.jks (The system cannot find the file specified)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(Unknown Source)
    at sun.security.ssl.SSLContextImpl$DefaultSSLContext.(Unknown Source)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    ... 28 more
    
    Caused by:
    java.io.FileNotFoundException: C:\filepath\wrongkey.jks (The system cannot find the file specified)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.(Unknown Source)
    at java.io.FileInputStream.(Unknown Source)
    at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(Unknown Source)
    at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(Unknown Source)
    

    Queue manager error logs
    AMQ9637: Channel is lacking a certificate.

    Solution
    Ensure the JVM property javax.net.ssl.keyStore specifies the location of a valid keystore.


Keystore password error - IBM JRE

    Output
    Caused by:
    com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN]
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection
    (RemoteConnectionSpecification.java:409)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession
    (RemoteConnectionSpecification.java:305)
    at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
    at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
    

    Queue manager error logs
    AMQ9637: Channel is lacking a certificate.

    Solution
    Ensure that the value of the JVM property javax.net.ssl.keyStorePassword specifies the password for the keystore specified by javax.net.ssl.keyStore.


Truststore password error - IBM JRE

    Output
    Caused by:
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
    No X509TrustManager implementation available
    at com.ibm.jsse2.j.a(j.java:13)
    at com.ibm.jsse2.qc.a(qc.java:204)
    at com.ibm.jsse2.ab.a(ab.java:342)
    at com.ibm.jsse2.ab.a(ab.java:222)
    at com.ibm.jsse2.bb.a(bb.java:157)
    at com.ibm.jsse2.bb.a(bb.java:492)
    at com.ibm.jsse2.ab.r(ab.java:529)
    at com.ibm.jsse2.ab.a(ab.java:332)
    at com.ibm.jsse2.qc.a(qc.java:435)
    at com.ibm.jsse2.qc.h(qc.java:185)
    at com.ibm.jsse2.qc.a(qc.java:566)
    at com.ibm.jsse2.qc.startHandshake(qc.java:120)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134)
    at java.security.AccessController.doPrivileged(AccessController.java:229)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134)
    ... 17 more
    
    Caused by:
    java.security.cert.CertificateException: No X509TrustManager implementation available
    at com.ibm.jsse2.xc.checkServerTrusted(xc.java:2)
    at com.ibm.jsse2.bb.a(bb.java:246)
    

    Queue manager error logs
    AMQ9665: SSL connection closed by remote end of channel '????'.

    Solution
    Ensure that the value of the JVM property javax.net.ssl.trustStorePassword specifies the password for the keystore specified by javax.net.ssl.trustStore.


Can not find or open queue manager key database

    Output
    Caused by:
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at com.ibm.jsse2.qc.a(qc.java:158)
    at com.ibm.jsse2.qc.h(qc.java:185)
    at com.ibm.jsse2.qc.a(qc.java:566)
    at com.ibm.jsse2.qc.startHandshake(qc.java:120)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134)
    at java.security.AccessController.doPrivileged(AccessController.java:229)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134)
    ... 17 more
    
    Caused by:
    java.io.EOFException: SSL peer shut down incorrectly
    at com.ibm.jsse2.a.a(a.java:19)
    at com.ibm.jsse2.qc.a(qc.java:207)
    

    Queue manager error logs
    AMQ9657: The key repository could not be opened (channel '????').

    Solution
    Ensure that the key repository you specify exists and that its permissions are such that the IBM MQ process involved can read from it.


Can not find or use queue manager key database password stash file

    Output
    Caused by:
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at com.ibm.jsse2.qc.a(qc.java:158)
    at com.ibm.jsse2.qc.h(qc.java:185)
    at com.ibm.jsse2.qc.a(qc.java:566)
    at com.ibm.jsse2.qc.startHandshake(qc.java:120)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134)
    at java.security.AccessController.doPrivileged(AccessController.java:229)
    at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134)
    ... 17 more
    
    Caused by:
    ava.io.EOFException: SSL peer shut down incorrectly
    at com.ibm.jsse2.a.a(a.java:19)
    at com.ibm.jsse2.qc.a(qc.java:207)
    

    Queue manager error logs
    AMQ9660: SSL key repository: password stash file absent or unusable.

    Solution
    Ensure that a password stash file has been associated with the key database file in the same directory, and that the user ID, under which IBM MQ is running, has read access to both files.

Parent topic: IBM MQ Troubleshooting and support

Last updated: 2020-10-04