TLS troubleshooting information
Use the information listed here to help you solve problems with your TLS system.
Overview
For the error caused by Use non-FIPS cipher with FIPS enabled on client, you receive the following error message:
- JMSCMQ001
IBM MQ call failed with completion code 2 ('MQCC_FAILED') reason 2397 ('MQRC_JSSE_ERROR')
For every other problem documented within this topic you receive either the previous error message, or the following error message, or both:
- JMSWMQ0018
Failed to connect to queue manager 'queue_manager_name' with connection mode 'connection_mode' and host name 'host_name'
For each problem documented within this topic, the following information is provided:
- Output from the sample SystemOut.log or Console, detailing the cause of the exception..
- Queue manager error log information.
- Solution to the problem.
Note:
- We should always list out the stacks and the cause of the first exception.
- Whether or not the error information is written to the stdout log file depends on how the application is written, and on which framework we are using.
- The sample code includes stacks and line numbers. This information is useful guidance, but the stacks and line numbers are likely to change from one fix pack to another. We should use the stacks and line numbers as a guide to locating the correct section, and not use the information specifically for diagnostic purposes.
Cipher suite not set on client
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
- Queue manager error logs
- AMQ9639: Remote channel 'SYSTEM.DEF.SVRCONN' did not specify a CipherSpec.
- Solution
- Set a CipherSuite on the client so that both ends of the channel have a matching CipherSuite or CipherSpec pair.
Cipher suite not set on server
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
- Queue manager error logs
- AMQ9639: Remote channel 'SYSTEM.DEF.SVRCONN' did not specify a CipherSpec.
- Solution
- Change channel SYSTEM.DEF.SVRCONN to specify a valid CipherSpec.
Cipher Mismatch
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'SYSTEM.DEF.SVRCONN' to host ''. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
- Queue manager error logs
- AMQ9631: The CipherSpec negotiated during the TLS handshake does not match the required CipherSpec for channel 'SYSTEM.DEF.SVRCONN'.
- Solution
- Change either the SSLCIPH definition of the server-connection channel or the Cipher suite of the client so that the two ends have a matching CipherSuite or CipherSpec pair.
Missing client personal certificate
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
- Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure that the key database of the queue manager contains a signed personal certificate from the truststore of the client.
Missing server personal certificate
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Remote host closed connection during handshake], 3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) ... 12 moreCaused by:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.ibm.jsse2.qc.a(qc.java:158) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) ... 17 moreCaused by:java.io.EOFException: SSL peer shut down incorrectly at com.ibm.jsse2.a.a(a.java:19) at com.ibm.jsse2.qc.a(qc.java:207)
- Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure that the key database of the queue manager contains a signed personal certificate from the truststore of the client.
Missing server signer on client
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match.],3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) ...Caused by:javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match. ...Caused by:com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match. at com.ibm.jsse2.util.h.a(h.java:99) at com.ibm.jsse2.util.h.b(h.java:27) at com.ibm.jsse2.util.g.a(g.java:14) at com.ibm.jsse2.yc.a(yc.java:68) at com.ibm.jsse2.yc.a(yc.java:17) at com.ibm.jsse2.yc.checkServerTrusted(yc.java:154) at com.ibm.jsse2.bb.a(bb.java:246) ... 28 moreCaused by:java.security.cert.CertPathValidatorException: The certificate issued by CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match. at com.ibm.security.cert.BasicChecker.(BasicChecker.java:111) at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:174) at java.security.cert.CertPathValidator.validate(CertPathValidator.java:265) at com.ibm.jsse2.util.h.a(h.java:13) ... 34 moreCaused by:java.security.cert.CertPathValidatorException: Signature does not match. at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:297) at com.ibm.security.cert.BasicChecker.(BasicChecker.java:108)
- Queue manager error logs
- AMQ9665: SSL connection closed by remote end of channel '????'.
- Solution
- Add the certificate used to sign the personal certificate of the queue manager to the truststore of the client.
Missing client signer on server
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[Software caused connection abort: socket write error], 3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) ... 12 moreCaused by:java.net.SocketException: Software caused connection abort: socket write error at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:120) at java.net.SocketOutputStream.write(SocketOutputStream.java:164) at com.ibm.jsse2.c.a(c.java:57) at com.ibm.jsse2.c.a(c.java:34) at com.ibm.jsse2.qc.b(qc.java:527) at com.ibm.jsse2.qc.a(qc.java:635) at com.ibm.jsse2.qc.a(qc.java:743) at com.ibm.jsse2.ab.a(ab.java:550) at com.ibm.jsse2.bb.b(bb.java:194) at com.ibm.jsse2.bb.a(bb.java:162) at com.ibm.jsse2.bb.a(bb.java:7) at com.ibm.jsse2.ab.r(ab.java:529) at com.ibm.jsse2.ab.a(ab.java:332) at com.ibm.jsse2.qc.a(qc.java:435) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134)
- Queue manager error logs
- AMQ9633: Bad SSL certificate for channel '????'.
- Solution
- Add the certificate used to sign the personal certificate of the client to the key database of the queue manager.
SSLPEER set on server does not match certificate
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9643: Remote SSL peer name error for channel 'SYSTEM.DEF.SVRCONN' on host ''. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
- Queue manager error logs
- AMQ9636: SSL distinguished name does not match peer name, channel 'SYSTEM.DEF.SVRCONN'.
- Solution
- Ensure the value of SSLPEER set on the server-connection channel matches the distinguished name of the certificate.
SSLPEER set on client does not match certificate
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2398;AMQ9636: SSL distinguished name does not match peer name, channel '?'. [CN=JohnDoe, O=COMPANY, L=YOURSITE, C=XX] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1215) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
- Queue manager error logs
- AMQ9208: Error on receive from host host-name (address).
- Solution
- Ensure the value of SSLPEER set in the client matches the distinguished name of the certificate.
Use a non-FIPS cipher with FIPS enabled on client
- Output
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information. at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:578) at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:214) at com.ibm.msg.client.wmq.internal.WMQConnection.getConnectOptions(WMQConnection.java:1423) at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:339) at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection (WMQConnectionFactory.java:6865) at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection (WMQConnectionFactory.java:6221) at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection (JmsConnectionFactoryImpl.java:285) at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection (JmsConnectionFactoryImpl.java:233) at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6016) at com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6041) at tests.SimpleSSLConn.runTest(SimpleSSLConn.java:46) at tests.SimpleSSLConn.main(SimpleSSLConn.java:26)Caused by:com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE'). at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:202)
- Queue manager error logs
- Not applicable.
- Solution
- Use a FIPS-enabled cipher, or disable FIPS on the client.
Use a non-FIPS cipher with FIPS enabled on the queue manager
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Received fatal alert: handshake_failure], 3=localhost/127.0.0.1:1418 (localhost),4=SSLSocket.startHandshake,5=default] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1173) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:835) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868) ... 12 moreCaused by:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at com.ibm.jsse2.j.a(j.java:13) at com.ibm.jsse2.j.a(j.java:18) at com.ibm.jsse2.qc.b(qc.java:601) at com.ibm.jsse2.qc.a(qc.java:100) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134)
- Queue manager error logs
- AMQ9616: The CipherSpec proposed is not enabled on the server.
- Solution
- Use a FIPS-enabled cipher, or disable FIPS on the queue manager.
Can not find client keystore using IBM JRE
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host 'localhost(1418)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN]],3=localhost(1418),5=RemoteConnection.analyseErrorSegment] at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2450) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1396) at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376) at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:561) at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:342) ... 8 moreCaused by:com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
- Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure the JVM property javax.net.ssl.keyStore specifies the location of a valid keystore.
Can not find client keystore using Oracle JRE
- Output
- Caused by:
java.security.PrivilegedActionException: java.io.FileNotFoundException: C:\filepath\wrongkey.jks (The system cannot find the file specified) at java.security.AccessController.doPrivileged(Native Method) at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(Unknown Source) at sun.security.ssl.SSLContextImpl$DefaultSSLContext.(Unknown Source) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at java.lang.Class.newInstance0(Unknown Source) at java.lang.Class.newInstance(Unknown Source) ... 28 moreCaused by:java.io.FileNotFoundException: C:\filepath\wrongkey.jks (The system cannot find the file specified) at java.io.FileInputStream.open(Native Method) at java.io.FileInputStream.(Unknown Source) at java.io.FileInputStream.(Unknown Source) at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(Unknown Source) at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(Unknown Source)
- Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure the JVM property javax.net.ssl.keyStore specifies the location of a valid keystore.
Keystore password error - IBM JRE
- Output
- Caused by:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=SYSTEM.DEF.SVRCONN] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4176) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2969) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1180) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:838) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection (RemoteConnectionSpecification.java:409) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession (RemoteConnectionSpecification.java:305) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1868)
- Queue manager error logs
- AMQ9637: Channel is lacking a certificate.
- Solution
- Ensure that the value of the JVM property javax.net.ssl.keyStorePassword specifies the password for the keystore specified by javax.net.ssl.keyStore.
Truststore password error - IBM JRE
- Output
- Caused by:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available at com.ibm.jsse2.j.a(j.java:13) at com.ibm.jsse2.qc.a(qc.java:204) at com.ibm.jsse2.ab.a(ab.java:342) at com.ibm.jsse2.ab.a(ab.java:222) at com.ibm.jsse2.bb.a(bb.java:157) at com.ibm.jsse2.bb.a(bb.java:492) at com.ibm.jsse2.ab.r(ab.java:529) at com.ibm.jsse2.ab.a(ab.java:332) at com.ibm.jsse2.qc.a(qc.java:435) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) ... 17 moreCaused by:java.security.cert.CertificateException: No X509TrustManager implementation available at com.ibm.jsse2.xc.checkServerTrusted(xc.java:2) at com.ibm.jsse2.bb.a(bb.java:246)
- Queue manager error logs
- AMQ9665: SSL connection closed by remote end of channel '????'.
- Solution
- Ensure that the value of the JVM property javax.net.ssl.trustStorePassword specifies the password for the keystore specified by javax.net.ssl.trustStore.
Can not find or open queue manager key database
- Output
- Caused by:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.ibm.jsse2.qc.a(qc.java:158) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) ... 17 moreCaused by:java.io.EOFException: SSL peer shut down incorrectly at com.ibm.jsse2.a.a(a.java:19) at com.ibm.jsse2.qc.a(qc.java:207)
- Queue manager error logs
- AMQ9657: The key repository could not be opened (channel '????').
- Solution
- Ensure that the key repository you specify exists and that its permissions are such that the IBM MQ process involved can read from it.
Can not find or use queue manager key database password stash file
- Output
- Caused by:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.ibm.jsse2.qc.a(qc.java:158) at com.ibm.jsse2.qc.h(qc.java:185) at com.ibm.jsse2.qc.a(qc.java:566) at com.ibm.jsse2.qc.startHandshake(qc.java:120) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1142) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1134) at java.security.AccessController.doPrivileged(AccessController.java:229) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1134) ... 17 moreCaused by:ava.io.EOFException: SSL peer shut down incorrectly at com.ibm.jsse2.a.a(a.java:19) at com.ibm.jsse2.qc.a(qc.java:207)
- Queue manager error logs
- AMQ9660: SSL key repository: password stash file absent or unusable.
- Solution
- Ensure that a password stash file has been associated with the key database file in the same directory, and that the user ID, under which IBM MQ is running, has read access to both files.
Parent topic: IBM MQ Troubleshooting and support