This application has ended. See above for any problems found.
Severity
0 : Informational
Explanation
If there are problems then resolve these and run this tool again.
AMQ3001E
No Certificate could be found for the Queue Manager <insert_3>
Severity
20 : Error
Explanation
Queue managers will use a certificate with the label set in the Queue Manager's CERTLABL attribute. There is no certificate with the label <insert_4> in the key repository being used by the queue manager The Key repository being used is located at <insert_5>.
Response
A valid certificate with the label <insert_4> needs to be added to the key repository.
AMQ3002E
No personal certificate could be found for the client in the client's key repository.
Severity
20 : Error
Explanation
There is no certificate with the label <insert_3> in the key repository being used by the client. The key repository referenced is located at <insert_4>.
Response
A valid certificate with the label <insert_3> needs to be added to the key repository. The client repository does not need to contain a personal certificate if the server-connection channel on the queue manager that it is connecting to has SSLCAUTH (SSL client authentication) set to OPTIONAL the SSLPEER parameter is empty.
AMQ3003E
No key repository could be found for the queue manager <insert_3>
Severity
20 : Error
Explanation
Queue managers use the SSLKEYR attribute to identify the location of the SSL key repository to use. No key repository file could be found at the location specified in the queue manager's SSLKEYR attribute The key repository referenced is <insert_4>.
Response
Alter the queue manager's SSLKEYR attribute to point at the correct key repository or create a key repository at the specified location.
AMQ3004E
No key repository could be found for the client
Severity
20 : Error
Explanation
No key repository file could be found at the location provided for the client. The key repository referenced is <insert_3>.
Response
Alter the MQSSLKEYR environment variable or -clientkeyr option to point at the correct key repository or create a key repository at the specified location.
AMQ3005E
No stash file could be found for the key repository in use by <insert_3>
Severity
20 : Error
Explanation
Queue managers use an encoded stash file to determine the password to use to access the key repository. No stash file could be found at the location specified from the queue manager's SSLKEYR attribute. The stash file referenced is <insert_4>.
Response
Key repositories need to be created with the 'stash' option. Either recreate the key repository or use the key database tools to create the missing stash file.
AMQ3006E
No stash file could be found for the key repository in use by the client
Severity
20 : Error
Explanation
No stash file could be found at the location provided for the client. The stash file referenced is <insert_3>.
Response
Key repositories need to be created with the 'stash' option. Either recreate the key repository or use the key database tools to create the missing stash file.
AMQ3007E
The SSLKEYR attribute of the queue manager is blank.
Severity
20 : Error
Explanation
Queue managers use the SSLKEYR attribute to identify the location of the SSL key repository to use. It is a required attribute if SSL is to be used.
Response
Alter the queue manager's SSLKEYR attribute to point at the correct key repository.
AMQ3008E
No key repository could be found for the queue manager <insert_3>
Severity
20 : Error
Explanation
Queue managers use the SSLKEYR attribute to identify the location of the SSL key repository to use. The location is determined by adding the file extension .kdb to the value of the SSLKEYR attribute. No key repository file could be found at the location <insert_4>.kdb
Response
The SSLKEYR attribute of the queue manager has incorrectly included the .kdb file extension. Alter the queue manager attribute to remove this file extension.
AMQ3009E
No key repository could be found for the Client
Severity
20 : Error
Explanation
No key repository file could be found at the location provided for the client. This application looked for <insert_3>.kdb
Response
The MQSSLKEYR environment variable or -clientkeyr option has incorrectly included the .kdb file extension. Alter the attribute to remove this file extension.
AMQ3010E
Invalid access rights found for the key repository in use by queue manager <insert_3>
Severity
20 : Error
Explanation
The userid 'mqm' needs read-access to the queue managers key repository <insert_4>. This should be enabled for both the .kdb file itself, and every parent directory between the kdb and the root directory.
Response
Alter file access to the key repository so that mqm has read access. Ensure mqm has access to every parent directory above the key repository, or move the kdb to a location that mqm has access to.
AMQ3011E
Invalid access rights found for the stash file in use by queue manager <insert_3>
Severity
20 : Error
Explanation
The userid 'mqm' needs read-access to the queue managers stash file <insert_4>. This should be enabled for both the .sth file itself, and every parent directory between the stash file and the root directory.
Response
Alter file access to the stash file so that mqm has read access. Ensure mqm has access to every parent directory above the stash file, or move the stash file to a location that mqm has access to.
AMQ3012E
Invalid access rights found for the key repository in use by the client
Severity
20 : Error
Explanation
The userid 'mqm' needs read-access to the clients key repository <insert_4>. This should be enabled for both the .kdb file itself, and every parent directory between the kdb and the root directory.
Response
Alter file access to the key repository so that mqm has read access. Ensure mqm has access to every parent directory above the key repository, or move the kdb to a location that mqm has access to.
AMQ3013E
Invalid access rights found for the stash file in use by the Client
Severity
20 : Error
Explanation
The userid 'mqm' needs read-access to the clients stash file <insert_4>. This should be enabled for both the .sth file itself, and every parent directory between the stash file and the root directory.
Response
Alter file access to the stash file so that mqm has read access. Ensure mqm has access to every parent directory above the stash file, or move the stash file to a location that mqm has access to.
AMQ3014E
Invalid password found in the stash file for key repository <insert_3>
Severity
20 : Error
Explanation
IBM MQ uses an encoded stash file to determine the password to use to access the key repository. The password found in the stash file <insert_4> was incorrect.
Response
Alter the key repository password to match the value in the stash file or recreate the stash file.
AMQ3015E
Certificate has a 'valid-from' time in the future.
Severity
20 : Error
Explanation
The certificate with the label <insert_4> in <insert_3> cannot be used until the valid-from date.
Response
Create a new certificate with valid date attributes.
AMQ3016E
Certificate has expired.
Severity
20 : Error
Explanation
The certificate with the label <insert_4> in <insert_3> is no longer valid.
Response
Create a new certificate with valid date attributes.
AMQ3017E
<insert_3> certificate failed authentication with the <insert_4> key repository
Severity
20 : Error
Explanation
Authentication involves a chain of trusted certificates. The digital signature of the <insert_3>s certificate needs to be verified by the <insert_4>s key repository,with the public key from the certificate of the issuing Certification Authority (CA). If the <insert_3>s certificate is itself also a root CA (self-signed) then this certificate needs to be present in the <insert_4>s repository. If the <insert_3>s CA certificate is a root certificate, then this root certificate needs to be present in the <insert_4>s key repository. If the <insert_3>s CA certificate was issued by an intermediate CA, the intermediate CA certificate must itself be verified. This continues along a chain of CA certificates until a root certificate is reached. All certificates in the chain must be verified correctly. The <insert_4>s repository does not contain a valid chain leading to a root certificate.
Response
Verify the authentication chains for each certificate. Ensure that the <insert_3>s certificate or signer certificate has been added to the <insert_4>s Key repository. Alternatively, the client's key repository does not need to contain a personal certificate if the server-connection channel on the queue manager that it is connecting to has SSLCAUTH (SSL client authentication) set to OPTIONAL and no SSLPEER parameter set. The fact that one is present means that IBM MQ will use it. Therefore, an alternative approach may be to remove the personal certificate for the client from the client's key repository, and ensure that one or more SSL-enabled channels have SSLCAUTH (SSL client authentication) set to OPTIONAL and no SSLPEER value.
AMQ3018E
Client connection refused by server.
Severity
20 : Error
Explanation
This test tool attempts to validate the SSL certificates by using them to establish an SSL-protected connection between a client and server thread. This failed. The reason for the failure was that the client connection was refused by the server. This is unrelated to the SSL setup, and is most likely because a firewall running on this machine prevented the connection.
Response
Ensure that no firewall is preventing access to local ports and try again.
AMQ3019E
Unable to connect to queue manager <insert_3>.
Severity
20 : Error
Explanation
A connection to the queue manager is required in order to examine SSL configuration parameters. The MQCONN attempt failed with return code <insert_4>.
Response
Ensure that the queue manager name has been spelt correctly and that the queue manager is running.
AMQ3020E
Unable to open the queue manager <insert_3>.
Severity
20 : Error
Explanation
A connection to the queue manager is required in order to examine SSL configuration parameters. The MQOPEN attempt failed with return code <insert_4>.
Response
Ensure that the current user has permission to query the queue manager attributes.
AMQ3021E
Unable to open the queue <insert_4> on <insert_3>.
Severity
20 : Error
Explanation
A temporary dynamic queue is opened in order to collect responses to a command used to get channel definitions. This is required in order to examine SSL configuration parameters for channels on <insert_3>. The MQOPEN attempt failed with return code <insert_5>
Response
Ensure that the current user has permission to open a temporary dynamic queue.
AMQ3022E
Unable to inquire the queue manager <insert_3>
Severity
20 : Error
Explanation
A connection to the queue manager is required in order to examine SSL configuration parameters. The MQINQ attempt to examine a queue manager parameter (<insert_4>) failed with return code <insert_5>.
Response
Ensure that the current user has permission to query the queue manager attributes.
AMQ3023E
Unable to put to queue <insert_4> on <insert_3>.
Severity
20 : Error
Explanation
A message containing a PCF command is put on <insert_4> requesting channel definitions. This is required in order to examine SSL configuration parameters for channels on <insert_3>. The MQPUT attempt failed with return code <insert_5>
Response
Ensure that the specified queue exists, and that the current user has permission to open and put to it.
AMQ3024E
Unable to get from queue <insert_4> on <insert_3>.
Severity
20 : Error
Explanation
A message containing a PCF command is put on <insert_4> requesting channel definitions. This is required in order to examine SSL configuration parameters for channels on <insert_3>. This appeared to complete successfully, however the attempt to get the responses from the expected reply-to queue failed with return code <insert_5>.
Response
Ensure that the command server is running on <insert_3>.
AMQ3025W
Unable to close PCF reply queue
Severity
10 : Warning
Explanation
A message containing a PCF command is put to the command queue, with a request for channel definitions. This is required in order to examine SSL configuration parameters for channels. This appeared to complete successfully, however the attempt to close the reply queue (after examining the replies) failed with return code <insert_3>.
Response
No action required.
AMQ3026W
Unable to disconnect from <insert_3>.
Severity
10 : Warning
Explanation
A connection to the queue manager is required in order to examine SSL configuration parameters. The MQDISC used to disconnect failed with return code <insert_4>.
Response
No action required.
AMQ3027W
SSL Certificate Revocation List parameter found (SSLCRLNL = <insert_3>)
Severity
10 : Warning
Explanation
During an SSL 'handshake', the queue manager and client authenticate each other with digital certificates. Authentication can include a check that the certificate received can still be trusted. Certification Authorities can revoke personal certificates by publishing them in a Certificate Revocation List (CRL). This application currently does not have functionality to check CRLs.
Response
Verify the CRL parameters for <insert_4> manually.
AMQ3028E
Relative path given for client key repository.
Severity
20 : Error
Explanation
This application currently requires absolute paths for the client key repository file. The relative path <insert_3> was provided.
Response
Run this application again, giving the full path.
AMQ3029E
Value specified in Queue Manager CERTLABL attribute is not valid.
Severity
20 : Error
Explanation
IBM MQ Queue Managers will use the certificate that has been set in the Queue Manager's CERTLABL attribute. This value must be a valid value consisting of alpha-numeric characters. Additionally the CERTLABL can contain symbols and spaces, however the CERTLABL value can not be blank and should not start or end with space characters.
Response
The Queue Manager CERTLABL value was found to be <insert_3>. Change this to a valid value following the advice above.
AMQ3030E
Value specified in Client CERTLABL attribute is not valid.
Severity
20 : Error
Explanation
IBM MQ Clients will attempt to use the certificate that has been provided to them. This value must be a valid value consisting of alpha-numeric characters. Additionally the CERTLABL can contain symbols and spaces, however the CERTLABL value can not be blank and should not start or end with space characters. Finally the provided CERTLABL length can not be longer than 64 characters long.
Response
The Client CERTLABL value was found to be <insert_3>. Change this to a valid value following the advice above.
AMQ3031S
This program encountered a internal error and had to quit.
Severity
40 : Severe
Explanation
Check above for any additional information and try again. Additionally check the global error logs for any error messages and resolve any issues found.
Response
If this problem persists contact MQ L3 Support for assistance.
AMQ3032E
There was a problem with the arguments supplied for the client checks.
Severity
20 : Error
Explanation
Both a -clientuser and -clientlabel value were supplied. This Program only allows one of the arguments to be provided.
Response
Run this application again only supplying one of the parameters.
AMQ3033E
There was a problem with the arguments supplied.
Severity
20 : Error
Explanation
The argument <insert_3> was not recognised. Please refer to the usage statement for available arguments.
Response
Run this application again only supplying valid parameters.
AMQ3034E
There was a problem with the arguments supplied.
Severity
20 : Error
Explanation
The required argument <insert_3> is missing.
Response
Run this application again supplying the missing parameter.
AMQ3035W
No Client user name or Client Certificate label provided.
Severity
10 : Warning
Explanation
This application will be unable to identify client's certificate and cannot test Queue Manager to Client connections. If you plan to connect this client to a channel with SSLCAUTH(REQUIRED) you will be UNABLE to connect.
Response
No action required.
AMQ3036W
The Channel <insert_3> is not SSL enabled but has a CERTLABL value of <insert_4>.
Severity
10 : Warning
Response
If the channel <insert_3> is supposed to be SSL enabled set a CipherSpec in the channel SSLCIPH attribute to enable SSL. If the channel is not supposed to be SSL enabled alter the Channel definition to remove the CERTLABL value.
AMQ3037E
No certificate could be found for the channel <insert_3>.
Severity
20 : Error
Explanation
This tool looked in the Queue Manager's key repository located at <insert_5> for a certificate with label <insert_4>, which is the certificate specified in the channel's CERTLABL attribute, but was unable to find one.
Response
A valid certificate with the label <insert_4> needs to be added to the key repository. Alternatively, alter the channel definition to remove the CERTLABL value.
AMQ3038E
Unable to find a channel called <insert_4> on Queue Manager <insert_3>.
Severity
20 : Error
Response
Check for the existence of the channel and create if necessary or correct the spelling in this applications argument. Alternatively do not provide the argument -clientchannel when running this application.
AMQ3039E
No personal certificate could be found for the client in the client's key repository and the channel requires a client certificate.
Severity
20 : Error
Explanation
There is no certificate with the label <insert_3> in the key repository being used by the client (<insert_4>) The channel <insert_5> has been configured to require a client certificate either by setting SSLCAUTH(REQUIRED) or by setting a value in SSLPEER.
Response
A valid certificate with the label <insert_3> needs to be added to the key repository. Alternatively, alter the channel <insert_5> definition so that SSLCAUTH is set to OPTIONAL and no SSLPEER value is set.
AMQ3040E
The user running this program does not have access rights to examine a directory
Severity
20 : Error
Explanation
The user running this program does not have access rights to examine the directory identified in <insert_3> and so cannot determine the containing file permissions.
Response
Please run this application as a user with access to the directory or change the directory permissions to allow access for the user running this application.
AMQ3041E
A filename is longer than this application can handle.
Severity
20 : Error
Explanation
The filename <insert_3> is too long for this application.
Response
Please shorten the filename and retry.
AMQ3042E
The user running this program does not have access rights to examine a file
Severity
20 : Error
Explanation
The user running this program does not have access rights to examine the file <insert_3> and so cannot determine the file permissions.
Response
Please run this application as a user with access to the file or change the file permissions to allow access for the user running this application.
AMQ3043E
An unknown error was encountered while trying to access a file.
Severity
20 : Error
Explanation
An unknown error was encountered while trying to access the file <insert_4>. This file is of type <insert_3>, the return code was <insert_1>.
Response
Please try again. If this problem persists contact MQ L3 Support with details of this error. Internal Error - amqT_MQCERTCK_STAT_ERROR. Function Error - <insert_1>
AMQ3044W
Unable to verify if the mqm user can access a file.
Severity
10 : Warning
Explanation
Unable to check the whether the 'mqm' user has read access to file. <insert_3>. In order for MQ to perform TLS operations it must be able to access this file.
Response
Please confirm that the mqm user or group has access to this file manually.
AMQ3045E
Unable to retrieve a password.
Severity
20 : Error
Explanation
Unable to retrieve the password from <insert_3>.
Response
Please ensure that this application will be able to obtain the password for the repository and try again.
AMQ3046E
<insert_3>s certificate failed validation.
Severity
20 : Error
Response
Please verify that the certificate is a valid TLS certificate and try again. If this problem persists contact MQ L3 support for assistance.
AMQ3047E
Invalid access rights found for the parent directory of the key repository in use by queue manager <insert_3>.
Severity
20 : Error
Response
Alter directory access to the parent directory so that mqm has read access. Or move the kdb and stash file to a location that mqm has access to.
AMQ3048E
Invalid access rights found for the parent directory of the key repository in use by the client.
Severity
20 : Error
Response
Alter directory access to the parent directory so that mqm has read access. Or move the kdb and stash file to a location that mqm has access to.
AMQ3049E
The queue manager is not registered as an application with Digital Certificate Manager (DCM).
Severity
20 : Error
Explanation
Queue managers will use the certificate assigned via Digital Certificate Manager to this queue manager.
Response
Issue CHGMQM to set the SSLYKEYR value to blanks and then reissue CHGMQM to set SSLKEYR(*SYSTEM) to register the queue manager again with Digital Certificate Manager.
AMQ3050E
The port number <insert_3> was invalid.
Severity
20 : Error
Explanation
The port number supplied must be an integer value between 1 and 65535.
Response
Please check the value you supplied and try again.
AMQ3051E
A certificate failed authentication.
Severity
20 : Error
Explanation
Authentication involves a chain of trusted certificates. The digital signature of the client or server's certificate needs to be verified by the other's key repository, with the public key from the certificate of the issuing Certification Authority (CA). If the certificate is itself also a root CA (self-signed) then this certificate needs to be present in the key repository. If the CA certificate is a root certificate, then this root certificate needs to be present in the key repository. If the CA certificate was issued by an intermediate CA, the intermediate CA certificate must itself be verified. This continues along a chain of CA certificates until a root certificate is reached. All certificates in the chain must be verified correctly. The client or server's key repository does not contain a valid chain leading to a root certificate.
Response
Verify the authentication chains for each certificate. Ensure that the necessary certificate(s) or signer certificate(s) have been added to the Key repositories. Alternatively, the client's key repository does not need to contain a personal certificate if the server-connection channel on the queue manager that it is connecting to has SSLCAUTH (SSL client authentication) set to OPTIONAL and no SSLPEER parameter set. The fact that one is present means that IBM MQ will use it. Therefore, an alternative approach may be to remove the personal certificate for the client from the client's key repository, and ensure that one or more SSL-enabled channels have SSLCAUTH (SSL client authentication) set to OPTIONAL and no SSLPEER value.
AMQ3052E
A certificate label has been specified on channel <insert_3> while system store is in use.
Severity
20 : Error
Explanation
Certificate labels can not be used when using System Store to manage your SSL certificates.
Response
Remove the certificate label definition from the channel or if you wish to use certificate labels configure your Queue Manager to use key repositories instead of System Store.
AMQ3053I
The usage of <insert_3> is incorrect.
Severity
0 : Informational
Explanation
Usage: <insert_3> QMgrName [-clientkeyr client_key_repository]
[-clientchannel channel_name]
[-clientuser client_username | -clientlabel client_certlabel]
[-clientport portNumber]
-clientkeyr Location of the Client's Key Repository.
-clientchannel Name of the channel the client application will connect to.
-clientuser User that will be running the client application. Cannot be used with -clientlabel.
-clientlabel Label of the Client's Certificate. Cannot be used with -clientuser.
-clientport Port for <insert_3> to use during client connection tests. Must be available. Default is <insert_1>.