A fix is available
APAR status
Closed as new function.
Error description
In some circumstances, MQ rejects client connections without issuing any subsequent error messages. In the case of a new connection, MQ makes two initial checks to determine if a connection is valid: 1. Check if the initial data is a TSH header on an unencrypted channel 2. Check if it is an SSL flow If neither are seen, MQ will issue the following error messages: - CSQX053E for XFFSrriBadDataReceived rriBadDataReceived XFFSrriConvertValidate rriConvertValidate - CSQX207E Invalid data received - CSQX504E Local protocol error type=0000000B data=00000000 As a SSL v2 client hello is not supported in V9.1.1, it will be flagged as unrecognized data and issue the above set of error messages by MQ. . Additional symptoms: A back-level Java client trying to connect with the old SSL protocol may receive MQJE001: Completion Code 2, Reason 2397 . Pre-V7 client channels will have blanks for RVERSION in DISPLAY CHSTATUS output. . In MQ V9.0.0 with UI68820 applied and in V9.1.0 with UI68821 applied, this issue can also result in messages CSQX259E, CSQX053E and a CSQSNAP from xcsFreeOwnedBuffers.
Local fix
N/A
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM MQ for z/OS Version 9 * * Release 0 Modification 0, Release 1 * * Modification 0 and Release 2 Modification 0. * **************************************************************** * PROBLEM DESCRIPTION: When MQ receives a connection it does * * some checks on the received data to * * determine whether it represents an SSL * * flow. Changes introduced in PH23074 * * inadvertently made some assumptions * * about the format of received SSL data. * * If the SSL flow was using an old SSL V2 * * format hello, then various errors may * * occur in the CHINIT depending on the * * specific contents of the SSL hello. * **************************************************************** APAR PH23074 added additional checks to data received through an SSL connection. If the SSL connection uses an old SSL V2 format hello then various error messages may be output in the CHINIT depending on the specific contents of the data. This may result in messages CSQX259E, CSQX053E being issued in the CHINIT and a CSQSNAP dump being taken from xcsFreeOwnedBuffers.
Problem conclusion
The code has been changed to correctly reject SSL V2 format hellos. Note that connections using this old format will still be rejected, accompanied by CSQX207E and CSQX504E messages in the CHINIT.
Temporary fix
Comments
APAR Information
APAR number
PH14225
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
000
Status
CLOSED PER
PE
YesPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-07-08
Closed date
2020-10-30
Last modified date
2021-01-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI71464 UI71465 UI72345
Modules/Macros
CSQFXLAT CSQMCNAC CSQUMSG CSQXCCCX CSQXCCIS CSQXGINI CSQXMSG CSQXRPLY
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
R000 PSY UI71464
UP20/11/02 P F010 {
R100 PSY UI71465
UP20/11/02 P F010 {
R200 PSY UI72436
UP20/12/08 P F012 {
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0"}]
Document Information
Modified date:
05 January 2021