IBM Support

PH30305: IBM MQ ENFORCE SSLRKEYC MINIMUM VALUE TO OUTBOUND CHANNELS

A fix is available

APAR status

  • Closed as program error.

Error description

  • The IBM MQ Knowledge Center states that "Non-zero values less
    than 4096 (4 KB) might cause channels to fail to start, or
    might cause inconsistencies ..." and so should be avoided. This
    APAR ensures that a minimum value is enforced for outbound
    channels, to avoid unexpected behavior and performance
    overhead as outlined in SupportPac MP16.
    

Local fix

  • Ensure that SSLRKEYC is 0 (if SSL secret key resets are not
    required), or set a non-zero value of no less than 32768.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 0 Modification 0, Release 1          *
    *                 Modification 0 and Release 2 Modification 0. *
    ****************************************************************
    * PROBLEM DESCRIPTION: When starting a TLS channel from a z/OS *
    *                      queue manager the channel fails due to  *
    *                      a small, non-zero SSLRKEYC value.       *
    ****************************************************************
    The code that handles new outbound connections was missing a
    check that ensures TLS channels use a secret key reset of 32 KB,
    if SSLRKEYC was set in the range 1 - 32767 bytes. This allowed
    small, non-zero values to be set without ensuring a secret key
    reset of 32 KB was used. This caused the channel to fail before
    the initial handshake was complete.
    

Problem conclusion

  • The code has been changed to include a check for the SSLRKEYC
    value to ensure channels use a minimum secret key reset count
    of 32 KB, if the SSLRKEYC value specified is in the range
    1-32767 bytes. This prevents the channel failing before the
    initial handshake is complete.
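
The check described in the local fix and problem conclusion, as an added example (not IBM's code): it scans MQSC-style `ATTR(value)` output for SSLRKEYC values in the range 1 - 32767 and reports the 32 KB value the fixed code would use. The sample output, the function names and the blank-line-separated record layout are assumptions constructed for illustration.

```python
import re

# From the APAR text: 0 means secret key resets are not used; a value in
# 1-32767 is raised to 32 KB for outbound channels by the fixed code.
MIN_RESET_BYTES = 32768

_ATTR = re.compile(r"\b(QMNAME|SSLRKEYC)\(\s*([^)\s]*)\s*\)", re.IGNORECASE)

# Constructed sample: one record per queue manager, blank line between
# records, attributes in any order (assumed layout, not captured output).
SAMPLE = """
QMNAME(MQ01)   SSLRKEYC(0)

SSLRKEYC(2048)
QMNAME(MQ02)

QMNAME(MQ03)   SSLRKEYC(32767)

QMNAME(MQ04)   SSLRKEYC(1048576)
"""


def parse_mqsc(text):
    """Return {queue manager name: configured SSLRKEYC} for each record."""
    found = {}
    for block in re.split(r"\n\s*\n", text):
        attrs = {k.upper(): v for k, v in _ATTR.findall(block)}
        if "QMNAME" in attrs and attrs.get("SSLRKEYC", "").isdigit():
            found[attrs["QMNAME"]] = int(attrs["SSLRKEYC"])
    return found


def classify(sslrkeyc):
    """Return (status, reset count in bytes once the 32 KB minimum applies)."""
    if sslrkeyc == 0:
        return ("ok-disabled", 0)
    if sslrkeyc < MIN_RESET_BYTES:
        # Range 1-32767: outbound TLS channels can fail on unfixed levels.
        return ("below-minimum", MIN_RESET_BYTES)
    return ("ok", sslrkeyc)


def audit(text):
    """Return [(qmgr, configured, status, effective)] in input order."""
    return [(qm, v) + classify(v) for qm, v in parse_mqsc(text).items()]


if __name__ == "__main__":
    for qm, configured, status, effective in audit(SAMPLE):
        print(f"{qm}: SSLRKEYC({configured}) {status} effective={effective}")
```

Queue managers reported as `below-minimum` are the ones to change to 0 or to 32768 or more, as the local fix advises.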
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH30305

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-10-07

  • Closed date

    2021-01-29

  • Last modified date

    2021-04-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI73694 UI73695 UI73696

Modules/Macros

  • CSQXRMSS
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R000 PSY UI73694

       UP21/03/03 P F103

  • R100 PSY UI73695

       UP21/03/03 P F103

  • R200 PSY UI73696

       UP21/03/03 P F103

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
02 April 2021