A fix is available
APAR status
Closed as program error.
Error description
During a Proof of Concept, it was determined that the use of AMS 'Confidentiality' QOP using encryption required the use of personal certificates and keyrings for the putting application. With additional testing, it was determined that this was not necessary: 'dummy' certificates were used and access was still allowed, with no errors posted. This was proof positive that, with AMS 'Confidentiality' QOP, the producer's certificates were not even considered. This APAR is raised to eliminate this requirement when using the AMS 'Confidentiality' Quality of Protection.
Local fix
Problem summary
USERS AFFECTED: All users of IBM MQ for z/OS Version 9 Release 2 Modification 0.

PROBLEM DESCRIPTION: When opening an AMS protected queue in bindings mode, the putting application user ID's drq.ams.keyring key ring is opened. The MQOPEN or MQPUT1 fails if the key ring doesn't exist. The key ring isn't used if the queue is protected by a confidentiality policy.

When putting a message to a queue protected by an AMS confidentiality policy, the symmetric key used to encrypt the messages is encrypted using the recipients' public key certificates. The putting application user ID's key ring or certificates aren't used for this operation. The code currently tries to open the putting application user ID's drq.ams.keyring key ring irrespective of the AMS quality of protection used to protect the queue. This is despite the key ring contents not being used when putting to confidentiality protected queues.
Problem conclusion
The requirement for a putting application user ID to have a drq.ams.keyring key ring has been removed when only opening a confidentiality protected queue for output when connected in bindings mode.

The IBM MQ for z/OS Version 9.2 Documentation is updated:

IBM MQ 9.2 > IBM MQ > Configuring > Configuring queue managers on z/OS > Setting up IBM MQ for z/OS > Configuring Advanced Message Security for z/OS > Create key rings for Advanced Message Security
(https://www.ibm.com/docs/en/ibm-mq/9.2?topic=zos-create-key-rings-advanced-message-security)

Add an informational Notes table below Procedure step 5 with contents:
"1. Steps 2 and 5 are not required if the application only opens a queue for output and sends messages to queues protected by an AMS confidentiality policy."

Add superscript 1 to Procedure steps 2 and 5.
Temporary fix
Comments
APAR Information
APAR number
PH44568
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
200
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-03-02
Closed date
2022-04-01
Last modified date
2022-05-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI79987
Modules/Macros
CSQ0DPRI
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
R200 PSY UI79987
UP22/04/13 P F204
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 May 2022