A fix is available
APAR status
Closed as program error.
Error description
Using MQ Explorer 8.0.0.2 with AT-TLS channels to connect to WMQ for z/OS V8, the handshake failed with: An unexpected error (2594) has occurred. (AMQ4999)
Traces show that a failure to negotiate a password protection algorithm with the queue manager results in an MQRC 2594 (MQRC_PASSWORD_PROTECTION_ERROR) exception.
L3 found that new code added as part of Version 8 included additional security so that the password sent by client applications (in this case MQ Explorer) using the MQCSP structure is protected. This uses MQ's password protection functionality if the communication is done without SSL/TLS, or relies on TLS if the communication is encrypted. However, there is a defect in this functionality when it is used with AT-TLS.
The cause is that the client code does not protect the password, because its communication is being done with TLS. However, as AT-TLS is transparent to the queue manager, it appears to the channel that the communication is in the clear, and the channel enforces that the password should have been sent protected. This is due to the PasswordProtection attribute being set to compatible and the client also being at the version 8 level.
Local fix
Problem summary
USERS AFFECTED: All users of WebSphere MQ for z/OS Version 8 Release 0 Modification 0.
PROBLEM DESCRIPTION: A client connecting to a queue manager through a socket secured through z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS) will fail with MQRC 2594 (MQRC_PASSWORD_PROTECTION_ERROR).
RECOMMENDATION:
During the connection to a queue manager by a client, a password protection algorithm is negotiated, which will be used to protect passwords in an MQCSP structure. If the client is V8 or later, talking to a V8 queue manager, it is required that a cipher is used for this protection if either side believes the connection is unsecured. In the case where an AT-TLS policy is used in the client connection, the client attempts to use a null cipher for this protection. However, the TLS connection is transparent to the queue manager, which rejects this proposal. This results in rfpIEF3_PROT_ALGORITHMS being flowed back to the client, which causes the MQCONN to fail with MQRC 2594.
Problem conclusion
The password protection algorithm negotiation processing has been altered to be aware of connections using AT-TLS, so that no password protection is allowed when the communication is secured using TLS through an active AT-TLS policy.
000Y CMQXRMSA CSQXCCXT
Temporary fix
Comments
APAR Information
APAR number
PI41577
Reported component name
WMQ Z/OS 8
Reported component ID
5655W9700
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-05-21
Closed date
2015-07-10
Last modified date
2015-09-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI29291
Modules/Macros
CMQXRMSA CSQXCCXT
Fix information
Fixed component name
WMQ Z/OS 8
Fixed component ID
5655W9700
Applicable component levels
R000 PSY UI29291
UP15/08/11 P F508
Document Information
Modified date:
02 September 2015