IBM Support

PI55819: MQ V8 AMS - CRL DIRECTORY CONNECTION IS CLOSED WHILE STILL IN USE AFTER ISSUING 'F QMGRAMSM,REFRESH' COMMAND.

A fix is available


APAR status

  • Closed as program error.

Error description

  • In MQ V800 Advanced Message Security, if the CRL directory
    configuration is changed to remove an LDAP connection and to
    disable CRL checking, issuing the command F AMSM,REFRESH can
    result in the currently active CRL directory continuing to be
    used incorrectly, leaving CRL checking active. Subsequent F
    AMSM,REFRESH commands can close the connection on the assumption
    that CRL checking is not enabled.
    

Local fix

  • Stop and start the AMSM Advanced Message Security task after any
    change to the CRL directory configuration instead of using the
    REFRESH command.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of WebSphere MQ for z/OS Version 8 *
    *                 Release 0 Modification 0 using Advanced      *
    *                 Message Security (AMS).                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: After executing command REFRESH KEYRING *
    *                      in the AMS server task (AMSM) an        *
    *                      incorrect message CSQ0652I is issued in *
    *                      JOBLOG indicating that CRL checking is  *
    *                      enabled when configuration file CRLFILE *
    *                      does not have a LDAP directory          *
    *                      configured.                             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When AMSM is started with a valid CRL LDAP connection and the
    command "F qmgrAMSM,REFRESH KEYRING" is issued later, after the
    LDAP connections have been removed from CRLFILE with the
    intention of disabling CRL checking, the current connection is
    not closed and an unexpected message CSQ0652I in the JOBLOG
    confirms that CRL checking is enabled.
    
    If a subsequent "F qmgrAMSM,REFRESH KEYRING" command is executed
    without changing CRLFILE to add LDAP configuration parameters,
    the current connection is closed even though message CSQ0652I in
    the syslog says that CRL checking is enabled.
    
    Applications issuing MQGET and/or MQPUT calls against protected
    queues fail with MQRC 2063 (MQRC_SECURITY_ERROR) because the
    LDAP directory handle is invalid (reason 0335300C from z/OS
    Cryptographic Services System SSL).
    

Problem conclusion

  • The REFRESH command disables CRL checking when there are no
    valid CRL LDAP configuration parameters in the CRLFILE dataset
    or the CRLFILE cannot be opened. Any previous LDAP connection is
    closed.
    000Y
    CSQ0DCNS
    CSQ0DSRV
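
The REFRESH sequence from the problem summary, replayed against a simplified state model with and without the corrected behaviour. This is an added example, not IBM's code: the class, its attributes and the host name are assumptions chosen to reproduce only the behaviour the APAR describes.

```python
# Simplified model of the REFRESH sequence in this APAR. All names are
# hypothetical; it reproduces the observable behaviour, not IBM's code.

class AmsTask:
    def __init__(self, ldap_hosts, fixed):
        self.fixed = fixed
        self.configured = bool(ldap_hosts)    # CRLFILE content at last read
        self.crl_enabled = bool(ldap_hosts)   # state reported by CSQ0652I
        self.handle_open = bool(ldap_hosts)   # LDAP directory connection

    def refresh(self, ldap_hosts):
        was_configured, self.configured = self.configured, bool(ldap_hosts)
        if ldap_hosts:                        # normal path: (re)connect
            self.handle_open = self.crl_enabled = True
        elif self.fixed:                      # fix: disable and close together
            self.handle_open = self.crl_enabled = False
        elif not was_configured:              # defect, 2nd refresh: close only
            self.handle_open = False
        # defect, 1st refresh: handle and enabled flag are both left untouched

    def consistent(self):
        """Invariant the fix restores: config, flag and handle agree."""
        return self.configured == self.crl_enabled == self.handle_open

    def protected_put(self):
        """Outcome of an MQPUT to a protected queue in this model."""
        if not self.crl_enabled:
            return "OK, CRL checking disabled"
        if not self.handle_open:
            return "MQRC 2063"                # flag still set, handle closed
        return "OK, CRL checked"


def replay(fixed):
    """Start with LDAP configured, then REFRESH twice with LDAP removed."""
    task, results = AmsTask(["ldap.example"], fixed), []  # constructed host
    for _ in range(2):
        task.refresh([])
        results.append((task.protected_put(), task.consistent()))
    return results
```

In the defective replay the first refresh leaves CRL checking active against the removed directory and the second produces the MQRC 2063 failure; in the fixed replay both refreshes leave CRL checking disabled with the three pieces of state in agreement.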
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI55819

  • Reported component name

    WMQ Z/OS 8

  • Reported component ID

    5655W9700

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-01-21

  • Closed date

    2016-02-02

  • Last modified date

    2016-04-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI34955

Modules/Macros

  • CSQ0DCNS CSQ0DSRV
    

Fix information

  • Fixed component name

    WMQ Z/OS 8

  • Fixed component ID

    5655W9700

Applicable component levels

  • R000 PSY UI34955

       UP16/03/03 P F603

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
05 April 2016