A fix is available
APAR status
Closed as program error.
Error description
REFRESH SECURITY TYPE(SSL) is issued, for example to implement a renewed certificate in the keyring. The refresh sometimes does not take place, which can cause various errors depending on what needed to be refreshed, for example:

CSQX658E SSL certificate has expired

The MSTR joblog has

CSQM137I CSQMRSEC REFRESH SECURITY COMMAND ACCEPTED
CSQ9022I CSQXCRPS ' REFRESH SECURITY' NORMAL COMPLETION

but that only means the command was successfully passed to the channel initiator (CHIN), where the command is actually processed. The CHIN log does NOT have the messages

CSQX618I CSQXRSSL SSL key repository refresh started
CSQX619I CSQXRSSL SSL key repository refresh processed

to indicate that the refresh took place.

The refresh may not take effect when the label for the certificate did not change. See https://developer.ibm.com/answers/questions/167788/why-is-csqx658e-still-received-even-though-ive-iss/

One of the checks made to see whether the refresh is even necessary is a gsk_get_update() call. If it returns zero rather than one, that means the security manager indicated no updates were necessary.

Please offer an option to force the refresh to take place despite what gsk_get_update returns. Otherwise, a restart of the CHIN is necessary to pick up the updates.

Additional Symptom(s) Search Keyword(s):
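The check described above (command accepted in the MSTR joblog, but no CSQX618I/CSQX619I pair in the CHIN log) can be automated. The following is an added example, not IBM code; the "HH.MM.SS message" line layout, the 60-second window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout: "HH.MM.SS <message text>"; adjust the regex to your joblog format.
LINE = re.compile(r"^(\d\d\.\d\d\.\d\d)\s+.*?\b(CSQ[A-Z0-9]\d{3}[A-Z])\b")
REFRESH_DONE = {"CSQX618I", "CSQX619I"}  # refresh started / refresh processed

def parse(lines):
    """Return (time, message id, raw line) for every line carrying a CSQ message."""
    out = []
    for line in lines:
        m = LINE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%H.%M.%S"), m.group(2), line))
    return out

def unconfirmed_refreshes(mstr_lines, chin_lines, window_s=60):
    """Find REFRESH SECURITY commands accepted in MSTR that the CHIN never processed.

    Returns [(command time, CSQX658E seen afterwards)] for each command with no
    CSQX618I + CSQX619I pair in the CHIN log within window_s seconds.
    Logs are assumed to cover a single day (no midnight wrap).
    """
    chin = parse(chin_lines)
    findings = []
    for t, msg, raw in parse(mstr_lines):
        # CSQM137I is a generic "accepted" message, so also match the command text.
        if msg != "CSQM137I" or "REFRESH SECURITY" not in raw:
            continue
        end = t + timedelta(seconds=window_s)
        seen = {m for ct, m, _ in chin if t <= ct <= end}
        if not REFRESH_DONE <= seen:
            expired_after = any(m == "CSQX658E" and ct >= t for ct, m, _ in chin)
            findings.append((t.strftime("%H.%M.%S"), expired_after))
    return findings

# Constructed sample logs (not taken from a real system).
MSTR_SAMPLE = [
    "09.15.01 CSQM137I CSQMRSEC REFRESH SECURITY COMMAND ACCEPTED",
    "09.15.01 CSQ9022I CSQXCRPS ' REFRESH SECURITY' NORMAL COMPLETION",
    "10.30.00 CSQM137I CSQMRSEC REFRESH SECURITY COMMAND ACCEPTED",
    "10.30.00 CSQ9022I CSQXCRPS ' REFRESH SECURITY' NORMAL COMPLETION",
]
CHIN_SAMPLE = [
    "09.15.02 CSQX618I CSQXRSSL SSL key repository refresh started",
    "09.15.03 CSQX619I CSQXRSSL SSL key repository refresh processed",
    "10.31.10 CSQX658E SSL certificate has expired",
]

if __name__ == "__main__":
    for when, expired in unconfirmed_refreshes(MSTR_SAMPLE, CHIN_SAMPLE):
        print(f"{when}: accepted in MSTR, no CHIN refresh; CSQX658E afterwards: {expired}")
```

A finding means the keyring change was not picked up, so the certificate in use is still the old one until the refresh is forced or the CHIN is recycled.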
Local fix
Recycle the channel initiator (STOP CHINIT and START CHINIT) to refresh MQ's SSL security cache.
Problem summary
USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 Release 1 Modification 0.

PROBLEM DESCRIPTION: Following changes to SSL/TLS certificates, a REFRESH SECURITY TYPE(SSL) command does not result in the updated certificates being used by MQ when using a SAF-Compliant external security manager other than RACF.

RECOMMENDATION:

When a REFRESH SECURITY TYPE(SSL) command is issued, MQ uses a gsk_get_update() call to inquire whether there are any pending changes to SSL/TLS certificates. Where the result from the gsk_get_update() call indicates that no changes have been made, a full refresh of certificates is not performed.

If an incorrect response is received from a gsk_get_update() call when using a SAF-Compliant External Security Manager, MQ will bypass the refresh of the certificate store.

The PTF for this APAR adds the capability to force MQ to always perform a full refresh of the certificate store in response to a REFRESH SECURITY TYPE(SSL) command.
Problem conclusion
Processing has been amended to force the REFRESH SECURITY TYPE(SSL) command to unconditionally refresh the certificate store when enabled by the queue manager configuration. This new behavior is not enabled unless explicitly activated. Following the application of this PTF, please contact IBM Service for further instructions on how to activate this capability.

100Y CSQXGUPD
Temporary fix
Comments
APAR Information
APAR number
PI65553
Reported component name
WMQ Z/OS V7
Reported component ID
5655R3600
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-07-08
Closed date
2016-08-25
Last modified date
2016-10-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
CSQXGUPD
Fix information
Fixed component name
WMQ Z/OS V7
Fixed component ID
5655R3600
Applicable component levels
R100 PSY UI40365
UP16/09/20 P F609
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 October 2016