IBM Support

PI65553: MQ Z/OS: REFRESH SECURITY TYPE(SSL) DOES NOT TAKE EFFECT IF A GSK_GET_UPDATE() CALL INDICATES NO UPDATES ARE NEEDED

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • REFRESH SECURITY TYPEP(SSL) is issued, for example to implement
a renewed certificate in the keyring.  The refresh sometimes
does not take place, which can cause various errors depending
on what needed to be refreshed, for example
  CSQX658E SSL certificate has expired

The MSTR joblog has
 CSQM137I CSQMRSEC  REFRESH SECURITY COMMAND ACCEPTED
 CSQ9022I CSQXCRPS ' REFRESH SECURITY' NORMAL COMPLETION
but that only means the command was successfully passed to the
channel initiator (CHIN) where the command is actually
processed.

The CHIN log does NOT have the messages
 CSQX618I CSQXRSSL SSL key repository refresh started
 CSQX619I CSQXRSSL SSL key repository refresh processed
to indicate that the refresh took place.

The refresh may not take effect when the label for the
certificate did not change.  See
https://developer.ibm.com/answers/questions/167788/why-is-csqx65
8e-still-received-even-though-ive-iss/

One of the checks made to see whether the refresh is even
necessary is a gsk_get_update() call.  If it returns zero
rather than one, that means the security manager indicated no
updates were necessary.

Please offer an option to force the refresh to take place
despite what gsk_get_update returns. Otherwise, a restart of
the CHIN is necessary to pick up the updates.

Additional Symptom(s) Search Keyword(s):

Local fix

  • Recycle the channel initiator (STOP CHINIT and START CHINIT) to
refresh MQ's SSL security cache.

Problem summary

  • ****************************************************************
* USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 *
*                 Release 1 Modification 0.                    *
****************************************************************
* PROBLEM DESCRIPTION: Following changes to SSL/TLS            *
*                      certificates, a REFRESH SECURITY        *
*                      TYPE(SSL) command does not result in    *
*                      the updated certificates being used by  *
*                      MQ when using a SAF-Compliant external  *
*                      security manager other than RACF.       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a REFRESH SECURITY TYPE(SSL) command is issued, MQ uses a
gsk_get_update() call to inquire whether there are any pending
changes to SSL/TLS certificates. Where the result from the
gsk_get_update() call indicates that no changes have been made,
then a full refresh of certificates is not performed.

If an incorrect response is received from a gsk_get_update()
call when using a SAF-Compliant External Security Manager, MQ
will bypass the refresh of the certificate store.

The PTF for this APAR adds to capability to force MQ to always
perform a full refresh of the certificate store in response
to a REFRESH SECURITY TYPE(SSL) command.

Problem conclusion

  • Processing has been amended to force the REFRESH SECURITY
TYPE(SSL) command to unconditionally refresh the certificate
store when enabled by the queue manager configuration.

This new behavior is not enabled unless explicitly activated.
Following the application of this PTF, please contact IBM
Service for further instructions on how to activate this
capability.
100Y
CSQXGUPD

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI65553
    • 

  • Reported component name
    WMQ Z/OS V7
    • 

  • Reported component ID
    5655R3600
    • 

  • Reported release
    100
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-07-08
    • 

  • Closed date
    2016-08-25
    • 

  • Last modified date
    2016-10-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
PI67834 PI67835 UI40365
    

    • 



Modules/Macros


    

  • CSQXGUPD

    



Fix information


    

  • Fixed component name
    WMQ Z/OS V7
    • 

  • Fixed component ID
    5655R3600
    • 



Applicable component levels


    

  • R100  PSY  UI40365
       UP16/09/20  P  F609
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            03 October 2016
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback