Troubleshooting
Problem
An IBM MQ queue manager is experiencing a problem with TLS (formerly SSL) and you need to collect MustGather data to find a solution.
Environment
The instructions apply to IBM MQ V9.2 and other supported levels on z/OS. Refer to the IBM MQ Read First page for steps on other operating systems :
Resolving The Problem
Please answer these questions about the problem and then follow the steps below:
RACDCERT ID(ssidCHIN) LISTRING(key ring)
RACDCERT ID(ssidCHIN) list(LABEL('...'))
RACDCERT CERTAUTH LIST
- Was the TLS issue associated with a channel ?
- If not associated with a channel, what specific error (message) occurred ?
- Did the issue seem to be associated with the currency of the TLS key ring ?
Step 1: Generate Data
If the issue is reproducible or is happening right now, generate data to provide more information about the problem:
A. Generate a trace while the TLS problem is happening.
B. Additional useful diagnostics include :
Step 2: Prepare Data to Send
Preparatory steps apply to dumps, traces and job logs.
Use TRSMAIN/AMATERSE utility before uploading to ECUREP and ensure PMR#, B/O#, Country# is specified.
FTP must be done in binary mode only.
job logs may be emailed if not too large or attached to the case.
Email address : websphere_support@ecurep.ibm.com
Subject line must include Case#
Subject line must include Case#
- See message CSQY000I for z/OS IBM MQ level and for distributed IBM MQ see here.
- Record the operating system version and maintenance level on both sides of the channel.
- Provide the expected chain-of-trust on both sides of the TLS channel.
- For CSQX633E / CSQX634E displays of the key ring are useful.
Displaying RACF's view of CHIN key ring :
RACDCERT ID(ssidCHIN) LISTRING(key ring)
Displaying RACF's view of specific certificate :
RACDCERT ID(ssidCHIN) list(LABEL('...'))
Displaying certificate authorities :
RACDCERT CERTAUTH LIST
Step 3: Send Data to IBM
A good description of the problem and the data is the most important information you can provide to IBM. Please do not send data without providing a description!
- Send your data to the IBM ECuRep repository After confirmation, emails may be sent to websphere_support@ecurep.ibm.com.
- While the data is transferring, send an email or use the IBM Service Request tool to update your PMR with your description of the problem and of the data you are sending.
- Contact your country representative if you need to speak to an IBM technical support representative, or in the US call 1-800-IBM-SERV. Refer to the IBM Software Support Handbook for more information on working with IBM.
Related Information
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"ARM Category":[{"code":"a8m0z00000008JwAAI","label":"Security->TLS (SSL)"}],"ARM Case Number":"","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"8.0.0;9.0.0;9.1.0;9.2.0"},{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"ARM Category":[{"code":"a8m0z00000008JwAAI","label":"Security->TLS (SSL)"}],"Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"8.0.0;9.0.0;9.1.0;9.2.0"}]
Product Synonym
IBM MQ
Was this topic helpful?
Document Information
Modified date:
11 November 2021
UID
swg21293655