IBM Support

IT24507: AMS-enabled application receives 2063 (MQRC_SECURITY_ERROR) from MQOPEN after disabling OCSP or CRL checking

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.


APAR status

  • Closed as program error.

Error description

  • After disabling OCSP checking by setting 'ocsp.enable=off' in
    the keystore.conf file, and/or after disabling CRL CDP checking
    by setting 'crl.cdp=off' in the keystore.conf file, an MQ AMS
    application using the native interceptors fail to MQOPEN
    an AMS-protected queue with reason code 2063, which is

Local fix

  • You can work around the problem by adding an additional
    parameter in each case.  If you wish to disable OCSP, set both
    of these:
    To disable CRL CDP checking, set both of these parameters in
    the keystore.conf file:
     Restart the AMS application after making the change and OCSP
    and/or CRL CDP checking should be disabled for it.

Problem summary

  • ****************************************************************
    All users of Advanced Message Security attempting to use crl.cdp
    or ocsp.enable without a configured host.
    This affects users of the native interceptors, which excludes
    Java applications, but includes MCA (channel) interception.
    Platforms affected:
    A logic error within the AMS interceptor caused an internal
    validation check for OCSP and CRL checking to incorrectly fail
    when OCSP and/or CRL checking was set to off with no hostname
    configured in the keystore.conf file.

Problem conclusion

  • The AMS interceptor logic has been corrected to address this
    issue. The fix must be applied to the installation from which
    the AMS interceptor code is obtained - in the client interceptor
    case, the is the client installation. In the MCA interception
    case, this is the queue manager installation.
    The fix is targeted for delivery in the following PTFs:
    Version    Maintenance Level
    v9.0 LTS
    v9.1 CD    9.1.1
    v9.1 LTS
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'

Temporary fix


APAR Information

  • APAR number


  • Reported component name

    IBM MQ AMS V8.0

  • Reported component ID


  • Reported release


  • Status


  • PE




  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date


  • Closed date


  • Last modified date


  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ AMS V8.0

  • Fixed component ID


Applicable component levels

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
05 July 2018