APAR status
Closed as program error.
Error description
It is expected that a queue manager channel process will generate a failure data capture (FDC) record with probe ID CO373099 from the cciTcpSslResetCallback function if an invalid TLS renegotiation flow is detected (at TLS 1.2 or earlier protocol levels). This FDC record does not state the remote peer connection name in the header, which is likely to be of interest for diagnostic purposes.

+-----------------------------------------------------------------------------+
|                                                                             |
| IBM MQ First Failure Symptom Report                                         |
| =========================================                                   |
|                                                                             |
| [...]                                                                       |
| Probe Id          :- CO373099                                               |
| Application Name  :- MQM                                                    |
| Component         :- cciTcpSslResetCallback                                 |
| SCCS Info         :- /build/slot2/p920_P/src/lib/comms/amqccisa.c,          |
| Program Name      :- amqrmppa                                               |
| [...]                                                                       |
| Major Errorcode   :- rrcE_PROTOCOL_ERROR                                    |
| Minor Errorcode   :- OK                                                     |
| Probe Type        :- MSGAMQ9504                                             |
| Probe Severity    :- 2                                                      |
| Probe Description :- AMQ9504E: A protocol error was detected for channel    |
|                      '????'.                                                |
| FDCSequenceNumber :- 0                                                      |
| Comment1          :- ????                                                   |
| Comment2          :- Detected multiple key resets                           |
|                                                                             |
+-----------------------------------------------------------------------------+

MQM Function Stack
cciResponderThread
ccxResponder
rrxResponder
rriAcceptSess
ccxReceive
cciSslSecureReceive
ccigsk_secure_soc_read
cciTcpSslResetCallback
xcsFFST
Local fix
The information in question can be identified later on in the FDC file, in the "Conversation Control Block" section as follows:

Conversation Control Block
{
  ID                    CONV
  Type                  2
  MaxTransmissionSize   15360
  PeerName              9.20.88.99
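The local-fix lookup above, automated as an added example (not IBM code): it scans FDC text for records with probe ID CO373099 and returns the PeerName from each record's Conversation Control Block. It assumes one field per line in the layout quoted in this APAR; the sample text, the second probe ID and the function name peers_for_probe are constructed for illustration.

```python
import re

PROBE_ID = "CO373099"  # probe ID from this APAR

# Constructed sample: two FDC records in the layout quoted in this APAR
# (header fields as "Name :- value", then a Conversation Control Block).
# XX000000 is a placeholder probe ID, not a real one.
SAMPLE_FDC = """\
| Probe Id          :- CO373099                                  |
| Component         :- cciTcpSslResetCallback                    |
| Comment2          :- Detected multiple key resets              |
Conversation Control Block
{
  ID                    CONV
  Type                  2
  MaxTransmissionSize   15360
  PeerName              9.20.88.99
}
| Probe Id          :- XX000000                                  |
Conversation Control Block
{
  PeerName              192.0.2.10
}
"""

PROBE_RE = re.compile(r"Probe Id\s*:-\s*(\S+)")
CCB_RE = re.compile(r"^\s*Conversation Control Block\s*$", re.MULTILINE)
PEER_RE = re.compile(r"^\s*PeerName\s+(\S+)", re.MULTILINE)


def peers_for_probe(fdc_text, probe_id=PROBE_ID):
    """Return the PeerName of each FDC record carrying probe_id.

    A record is taken to run from one "Probe Id" line to the next; a record
    without a Conversation Control Block or PeerName yields None.
    """
    peers = []
    starts = list(PROBE_RE.finditer(fdc_text))
    for i, m in enumerate(starts):
        if m.group(1) != probe_id:
            continue
        end = starts[i + 1].start() if i + 1 < len(starts) else len(fdc_text)
        record = fdc_text[m.end():end]
        ccb = CCB_RE.search(record)
        # Only accept a PeerName that appears after the block heading.
        peer = PEER_RE.search(record, ccb.end()) if ccb else None
        peers.append(peer.group(1) if peer else None)
    return peers
```

A None entry marks a matching record whose peer could not be recovered and needs manual inspection of the FDC file.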
Problem summary
****************************************************************
USERS AFFECTED:
All users of MQ who have a TLS configuration and are seeking to identify the remote peer associated with a failure data capture record with probe ID CO373099.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
The diagnostic logic evaluated in this error scenario did not include a call to add the peer name to the diagnostic header (although it could be found elsewhere, as described in the local fix section).
Problem conclusion
The MQ client and queue manager TLS channel logic has been modified to add the peer connection name to the header of the FDC record generated when cciTcpSslResetCallback fails due to an invalid TLS negotiation.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.2 LTS   9.2.0.7
v9.3 LTS   9.3.0.2
v9.x CD    9.3.2

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT41904
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-08-31
Closed date
2022-11-18
Last modified date
2022-11-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
Document Information
Modified date:
19 November 2022