APAR status
Closed as unreproducible.
Error description
MQCONNX from a client application using SSL/TLS channel fails with 2059 when establishing secure connection if ClientRevocationChecks is set to REQUIRED. The problem occurs when the application is not supplying MQSCO structure in MQCONNX call and application is not using CCDT. $ amqssslc -m QM93TLS -c SSL.SVRCONN.LNX -x 'hostname(1419)' -s TLS_AES_128_GCM_SHA256 -l ibmwebspheremqmqm Sample AMQSSSLC start Connecting to queue manager QM93TLS Using the server connection channel SSL.SVRCONN.LNX on connection name hostname(1419). Using SSL CipherSpec TLS_AES_128_GCM_SHA256 Certificate Label: ibmwebspheremqmqm No OCSP configuration specified. MQCONNX ended with reason code 2059
Local fix
If client revocation check is required then the application has to use CCDT or supply MQSCO in MQCONNX call. If client revocation check is not required then set the ClientRevocationCheck to OPTIONAL or DISABLED
Problem summary
This behaviour has been addressed by design changes in the MQ 9.3.5.0 continuous delivery release. MQ document has been updated to document the current behavior as below: If you are using either MQSCO or CCDT, then the connection succeeds. If there is no CCDT file and if MQSCO is also not supplied, then the connection fails with a reason code 2059 and the error log reports AMQ9518E: File '/var/mqm/AMQCLCHL.TAB' not found.
Problem conclusion
**************************************************************** USERS AFFECTED: MQ client application establishing secure connection via MQCONNX call without supplying MQSCO/CCDT when ClientRevocationCheck is set to REQUIRED are affected. Platforms affected: Linux on x86, AIX **************************************************************** PROBLEM DESCRIPTION: A defect in MQ when establishing secure connection causes the application to fail with 2059 in MQCONNX.
Temporary fix
Comments
This behaviour has been addressed by design changes in the MQ 9.3.5.0 continuous delivery release. MQ document has been updated to document the current behavior as below: If you are using either MQSCO or CCDT, then the connection succeeds. If there is no CCDT file and if MQSCO is also not supplied, then the connection fails with a reason code 2059 and the error log reports AMQ9518E: File '/var/mqm/AMQCLCHL. TAB' not found.
APAR Information
APAR number
IT44272
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
920
Status
CLOSED UR3
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-08-01
Closed date
2024-05-10
Last modified date
2024-05-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"920","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]
Document Information
Modified date:
10 May 2024