IBM Support

PH04516: MQ CLIENT V8 CONNECT TO Z/OS MQV9 QMGR VIA AT_TLS SECURED CHANNEL FAILED MQRC 2594 MQRC_PASSWORD_PROTECTION_ERROR

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Additional Symptom(s):
    
    Z/OS MQv9 QMGR receives CSQX575E <XXXX CSQXRESP Negotiation
    failed for channel and MQ Client fails with 2594
    MQRC_PASSWORD_PROTECTION_ERROR
    
    The failure is occurring due to an unexpected error code being
    received when the chinit issues ioctl to determine if the
    channel has been secured by AT-TLS, and so whether the 'NULL'
    algorithm is allowable or not.
    
    When the ioctl call is made, the buffer provided is too small
    for the certificate to be returned in, and so an error is
    returned. The code expects this, and checks for this condition,
    however in this instance a different error code is being
    returned than was expected.
    
    
    Search Keyword(s):
    
    MQv9 CSQX575E MQ Client MQRC 2594 MQRC_PASSWORD_PROTECTION_ERROR
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 0 Modification 0 and Release 1       *
    *                 Modification 0.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: MQ clients connecting to a z/OS queue   *
    *                      manager using an AT-TLS configured      *
    *                      socket and presenting a client          *
    *                      certificate fail with MQRC 2594         *
    *                      MQRC_PASSWORD_PROTECTION_ERROR.         *
    *                                                              *
    *                      Older MQ clients fail MQRC 2009         *
    *                      MQRC_CONNECTION_BROKEN, and the cause   *
    *                      is reported using CSQX296E.             *
    ****************************************************************
    A client configured to use SSL/TLS indicates that the password
    does not need protecting, because the connection is already
    secured.
    However, because the SSL/TLS protection is transparent to the
    channel initiator when AT-TLS is used, the channel is not
    configured for SSL/TLS at the server, and so a SIOCTTLSCTL
    request is issued to detect if the connection is secured by
    AT-TLS.
    If no client certificate was presented (server handshaking) the
    call succeeds, however if a certificate was presented
    (Server with Client Auth), an error in the processing of the
    return code from the request causes the server to incorrectly
    determine that the connection is not secured, and to fail the
    channel connection.
    

Problem conclusion

  • The error in checking the return code from the SIOCTTLSCTL
    request is corrected so that the state of the connection is
    correctly detected.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH04516

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-25

  • Closed date

    2018-11-15

  • Last modified date

    2019-01-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI59736 UI59737

Modules/Macros

  • CMQXRMSA
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R000 PSY UI59736

       UP18/12/14 P F812 ¢

  • R100 PSY UI59737

       UP18/12/15 P F812 ¢

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
02 January 2019