IBM Support

PH14757: MQ CSQX620E CSQX645E WHEN PRIMEPSA IS ENABLED AS ATTEMPT TO LOCATE CERTIFICATE FAILS WITH SSL REASON CODE 438

A fix is available

APAR status

  • Closed as program error.

Error description

  • The change team finds that, when PRIMEPSA (IGVDGNPP) is enabled,
    the following errors can be generated between SSL partners (i.e.
    CSQX645E / CSQX620E) as an attempt to locate the default key
    label fails. This is because CSQXGSSI is not correctly checking
    that pChlCertLabel is set prior to referencing it as the channel
    label. (In the APAR'd case the error does not occur if CERTLABL
    is specified at the channel level.) When no label is passed, this
    reference will normally get a 'label' beginning with a null
    character '00'x, which is correctly treated as no label. However,
    with PRIMEPSA enabled, the 'label' is based on values set by
    PRIMEPSA in low core. This causes the attempt to locate the
    certificate to use an invalid label, leading to the
    reported errors.
    

Local fix

  • Disable PRIMEPSA
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 0 Modification 0.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: When channel is started when PRIMEPSA   *
    *                      is on, customer reported 'System SSL    *
    *                      error' on sender qmgr and 'Certificate  *
    *                      missing for channel' on receiver qmgr:  *
    *                                                              *
    *                      CSQX645E CSQXRESP Certificate xxx       *
    *                      missing for channel xxx                 *
    *                                                              *
    *                      CSQX620E CSQXRCTL System SSL            *
    *                      error,                                  *
    *                          channel xxx                         *
    *                          connection xxx                      *
    *                          function 'gsk_secure_socket_init'   *
    *                          RC=438                              *
    ****************************************************************
    When the receiver end of the channel starts, a
    gsk_secure_socket_init request is eventually called by CSQXGSKI
    with NULL passed for several parameters, including the
    certificate label pChlCertLabel. Because NULL has been passed,
    the pChlCertLabel check is based on the contents of address 0
    (the PSA). Without primePSA on, that read is likely to return 0,
    which correctly determines that no label was provided; with
    primePSA turned on it does not return 0. This results in the
    check incorrectly determining that a label was passed.
    

Problem conclusion

  • Code in csqxgssi.c corrected so that when the check is done on
    the first character of pChlCertLabel, it is checked for NULL
    first so that it is not incorrectly dereferenced.
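
The check described above, sketched as an added example (not IBM's code from csqxgssi.c): since a NULL dereference faults on most platforms, a small buffer stands in for the PSA at address 0. The function names, the buffer and the 0xEE fill byte are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for low core: on z/OS address 0 is readable (the PSA), so a read
 * through a NULL label pointer returns whatever is stored there. */
static unsigned char psa_sim[16];

/* Hypothetical helper: fill the simulated PSA. 0x00 models the usual case;
 * a non-zero fill (0xEE is a constructed value) models PRIMEPSA enabled. */
void set_psa(unsigned char fill)
{
    memset(psa_sim, fill, sizeof psa_sim);
}

/* Models the read the unfixed check performs: NULL resolves to the PSA. */
static const unsigned char *deref(const char *label)
{
    return label ? (const unsigned char *)label : psa_sim;
}

/* Unfixed check: first byte tested without testing the pointer itself. */
int label_present_unfixed(const char *label)
{
    return deref(label)[0] != 0x00;
}

/* Fixed check: pointer tested for NULL before its first byte is read. */
int label_present_fixed(const char *label)
{
    return label != NULL && label[0] != 0x00;
}

int main(void)
{
    const unsigned char fills[] = { 0x00, 0xEE };
    for (size_t i = 0; i < sizeof fills; i++) {
        set_psa(fills[i]);
        printf("PSA fill 0x%02X: unfixed(NULL)=%d fixed(NULL)=%d\n",
               fills[i], label_present_unfixed(NULL), label_present_fixed(NULL));
    }
    printf("explicit label: fixed=%d\n", label_present_fixed("LABEL1"));
    return 0;
}
```

With the zero fill both checks agree that no label was passed; with the non-zero fill only the unfixed check reports a label, which is the condition that leads to the certificate lookup on an invalid label.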
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH14757

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-07-22

  • Closed date

    2019-08-12

  • Last modified date

    2019-10-01

  • APAR is sysrouted FROM one or more of the following:

    PI89353

  • APAR is sysrouted TO one or more of the following:

    UI64696

Modules/Macros

  • CSQXGSSI
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R000 PSY UI64696

       UP19/09/26 P F909

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
01 October 2019