IBM Support

PH55563: IBM MQ Z/OS: ALTER CHANNEL TO SET A BLANK CERTLABL DOES NOT UPDATE THE CERTIFICATE CACHE, SO THE OLD CERTLABL VALUE IS USED

A fix is available

APAR status

  • Closed as program error.

Error description

  • ALTER CHANNEL with CERTLABL(' ') is not working as expected.
    After using this command to replace a label with blanks, the
    next start of the channel should use the CERTLABL or CERTQSGL
    for the QMGR or the default label. See information about
    "z/OS systems" at
    https://www.ibm.com/docs/en/ibm-mq/9.2?topic=repository-digital-certificate-labels-understanding-requirements
    
    DISPLAY CHANNEL shows CERTLABL( ) as expected, yet the old
    CERTLABL from the channel is used when the channel is started.
    If the label is no longer valid, the channel fails to start.
    For example, when the z/OS channel is a receiver (RCVR) channel,
    possible symptoms include:
    
    z/OS MQ error message:
    +CSQX228E ssid CSQXRESP Listener unable to start channel,
     channel <channel-name>
     TRPTYPE=TCP INDISP=GROUP
     connection <ip-addr>
    
    Distributed MQ error message:
    AMQ9636E: SSL distinguished name does not match peer name,
    channel '<channel-name>'.
    
    The comparable messages for the other platforms are AMQ9228E
    and CSQX636E.
    
    
    When a CERTLABL is removed from a channel, IBM MQ should rebuild
    its internal certificate label cache, as it does when a CERTLABL
    is added to a channel. That is not occurring, so the table in
    the cache that maps channel names to certificates contains
    out-of-date information.
    

Local fix

  • Perform REFRESH SECURITY TYPE(SSL) to force a rebuild of the
    cache. Be aware this command causes all running SSL channels to
    stop and restart.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 2 Modification 0, Release 3          *
    *                 Modification 0 and Release 4                 *
    *                 Modification 0                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: After altering the CERTLABL of a        *
    *                      channel, the channel is still using the *
    *                      old CERTLABL despite DISPLAY CHANNEL    *
    *                      showing the updated CERTLABL of the     *
    *                      channel as expected.                    *
    ****************************************************************
    The code responsible for processing DEFINE/ALTER CHANNEL
    commands was not triggering a rebuild of the certificate label
    cache for pre-existing channels when the CERTLABL had
    changed. As a result, it's possible for queue managers to
    use an out-of-date certificate cache after the CERTLABL
    attribute has been changed.
    

Problem conclusion

  • The code has been changed to detect when the CERTLABL value has
    changed for a channel during DEFINE/ALTER CHANNEL command
    processing and to refresh the certificate cache if so.
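
The stale-cache behaviour from the error description and the change described in the problem conclusion, as a simplified model added here for illustration (not IBM MQ code; the class, method, channel and label names are hypothetical). It assumes the defect skips the rebuild whenever the new label is blank, and it leaves out CERTQSGL.

```python
# Simplified model of a channel-to-certificate-label cache (illustration only;
# names are hypothetical and do not reflect IBM MQ internals).

class QueueManager:
    def __init__(self, name, qmgr_certlabl="", fixed=False):
        self.name = name
        self.qmgr_certlabl = qmgr_certlabl  # queue manager CERTLABL, may be blank
        self.fixed = fixed                  # True models the behaviour after the fix
        self.channels = {}                  # channel definitions: name -> CERTLABL
        self.cache = {}                     # label table consulted at channel start

    def _effective_label(self, chl_label):
        # A blank channel label falls back to the queue manager label, then to a
        # default. The default string is a placeholder constructed for this model.
        return (chl_label.strip() or self.qmgr_certlabl.strip()
                or f"<default-label-{self.name}>")

    def rebuild_cache(self):
        # Same effect on the table as forcing a rebuild with REFRESH SECURITY TYPE(SSL).
        self.cache = {c: self._effective_label(l) for c, l in self.channels.items()}

    def alter_channel(self, channel, certlabl):
        old = self.channels.get(channel, "")
        self.channels[channel] = certlabl
        if self.fixed:
            changed = old.strip() != certlabl.strip()  # any change, including to blank
        else:
            changed = bool(certlabl.strip())           # defect: blank never triggers
        if changed:
            self.rebuild_cache()

    def display_channel(self, channel):
        return self.channels[channel].strip()  # reads the definition, not the cache

    def label_used_at_start(self, channel):
        return self.cache[channel]             # reads the cache


def scenario(fixed, refresh=False):
    """Return (label shown by DISPLAY CHANNEL, label used at channel start)."""
    qm = QueueManager("QM1", qmgr_certlabl="QM1.CERT", fixed=fixed)
    qm.alter_channel("TO.QM1", "OLD.CHANNEL.CERT")  # label added: cache rebuilt
    qm.alter_channel("TO.QM1", " ")                 # label replaced with blanks
    if refresh:
        qm.rebuild_cache()                          # the local fix
    return qm.display_channel("TO.QM1"), qm.label_used_at_start("TO.QM1")
```
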
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH55563

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-07-05

  • Closed date

    2024-08-05

  • Last modified date

    2024-10-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI97911 UI97912 UI97913

Modules/Macros

  • CSQMCNAC
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R200 PSY UI97913

       UP24/09/25 P F409

  • R300 PSY UI97912

       UP24/09/25 P F409

  • R400 PSY UI97911

       UP24/09/25 P F409

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
03 October 2024