PH64293: IBM MQ Z/OS :THE SYSTEM SSL CALLBACK FAILS WITH RC=514 BECAUSE THE CHINIT CERTIFICATE CACHE DOESN'T EXIST.

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Queue manager reports following System SSL error:
  +CSQX620E CSQ1 CSQXRESP System SSL error, channel
  SYSTEM.ADMIN.SVRCONN connection Connection_name (ip) function
  'gsk_secure_socket_init' RC=514
  The System SSL callback is failing because the CHINIT
  certificate cache doesn't exist.
  If the CHIN determines it needs to build/rebuild the
  certificate label cache, then it will put a DISPLAY CHANNEL(*)
  CERTLABL WHERE(CERTLABL NE ' ') PCF message to the
  SYSTEM.COMMAND.INPUT queue. It will wait for a reply on a
  dynamic queue created from the SYSTEM.COMMAND.REPLY.MODEL model
  queue. If the QMGR command server is unable to put the reply
  message to the dynamic reply queue, say because the pageset is
  full, then the get wait will time out. In this case the CHIN
  can't build the certificate label cache which leads to the
  follow on problems seen. This results in a CSQX772E message
  from CSQXSUPR with "MQCMD_INQUIRE_CHANNEL" in the CHIN joblog
  after the wait interval expires:
  +CSQX772E CSQ1CSQXSUPR MQCMD_INQUIRE_CHANNEL failed, MQRC=2033
   (MQRC_NO_MSG_AVAILABLE)
  It follows that the root cause of this problem is the page set
  full condition seen on CSQ1.
  

Local fix

• n/a
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
  *                 Release 4 Modification 0.                    *
  ****************************************************************
  * PROBLEM DESCRIPTION: Starting a channel may fail with a      *
  *                      System SSL error and error code from    *
  *                      'gsk_secure_socket_init'. A previous    *
  *                      message in the channel initiator job    *
  *                      log referencing                         *
  *                      'MQCMD_INQUIRE_CHANNEL' suggests that   *
  *                      a problem occurred earlier in the       *
  *                      startup process, preventing channels    *
  *                      from starting.                          *
  ****************************************************************
  This problem occurs during the TLS handshake process on the
  responding end of the conversation when trying to start a
  channel. The certificate label cache is required to map the
  inbound connection to its associated certificate label. If the
  cache is not built successfully during channel initiator
  startup the handshake fails and the channel terminates
  abnormally. The failure is driven through SystemSSL,
  resulting in an error.
  

Problem conclusion

• Additional checks for a valid label cache have been added and a
  new message, CSQX168E, will be issued when this problem is
  encountered.
  
  The IBM MQ for z/OS Version 9.4.x.
  
  Documentation are updated:
  IBM MQ
   Reference
    Messages and reason codes
     IBM MQ for z/OS messages, completion, and reason codes
      Messages for IBM MQ for z/OS
       Message manager messages (CSQX...)
  ( https://www.ibm.com/docs/en/ibm-mq/
  9.4.x?topic=zos-distributed-queuing-messages-csqx )
  
  Added message CSQX168E:
  "
  CSQX168E
      csect-name Certificate label cache not generated. Unable to
      start channel channel-name, connection conn-id
  
  Severity
      8
  
  Explanation
      An error occurred during channel initiation where the
      required certificate label cache to establish a TLS
      connection was unable to be generated. This failure
      prevents the channel connection identified by channel-name
      from starting.
  
  System action
      The channel will not start.
  
  System programmer response
      Use the preceding messages on the z/OS console to
      investigate the issue.
  
      To re-attempt building the cache you can issue the
      [REFRESH SECURITY TYPE(SSL)]
      ( https://www.ibm.com/docs/en/SSFKSJ_9.4.0/
      refadmin/q086490_.html ) command.
  "
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UO06523 UO06524 UO06525 UO06526 UO06527 UO06528

Modules/Macros

• CSQFXLAT CSQFXTXC CSQFXTXE CSQFXTXF CSQFXTXK CSQFXTXU CSQXGSNI
  

Fix information

• Fixed component name

  IBM MQ Z/OS V9

• Fixed component ID

  5655MQ900

Applicable component levels

• R400 PSY UO06523

     UP26/02/14 P F602

• R401 PSY UO06524

     UP26/02/14 P F602

• R402 PSY UO06525

     UP26/02/14 P F602

• R403 PSY UO06526

     UP26/02/14 P F602

• R404 PSY UO06527

     UP26/02/14 P F602

• R405 PSY UO06528

     UP26/02/14 P F602

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.