A fix is available
APAR status
Closed as program error.
Error description
The transaction userid is not being correctly propagated for use in determining the keyring name in some cases.It results in ams_obtain_keyring() for userKeyringName userid/drq.ams.keyring failed with 3353017. Other error messages: CSQ0209E MQRC_SECURITY_ERROR CSQ0216E reason 03353033 for recipient userid.
Local fix
1.Set expiring cert to the default or 2.Create keyring transaction_id/drq.ams.keyring. This keyring is populated with the same personal and signer certs as the recipient keyring.
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM for z/OS Version 9 * * Release 3 Modification 0. * **************************************************************** * PROBLEM DESCRIPTION: CICS applications issuing MQGET to get * * messages from a queue protected with a * * Privacy or Confidentiality policy fail * * with MQRC 2063 (MQRC_SECURITY_ERROR) if * * the default certificate cannot be used * * to unprotect the message. * **************************************************************** When getting from a Privacy or Confidentiality protected queue, an attempt is made to unprotect the message using the default certificate in the user's drq.ams.keyring. If this fails, and PH44820 is applied, a further attempt is made using other trusted certificates from the user's keyring that match the recipient DN's specified in the queue's policy. However when the getting application is a CICS transaction this subsequent attempt incorrectly looks for certificates in the CICS region user's keyring (if it exists) rather than the transaction user's keyring, leading to the unprotect attempt failing.
Problem conclusion
The certificates are now located using the correct keyring when the default certificate cannot be used to unprotect the message.
Temporary fix
Comments
APAR Information
APAR number
PH64732
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
300
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2025-01-07
Closed date
2025-10-09
Last modified date
2025-11-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UO05261
Modules/Macros
CSQ0DPRI
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
R300 PSY UO05261
UP25/11/12 P F511
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"300","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]
Document Information
Modified date:
30 November 2025