IBM Support

PH64732: IBM MQ Z/OS: AMS_OBTAIN_KEYRING() FOR USERKEYRINGNAME USERID/DRQ.AMS.KEYRING FAILED WITH 3353017

A fix is available


APAR status

  • Closed as program error.

Error description

  • The transaction userid is not being correctly propagated for
    use in determining the keyring name in some cases. It results in
    ams_obtain_keyring() for userKeyringName userid/drq.ams.keyring
    failed with 3353017.
    Other error messages:
    CSQ0209E MQRC_SECURITY_ERROR
    CSQ0216E reason 03353033 for recipient userid.
    

Local fix

  • 1. Set expiring cert to the default, or
    2. Create keyring transaction_id/drq.ams.keyring. This keyring
       is populated with the same personal and signer certs as the
       recipient keyring.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM for z/OS Version 9          *
    *                 Release 3 Modification 0.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: CICS applications issuing MQGET to get  *
    *                      messages from a queue protected with a  *
    *                      Privacy or Confidentiality policy fail  *
    *                      with MQRC 2063 (MQRC_SECURITY_ERROR) if *
    *                      the default certificate cannot be used  *
    *                      to unprotect the message.               *
    ****************************************************************
    When getting from a Privacy or Confidentiality protected queue,
    an attempt is made to unprotect the message using the default
    certificate in the user's drq.ams.keyring. If this fails, and
    PH44820 is applied, a further attempt is made using other
    trusted certificates from the user's keyring that match the
    recipient DNs specified in the queue's policy. However, when the
    getting application is a CICS transaction, this subsequent
    attempt incorrectly looks for certificates in the CICS region
    user's keyring (if it exists) rather than the transaction user's
    keyring, so the unprotect attempt fails.
    

Problem conclusion

  • The certificates are now located using the correct keyring when
    the default certificate cannot be used to unprotect the message.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH64732

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    300

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-01-07

  • Closed date

    2025-10-09

  • Last modified date

    2025-11-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UO05261

Modules/Macros

  • CSQ0DPRI
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R300 PSY UO05261

       UP25/11/12 P F511

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
30 November 2025