IBM Support

PI41577: MQ V8 EXPLORER CONNECT TO Z/OS QMGR VIA AT_TLS SECURED CHANNEL FAILED MQRC 2594 MQRC_PASSWORD_PROTECTION_ERROR

A fix is available


APAR status

  • Closed as program error.

Error description

  • Using MQ Explorer 8.0.0.2 with AT-TLS channels to connect to
    WMQ for z/OS V8, the handshake failed with:
    An unexpected error (2594) has occurred. (AMQ4999)
    Traces show that a failure to negotiate a password protection
    algorithm with the queue manager results in an MQRC 2594
    (MQRC_PASSWORD_PROTECTION_ERROR) exception.
    L3 found that new code added as part of Version 8 includes
    additional security to protect the password that client
    applications (in this case MQ Explorer) send using the MQCSP
    structure. This uses MQ's password protection functionality
    if the communication is done without SSL/TLS, or relies on
    TLS if the communication is encrypted. However, there is a
    defect in this functionality when it is used with AT-TLS.
    The client code does not protect the password, because its
    communication is being done with TLS. However, as AT-TLS is
    transparent to the queue manager, it appears to the channel
    that the communication is in the clear, so the channel
    enforces that the password should have been sent protected.
    This is due to the PasswordProtection attribute being set
    to compatible and the client also being at the version 8
    level.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of WebSphere MQ for z/OS Version 8 *
    *                 Release 0 Modification 0.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: A client connecting to a queue manager  *
    *                      through a socket secured through z/OS   *
    *                      Communications Server Application       *
    *                      Transparent Transport Layer Security    *
    *                      (AT-TLS) will fail with MQRC 2594       *
    *                      (MQRC_PASSWORD_PROTECTION_ERROR).       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    During the connection to a queue manager by a client, a password
    protection algorithm is negotiated, which will be used to
    protect passwords in an MQCSP structure. If the client is V8 or
    later, talking to a V8 queue manager, it is required that a
    cipher is used for this protection if either side believes the
    connection is unsecured. In the case where an AT-TLS policy is
    used in the client connection, the client attempts to use a null
    cipher for this protection. However, the TLS connection is
    transparent to the queue manager, which rejects this proposal.
    This results in rfpIEF3_PROT_ALGORITHMS being flowed back to the
    client, which causes the MQCONN to fail with MQRC 2594.
    

Problem conclusion

  • The password protection algorithm negotiation processing has
    been altered to be aware of connections using AT-TLS, so that
    using no password protection is permitted when the communication
    is secured using TLS through an active AT-TLS policy.
    000Y
    CMQXRMSA
    CSQXCCXT
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI41577

  • Reported component name

    WMQ Z/OS 8

  • Reported component ID

    5655W9700

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-05-21

  • Closed date

    2015-07-10

  • Last modified date

    2015-09-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI29291

Modules/Macros

  • CMQXRMSA CSQXCCXT
    

Fix information

  • Fixed component name

    WMQ Z/OS 8

  • Fixed component ID

    5655W9700

Applicable component levels

  • R000 PSY UI29291

       UP15/08/11 P F508

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 September 2015