PI67835: MQ Z/OS: REFRESH SECURITY TYPE(SSL) DOES NOT TAKE EFFECT IF A GSK_GET_UPDATE() CALL INDICATES NO UPDATES ARE NEEDED


APAR status

  • Closed as program error.

Error description

  • REFRESH SECURITY TYPE(SSL) is issued, for example to implement
    a renewed certificate in the keyring.  The refresh sometimes
    does not take place, which can cause various errors depending
    on what needed to be refreshed, for example
      CSQX658E SSL certificate has expired
    
    The MSTR joblog has
     CSQM137I CSQMRSEC  REFRESH SECURITY COMMAND ACCEPTED
     CSQ9022I CSQXCRPS ' REFRESH SECURITY' NORMAL COMPLETION
    but that only means the command was successfully passed to the
    channel initiator (CHIN) where the command is actually
    processed.
    
    The CHIN log does NOT have the messages
     CSQX618I CSQXRSSL SSL key repository refresh started
     CSQX619I CSQXRSSL SSL key repository refresh processed
    to indicate that the refresh took place.
    
    The refresh may not take effect when the label for the
    certificate did not change.  See
    https://developer.ibm.com/answers/questions/167788/why-is-csqx658e-still-received-even-though-ive-iss/
    
    One of the checks made to see whether the refresh is even
    necessary is a gsk_get_update() call.  If it returns zero
    rather than one, that means the security manager indicated no
    updates were necessary.
    
    Please offer an option to force the refresh to take place
    despite what gsk_get_update returns. Otherwise, a restart of
    the CHIN is necessary to pick up the updates.
    
    Additional Symptom(s) Search Keyword(s):
    

Local fix

  • Recycle the channel initiator (STOP CHINIT and START CHINIT) to
    refresh MQ's SSL security cache.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of IBM MQ for z/OS Version 9 Release 0             *
    * Modification 0.                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Following changes to SSL/TLS certificates, a REFRESH         *
    * SECURITY TYPE(SSL) command does not result in the updated    *
    * certificates being used by MQ when using a SAF-Compliant     *
    * external security manager other than RACF.                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * None                                                         *
    ****************************************************************
    When a REFRESH SECURITY TYPE(SSL) command is issued, MQ uses a
    gsk_get_update() call to inquire whether there are any pending
    changes to SSL/TLS certificates. Where the result from the
    gsk_get_update() call indicates that no changes have been made,
    then a full refresh of certificates is not performed.
    
    If an incorrect response is received from a gsk_get_update()
    call when using a SAF-Compliant External Security Manager, MQ
    will bypass the refresh of the certificate store.
    
    The PTF for this APAR adds the capability to force MQ to always
    perform a full refresh of the certificate store in response to a
    REFRESH SECURITY TYPE(SSL) command.
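
The error description and the problem summary above both come down to one observable gap: the MSTR joblog reports CSQM137I / CSQ9022I for the REFRESH SECURITY command, but the refresh only actually ran if the CHIN log also shows CSQX618I and CSQX619I. The script below is an added example, not code from IBM or from this APAR; it correlates the two joblogs and flags a refresh that the queue manager accepted but the channel initiator never carried out, which is the condition that leaves an expired certificate in use until the CHIN is recycled. The sample log lines, the joblog layout (time, STC id, message id, text), and the five-minute correlation window are assumptions made for the example.

```python
import re

# Constructed sample joblog excerpts (not taken from the APAR page). Timestamps
# and STC ids are made up; the message ids are the ones the APAR names.
MSTR_LOG = """\
10.02.11 STC00123  CSQM137I CSQMRSEC  REFRESH SECURITY COMMAND ACCEPTED
10.02.11 STC00123  CSQ9022I CSQXCRPS ' REFRESH SECURITY' NORMAL COMPLETION
"""

# CHIN log when the refresh really happened.
CHIN_LOG_OK = """\
10.02.12 STC00124  CSQX618I CSQXRSSL SSL key repository refresh started
10.02.14 STC00124  CSQX619I CSQXRSSL SSL key repository refresh processed
"""

# CHIN log when the refresh was silently bypassed: no CSQX618I/CSQX619I,
# and the stale certificate later surfaces as CSQX658E.
CHIN_LOG_SKIPPED = """\
10.05.30 STC00124  CSQX658E SSL certificate has expired
"""

# Assumed joblog layout: HH.MM.SS, an STC id, the MQ message id, free text.
LINE_RE = re.compile(r"^(\d\d)\.(\d\d)\.(\d\d)\s+\S+\s+(CSQ\w+)\s+(.*)$")


def parse_joblog(text):
    """Return (seconds_since_midnight, message_id, text) for each MQ message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, msgid, rest = m.groups()
        events.append((int(h) * 3600 + int(mi) * 60 + int(s), msgid, rest.strip()))
    return events


def check_ssl_refresh(mstr_text, chin_text, window_seconds=300):
    """For every REFRESH SECURITY accepted by the MSTR, report whether the CHIN
    logged both the 'refresh started' and 'refresh processed' messages within
    the window, and whether SSL errors were seen afterwards."""
    mstr = parse_joblog(mstr_text)
    chin = parse_joblog(chin_text)
    accepted = [t for t, mid, rest in mstr
                if mid == "CSQM137I" and "REFRESH SECURITY" in rest]
    results = []
    for t0 in accepted:
        in_window = [(t, mid) for t, mid, _ in chin if t0 <= t <= t0 + window_seconds]
        started = any(mid == "CSQX618I" for _, mid in in_window)
        processed = any(mid == "CSQX619I" for _, mid in in_window)
        ssl_errors_after = any(mid == "CSQX658E" and t > t0 for t, mid, _ in chin)
        if started and processed:
            status = "refreshed"
        elif started:
            status = "started-not-completed"
        else:
            status = "not-refreshed"  # command accepted, but CHIN did no refresh
        results.append({"accepted_at": t0, "status": status,
                        "ssl_errors_after": ssl_errors_after})
    return results


if __name__ == "__main__":
    for name, chin in (("ok", CHIN_LOG_OK), ("skipped", CHIN_LOG_SKIPPED)):
        for r in check_ssl_refresh(MSTR_LOG, chin):
            print(name, r)
```

Run against real MSTR and CHIN joblogs, a "not-refreshed" result after a certificate renewal is the signal that the gsk_get_update() shortcut fired and the local fix (recycle the channel initiator) or the PTF's forced-refresh option is needed; a "refreshed" result with CSQX658E still following points at the certificate itself rather than at this APAR.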
    

Problem conclusion

  • Processing has been amended to force the REFRESH SECURITY
    TYPE(SSL) command to unconditionally refresh the certificate
    store when enabled by the queue manager configuration.
    
    This new behavior is not enabled unless explicitly activated.
    Following the application of this PTF, please contact IBM
    Service for further instructions on how to activate this
    capability.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI67835

  • Reported component name

    MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-19

  • Closed date

    2016-10-11

  • Last modified date

    2017-02-01

  • APAR is sysrouted FROM one or more of the following:

    PI65553

  • APAR is sysrouted TO one or more of the following:

    UI41770

Modules/Macros

  • CSQXGUPD CSQXRCML
    

Fix information

  • Fixed component name

    MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R000 PSY UI41770

       UP17/01/10 P F701

Fix is available

  • Select the PTF appropriate for your component level.


Document Information

Modified date:
01 February 2017