IBM Support

SE74591: MQ C/RPG/COBOL Client install with TLS and ONE-WAY authentication failed with private keystore


APAR status

  • Closed as program error.

Error description

  • The 5725A49 MQ Client installed on IBM i allows C, RPG and COBOL
    programs to connect in client mode to a queue manager across the
    network. When the connection is secured with TLS/SSL, there is
    the option of one-way or two-way authentication. With the
    SVRCN channel definition set to "Client Authentication"
    *REQUIRED, two-way authentication is required and must be set up
    appropriately.
    
    But with Client Authentication *OPTIONAL, 5725A49 MQ Clients
    fail to connect if the certificates are placed only for one-way
    authentication (no server/user certificate in the keystore used
    by the MQ Client job).
    

Local fix

  • Use two-way authentication
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users who use the MQ Client with a private keystore to configure
    one-way authentication for SSL/TLS connections.
    
    
    Platforms affected:
    IBM iSeries
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    MQ code incorrectly handles a Client that uses a private keystore
    to configure one-way authentication for an SSL/TLS connection. It
    returns AMQ9657E: The key repository could not be opened (channel
    'XXXX') if the private keystore doesn't contain the
    certificate.
    

Problem conclusion

  • MQ code is corrected to handle the one-way connection
    properly. Since one-way authentication doesn't require a client
    to supply a certificate, there is no need to have the client
    certificate in the private keystore.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.0 LTS   9.0.0.12
    v9.1 LTS   9.1.0.8
    v9.2 LTS   9.2.0.2
    v9.x CD    9.2.1
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    SE74591

  • Reported component name

    IBM MQ ISERIES

  • Reported component ID

    5724H7264

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-10-21

  • Closed date

    2020-10-27

  • Last modified date

    2021-01-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ ISERIES

  • Fixed component ID

    5724H7264

Applicable component levels


Document Information

Modified date:
12 January 2021