A fix is available
APAR status
Closed as program error.
Error description
A channel connects MQ on z/OS to MQ on a distributed platform. After migrating IBM MQ for z/OS to 9.3 and using a TLS 1.3 CipherSpec, the sender channel on z/OS began to fail with:

CSQX620E cpf CSQXRCTL System SSL error, channel channel-name connection conn-id function 'gsk_secure_socket_init' RC=516

The connection is rejected because MQ on the distributed side does not support any of the key share groups that the MQ on z/OS client is proposing. The only group that the MQ z/OS client says it supports is 001D Group x25519 (decimal 29), and the server side does not support it.

IBM MQ for z/OS V930 is only sending 0029. Previous versions and releases of MQ on z/OS send other key share groups in addition to 0029.

For MQ on distributed platforms, the issue is addressed by APAR DT435816.
Local fix
Work with TLS 1.2.
Problem summary
USERS AFFECTED: All users of IBM MQ for z/OS Version 9 Release 3 Modification 0, and Release 4 Modification 0.

PROBLEM DESCRIPTION: An IBM MQ z/OS Queue Manager is unable to establish a TLS 1.3 FIPS connection to an IBM MQ distributed queue manager.

An attempt to start a channel using this configuration returns the CSQX620E message for function 'GSK_SECURE_SOCKET_INIT' and return code 516. This happens because the client and server key share groups have no values in common.
Problem conclusion
A service parameter has been added to the code. When turned on, it allows z/OS Queue Managers to start TLS channels with additional proposed key share groups. Please contact IBM support for details on enabling this behaviour.
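The group mismatch described above can be checked from a captured ClientHello. The following is an added example, not IBM code: it reads the supported_groups extension from a ClientHello extensions block and intersects it with a server's group list. The server list, the extra client groups, and all function and variable names are assumptions made for illustration.

```python
import struct

# Names from the IANA "TLS Supported Groups" registry.
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1",
               0x0019: "secp521r1", 0x001D: "x25519", 0x001E: "x448"}
EXT_SUPPORTED_GROUPS = 0x000A

def build_block(groups):
    """Build a constructed extensions block holding only supported_groups."""
    body = struct.pack("!H", 2 * len(groups)) + b"".join(
        struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(body)) + body
    return struct.pack("!H", len(ext)) + ext

def offered_groups(block):
    """Return the group code points in a ClientHello extensions block."""
    if len(block) < 2 or struct.unpack_from("!H", block)[0] != len(block) - 2:
        raise ValueError("extensions length does not match buffer")
    pos = 2
    while pos + 4 <= len(block):
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        data = block[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        if ext_type == EXT_SUPPORTED_GROUPS:
            if (ext_len < 2 or ext_len % 2
                    or struct.unpack_from("!H", data)[0] != ext_len - 2):
                raise ValueError("malformed supported_groups")
            return list(struct.unpack_from("!%dH" % ((ext_len - 2) // 2), data, 2))
        pos += 4 + ext_len
    return []

def common_groups(block, server_groups):
    """Groups both sides support; an empty list means the handshake fails."""
    return [g for g in offered_groups(block) if g in server_groups]

# Constructed inputs: the x25519-only list mirrors the error description;
# the extra client groups and the server list are assumptions.
CLIENT_X25519_ONLY = build_block([0x001D])
CLIENT_WITH_MORE = build_block([0x001D, 0x0017, 0x0018])
SERVER_GROUPS = {0x0017, 0x0018, 0x0019}

if __name__ == "__main__":
    for label, blk in (("x25519 only", CLIENT_X25519_ONLY),
                       ("extra groups", CLIENT_WITH_MORE)):
        shared = [GROUP_NAMES.get(g, hex(g)) for g in common_groups(blk, SERVER_GROUPS)]
        print(label, "->", shared or "no common group, handshake fails")
```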
Temporary fix
Comments
APAR Information
APAR number
PH66111
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
300
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2025-04-11
Closed date
2025-08-27
Last modified date
2025-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UO04656 UO04657
Modules/Macros
CSQIRECP CSQXGSSI
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 October 2025