A fix is available
APAR status
Closed as program error.
Error description
With PH44820 applied, it seems reasonable that getting messages from confidentiality protected queues should not require a default certificate, provided the queue is opened for input only. However, a default certificate is currently still required, even if the message is decrypted with a different certificate in the keyring. When the default is blank, the following error is received:
CSQ0217E xxxxxx CSQ1 CSQ0COPN Failed to process object 'DEFAULT key in keyring userid/drq.ams.keyring'
Local fix
Set the default certificate to a non-blank value.
Problem summary
USERS AFFECTED: All users of IBM MQ for z/OS Version 9 Release 2 Modification 0 and Release 3 Modification 0.
PROBLEM DESCRIPTION: When getting messages from a confidentiality protected queue, if no default certificate is present in the user's keyring, protected messages are not decrypted even when the policy's receiver certificate is in the user's keyring.
The code which handles the retrieval of certificates when opening a protected queue requires using the default certificate first, assuming it is always set. If this certificate fails to decrypt protected messages, then other certificates in the keyring should be attempted.
Problem conclusion
The code has been changed to handle no default certificate being set in a user's keyring when opening a confidentiality protected queue for browse or input only by checking other certificates in the keyring that match the recipient.
Temporary fix
Comments
APAR Information
APAR number
PH64733
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
300
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2025-01-07
Closed date
2025-09-22
Last modified date
2025-11-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UO05012 UO05013
Modules/Macros
CSQ0DPRI CSQ0DUNP
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
30 November 2025