IBM Support

PH64733: IBM MQ Z/OS: A DEFAULT CERTIFICATE IS STILL REQUIRED EVEN WITH PH44820 APPLIED

A fix is available


APAR status

  • Closed as program error.

Error description

  • With PH44820 applied, it seems reasonable that getting messages
    from confidentiality protected queues should not require a
    default certificate, provided the queue is opened for input
    only. However, a default certificate is currently still
    required, even if the message is decrypted with a different
    certificate in the keyring.
    When the default is blank, the following error is received:
    CSQ0217E xxxxxx CSQ1 CSQ0COPN Failed to process object 'DEFAULT
    key in keyring userid/drq.ams.keyring'
    

Local fix

  • Set the default certificate to a non-blank value.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 2 Modification 0 and                 *
    *                 Release 3 Modification 0.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: When getting messages from a            *
    *                      confidentiality protected queue, if no  *
    *                      default certificate is present in the   *
    *                      user's keyring, protected messages are  *
    *                      not decrypted even when the policy's    *
    *                      receiver certificate is in the user's   *
    *                      keyring.                                *
    ****************************************************************
    The code which handles the retrieval of certificates when
    opening a protected queue requires using the default certificate
    first, assuming it is always set. If this certificate fails to
    decrypt protected messages, then the other certificates in the
    keyring should be attempted.
    

Problem conclusion

  • The code has been changed to handle no default certificate being
    set in a user's keyring when opening a confidentiality protected
    queue for browse or input only by checking other certificates in
    the keyring that match the recipient.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH64733

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    300

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-01-07

  • Closed date

    2025-09-22

  • Last modified date

    2025-11-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UO05012 UO05013

Modules/Macros

  • CSQ0DPRI CSQ0DUNP
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R200 PSY UO05013

       UP25/11/12 P F511

  • R300 PSY UO05012

       UP25/11/12 P F511

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
30 November 2025