APAR status
Closed as program error.
Error description
An SSLPEERMAP CHLAUTH rule is defined to grant access to a client based on the certificate provided in mutual authentication, specifically matching on the certificate issuer using the SSLCERTI parameter. A client fails to match the CHLAUTH rule when the sharing conversations value (SHARECNV) is negotiated to a value higher than 1.
Local fix
Option 1. Set SHARECNV(1)
Option 2. Change the CHLAUTH SSLPEERMAP rule to match only on SSLPEER
Problem summary
USERS AFFECTED:
Users with client applications that perform multiple connections, such as JMS or XMS, with a negotiated SHARECNV value higher than 1, that use mutual SSL/TLS authentication and define CHLAUTH SSLPEERMAP rules that match on the certificate issuer distinguished name (SSLCERTI) are affected.

Platforms affected:
MultiPlatform

PROBLEM DESCRIPTION:
A programming error existed in the CHLAUTH checks of the SSLCERTI distinguished name when a second connection is made on a multiplexed client channel.
Problem conclusion
The programming error is corrected and CHLAUTH SSLPEERMAP checks match using a single copy of SSLPEER and SSLCERTI for all multiplexed client connections made on the same socket.

The fix is targeted for delivery in the following PTFs:

Version     Maintenance Level
v8.0        8.0.0.13
v9.0 CD     9.0.1
v9.0 LTS    9.0.0.8

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes':
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates':
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
Temporary fix
Comments
APAR Information
APAR number
IT28818
Reported component name
IBM MQ APPL M20
Reported component ID
5725Z0900
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-04-16
Closed date
2019-08-27
Last modified date
2019-08-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ APPL M20
Fixed component ID
5725Z0900
Applicable component levels
Document Information
Modified date:
27 August 2019