A fix is available
APAR status
Closed as program error.
Error description
SSLPEER('*'), with only the wildcard (asterisk), is not a valid value for the SSLPEER attribute. The allowed values for the field are detailed in the IBM documentation at https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-mq-rules-sslpeer-values

Providing an invalid value, such as '*', for the SSLPEER attribute results in a rule being created which will never match a peer Distinguished Name. MQ should not allow these rules to be created in the first place.

An example is:

    SET CHLAUTH (TO.CSQ1.TS1.S2) TYPE(SSLPEERMAP) -
    SSLPEER('*') -
    USERSRC(NOACCESS) WARN(NO) ACTION(REPLACE) -
    DESCR('block TO.CSQ1.TS1.S2 access')

With WARN(NO), you expect CSQX777E for this channel but receive CSQX787I, where the text for these messages looks like:

    CSQX777E csect-name Channel channel-name from ipaddress has been blocked due to USERSRC(NOACCESS), Detail: detail
    CSQX787I csect-name Channel channel-name from ipaddress would have been blocked due to USERSRC(NOACCESS), Detail: detail

The unexpected result is because the invalid rule with SSLPEER('*') is not matched, and another generic rule is matched.
Local fix
An asterisk can be used at the start of a Distinguished Name attribute, for example: SSLPEER('CN=*').
Problem summary
USERS AFFECTED: All users of IBM MQ for z/OS Version 9 Release 2 Modification 0 and Release 3 Modification 0.

PROBLEM DESCRIPTION: When modifying channel authentication rules with the SET CHLAUTH command, it's possible for rules with invalid SSLPEER values to be defined which then do not match with any peer certificate distinguished names.

The code that handles the SET CHLAUTH command does minimal validation checking of SSLPEER values provided, which allows some invalid SSLPEER values to be defined and modified.
Problem conclusion
The code has been changed to check all SSLPEER values against the defined rules when a user attempts to add or modify a channel authentication rule.
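As an added example (not IBM's code, and not the validation that the fix performs), the following Python script scans MQSC text for SET CHLAUTH rules whose SSLPEER value contains a component that is not in attribute=value form, such as the bare '*' described above. The sample script, the channel names other than TO.CSQ1.TS1.S2, the function names and the simplified attribute=value test are assumptions made for illustration.

```python
import re

# Constructed MQSC input: first rule is the one quoted in this APAR, the rest are made up.
SAMPLE_MQSC = """\
SET CHLAUTH (TO.CSQ1.TS1.S2) TYPE(SSLPEERMAP) -
SSLPEER('*') -
USERSRC(NOACCESS) WARN(NO) ACTION(REPLACE) -
DESCR('block TO.CSQ1.TS1.S2 access')
SET CHLAUTH (APP.SVRCONN) TYPE(SSLPEERMAP) +
    SSLPEER('CN=*') USERSRC(NOACCESS)
SET CHLAUTH (PARTNER.CHL) TYPE(SSLPEERMAP) SSLPEER('CN=host*,O=Example') USERSRC(CHANNEL)
"""

CHLAUTH_RE = re.compile(r"^\s*SET\s+CHLAUTH\s*\(\s*'?([^')]+)'?\s*\)", re.I)
SSLPEER_RE = re.compile(r"\bSSLPEER\s*\(\s*'([^']*)'\s*\)", re.I)
# Assumption (simplified): a component is name=value; quoted separators are not handled.
PAIR_RE = re.compile(r"^\s*[A-Za-z]+\s*=\s*\S.*$")

def join_continuations(text):
    """Join MQSC lines: '-' continues at column 1, '+' at the first non-blank."""
    commands, buf, skip_blanks = [], "", False
    for line in text.splitlines():
        line = line.rstrip()
        line = line.lstrip() if skip_blanks else line
        if line.endswith(("-", "+")):
            skip_blanks = line.endswith("+")
            buf += line[:-1]
            continue
        if (buf + line).strip():
            commands.append((buf + line).strip())
        buf, skip_blanks = "", False
    return commands

def invalid_components(sslpeer):
    """Return the comma/semicolon separated parts that are not attribute=value."""
    return [p.strip() for p in re.split(r"[,;]", sslpeer) if not PAIR_RE.match(p)]

def find_suspect_rules(text):
    """Return (channel, sslpeer, bad_parts) for each rule with a malformed SSLPEER."""
    findings = []
    for cmd in join_continuations(text):
        chl, peer = CHLAUTH_RE.search(cmd), SSLPEER_RE.search(cmd)
        bad = invalid_components(peer.group(1)) if chl and peer else []
        if bad:
            findings.append((chl.group(1).strip(), peer.group(1), bad))
    return findings

if __name__ == "__main__":
    print(find_suspect_rules(SAMPLE_MQSC))
```

A rule reported here should be compared against the SSLPEER rules in the IBM documentation linked above, since this check only tests the attribute=value shape and does not validate attribute names.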
Temporary fix
Comments
APAR Information
APAR number
PH47081
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
200
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-06-08
Closed date
2023-06-15
Last modified date
2023-09-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI92261 UI92262
Modules/Macros
CMQXRSCF CSQMSCA CSQTOEPL CSQWFMTC
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"200","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
01 September 2023