A fix is available
APAR status
Closed as program error.
Error description
In MQ V800 Advanced Message Security, if the CRL directory configuration is changed to remove an LDAP connection and to disable CRL checking, the command F AMSM,REFRESH can result in the currently active CRL directory continuing to be used incorrectly, keeping CRL checking active. Subsequent F AMSM,REFRESH commands can close the connection on the assumption that CRL checking is not enabled.
Local fix
Stop/Start the AMSM Advanced Message Security task after any change to the CRL directory configuration instead of using the REFRESH command.
Problem summary
USERS AFFECTED: All users of WebSphere MQ for z/OS Version 8 Release 0 Modification 0 using Advanced Message Security (AMS).

PROBLEM DESCRIPTION: After executing command REFRESH KEYRING in the AMS server task (AMSM), an incorrect message CSQ0652I is issued in JOBLOG indicating that CRL checking is enabled when configuration file CRLFILE does not have an LDAP directory configured.

RECOMMENDATION:

When AMSM is started with a valid CRL LDAP connection and the command "F qmgrAMSM,REFRESH KEYRING" is later issued after the LDAP connections have been removed from CRLFILE with the intention of disabling CRL checking, the current connection is not closed and an unexpected message CSQ0652I in JOBLOG confirms that CRL checking is enabled.

If a subsequent "F qmgrAMSM,REFRESH KEYRING" command is executed without changing CRLFILE to add LDAP configuration parameters, the current connection is closed even though message CSQ0652I in syslog says that CRL checking is enabled. Applications invoking MQGET and/or MQPUT calls to protected queues fail with MQRC 2063 (MQRC_SECURITY_ERROR) because the LDAP directory handle is invalid (reason 0335300C from z/OS Cryptographic Services System SSL).
Problem conclusion
The REFRESH command disables CRL checking when there are no valid CRL LDAP configuration parameters in the CRLFILE dataset or the CRLFILE cannot be opened. Any previous LDAP connection is closed.
000Y CSQ0DCNS CSQ0DSRV
Temporary fix
Comments
APAR Information
APAR number
PI55819
Reported component name
WMQ Z/OS 8
Reported component ID
5655W9700
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-01-21
Closed date
2016-02-02
Last modified date
2016-04-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI34955
Modules/Macros
CSQ0DCNS CSQ0DSRV
Fix information
Fixed component name
WMQ Z/OS 8
Fixed component ID
5655W9700
Applicable component levels
R000 PSY UI34955
UP16/03/03 P F603
Fix is available
Document Information
Modified date:
05 April 2016