IBM Support

CSQX620E RC 456 RC 438 when using CipherSpec ECDHE_RSA_WITH_AES_256_GCM_SHA384

Troubleshooting


Problem

When attempting to start secure channels defined with the CipherSpec ECDHE_RSA_WITH_AES_256_GCM_SHA384, activation fails with CSQX620E (System SSL error, channel channel-name connection conn-id function 'gsk_secure_socket_init' RC=456). RC 438 may also be returned.

Symptom

CSQX620E RC 456 or RC 438. By comparison, the same channels start successfully if the CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256 is used instead.

Cause

Incorrect TLS/SSL security configuration

Diagnosing The Problem

Review the externalized messages and the SSL trace, along with the SSL configuration, ACP settings and certificate construction.

Resolving The Problem

IBM MQ on z/OS requires certain fixes and settings to be in place in order to allow activation of some of the strong TLS 1.2 CipherSpecs.

(1) For MQ version 8, ensure that the applicable PTF for PI97499 is applied on all z/OS queue managers that will connect via secure channels. At version 9, the fix for PI85046 is applicable.

(2) Review the MQ Knowledge Center reference > Digital certificates and CipherSpec compatibility in IBM MQ, Table 1, to ensure that the proper type of certificate is being used for the type of CipherSpec to be used. For example, in a SENDER/RECEIVER channel pair, if a Type 2 cipher is to be used, then the SSL client must use a certificate that employs an RSA public key. In such a configuration the SENDER channel represents the SSL client and the RECEIVER channel is the SSL server. The certificate configuration on the remote end of the channel (e.g. RECEIVER) must also meet the requirements for the chosen type of cipher, otherwise the channel will fail to start.

In configurations where a Java client will use such a cipher, only up-level clients are able to do so (being at least at the 8.0.0.2+ client code level), with the recommendation that 8.0.0.5 be used to remediate other known issues (e.g. IT10837).

(3) Further, for clients connecting, the administrator should confirm whether any required unlimited/unrestricted Java security policies are installed, as described in the Knowledge Center topic > SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java.

(4) Certain ACPs (access points) must also be enabled to support the use of certain ciphers (these being ECC Diffie-Hellman - Allow BP Curve 224, and ECC Diffie-Hellman - Allow Prime Curve 224).

Whether point (4) is the root cause can be confirmed by reviewing a z/OS System SSL trace captured during a failed channel start.
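
One way to check the certificate requirement in point (2) on a workstation, as an added example that is not IBM code and not part of this technote: it reads the public-key algorithm from a DER-encoded certificate and compares it with what the CipherSpec name implies. The function names are hypothetical, the sample certificates are constructed skeletons, and the name rule covers only ECDHE_RSA_ and ECDHE_ECDSA_ CipherSpecs; for any other name, consult Table 1.

```python
# Added example (not IBM code): compare a certificate's key type with the CipherSpec name.
KEY_TYPES = {"1.2.840.113549.1.1.1": "RSA",   # rsaEncryption
             "1.2.840.10045.2.1": "EC"}       # id-ecPublicKey

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):  # OID content bytes -> dotted notation
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)              # the first value packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def cert_key_type(der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm OID."""
    _, pos, _ = read_tlv(der, 0)               # Certificate
    _, pos, _ = read_tlv(der, pos)             # tbsCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _ in range(5):                         # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)             # subjectPublicKeyInfo
    _, pos, _ = read_tlv(der, pos)             # AlgorithmIdentifier
    _, start, end = read_tlv(der, pos)         # algorithm OID
    return KEY_TYPES.get(decode_oid(der[start:end]), "other")

def key_type_ok(cipherspec, der):
    """True/False for ECDHE_RSA_/ECDHE_ECDSA_ names; None when the name decides nothing."""
    need = "RSA" if "ECDHE_RSA_" in cipherspec else "EC" if "ECDHE_ECDSA_" in cipherspec else None
    return None if need is None else cert_key_type(der) == need

# Constructed sample: certificate-shaped DER skeletons (empty names, no real key material).
def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body      # short-form length, enough for the samples

def sample_cert(oid_hex):
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05)) + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))
RSA_CERT, EC_CERT = sample_cert("2a864886f70d010101"), sample_cert("2a8648ce3d0201")
```

Run `key_type_ok` against the DER export of the personal certificate at each end of the channel; a `False` result for either end matches the mismatch described in point (2).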

Document Location

Worldwide

Product: IBM MQ
Component: Security; SSL; TLS
Platform: z/OS
Version: 8.0; 9.0; 9.1
Business Unit: Cloud & Data Platform
Line of Business: Automation

Historical Number

TS002529330

Document Information

Modified date:
15 September 2020

UID

ibm11084575