A fix is available
APAR status
Closed as program error.
Error description
Additional Symptom(s): z/OS MQv9 QMGR receives CSQX575E <XXXX CSQXRESP Negotiation failed for channel, and the MQ Client fails with 2594 MQRC_PASSWORD_PROTECTION_ERROR.
The failure occurs because an unexpected error code is received when the chinit issues an ioctl to determine whether the channel has been secured by AT-TLS, and therefore whether the 'NULL' algorithm is allowable. When the ioctl call is made, the buffer provided is too small to hold the returned certificate, so an error is returned. The code expects this and checks for the condition; however, in this instance a different error code is returned than the one expected.
Search Keyword(s): MQv9 CSQX575E MQ Client MQRC 2594 MQRC_PASSWORD_PROTECTION_ERROR
Local fix
Problem summary
USERS AFFECTED: All users of IBM MQ for z/OS Version 9 Release 0 Modification 0 and Release 1 Modification 0.
PROBLEM DESCRIPTION: MQ clients connecting to a z/OS queue manager using an AT-TLS configured socket and presenting a client certificate fail with MQRC 2594 MQRC_PASSWORD_PROTECTION_ERROR.
Older MQ clients fail with MQRC 2009 MQRC_CONNECTION_BROKEN, and the cause is reported using CSQX296E.
A client configured to use SSL/TLS indicates that the password does not need protecting, because the connection is already secured. However, because the SSL/TLS protection is transparent to the channel initiator when AT-TLS is used, the channel is not configured for SSL/TLS at the server, and so a SIOCTTLSCTL request is issued to detect whether the connection is secured by AT-TLS.
If no client certificate was presented (server handshaking), the call succeeds. However, if a certificate was presented (Server with Client Auth), an error in the processing of the return code from the request causes the server to incorrectly determine that the connection is not secured, and to fail the channel connection.
Problem conclusion
The error in checking the return code from the SIOCTTLSCTL request is corrected so that the state of the connection is correctly detected.
Temporary fix
Comments
APAR Information
APAR number
PH04516
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-10-25
Closed date
2018-11-15
Last modified date
2019-01-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI59736 UI59737
Modules/Macros
CMQXRMSA
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
Fix is available
Document Information
Modified date:
02 January 2019