A fix is available
APAR status
Closed as program error.
Error description
Change team finds that, when PRIMEPSA (IGVDGNPP) is enabled, the following errors can be generated between SSL partners (i.e. CSQX645E / CSQX620E) because an attempt to locate the default key label fails. This is because CSQXGSSI does not correctly check that pChlCertLabel is set before referencing it as the channel label. (In the APAR'd case the error does not occur if CERTLABL is specified at the channel level.) When no label is passed, this reference will normally get a 'label' beginning with a null character '00'x, which is correctly treated as no label. However, with PRIMEPSA enabled, the 'label' is based on values set by PRIMEPSA in low core. This causes an attempt to locate the certificate to use based on an invalid label, leading to the reported errors.
Local fix
Disable PRIMEPSA
Problem summary
USERS AFFECTED: All users of IBM MQ for z/OS Version 9 Release 0 Modification 0.

PROBLEM DESCRIPTION: When a channel is started while PRIMEPSA is on, the customer reported 'System SSL error' on the sender qmgr and 'Certificate missing for channel' on the receiver qmgr:

    CSQX645E CSQXRESP Certificate xxx missing for channel xxx

    CSQX620E CSQXRCTL System SSL error, channel xxx connection xxx function 'gsk_secure_socket_init' RC=438

When the receiver end of the channel starts, a gsk_secure_socket_init request is eventually called by CSQXGSKI with NULL passed for several parameters, including the certificate label pChlCertLabel. Because NULL has been passed, the pChlCertLabel check is based on the contents of address 0 (the PSA). Without PRIMEPSA on, the check is likely to read a 0 and correctly determine that no label was provided; with PRIMEPSA turned on it does not read 0. This results in the check incorrectly determining that a label was passed.
Problem conclusion
Code in csqxgssi.c corrected so that when the check is done on the first character of pChlCertLabel, it is checked for NULL first so that it is not incorrectly dereferenced.
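The failure mode described above, as an added example that is not IBM's code: storage is simulated with a byte array in which offset 0 plays the role of address 0 (the PSA), so the flawed and corrected checks can be compared on any platform. All function names, the label text and the 0xC5 byte are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simulated storage. Offset 0 stands in for address 0 (the PSA), which is
 * readable on z/OS; offsets stand in for pointers and offset 0 is NULL. */
#define STORAGE_SIZE 64
#define LABEL_OFF    16   /* constructed location of a channel label */

static unsigned char storage[STORAGE_SIZE];

/* Lay out storage: psa_byte is what sits at address 0; the label text is
 * a constructed sample value. */
static void init_storage(unsigned char psa_byte)
{
    memset(storage, 0, sizeof storage);
    storage[0] = psa_byte;
    strcpy((char *)&storage[LABEL_OFF], "CONSTRUCTED.LABEL");
}

/* Flawed check as the APAR describes it: only the first character is
 * examined, so a NULL pointer reads whatever is at address 0. */
int label_present_unchecked(size_t p_label)
{
    return storage[p_label] != 0x00;
}

/* Corrected check: test for NULL first, then the first character. */
int label_present_checked(size_t p_label)
{
    return p_label != 0 && storage[p_label] != 0x00;
}

/* Run one scenario: returns 1 if the check decides a label was passed. */
int label_detected(unsigned char psa_byte, size_t p_label, int use_fix)
{
    init_storage(psa_byte);
    return use_fix ? label_present_checked(p_label)
                   : label_present_unchecked(p_label);
}

int main(void)
{
    /* 0xC5 is a constructed non-zero byte standing in for primed low core. */
    printf("unprimed, NULL, unchecked: %d\n", label_detected(0x00, 0, 0));
    printf("primed,   NULL, unchecked: %d\n", label_detected(0xC5, 0, 0));
    printf("primed,   NULL, checked:   %d\n", label_detected(0xC5, 0, 1));
    printf("primed,   label, checked:  %d\n", label_detected(0xC5, LABEL_OFF, 1));
    return 0;
}
```

The unchecked version only appears correct while address 0 happens to hold zero, which is why the defect surfaced when PRIMEPSA was enabled.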
Temporary fix
Comments
APAR Information
APAR number
PH14757
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-07-22
Closed date
2019-08-12
Last modified date
2019-10-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI64696
Modules/Macros
CSQXGSSI
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
R000 PSY UI64696
UP19/09/26 P F909
Document Information
Modified date:
01 October 2019