IBM Support

PH44568: ELIMINATE THE NEED FOR PRODUCER CERTIFICATES & KEYRINGS WHEN USING AMS 'CONFIDENTIALITY' QOP IN BINDINGS

A fix is available


APAR status

  • Closed as program error.

Error description

  • During a Proof of Concept, it was determined that the use of
    AMS 'Confidentiality' QOP using encryption required the use of
    personal certificates and keyrings for the putting application.
    With additional testing, it was determined that this was not
    necessary, as 'dummy' certificates were used and access was
    still allowed, with no errors posted.
    This was proof positive that with AMS 'Confidentiality' QOP
    the producer's certificates were not even considered.
    This APAR is raised to eliminate this requirement when using
    AMS 'Confidentiality' Quality of Protection.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 2 Modification 0.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: When opening an AMS protected queue in  *
    *                      bindings mode, the putting application  *
    *                      user ID's drq.ams.keyring key ring is   *
    *                      opened. The MQOPEN or MQPUT1 fails if   *
    *                      the key ring doesn't exist. The key     *
    *                      ring isn't used if the queue is         *
    *                      protected by a confidentiality policy.  *
    ****************************************************************
    When putting a message to a queue protected by an AMS
    confidentiality policy, the symmetric key used to encrypt the
    messages is encrypted using the recipients' public key
    certificates. The putting application user ID's key ring or
    certificates aren't used for this operation.
    
    The code currently tries to open the putting application user
    ID's drq.ams.keyring key ring irrespective of the AMS quality of
    protection used to protect the queue. This is despite the key
    ring contents not being used when putting to confidentiality
    protected queues.
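The summary above explains why the producer's key ring is irrelevant under a confidentiality policy: the per-message symmetric key is wrapped for the recipients' public keys, and nothing belonging to the producer takes part. The Go program below is an added illustration of that split of key material; it is not IBM code and does not reproduce the AMS wire format or its algorithms. The Envelope layout, the AES-256-GCM / RSA-OAEP / RSA-PSS choices, and the names ProtectConfidentiality, ProtectPrivacy, Unprotect, NewKey and CONSUMER1 are assumptions made for this example. ProtectConfidentiality takes no producer key at all, which is the situation the APAR corrects; ProtectPrivacy stands in for a sign-and-encrypt policy, the case in which the producer's private key, and so its key ring, is genuinely required.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is an assumed layout (not the real AMS format): AES-256-GCM payload plus the content key RSA-OAEP-wrapped per recipient.
type Envelope struct {
	Nonce, Ciphertext, Signature []byte            // Signature is set only by ProtectPrivacy
	WrappedKey                   map[string][]byte // recipient name -> wrapped content key
}

// NewKey makes a 2048-bit RSA key pair for the demo (a stand-in for a key ring entry).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// aead builds the AES-256-GCM instance for a content key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectConfidentiality models a confidentiality policy as the APAR describes it: only recipients' public keys are needed.
func ProtectConfidentiality(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 content key followed by the standard 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := aead(contentKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKey: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[name] = wrapped
	}
	return env, nil
}

// ProtectPrivacy models a sign-and-encrypt policy: here the producer must hold its own private key.
func ProtectPrivacy(plaintext []byte, recipients map[string]*rsa.PublicKey, producer *rsa.PrivateKey) (*Envelope, error) {
	if producer == nil {
		return nil, fmt.Errorf("privacy policy: producer private key (key ring) is required")
	}
	env, err := ProtectConfidentiality(plaintext, recipients)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(append(append([]byte{}, env.Nonce...), env.Ciphertext...)) // sign nonce || ciphertext
	env.Signature, err = rsa.SignPSS(rand.Reader, producer, crypto.SHA256, sum[:], nil)
	return env, err
}

// Unprotect recovers the payload as recipient name, checking the producer's signature first when producerPub is
// given. With producerPub == nil (confidentiality policy) the sender is NOT authenticated by the consumer.
func Unprotect(env *Envelope, name string, priv *rsa.PrivateKey, producerPub *rsa.PublicKey) ([]byte, error) {
	if producerPub != nil {
		sum := sha256.Sum256(append(append([]byte{}, env.Nonce...), env.Ciphertext...))
		if err := rsa.VerifyPSS(producerPub, crypto.SHA256, sum[:], env.Signature, nil); err != nil {
			return nil, fmt.Errorf("producer signature check failed: %w", err)
		}
	}
	// A name with no wrapped key yields nil here, which RSA-OAEP rejects as a decryption error.
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey[name], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() { // stand-alone demo: the producer holds no key of its own, only the consumer's public key
	consumer := NewKey() // constructed consumer key pair
	env, _ := ProtectConfidentiality([]byte("constructed payload"), map[string]*rsa.PublicKey{"CONSUMER1": &consumer.PublicKey})
	got, err := Unprotect(env, "CONSUMER1", consumer, nil)
	fmt.Printf("%s %v\n", got, err)
}
```

The point to carry away from the APAR is the one the example makes explicit: a confidentiality policy encrypts to the recipients but does not authenticate the producer, which is why 'dummy' producer certificates went unnoticed in the reporter's proof of concept. If consumers need to know who put a message, the policy has to sign it, and for a signing policy the producer's private key and key ring remain required; the relaxation in this APAR applies only to bindings-mode applications that do nothing more than put to confidentiality-protected queues.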
    

Problem conclusion

  • The requirement for a putting application user ID to have a
    drq.ams.keyring key ring has been removed when the application,
    connected in bindings mode, does nothing more than open a
    confidentiality-protected queue for output.
    
    The IBM MQ for z/OS Version 9.2 Documentation is updated:
    IBM MQ 9.2
     IBM MQ
      Configuring
       Configuring queue managers on z/OS
        Setting up IBM MQ for z/OS
         Configuring Advanced Message Security for z/OS
          Create key rings for Advanced Message Security
    (https://www.ibm.com/docs/en/ibm-mq/9.2?topic=zos-create-key-rings-advanced-message-security)
    
    Add an informational Notes table below Procedure step 5 with
    contents:
    "
    1. Steps 2 and 5 are not required if the application only opens
       a queue for output and sends messages to queues protected by
       an AMS confidentiality policy.
    "
    
    Add superscript 1 to Procedure steps 2 and 5.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH44568

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-03-02

  • Closed date

    2022-04-01

  • Last modified date

    2022-05-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI79987

Modules/Macros

  • CSQ0DPRI
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels

  • R200 PSY UI79987

       UP22/04/13 P F204


Document Information

Modified date:
04 May 2022