APAR status
Closed as program error.
Error description
Users applying MQ fix pack 8.0.0.6, which contains APAR IV90867: Deprecation of 3DES CipherSpecs, remain able to use these deprecated CipherSpecs for inbound TLS connections by default if the queue manager is configured with SSLFIPS(YES).
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of MQ 8.0.0.6, who have a queue manager configured to run in FIPS-compliant mode [SSLFIPS(YES)], and wish for the following CipherSpecs to be disabled for inbound TLS connections by default:

TLS_RSA_WITH_3DES_EDE_CBC_SHA
ECDHE_ECDSA_3DES_EDE_CBC_SHA256
ECDHE_RSA_3DES_EDE_CBC_SHA256

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
An omission in the logic of the CipherSpec deprecation added in MQ 8.0.0.6 IV90867 caused the deprecation of the CipherSpecs listed above to be ignored for inbound TLS connections when FIPS mode was enabled for the queue manager.

If FIPS mode was not enabled, the CipherSpecs were disabled for inbound TLS connections by default as expected.

The queue manager correctly rejected these CipherSpecs for outbound TLS connections by default, regardless of the SSLFIPS setting.
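An added example, not IBM's code: a Python audit of captured runmqsc output from `DISPLAY QMGR SSLFIPS` and `DISPLAY CHANNEL(*) SSLCIPH` that lists inbound channels still defined with the three CipherSpecs named in the problem summary on a queue manager running SSLFIPS(YES). The sample output, the channel names and the set of channel types treated as inbound are assumptions constructed for illustration.

```python
import re

# The three CipherSpecs named in this APAR.
DEPRECATED_3DES = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                   "ECDHE_ECDSA_3DES_EDE_CBC_SHA256",
                   "ECDHE_RSA_3DES_EDE_CBC_SHA256"}
# Assumption: channel types that can accept an inbound connection.
INBOUND_TYPES = {"RCVR", "RQSTR", "SVR", "SVRCONN", "CLUSRCVR"}
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # MQSC NAME(value) pairs

def parse_records(mqsc_output):
    """Split runmqsc output into one attribute dict per AMQnnnn response."""
    records, current = [], None
    for line in mqsc_output.splitlines():
        if re.match(r"\s*AMQ\d{4}", line):   # response header starts a record
            current = {}
            records.append(current)
        elif current is not None:            # skip command echo before it
            current.update((k, v.strip()) for k, v in ATTR.findall(line))
    return records

def exposed_channels(qmgr_output, channel_output):
    """Return (channel, type, cipherspec) for inbound channels defined with a
    deprecated 3DES CipherSpec on a queue manager running SSLFIPS(YES)."""
    qmgr = next(iter(parse_records(qmgr_output)), {})
    if qmgr.get("SSLFIPS") != "YES":
        return []  # the gap described in this APAR applies only in FIPS mode
    return [(r.get("CHANNEL"), r.get("CHLTYPE"), r.get("SSLCIPH"))
            for r in parse_records(channel_output)
            if r.get("SSLCIPH") in DEPRECATED_3DES
            and r.get("CHLTYPE") in INBOUND_TYPES]

# Constructed sample output (hypothetical queue manager and channel names).
SAMPLE_QMGR = """AMQ8408: Display Queue Manager details.
   QMNAME(QM1)                             SSLFIPS(YES)
"""
SAMPLE_CHANNELS = """AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(TO.PARTNER)                     CHLTYPE(SDR)
   SSLCIPH(ECDHE_RSA_3DES_EDE_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(FROM.PARTNER)                   CHLTYPE(RCVR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(CLUS.IN)                        CHLTYPE(CLUSRCVR)
   SSLCIPH(ECDHE_ECDSA_3DES_EDE_CBC_SHA256)
"""

if __name__ == "__main__":
    print(exposed_channels(SAMPLE_QMGR, SAMPLE_CHANNELS))
```

Channels it reports on an 8.0.0.6 queue manager are candidates for a CipherSpec change ahead of the corrected default behaviour.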
Problem conclusion
The queue manager inbound channel logic has been corrected to reject inbound TLS connections using these deprecated CipherSpecs by default. Deprecated CipherSpecs may be re-enabled using the steps documented in the MQ Knowledge Center:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q120565_.htm

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.7

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes':
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates':
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT19318
Reported component name
WEBSPHERE MQ 7.
Reported component ID
5724H7240
Reported release
750
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-02-17
Closed date
2017-02-28
Last modified date
2017-02-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE MQ 7.
Fixed component ID
5724H7240
Applicable component levels
Document Information
Modified date:
31 March 2023