APAR status
Closed as program error.
Error description
APAR raised to address issues with enabling non-weak CipherSpecs using the TLS 1.0 protocol. The CSQX696I message is being issued because some default behavior was changed in V9.2; as a result, the message is normally always issued on startup.

ADDITIONAL KEYWORDS: TLS10ON TLS10OFF WCIPSOFF WCIPSON GSKDCIPS CSQXWEAK CSQXSSL3

IBM Documentation: General SSL/TLS Configuration Guidance
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q013000_.html
Local fix
Problem summary
****************************************************************
USERS AFFECTED: All users of IBM MQ for z/OS Version 9 Release 2 Modification 0.
****************************************************************
PROBLEM DESCRIPTION: When using MQ with a Strong TLS 1.0 CipherSpec and DD card configuration using TLS10ON, the channel would not start.

When starting the CHINIT, a misleading CSQX696I message occurred, even when using CSQXWEAK DD card.
****************************************************************

Issue 1: Changes to CSQXGINI required that both TLS10ON and CSQXWEAK be specified before any TLS 1.0 ciphers could be enabled. (This should not be the case, since using TLS10ON on its own should enable "Strong" TLS 1.0 ciphers, e.g. 002F and 0035).

Issue 2: The default behaviour of CSQXSSLI was changed to issue CSQX696I by default, unless the GSKDCIPS DD card was included.
Problem conclusion
CSQXGINI and CSQXSSLI have been updated to prevent these issues from occurring. The Knowledge Center has also been updated, to remove confusion regarding the effects of TLS10ON, CSQXWEAK, and CSQXSSL3 DD cards:

========== DOC Change for V920 Knowledge Center ===============

The page "Deprecated CipherSpecs" for 9.2.0 will be modified:
(https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q014265_.html)
Home > IBM MQ 9.2.x > IBM MQ > Securing > Confidentiality of messages > Enabling CipherSpecs > Deprecated CipherSpecs

Under "Enabling deprecated CipherSpecs on z/OS", change second bullet point

FROM:
"If you want to re-enable the use of weak CipherSpecs, you do so by adding a dummy data definition (DD) statement named CSQXWEAK to the channel initiator JCL; for example:"

TO:
"If you want to re-enable the use of weak CipherSpecs, you do so by adding a dummy data definition (DD) statement named CSQXWEAK to the channel initiator JCL. If specified on its own, this will only enable TLS 1.2 Weak CipherSpecs; for example:"

Under "Enabling deprecated CipherSpecs on z/OS", change second bullet point

FROM:
"If you want to re-enable the use of SSLv3 CipherSpecs, you do so by also adding a dummy DD statement named CSQXSSL3 to the channel initiator JCL; for example:"

TO:
"If you want to re-enable the use of SSLv3 CipherSpecs, you do so by adding a dummy DD statement named CSQXSSL3 to the channel initiator JCL. Currently all SSLv3 CipherSpecs are considered Weak, so CSQXWEAK must also be specified:"

Under "Enabling deprecated CipherSpecs on z/OS", change third bullet point

FROM:
"If you want to re-enable the deprecated TLS V1 protocol, you do so by also adding a dummy DD statement named TLS10ON (turn TLS V1.0 ON) to the channel initiator JCL; for example:"

TO:
"If you want to re-enable the deprecated TLS V1 CipherSpecs, you do so by adding a dummy DD statement named TLS10ON (turn TLS V1.0 ON) to the channel initiator JCL. If specified on its own, this will enable TLS 1.0 Strong CipherSpecs. Add this alongside CSQXWEAK to enable Weak TLS V1 CipherSpecs:"

Under "Enabling deprecated CipherSpecs on z/OS", change fourth bullet point

FROM:
"If you want to explicitly turn off the deprecated TLS V1 protocol, you do so by adding a dummy DD statement named TLS10OFF (turn TLS V1.0 OFF) to the channel initiator JCL; for example:"

TO:
"If you want to explicitly turn off the deprecated TLS V1 CipherSpecs, you do so by adding a dummy DD statement named TLS10OFF (turn TLS V1.0 OFF) to the channel initiator JCL; for example:"

========== DOC Change for V920 Knowledge Center ===============

The page "Message manager messages (CSQM...)" for 9.2.0 will be modified:
(https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ref.doc/csq_m.html)
Home > IBM MQ 9.2.x > IBM MQ > Reference > Messages > IBM MQ for z/OS messages, completion, and reason codes > Messages For IBM MQ for z/OS > Message manager messages (CSQM...)

Under "CSQM102E", change "System programmer response", change paragraphs 2-5

FROM:
"If you want to re-enable the use of weak CipherSpecs, you can do so by adding a dummy Data Definition (DD) statement named CSQXWEAK to the channel initiator JCL. For example:
//CSQXWEAK DD DUMMY
If you want to re-enable the disabled SSLv3 support in IBM MQ, you can do so by adding a dummy Data Definition (DD) statement named CSQXSSL3 to the channel initiator JCL. For example:
//CSQXSSL3 DD DUMMY
If you want to re-enable the disabled TLS 1.0 support in IBM MQ, you can do so by adding a dummy Data Definition (DD) statement named CSQXTLS1 to the channel initiator JCL. For example:
//CSQXTLS1 DD DUMMY
You need to specify the CSQXWEAK dummy DD statement, and the:
-> CSQXSSL dummy DD statement, if you want to enable a weak SSL 3.0-based CipherSpec.
-> CSQXTLS dummy DD statement, if you want to enable a weak TLS 1.0-based CipherSpec
-> CSQXSSL and CSQXTLS dummy statements, if you want to enable both a weak SSL 3.0-based and TLS 1.0-based CipherSpec
"

TO:
"If you want to re-enable the use of weak CipherSpecs, or CipherSpecs using a deprecated protocol, see "Enabling deprecated CipherSpecs on z/OS" on this page: Deprecated CipherSpecs"

========== DOC Change for V920 Knowledge Center ===============

The page "Distributed queueing messages (CSQX...)" for 9.2.0 will be modified:
(https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ref.doc/csq_x.htm#csq_x__csqx671i)
Home > IBM MQ 9.2.x > IBM MQ > Reference > Messages > IBM MQ for z/OS messages, completion, and reason codes > Messages For IBM MQ for z/OS > Distributed queueing messages (CSQX...)

Under "CSQX616E", change "System programmer response", change paragraphs 3-5

FROM:
"If you want to re-enable the use of weak CipherSpecs, you can do so by adding a dummy Data Definition (DD) statement named CSQXWEAK and one or both of the following data definitions to the channel initiator JCL. For example:
//CSQXWEAK DD DUMMY
If you want to re-enable the disabled SSLv3 support in IBM MQ, you can do so by adding a dummy DD statement named CSQXSSL3 to the channel initiator JCL. For example:
//CSQXSSL3 DD DUMMY
If you want to re-enable the disabled TLS 1.0 support in IBM MQ, you can do so by adding a dummy DD statement named TLS10ON to the channel initiator JCL. For example:
//TLS10ON DD DUMMY"

TO:
"If you want to re-enable the use of weak CipherSpecs, or CipherSpecs using a deprecated protocol, see "Enabling deprecated CipherSpecs on z/OS" on this page: Deprecated CipherSpecs"

Under "CSQX674E", change "System programmer response", change paragraphs 3-5

FROM:
"If you want to re-enable the use of weak CipherSpecs, you can do so by adding a dummy Data Definition (DD) statement named CSQXWEAK and one or both of the following data definitions to the channel initiator JCL. For example:
//CSQXWEAK DD DUMMY
If you want to re-enable the disabled SSLv3 support in IBM MQ, you can do so by adding a dummy DD statement named CSQXSSL3 to the channel initiator JCL. For example:
//CSQXSSL3 DD DUMMY
If you want to re-enable the disabled TLS 1.0 support in IBM MQ, you can do so by adding a dummy DD statement named TLS10ON to the channel initiator JCL. For example:
//TLS10ON DD DUMMY"

TO:
"If you want to re-enable the use of weak CipherSpecs, or CipherSpecs using a deprecated protocol, see "Enabling deprecated CipherSpecs on z/OS" on this page: Deprecated CipherSpecs"

Under "CSQX690I", change "System programmer response", change paragraphs 2-4

FROM:
"If you want to re-enable the use of weak CipherSpecs, you can do so by adding a dummy Data Definition (DD) statement named CSQWEAK to the channel initiator JCL. For example:
//CSQWEAK DD DUMMY
If you want to re-enable the disabled SSLv3 support in IBM MQ, you can do so by adding a dummy DD statement named CSQXSSL3 to the channel initiator JCL. For example:
//CSQXSSL3 DD DUMMY
You need to specify both of the preceding dummy DD statements, if you want to enable a weak SSLv3-based CipherSpec."

TO:
"If you want to re-enable the use of weak CipherSpecs, or CipherSpecs using a deprecated protocol, see "Enabling deprecated CipherSpecs on z/OS" on this page: Deprecated CipherSpecs"

Under "CSQX692I", change "System programmer response", change paragraphs 2-4

FROM:
"If you want to re-enable the use of weak CipherSpecs, you can do so by adding a dummy Data Definition (DD) statement named CSQWEAK to the channel initiator JCL. For example:
//CSQWEAK DD DUMMY
If you want to re-enable the disabled SSLv3 support in IBM MQ, you can do so by adding a dummy DD statement named CSQXSSL3 to the channel initiator JCL. For example:
//CSQXSSL3 DD DUMMY
You need to specify both of the preceding dummy DD statements, if you want to enable a weak SSLv3-based CipherSpec."

TO:
"If you want to re-enable the use of weak CipherSpecs, or CipherSpecs using a deprecated protocol, see "Enabling deprecated CipherSpecs on z/OS" on this page: Deprecated CipherSpecs"

Under "CSQX694E", change "System programmer response", change paragraph 2

FROM:
"If you want to re-enable the use of TLS V1.0 support in IBM MQ, you can do so by adding a dummy Data Definition (DD) statement named TLS10ON to the channel initiator JCL. For example:
//TLS10ON DD DUMMY <code>"

TO:
"If you want to re-enable the use of weak CipherSpecs, or CipherSpecs using a deprecated protocol, see "Enabling deprecated CipherSpecs on z/OS" on this page: Deprecated CipherSpecs"
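The corrected DD-card wording for "Deprecated CipherSpecs" above can be turned into an audit of channel initiator JCL. The following is an added example, not IBM code and not part of the APAR: the function names and the sample JCL are constructed, and it assumes that a card which is absent leaves the corresponding CipherSpecs disabled.

```python
import re

# Dummy DD names from the APAR text that control deprecated CipherSpecs.
CARDS = {"CSQXWEAK", "CSQXSSL3", "TLS10ON", "TLS10OFF"}
# "//NAME DD DUMMY"; comment statements ("//*...") never match the name class.
DD_DUMMY = re.compile(r"^//([A-Z0-9$#@]+)\s+DD\s+DUMMY\b")

# Constructed sample JCL (not from the APAR); the data set name is a placeholder.
SAMPLE_JCL = """\
//PROCSTEP EXEC PGM=CSQXJST,REGION=0M
//STEPLIB  DD DSN=HLQ.SCSQAUTH,DISP=SHR
//*CSQXSSL3 DD DUMMY
//CSQXWEAK DD DUMMY
//TLS10ON  DD DUMMY
"""

def dd_cards(jcl):
    """Return the CipherSpec-related dummy DD names active in the JCL text."""
    names = (DD_DUMMY.match(line) for line in jcl.splitlines())
    return {m.group(1) for m in names if m and m.group(1) in CARDS}

def audit(cards):
    """Map DD cards to enabled CipherSpec classes, per the corrected wording."""
    weak, ssl3 = "CSQXWEAK" in cards, "CSQXSSL3" in cards
    notes = []
    tls10 = "TLS10ON" in cards
    if tls10 and "TLS10OFF" in cards:
        # The APAR does not say which card wins, so report it rather than guess.
        tls10 = None
        notes.append("TLS10ON and TLS10OFF both present: outcome not documented")
    if ssl3 and not weak:
        notes.append("CSQXSSL3 without CSQXWEAK: SSLv3 CipherSpecs need both")
    classes = {
        "TLS 1.2 weak": weak,             # CSQXWEAK on its own
        "TLS 1.0 strong": tls10,          # TLS10ON on its own
        "TLS 1.0 weak": weak and tls10,   # needs TLS10ON plus CSQXWEAK
        "SSLv3": ssl3 and weak,           # all SSLv3 CipherSpecs count as weak
    }
    return classes, notes

if __name__ == "__main__":
    classes, notes = audit(dd_cards(SAMPLE_JCL))
    for name, state in classes.items():
        label = "UNKNOWN" if state is None else "enabled" if state else "off"
        print(f"{name:15} {label}")
    for note in notes:
        print("NOTE:", note)
```

A result of `None` for a TLS 1.0 class means the JCL carries both TLS10ON and TLS10OFF and should be reviewed by hand.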
Temporary fix
Comments
APAR Information
APAR number
PH33782
Reported component name
IBM MQ Z/OS V9
Reported component ID
5655MQ900
Reported release
200
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-01-25
Closed date
2022-09-22
Last modified date
2022-09-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI74360
Modules/Macros
CSQXGINI CSQXSSLI
Fix information
Fixed component name
IBM MQ Z/OS V9
Fixed component ID
5655MQ900
Applicable component levels
Document Information
Modified date:
22 September 2022