A fix is available
APAR status
Closed as program error.
Error description
http://www-01.ibm.com/support/docview.wss?uid=swg21687433 Security states that deprecation of TLS_RSA_WITH_NULL_SHA256 prevents its use within WebSphere MQ; however, the user is able to define/start distributed channels with that CipherSpec. The CipherSpec's attribute will need to be updated to indicate it is considered WEAK.
Local fix
Problem summary
USERS AFFECTED: All users of WebSphere MQ for z/OS Version 8 Release 0 Modification 0.

PROBLEM DESCRIPTION: On distributed platforms, CipherSpec TLS_RSA_WITH_NULL_SHA256 is now declared as being "weak" but is not marked as weak on z/OS.

RECOMMENDATION:

The PTF for APAR PI40486 added the concept of "weak CipherSpecs", which are CipherSpecs that are not recommended to be used and will be disabled by default unless action is taken by the system programmer to re-enable them. Since APAR PI40486 was closed, an additional CipherSpec, TLS_RSA_WITH_NULL_SHA256, has been marked as weak on distributed platforms. For consistency this CipherSpec is now being marked as weak on z/OS as well.
Problem conclusion
Channels that use CipherSpec TLS_RSA_WITH_NULL_SHA256 will be unable to connect following the application of this PTF unless additional steps are taken.

Prior to applying this PTF, it is possible to determine whether your z/OS Queue Manager will be affected by the change or not. In order to determine whether any channels are defined that may use this weak CipherSpec, you can issue the following command to display affected channels:

    DISPLAY CHL(*) WHERE(SSLCIPH EQ TLS_RSA_WITH_NULL_SHA256)

The above command will display a list of the channels configured to use that CipherSpec or "NO CHANNEL FOUND MATCHING REQUEST CRITERIA", which indicates that no channels are configured to use it.

If any channels are identified using the above command, you should take appropriate action (such as changing the CipherSpec to one that is not known to be weak) before applying the PTF, otherwise your channels may fail to connect.

Customers that wish to re-enable the use of weak CipherSpecs may do so by adding a dummy Data Definition (DD) statement named "CSQXWEAK" to the channel initiator JCL, e.g.:

    //CSQXWEAK DD DUMMY

There are alternative mechanisms that may be used to forcibly re-enable weak CipherSpec support if the Data Definition change is unsuitable. Please contact IBM Service for further information.

Please note that re-enabling CipherSpecs in this manner will leave systems exposed to possible security problems. It is recommended to only use secure CipherSpecs that are not considered weak.

000Y CSQMCNAC CSQXCCIS
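An offline complement to the DISPLAY CHL check above, as an added example that is not part of the original APAR text or IBM code: it scans MQSC DEFINE/ALTER CHANNEL commands held as plain text for the weak CipherSpec, including definitions split across continuation lines. The function names and the sample definitions are constructed for illustration, and it assumes the channel definitions are available as an MQSC text file.

```python
import re

# Weak CipherSpec named in this APAR; add others to the set as needed.
WEAK_CIPHERSPECS = {"TLS_RSA_WITH_NULL_SHA256"}

CHANNEL_RE = re.compile(
    r"\b(?:DEFINE|DEF|ALTER|ALT)\s+(?:CHANNEL|CHL)\s*\(\s*'?([^')\s]+)'?\s*\)", re.I)
SSLCIPH_RE = re.compile(r"\bSSLCIPH\s*\(\s*'?([^')\s]*)'?\s*\)", re.I)

def join_continuations(text):
    """Rebuild whole MQSC commands. A trailing '+' continues at the next
    line's first non-blank character, a trailing '-' at its first column.
    Lines with '*' in column 1 are comments."""
    commands, buf, lstrip_next = [], "", False
    for raw in text.splitlines():
        if raw.startswith("*") or not raw.strip():
            continue
        line = raw.rstrip()
        if lstrip_next:
            line = line.lstrip()
        if line.endswith(("+", "-")):
            lstrip_next = line.endswith("+")
            buf += line[:-1]
        else:
            commands.append(buf + line)
            buf, lstrip_next = "", False
    if buf:
        commands.append(buf)
    return commands

def channels_using_weak_cipherspec(mqsc_text):
    """Return (channel, CipherSpec) pairs whose SSLCIPH is in WEAK_CIPHERSPECS."""
    hits = []
    for cmd in join_continuations(mqsc_text):
        chl, ciph = CHANNEL_RE.search(cmd), SSLCIPH_RE.search(cmd)
        # Unquoted MQSC values are folded to upper case, so compare that way.
        if chl and ciph and ciph.group(1).upper() in WEAK_CIPHERSPECS:
            hits.append((chl.group(1), ciph.group(1).upper()))
    return hits

# Constructed sample definitions, not taken from a real queue manager.
SAMPLE = """\
* Constructed sample channel definitions
DEFINE CHANNEL(QM1.TO.QM2) CHLTYPE(SDR) +
       CONNAME('host2.example(1414)') XMITQ(QM2) +
       SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
DEFINE CHANNEL(QM1.TO.QM3) CHLTYPE(SDR) +
       CONNAME('host3.example(1414)') XMITQ(QM3) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
def chl(APP.SVRCONN) chltype(svrconn) sslciph(tls_rsa_with_null_sha256)
DEFINE CHANNEL(PLAIN.SVRCONN) CHLTYPE(SVRCONN)
"""

if __name__ == "__main__":
    for name, spec in channels_using_weak_cipherspec(SAMPLE):
        print(f"{name}: {spec} is weak; change SSLCIPH before applying the PTF")
```

A text scan only covers the definitions in the file it is given, so the DISPLAY CHL command on the running queue manager remains the authoritative check.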
Temporary fix
Comments
APAR Information
APAR number
PI61530
Reported component name
WMQ Z/OS 8
Reported component ID
5655W9700
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-04-27
Closed date
2016-05-27
Last modified date
2016-08-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI62193 UI38234
Modules/Macros
CSQMCNAC CSQXCCIS
Fix information
Fixed component name
WMQ Z/OS 8
Fixed component ID
5655W9700
Applicable component levels
R000 PSY UI38234
UP16/07/06 P F607
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 August 2016