Encountering error AMQ9288E for channels using GCM based CipherSpecs

News

Abstract

Customers running channels with GCM CipherSpecs might notice connections ending with error AMQ9288E after prolonged usage of the same session key.

Content

Following an NIST recommendation, the default behavior for channels using GCM CipherSpecs has been changed in MQ 8.0.0.4.
After sending 2^32 TLS records using the same session key, a channel will end with error AMQ9288E.

This is because a security vulnerability within GCM CipherSpecs means prolonged usage of the same session keys results in a higher chance of an attacker calculating the session keys in use and gaining access to the secure communication.

To prevent a channel failing with error AMQ9288E, you have these choices:

1) Enable Secret Key resets on the channel in order to renegotiate the session keys in use after a certain number of bytes have been sent through the channel.

2) Use a different CipherSpec on a channel that does not use GCM and is not affected by this vulnerability.

3) You can also set the following environment variable before starting an MQ queue manager or an MQ Client application to disable this restriction.

Linux/AIX:
export GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE

Windows:
set GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE

+++ end +++

[{"Type":"MASTER","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"ARM Category":[{"code":"a8m0z00000008MzAAI","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Tips

Encountering error AMQ9288E for channels using GCM based CipherSpecs

News

Abstract

Content

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?