News
Abstract
Customers running channels with GCM CipherSpecs might notice connections ending with error AMQ9288E after prolonged usage of the same session key.
Content
After sending 2^32 TLS records using the same session key, a channel will end with error AMQ9288E.
This limit exists because of a security vulnerability within GCM CipherSpecs: prolonged usage of the same session key gives an attacker a higher chance of calculating the session key in use and gaining access to the secure communication.
To prevent a channel failing with error AMQ9288E, you have these choices:
1) Enable Secret Key resets on the channel in order to renegotiate the session keys in use after a certain number of bytes have been sent through the channel.
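2) Use a different CipherSpec on the channel, one that does not use GCM and is not affected by this vulnerability.
3) Set the following environment variable before starting an MQ queue manager or an MQ client application to disable this restriction. With the restriction disabled, the channel no longer ends after 2^32 TLS records, so the exposure from prolonged usage of the same session key described above remains.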
Linux/AIX:
export GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE
Windows:
set GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE
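An added example, not IBM code: a Linux shell check that finds processes started with the restriction disabled by reading each process's startup environment from /proc/<pid>/environ. The function names and the PROC_ROOT override are hypothetical, and it assumes GSK_FALSE is the only value that disables the restriction.

```shell
#!/bin/sh
# Added audit helper (illustrative, not part of IBM MQ).

# gcm_override_state FILE
# FILE is a NUL-separated environment block, the format Linux uses for
# /proc/<pid>/environ. Prints "disabled" when the variable from this
# technote is set to GSK_FALSE, otherwise "enforced".
gcm_override_state() {
    # First match wins, which is what getenv() returns for a duplicate.
    val=$(tr '\000' '\n' < "$1" |
          sed -n 's/^GSK_ENFORCE_GCM_RESTRICTION=//p' | head -n 1)
    if [ "$val" = "GSK_FALSE" ]; then
        echo disabled
    else
        echo enforced
    fi
}

# audit_pids PID...
# Prints one line for every PID whose startup environment disables the
# restriction. Returns 1 if at least one was found, 0 otherwise.
# PROC_ROOT is a hypothetical override so the check can be tested
# against constructed files instead of the live /proc.
audit_pids() {
    found=0
    for pid in "$@"; do
        env_file="${PROC_ROOT:-/proc}/$pid/environ"
        if [ ! -r "$env_file" ]; then
            echo "skip $pid: environ not readable" >&2
            continue
        fi
        if [ "$(gcm_override_state "$env_file")" = "disabled" ]; then
            echo "PID $pid: GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE"
            found=1
        fi
    done
    return "$found"
}
```

Run it as root or as the account that owns the processes, for example `audit_pids $(pgrep -u mqm)`, where mqm is assumed to be the user running the queue manager. A variable set only in a shell profile shows up here once the queue manager or client has been restarted from that shell.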
Document Information
Modified date:
06 May 2024
UID
swg21964105