What's changed in IBM MQ 9.3.x CD CSUs

Cumulative security updates (CSUs) typically contain small numbers of security updates, but IBM® might on occasion ship additional APARs in these deliveries if a technical need should arise, for example if intrinsically linked to a security update.

IBM MQ 9.3.5 CSU 1

Removal of support for RSA key exchange when operating in FIPS mode

From IBM MQ 9.3.5 CSU 1, the IBM Java 8 JRE removes support for RSA key exchange when operating in FIPS mode. This removal applies to the following CipherSuites:

TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

To continue using FIPS mode, the following IBM MQ components should be changed to use a CipherSuite that is still supported:

AMQP server
Managed File Transfer (MFT)
IBM MQ Console
IBM MQ Explorer
IBM MQ REST API
IBM MQ Telemetry service

For more information, see TLS CipherSpecs and CipherSuites in IBM MQ classes for Java.