IBM Support

IT09423: WMQ-JAVA/JMS: NOT ABLE TO CONNECT TO A SSLV3 SECURED CHANNEL WHEN USING A NON-IBM JRE WITH IV66840 ACTIVATED

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In WebSphere MQ 7.5, when APAR IV66840 is enabled to allow the
    use of TLS CipherSuites when using a non-IBM JRE, SSLv3
    CipherSuites can no longer be used to communicate with the queue
    manager, as was permitted prior to the activation of IV66840.
    
    Customers may need to use SSLv3 and TLS CipherSuites
    simultaneously from within the same non-IBM JVM, especially when
    migrating. To use the TLS CipherSuites, APAR IV66840 must be
    enabled through the use of the system property:
    
      com.ibm.mq.cfg.useIBMCipherMappings=false
    
    Once this property has been configured, the SSLv3 CipherSuites
    can no longer be used within the JVM to communicate with the
    queue manager.
    

Local fix

  • Run MQ Java applications in separate JVMs, some with APAR
    IV66840
    enabled, and some with it not enabled, this may mean
    re-engineering an application.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of WebSphere MQ classes for Java/JMS who have a
    requirement to connect from within the same non-IBM JVM to queue
    manager channels which are secured using a mix of both SSLv3 and
    TLS protocols.
    
    
    Platforms affected:
    AIX, HP-UX Itanium, Linux on Power, Linux on S390, Linux on x86,
    Linux on x86-64, Linux on zSeries, Solaris SPARC, Solaris
    x86-64, Windows, MultiPlatform, HP-UX PA-RISC
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    IV66840 added the capability to use TLS CipherSuites from a
    non-IBM JVM.
    
    To do this, a JVM system property must be defined with a
    specific value:
    
      com.ibm.mq.cfg.useIBMCipherMappings=false
    
    However doing this also disables the less secure SSLv3
    CipherSuites from within the JVM.
    
    
    On reflection this was not the appropriate action, as a user is
    not able to use both types of protocol within the same non-IBM
    JVM. The prevention of the SSLv3 protocols is policed by both
    recent JREs and the queue manager, and so does not need to be
    prohibited from within the WebSphere MQ classes for Java/JMS as
    well.
    

Problem conclusion

  • The following 5 SSLv3 CipherSuites are again permitted for use
    when using a non-IBM JRE with the JVM system property and value:
    
      com.ibm.mq.cfg.useIBMCipherMappings=false
    
    defined. These 5 SSLv3 CipherSuites and CipherSpecs which they
    map to are:
    
    SSL_RSA_WITH_NULL_MD5 --> NULL_MD5
    SSL_RSA_WITH_NULL_SHA --> NULL_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5 --> RC4_MD5_EXPORT
    SSL_RSA_WITH_RC4_128_MD5 --> RC4_MD5_US
    SSL_RSA_WITH_RC4_128_SHA --> RC4_SHA_US
    
    
    The following 2 CipherSuites have the capability of mapping to
    either an SSLv3 or TLS CipherSpec:
    
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    
    
    Prior to IV66840, these mapped to the following TLS CipherSpecs
    depending on if the FIPS compliance setting was configured:
    
    SSL_RSA_WITH_DES_CBC_SHA --> TLS_RSA_WITH_DES_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA --> TLS_RSA_WITH_3DES_EDE_CBC_SHA
    
    On an Oracle JVM where MQ FIPS compliance is not available,
    these CipherSuites mapped to the following SSLv3 CipherSpecs:
    
    SSL_RSA_WITH_DES_CBC_SHA --> DES_SHA_EXPORT
    SSL_RSA_WITH_3DES_EDE_CBC_SHA --> TRIPLE_DES_SHA_US
    
    
    APAR IT06775 added a property which permitted the selection of
    which of these CipherSpecs to map to from the corresponding
    CipherSuite in the non-FIPS compliance case. This property value
    was:
    
      com.ibm.mq.cfg.preferTLS
    
    When set to the value "true", the TLS CipherSpec was selected,
    when "false" the SSLv3 CipherSpec was used.
    
    As of APAR IV66840, when the non-IBM JRE mappings were used for
    a Oracle JVM to utilise TLS ciphers for example, these two
    CipherSuites always mapped to the TLS CipherSpecs. Under this
    APAR (IT09423) this has also been updated, so that the
    "com.ibm.mq.cfg.preferTLS" property continues to permit the
    selection - the default being to map to the SSLv3 CipherSpecs.
    
    
    Note that the above applies to WebSphere MQ classes for Java/JMS
    v7.5. In v8.0, the following three CipherSuites are restricted
    to using TLS CipherSpecs only when used with a Java/JMS
    application:
    
      SSL_RSA_WITH_RC4_128_SHA
      SSL_RSA_WITH_DES_CBC_SHA
      SSL_RSA_WITH_3DES_EDE_CBC_SHA
    
    meaning that in v8.0, this APAR has no effect for the above
    three CipherSuites. It does however permit the use of the SSLv3
    CipherSpecs for the other four CipherSuites listed above.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.1.13
    v7.1       7.1.0.7
    v7.5       7.5.0.6
    v8.0       8.0.0.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT09423

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7241

  • Reported release

    750

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-06-11

  • Closed date

    2015-10-23

  • Last modified date

    2015-10-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7241

Applicable component levels

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
22 July 2020