IBM Support

IT29602: The AMQ9288 message and documented limit of TLS records sent are incorrect


APAR status

  • Closed as program error.

Error description

  • In the Knowledge Centre under "Enabling CipherSpecs" at:
    
    https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm
    
    Note 4 states that "after 2^22 TLS records are sent, using
    the same session key, the connection is terminated with message
    AMQ9288."
    
    This is incorrect. It should be 2^32 instead of 2^22.
    
    The same is true for:
    
    https://www-01.ibm.com/support/docview.wss?uid=swg21964105
    
    Also the error message, for example (the CipherSpec could be
    different):
    
    AMQ9288E: Secure data transfer limit for channel 'aaaa.bbb'
    exceeded.
    
    EXPLANATION:
    CipherSpec 'ECDHE_RSA_AES_256_GCM_SHA384' has reached a data
    transfer limit of 0 (the transfer limit is expressed in terms
    of TLS records for GCM ciphers, or MB for all other ciphers).
    Session keys using this CipherSpec must be used only to encrypt
    a limited quantity of data to reduce the risk of key
    compromise.
    
    is incorrect, as it gives a limit value of zero.
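    Added example (not from the APAR or from IBM MQ itself): a small Python parser that scans queue-manager error-log text for AMQ9288E entries, extracts the channel and CipherSpec, and flags the misreported limit of 0 described above. The log entry is a constructed sample modelled on the quoted message; its timestamp and process header line is an assumed format.

```python
import re

# Correct limit per this APAR: 2^32 TLS records per session key for GCM
# CipherSpecs (the Knowledge Centre text wrongly stated 2^22).
GCM_RECORD_LIMIT = 2 ** 32

# Constructed sample of a queue-manager error-log entry, modelled on the
# message quoted in the APAR; the header line is an assumed format.
SAMPLE_LOG = """\
08/15/2019 10:15:32 - Process(1234.5) User(mqm) Program(amqrmppa)
AMQ9288E: Secure data transfer limit for channel 'aaaa.bbb'
exceeded.

EXPLANATION:
CipherSpec 'ECDHE_RSA_AES_256_GCM_SHA384' has reached a data
transfer limit of 0 (the transfer limit is expressed in terms
of TLS records for GCM ciphers, or MB for all other ciphers).
Session keys using this CipherSpec must be used only to encrypt
a limited quantity of data to reduce the risk of key
compromise.
"""

# Matched against whitespace-normalised text, so the line wrapping used
# in the log file does not matter.
_EVENT_RE = re.compile(
    r"AMQ9288E: Secure data transfer limit for channel '([^']+)' exceeded\."
    r".*?CipherSpec '([^']+)' has reached a data transfer limit of (\d+)"
)


def parse_amq9288(log_text):
    """Return one dict per AMQ9288E entry found in log_text."""
    flat = " ".join(log_text.split())
    events = []
    for m in _EVENT_RE.finditer(flat):
        channel, cipher, reported = m.group(1), m.group(2), int(m.group(3))
        is_gcm = "_GCM_" in cipher
        events.append({
            "channel": channel,
            "cipherspec": cipher,
            "reported_limit": reported,
            "gcm": is_gcm,
            # Only the GCM record limit is stated in the APAR; other
            # CipherSpecs express the limit in MB, which it does not give.
            "expected_limit": GCM_RECORD_LIMIT if is_gcm else None,
            # The defect: a GCM channel hit the limit but the message says 0.
            "limit_misreported": is_gcm and reported == 0,
        })
    return events


if __name__ == "__main__":
    for ev in parse_amq9288(SAMPLE_LOG):
        print(ev)
```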
    

Local fix

  • To prevent a channel from failing with error AMQ9288, you may select
    one of three choices:
    1) Enable Secret Key resets on the channel in order to
    renegotiate the session keys in use after a certain number of
    bytes have been sent through the channel.
    2) Use a different CipherSpec that does not use GCM and is not
    affected by the TLS limit.
    3) Set the environment variable
    "GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE" before starting an MQ
    QMGR or Client.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    MQ SSL users configured to use GCM ciphers for their
    connections.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The information provided in the IBM MQ Knowledge Centre and
    associated documentation for SSL GCM ciphers indicates an
    incorrect value for the limit on the number of TLS records sent
    using the same session key.
    The correct value is 2^32 records before the
    connection is terminated with message AMQ9288.
    In addition, when the number of TLS records is actually
    exceeded, the AMQ9288 error message incorrectly reports 0 as
    the number of TLS records.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IT29602

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-07-02

  • Closed date

    2019-08-19

  • Last modified date

    2019-08-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7251

Applicable component levels


Document Information

Modified date:
27 August 2019