APAR status
Closed as Permanent restriction.
Error description
When an MQTT application attempted to connect to the MQXR service over an SSL/TLS secured socket, the connection attempt failed and the following error message was output from the MQXR service:

AMQCO1008E: An SSL Handshake error occurred when a client at '/192.168.1.50' attempted to connect to channel 'SSL': javax.net.ssl.SSLHandshakeException: null cert chain

The CipherSuite which the MQTT client was requesting to use was:

SSL_RSA_FIPS_WITH_DES_CBC_SHA
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
Users of the JRE which is embedded into the MQ installation at the location:

AIX, Linux, Solaris, HP-UX: <MQ_INSTALLATION_ROOT>/java/jre64/jre
Windows: <MQ_INSTALLATION_ROOT>\java\jre

who are attempting to use CipherSuites which use algorithms based on the DES_CBC set.

Platforms affected:
AIX, HP-UX Itanium, Linux on Power, Linux on S390, Linux on x86-64, Linux on zSeries, Solaris SPARC, Solaris x86-64, Windows
****************************************************************
PROBLEM DESCRIPTION:
The JRE embedded into MQ v8.0.0.16 has been updated under APAR IT35343 to the Java versions:

7.1.4.80 - AIX, Linux (x86-32, x86-64, ppc, ppcLE, zLinux), Windows (32-bit, 64-bit)
7.0.10.80 - Solaris (SPARC, x86-64)
7.0.10.75 - HP-UX (Itanium 32-bit, 64-bit)

The JRE embedded into MQ v9.2.0.2 has been updated under APAR IT35540 to the Java versions:

8.0.6.25 - AIX, Linux (x86-64, ppcLE, zLinux), Solaris (SPARC, x86-64), Windows

In these JREs, CipherSuites which use TLS algorithms matching "DES_CBC" have been disabled, for example the CipherSuite:

SSL_RSA_FIPS_WITH_DES_CBC_SHA

As a result of this change, an application using this JRE can no longer use this CipherSuite, for example when connecting to the queue manager over an SSL/TLS secured channel.

This includes users' own applications which utilise this JRE, and components of IBM MQ which use the JRE, such as:

MQ Explorer
MQTT service
AMQP service
Managed File Transfer
Problem conclusion
If you understand the security risk associated with using these disabled CipherSuites, and want to re-enable them, then you can update the JRE file:

AIX, Linux, Solaris: <MQ_INSTALL_ROOT>/java/jre64/jre/lib/security/java.security
Windows: <MQ_INSTALL_ROOT>\java\jre\lib\security\java.security

to re-enable the CipherSuites using this DES_CBC algorithm.

The entry in this file which controls this behaviour is the property:

jdk.tls.disabledAlgorithms

Remove the last entry: ", DES_CBC" to permit the JRE to use this algorithm again.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version     Maintenance Level
v8.0        8.0.0.16
v9.2 LTS    9.2.0.2

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
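To audit whether a given java.security file still blocks DES_CBC, the following added example (not IBM code) parses the jdk.tls.disabledAlgorithms property, including backslash line continuations, and checks for an exact DES_CBC entry. The sample file contents and the function names are constructed for illustration and are not copied from an MQ JRE.

```python
import re

PROPERTY = "jdk.tls.disabledAlgorithms"   # property named in the APAR

# Constructed java.security fragments (illustrative, not copied from an MQ JRE).
SHIPPED = """\
# TLS restrictions
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024, \\
    3DES_EDE_CBC, DES_CBC
"""
EDITED = SHIPPED.replace(", DES_CBC", "")   # the edit the APAR describes


def _continued(line):
    # An odd number of trailing backslashes joins the next line to this one.
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def read_property(text, key):
    """Return key's value: comments skipped, continuations joined, last definition wins."""
    value, lines = None, iter(text.splitlines())
    for line in lines:
        line = line.lstrip()
        if not line or line[0] in "#!":
            continue
        while _continued(line):
            line = line[:-1] + next(lines, "").lstrip()
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == key:
            value = m.group(2)
    return value


def des_cbc_disabled(text):
    """True if DES_CBC is an exact entry (3DES_EDE_CBC alone does not count)."""
    value = read_property(text, PROPERTY)
    entries = [e.strip() for e in (value or "").split(",")]
    return "DES_CBC" in entries


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("edited", EDITED)):
        print(name, "DES_CBC disabled:", des_cbc_disabled(text))
```

To check a real installation, pass the contents of the java.security file at the path given above to des_cbc_disabled().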
Temporary fix
Comments
APAR Information
APAR number
IT36099
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7251
Reported release
800
Status
CLOSED PRS
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-03-03
Closed date
2021-03-03
Last modified date
2021-03-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
18 March 2021