IBM Support

IT36099: JRE CipherSuites using algorithms based on DES_CBC are disabled

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as Permanent restriction.

Error description

  • When an MQTT application attempted to connect to the MQXR
    service over a SSL/TLS secured socket, the connection attempt
    failed and the following error message was output from the MQXR
    service:
    
    AMQCO1008E: An SSL Handshake error occurred when a client at
    '/192.168.1.50' attempted to connect to channel 'SSL':
    javax.net.ssl.SSLHandshakeException: null cert chain
    
    
    The CipherSuite which the MQTT client was requesting to use was:
    
      SSL_RSA_FIPS_WITH_DES_CBC_SHA
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of the JRE which is embedded into the MQ installation at
    the location:
    
    AIX, Linux, Solaris, HP-UX:
    
      <MQ_INSTALLATION_ROOT>/java/jre64/jre
    
    Windows:
      <MQ_INSTALLATION_ROOT>\java\jre
    
    who are attempting to use CipherSuites which use algorithms
    based on the DES_CBC set.
    
    
    Platforms affected:
    AIX, HP-UX Itanium, Linux on Power, Linux on S390, Linux on
    x86-64, Linux on zSeries, Solaris SPARC, Solaris x86-64, Windows
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The JRE embedded into MQ v8.0.0.16 has been updated under APAR
    IT35343 to the Java versions:
    
      7.1.4.80 -  AIX, Linux (x86-32, x86-64, ppc, ppcLE, zLinux),
    Windows(32-bit, 64-bit)
      7.0.10.80 - Solaris (SPARC, x86-64)
      7.0.10.75 - HP-UX (Itanium 32-bit, 64-bit)
    
    
    The JRE embedded into MQ v9.2.0.2 has been updated under APAR
    IT35540 to the Java versions:
    
      8.0.6.25 - AIX, Linux (x86-64, ppcLE, zLinux), Solaris (SPARC,
    x86-64) Windows
    
    
    
    In these JREs, CipherSuites which use TLS algorithms which match
    "DES_CBC" have been disabled, for example the CipherSuite:
    
       SSL_RSA_FIPS_WITH_DES_CBC_SHA
    
    
    The result of this change to the JRE is that if an application
    is using this JRE, the application will no longer be able to use
    this CipherSuite, for example if connecting to the queue manager
    over a SSL/TLS secured channel.
    
    This includes user's own applications which utilise this JRE, or
    components of IBM MQ which use the JRE, such as:
    
      MQ Explorer
      MQTT service
      AMQP service
      Managed File Transfer
    

Problem conclusion

  • If you understand the security risk associated with using these
    disabled CipherSuites, and want to re-enable them, then you can
    update the JRE file:
    
    
    AIX, Linux, Solaris:
      <MQ_INSTALL_ROOT>/java/jre64/jre/lib/security/java.security
    
    Windows:
      <MQ_INSTALL_ROOT>\java\jre\lib\security\java.security
    
    
    to re-enable the CipherSuites using this DES_CBC algorithm.
    
    
    The entry in this file which controls this behaviour is the
    property:
    
      jdk.tls.disabledAlgorithms
    
    
    Remove the last entry:
    
    ", DES_CBC"
    
    to permit the JRE to use this algorithm again.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.16
    v9.2 LTS   9.2.0.2
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT36099

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-03

  • Closed date

    2021-03-03

  • Last modified date

    2021-03-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.0.0"}]

Document Information

Modified date:
18 March 2021