APAR status
Closed as program error.
Error description
If a queue manager is configured for TLS communication and SSLFIPS(YES) is set on the queue manager configuration, any TLS-enabled channel that attempts to start with the TLS_CHACHA20_POLY1305_SHA256 CipherSpec fails with an AMQ9620 error message whose inserts are the function gsk_secure_soc_init and error code 12. This happens if the SSLCIPH attribute of a channel is set to any of the following values: "TLS_CHACHA20_POLY1305_SHA256", "ANY", "ANY_TLS13", "ANY_TLS13_OR_HIGHER" or "ANY_TLS12_OR_HIGHER".
Local fix
If SSLFIPS(YES) is used to put the queue manager into FIPS mode, TLS_CHACHA20_POLY1305_SHA256 cannot be used. Ensure TLS_CHACHA20_POLY1305_SHA256 is not set in the SSLCIPH attribute of any channel. If SSLFIPS(YES) is in use and an Alias CipherSpec is set in the SSLCIPH attribute of channel objects, then TLS_CHACHA20_POLY1305_SHA256 should be disabled at the queue manager level using the AllowedCipherSpecs attribute of the SSL stanza in the qm.ini file. If FIPS is not required, changing SSLFIPS to NO enables the TLS_CHACHA20_POLY1305_SHA256 CipherSpec for use.
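As an added example (not IBM's code and not part of this APAR), the following Python check applies the conditions above to a queue manager's settings: it takes the SSLFIPS value and whether TLS 1.3 is enabled as booleans, reads AllowedCipherSpecs from the SSL stanza of a qm.ini text, and lists the channels whose SSLCIPH value would hit AMQ9620. The qm.ini text and channel names are constructed, and treating an alias inside AllowedCipherSpecs as re-admitting the ChaCha20 CipherSpec is an assumption.

```python
"""Flag IBM MQ channels exposed to the AMQ9620 failure described in APAR IT43650.
Example code written for this article, not IBM's; the qm.ini text and channel list are constructed."""

CHACHA = "TLS_CHACHA20_POLY1305_SHA256"
# Alias CipherSpecs the APAR lists as affected: with TLS 1.3 enabled they can resolve to ChaCha20.
AFFECTED_ALIASES = {"ANY", "ANY_TLS13", "ANY_TLS13_OR_HIGHER", "ANY_TLS12_OR_HIGHER"}


def allowed_cipherspecs(qm_ini: str):
    """Return the AllowedCipherSpecs set from the SSL stanza of qm.ini, or None when the attribute is absent."""
    in_ssl = False
    for raw in qm_ini.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):                 # stanza header such as "SSL:"
            in_ssl = line[:-1].strip() == "SSL"
            continue
        if in_ssl and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "AllowedCipherSpecs":
                return {v.strip() for v in value.split(",") if v.strip()}
    return None


def chacha_disabled_at_qmgr(qm_ini: str) -> bool:
    """True when an explicit AllowedCipherSpecs list omits ChaCha20 and every alias that could expand to it.
    Assumption: an alias in the list re-admits ChaCha20 once TLS 1.3 is on."""
    allowed = allowed_cipherspecs(qm_ini)
    return allowed is not None and not ({CHACHA} | AFFECTED_ALIASES) & allowed


def at_risk_channels(sslfips_yes: bool, tls13_enabled: bool, qm_ini: str, channels: dict) -> list:
    """channels maps channel name -> SSLCIPH. Returns names that would fail with AMQ9620 (gsk_secure_soc_init, 12)."""
    if not (sslfips_yes and tls13_enabled):    # the APAR needs both SSLFIPS(YES) and TLS 1.3
        return []
    blocked = chacha_disabled_at_qmgr(qm_ini)
    risky = []
    for name, sslciph in channels.items():
        if sslciph == CHACHA:                  # explicit use: no queue manager setting rescues this channel
            risky.append(name)
        elif sslciph in AFFECTED_ALIASES and not blocked:
            risky.append(name)
    return sorted(risky)


# Constructed samples: a qm.ini applying the APAR's workaround and one with no SSL stanza at all.
QM_INI_WORKAROUND = "SSL:\n   AllowedCipherSpecs=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384\n"
QM_INI_DEFAULT = "# no SSL stanza, so every CipherSpec stays allowed\n"
CHANNELS = {"TO.PARTNER": "ANY_TLS13", "TO.LEGACY": "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TO.CHACHA": CHACHA, "TO.ANY": "ANY"}

if __name__ == "__main__":
    print(at_risk_channels(True, True, QM_INI_DEFAULT, CHANNELS))     # ['TO.ANY', 'TO.CHACHA', 'TO.PARTNER']
    print(at_risk_channels(True, True, QM_INI_WORKAROUND, CHANNELS))  # ['TO.CHACHA']
```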
Problem summary
USERS AFFECTED: Those with SSLFIPS(YES) configured on the queue manager object, with TLS 1.3 enabled in the queue manager qm.ini, and a channel with SSLCIPH(TLS_CHACHA20_POLY1305_SHA256) or an Alias CipherSpec (ANY, ANY_TLS12_OR_HIGHER, ANY_TLS13, ANY_TLS13_OR_HIGHER).

Platforms affected: MultiPlatform

PROBLEM DESCRIPTION: TLS_CHACHA20_POLY1305_SHA256 was incorrectly included in the internal list of ciphers to enable when SSLFIPS(YES) was configured. Because this CipherSpec is not a valid FIPS CipherSpec, MQ's cryptographic provider failed to initialize when it was present in the list. As a result, any TLS communication started while FIPS was enabled on the queue manager object and the channel specified TLS_CHACHA20_POLY1305_SHA256 or an Alias CipherSpec failed. The following Alias CipherSpecs are affected: ANY, ANY_TLS12_OR_HIGHER, ANY_TLS13 and ANY_TLS13_OR_HIGHER. TLS_CHACHA20_POLY1305_SHA256 is only available if TLS 1.3 is enabled.
Problem conclusion
The TLS_CHACHA20_POLY1305_SHA256 CipherSpec has been removed from IBM MQ's list of FIPS CipherSpecs, which prevents it from being selected during the TLS handshake when FIPS is enabled.

The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.2 LTS   9.2.0.15
v9.3 LTS   9.3.0.10
v9.x CD    9.3.3

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes': http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates': http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
Temporary fix
Comments
APAR Information
APAR number
IT43650
Reported component name
MQ BASE V9.3
Reported component ID
5724H7291
Reported release
930
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-04-27
Closed date
2023-05-19
Last modified date
2023-05-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.3
Fixed component ID
5724H7291
Applicable component levels
Document Information
Modified date:
20 May 2023