IBM Support

IV73287: DEPRECATION OF WEAK CIPHERSPECS IN WEBSPHERE MQ V7 QUEUE MANAGERS

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • This APAR covers changes to the WebSphere MQ Queue Manager to
    disallow the use of CipherSpecs which
    specify cryptographic algorithms or protocols that are now
    considered to be
    broken or weak.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This affects users of WebSphere MQ 7.0.1, 7.1 and 7.5 who are
    using SSL/TLS security on queue manager channels.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    In line with industry security guidelines and research,
    WebSphere MQ now considers the following CipherSpecs to be weak:
    
    RC4_SHA_US
    RC4_MD5_US
    TRIPLE_DES_SHA_US
    DES_SHA_EXPORT1024
    RC4_56_SHA_EXPORT1024
    RC4_MD5_EXPORT
    RC2_MD5_EXPORT
    DES_SHA_EXPORT
    TLS_RSA_WITH_DES_CBC_SHA
    NULL_SHA
    NULL_MD5
    FIPS_WITH_DES_CBC_SHA
    FIPS_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_NULL_SHA256
    

Problem conclusion

  • The CipherSpecs identified in the list above will no longer be
    permitted by default when initiating MQ channels.
    
    Attempting to start a channel instance using one of these
    CipherSpecs will result in AMQ9635, AMQ9773 (7.0.1 only) or
    AMQ9788 (7.1 and 7.5 only) messages in the queue manager's error
    log.
    
    
    If a return to the previous behavior is required, the
    CipherSpecs may be re-enabled within the SSL stanza of the
    qm.ini file as follows:
    
    SSL:
       AllowWeakCipherSpec=Yes
    
    
    
    Alternatively, these CipherSpecs may be re-enabled by setting or
    exporting the following environment variable to any value:
    
    AMQ_SSL_WEAK_CIPHER_ENABLE
    
    The variable should be set/exported within the environment used
    to start the queue manager. Defining this environment variable
    enables the CipherSpecs regardless of the value specified in the
    qm.ini file.
    
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.1.13
    v7.1       7.1.0.7
    v7.5       7.5.0.6
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV73287

  • Reported component name

    WMQ LIN X86 V7

  • Reported component ID

    5724H7224

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-05-14

  • Closed date

    2015-08-03

  • Last modified date

    2016-10-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ LIN X86 V7

  • Fixed component ID

    5724H7224

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.1"}]

Document Information

Modified date:
08 March 2021