IBM Support

IV73396: DEPRECATION OF SSLV3 CIPHERSPECS IN WEBSPHERE MQ V7 QUEUE MANAGERS

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • This APAR covers changes to the WebSphere MQ Queue Manager to
    disallow the configuration of SSLv3 CipherSpecs on new Queue
    Managers created after the application of this change.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users wishing to use SSL/TLS to secure communication over MQ
    channels.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    Once this change is applied, any queue managers created will
    disallow the use of the following CipherSpecs on channel
    definitions associated with the queue manager:
    
      AES_SHA_US
      RC4_SHA_US
      RC4_MD5_US
      TRIPLE_DES_SHA_US
      DES_SHA_EXPORT1024
      RC4_56_SHA_EXPORT1024
      RC4_MD5_EXPORT
      RC2_MD5_EXPORT
      DES_SHA_EXPORT
      NULL_SHA
      NULL_MD5
      FIPS_WITH_DES_CBC_SHA
      FIPS_WITH_3DES_EDE_CBC_SHA
    
    Attempting to use or configure one of these CipherSpecs will
    result in one or more of the following messages in the queue
    manager error log: AMQ8242, AMQ9616, AMQ9635.
    

Problem conclusion

  • To override this restriction, set the environment variable
    "AMQ_SSL_V3_ENABLE" to the value "TRUE" in the environment used
    to start the queue manager
    
    Alternatively, add the following entry to the SSL stanza of the
    queue manager's qm.ini file:
        AllowSSLV3=y
    
    
    Once this change is applied, queue managers using GSKit 8 will
    have the GSK_STRICTCHECK_CBCPADBYTES functionality enabled by
    default. To override this, set
    GSK_STRICTCHECK_CBCPADBYTES=GSK_FALSE in the environment used to
    start the queue manager.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.1.13
    v7.1       7.1.0.7
    v7.5       7.5.0.5
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV73396

  • Reported component name

    WMQ LIN X86 V7

  • Reported component ID

    5724H7224

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-05-19

  • Closed date

    2015-05-20

  • Last modified date

    2015-05-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ LIN X86 V7

  • Fixed component ID

    5724H7224

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.1"}]

Document Information

Modified date:
08 March 2021