IBM Support

IV73396: DEPRECATION OF SSLV3 CIPHERSPECS IN WEBSPHERE MQ V7 QUEUE MANAGERS


APAR status

  • Closed as program error.

Error description

  • This APAR covers changes to the WebSphere MQ Queue Manager to
    disallow the configuration of SSLv3 CipherSpecs on new Queue
    Managers created after the application of this change.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users wishing to use SSL/TLS to secure communication over MQ
    channels.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    Once this change is applied, any queue managers created will
    disallow the use of the following CipherSpecs on channel
    definitions associated with the queue manager:
    
      AES_SHA_US
      RC4_SHA_US
      RC4_MD5_US
      TRIPLE_DES_SHA_US
      DES_SHA_EXPORT1024
      RC4_56_SHA_EXPORT1024
      RC4_MD5_EXPORT
      RC2_MD5_EXPORT
      DES_SHA_EXPORT
      NULL_SHA
      NULL_MD5
      FIPS_WITH_DES_CBC_SHA
      FIPS_WITH_3DES_EDE_CBC_SHA
    
    Attempting to use or configure one of these CipherSpecs will
    result in one or more of the following messages in the queue
    manager error log: AMQ8242, AMQ9616, AMQ9635.
    

Problem conclusion

  • To override this restriction, set the environment variable
    "AMQ_SSL_V3_ENABLE" to the value "TRUE" in the environment used
    to start the queue manager.
    
    Alternatively, add the following entry to the SSL stanza of the
    queue manager's qm.ini file:
        AllowSSLV3=y
    
    
    Once this change is applied, queue managers using GSKit 8 will
    have the GSK_STRICTCHECK_CBCPADBYTES functionality enabled by
    default. To override this, set
    GSK_STRICTCHECK_CBCPADBYTES=GSK_FALSE in the environment used to
    start the queue manager.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.1.13
    v7.1       7.1.0.7
    v7.5       7.5.0.5
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
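
An audit sketch for the restriction and overrides described above, added here as an example and not IBM code: it flags channels whose SSLCIPH is one of the listed CipherSpecs and detects the three overrides. The function names are hypothetical, and the sample `DISPLAY CHANNEL(*) SSLCIPH` output and qm.ini text are constructed.

```python
import re

# CipherSpecs the APAR lists as disallowed on newly created queue managers.
SSLV3_CIPHERSPECS = {
    "AES_SHA_US", "RC4_SHA_US", "RC4_MD5_US", "TRIPLE_DES_SHA_US",
    "DES_SHA_EXPORT1024", "RC4_56_SHA_EXPORT1024", "RC4_MD5_EXPORT",
    "RC2_MD5_EXPORT", "DES_SHA_EXPORT", "NULL_SHA", "NULL_MD5",
    "FIPS_WITH_DES_CBC_SHA", "FIPS_WITH_3DES_EDE_CBC_SHA",
}

def sslv3_channels(runmqsc_text):
    """Return sorted (channel, cipherspec) pairs that use a listed CipherSpec."""
    hits, channel = [], None
    for attr, value in re.findall(r"\b(CHANNEL|SSLCIPH)\(([^)]*)\)", runmqsc_text):
        value = value.strip()
        if attr == "CHANNEL":
            channel = value                      # remember the owning channel
        elif value.upper() in SSLV3_CIPHERSPECS:
            hits.append((channel, value.upper()))
    return sorted(hits)

def qm_ini_allows_sslv3(ini_text):
    """True when the SSL stanza of qm.ini contains the AllowSSLV3=y override."""
    stanza = None
    for line in (raw.strip() for raw in ini_text.splitlines()):
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.endswith(":") and "=" not in line:
            stanza = line[:-1].strip().upper()   # stanza header such as "SSL:"
        elif stanza == "SSL":
            key, _, val = line.partition("=")    # case-insensitive match is an assumption
            if key.strip().upper() == "ALLOWSSLV3" and val.strip().upper() == "Y":
                return True
    return False

def env_overrides(env):
    """Names of the APAR's environment overrides that are active in `env`."""
    wanted = {"AMQ_SSL_V3_ENABLE": "TRUE", "GSK_STRICTCHECK_CBCPADBYTES": "GSK_FALSE"}
    return sorted(k for k, v in wanted.items() if env.get(k, "").strip().upper() == v)

# Constructed sample inputs (not taken from a real system).
SAMPLE_RUNMQSC = """\
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(RC4_MD5_US)"""
SAMPLE_QM_INI = "Log:\n   LogType=CIRCULAR\nSSL:\n   AllowSSLV3=y\n"
print(sslv3_channels(SAMPLE_RUNMQSC), qm_ini_allows_sslv3(SAMPLE_QM_INI))
```

Pass `os.environ` from the account that starts the queue manager to `env_overrides` to see whether either environment override is in effect.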
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV73396

  • Reported component name

    WMQ LIN X86 V7

  • Reported component ID

    5724H7224

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-05-19

  • Closed date

    2015-05-20

  • Last modified date

    2015-05-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ LIN X86 V7

  • Fixed component ID

    5724H7224


Document Information

Modified date:
08 March 2021