Direct links to fixes
7.1.0.8-WS-MQ-IBMi-LAIV90867
7.1.0.8-WS-MQ-Windows-LAIV90867-178856
7.1.0.8-WS-MQ-SolarisX64-LAIV90867-178856
7.1.0.8-WS-MQ-SolarisSparc64-LAIV90867-178856
7.1.0.8-WS-MQ-LinuxX64-LAIV90867-178856
7.1.0.8-WS-MQ-LinuxPPC64-LAIV90867-178856
7.1.0.8-WS-MQ-LinuxIA32-LAIV90867-178856
7.1.0.8-WS-MQ-Linux_z64-LAIV90867-178856
7.1.0.8-WS-MQ-HPUXIA64-LAIV90867-178856
7.1.0.8-WS-MQ-AIXPPC64-LAIV90867-178856
7.5.0.7-WS-MQ-Windows-LAIV90867
7.5.0.7-WS-MQ-SolarisX64-LAIV90867
7.5.0.7-WS-MQ-SolarisSparc64-LAIV90867
7.5.0.7-WS-MQ-LinuxX64-LAIV90867
7.5.0.7-WS-MQ-LinuxPPC64-LAIV90867
7.5.0.7-WS-MQ-LinuxIA32-LAIV90867
7.5.0.7-WS-MQ-Linux_z64-LAIV90867
7.5.0.7-WS-MQ-HPUXIA64-LAIV90867
7.5.0.7-WS-MQ-AIXPPC64-LAIV90867
APAR status
Closed as program error.
Error description
This APAR covers changes to the IBM MQ Queue Manager to disallow the use of CipherSpecs which specify cryptographic algorithms that are now considered to be broken or weak.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This affects users of IBM MQ who are using SSL/TLS security on queue manager channels.

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
In line with industry security guidelines and research, IBM MQ now considers the following CipherSpecs to be weak:

TLS_RSA_WITH_3DES_EDE_CBC_SHA
ECDHE_ECDSA_3DES_EDE_CBC_SHA256
ECDHE_RSA_3DES_EDE_CBC_SHA256
Problem conclusion
The CipherSpecs identified in the list above will no longer be permitted by default when initiating MQ channels.

To re-enable these CipherSpecs, please refer to the relevant release's documentation:

7.1 : http://www-01.ibm.com/support/docview.wss?uid=swg1IV73287
7.5 : http://www-01.ibm.com/support/docview.wss?uid=swg1IV73287
8.0 : http://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q120565_.htm?view=kc#q120565___deptls
9.0 : https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.sec.doc/q120565_.htm?view=kc#q120565___deptls

Once re-enabled, the CipherSpecs listed above can be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, either avoid using triple DES, or enable secret key reset when using these CipherSpecs.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v7.5       7.5.0.8
v8.0       8.0.0.6
v9.0 CD    9.0.2
v9.0 LTS   9.0.0.1

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
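An added example (not IBM's code and not part of the APAR): it parses the output of the runmqsc commands `DISPLAY CHANNEL(*) SSLCIPH` and `DISPLAY QMGR SSLRKEYC` to list channels still defined with one of the three CipherSpecs above and to report whether secret key reset is enabled. The sample output is constructed, and `SSLRKEYC` (the queue manager's secret key reset count, where 0 means disabled) is named from MQ's MQSC attributes rather than from this page.

```python
import re

# The three CipherSpecs this APAR lists as weak (from the page).
WEAK_CIPHERSPECS = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE_ECDSA_3DES_EDE_CBC_SHA256",
    "ECDHE_RSA_3DES_EDE_CBC_SHA256",
}
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # NAME(value) pairs in MQSC output

# Constructed sample output, not captured from a real queue manager.
SAMPLE_CHANNELS = """\
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(PLAIN.SVRCONN)                  CHLTYPE(SVRCONN)
   SSLCIPH( )
"""
SAMPLE_QMGR = """\
AMQ8408: Display Queue Manager details.
   QMNAME(QM1)                             SSLRKEYC(0)
"""

def parse_records(mqsc_output):
    """Return one attribute dict per AMQ-prefixed record in runmqsc output."""
    records, current = [], None
    for line in mqsc_output.splitlines():
        if line.startswith("AMQ"):       # each record starts with a message line
            current = {}
            records.append(current)
        elif current is not None:        # skip banner text before the first record
            current.update(ATTR.findall(line))
    return [r for r in records if r]

def audit(channel_output, qmgr_output):
    """List (channel, cipherspec, key_reset_enabled) for weak-CipherSpec channels."""
    qmgr = parse_records(qmgr_output)
    key_reset_enabled = bool(qmgr) and int(qmgr[0].get("SSLRKEYC", "0")) > 0
    findings = []
    for rec in parse_records(channel_output):
        cipher = rec.get("SSLCIPH", "").strip()
        if cipher in WEAK_CIPHERSPECS:
            findings.append((rec.get("CHANNEL", "?"), cipher, key_reset_enabled))
    return findings
```

Calling `audit(SAMPLE_CHANNELS, SAMPLE_QMGR)` returns one finding for `QM1.TO.QM2` with key reset reported as disabled, which is the combination that would end in AMQ9288 once the CipherSpec is re-enabled.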
Temporary fix
Comments
APAR Information
APAR number
IV90867
Reported component name
WMQ LIN X86-64
Reported component ID
5724H7230
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-11-18
Closed date
2017-01-31
Last modified date
2017-06-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ LIN X86-64
Fixed component ID
5724H7230
Applicable component levels
R710 PSY
UP
Document Information
Modified date:
09 March 2021