IBM Support

PI62193: WMQ WEAK CIPHER TLS_RSA_WITH_NULL_SHA256 NOT DEPRECATED

A fix is available


APAR status

  • Closed as program error.

Error description

  • http://www-01.ibm.com/support/docview.wss?uid=swg21687433
    states that the deprecation of TLS_RSA_WITH_NULL_SHA256
    prevents its use within WebSphere MQ; however, the user is
    still able to define and start distributed channels with that
    CipherSpec. The CipherSpec's attribute will need to be updated
    to indicate that it is considered WEAK.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 *
    *                 Release 1 Modification 0.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: On distributed platforms, CipherSpec    *
    *                      TLS_RSA_WITH_NULL_SHA256 is now         *
    *                      declared as being "weak" but is not     *
    *                      marked as weak on z/OS.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The PTF for APAR PI40485 added the concept of "weak CipherSpecs"
    which are CipherSpecs that are not recommended to be used and
    will be disabled by default unless action is taken by the system
    programmer to re-enable them. Since APAR PI40485 was closed, an
    additional CipherSpec, TLS_RSA_WITH_NULL_SHA256, has been marked
    as weak on distributed platforms. For consistency this
    CipherSpec is now being marked as weak on z/OS as well.
    

Problem conclusion

  • Channels that use CipherSpec TLS_RSA_WITH_NULL_SHA256 will be
    unable to connect following the application of this PTF unless
    additional steps are taken.
    
    Prior to applying this PTF, it is possible to determine whether
    your z/OS Queue Manager will be affected by the change or not.
    
    In order to determine whether any channels are defined that may
    use this weak CipherSpec, you can issue the following command to
    display affected channels:
    
    DISPLAY CHL(*) WHERE(SSLCIPH EQ TLS_RSA_WITH_NULL_SHA256)
    
    The above command will display a list of the channels
    configured to use that CipherSpec or "NO CHANNEL FOUND MATCHING
    REQUEST CRITERIA", which indicates that no channels are
    configured to use it.
    
    If any channels are identified using the above command, you
    should take appropriate action (such as changing the CipherSpec
    to one that is not known to be weak) before applying the PTF,
    otherwise your channels may fail to connect.
    
    Customers that wish to re-enable the use of weak CipherSpecs may
    do so by adding a dummy Data Definition (DD) statement named
    "CSQXWEAK" to the channel initiator JCL, e.g.:
    
    //CSQXWEAK  DD DUMMY
    
    There are alternative mechanisms that may be used to forcibly
    re-enable weak CipherSpec support if the Data Definition change
    is unsuitable. Please contact IBM Service for further
    information.
    
    Please note that re-enabling CipherSpecs in this manner will
    leave systems exposed to possible security problems. It is
    recommended to only use secure CipherSpecs that are not
    considered weak.
    100Y
    CSQMCNAC
    CSQXCCIS
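
An offline version of the pre-PTF check described above, as an added example that is not part of the IBM APAR text: it scans a saved MQSC channel-definition dump for the weak CipherSpec and checks channel initiator JCL for an active CSQXWEAK DD statement. The function names, channel names and sample definitions are constructed for illustration; the input is assumed to be MQSC DEFINE CHANNEL commands.

```python
import re

# The CipherSpec this APAR marks as weak on z/OS (taken from the page).
WEAK = {"TLS_RSA_WITH_NULL_SHA256"}
DEFINE_RE = re.compile(r"^\s*(?:DEFINE|DEF)\s+(?:CHANNEL|CHL)\s*\(\s*'?([^')]+)'?\s*\)", re.I)
SSLCIPH_RE = re.compile(r"\bSSLCIPH\s*\(\s*'?([^')]*)'?\s*\)", re.I)
# Active DD statement only; a commented-out "//*CSQXWEAK" line does not match.
CSQXWEAK_RE = re.compile(r"^//CSQXWEAK\s+DD\s+DUMMY\b", re.M)

def mqsc_commands(text):
    """Join MQSC continuation lines ('+' resumes at the next line's first
    non-blank, '-' at its first column) and drop '*' comment lines."""
    commands, current, skip_blanks = [], "", False
    for raw in text.splitlines():
        line = raw.strip() if skip_blanks else raw.rstrip()
        if not current and (not line.strip() or line.lstrip().startswith("*")):
            continue
        if line.endswith(("+", "-")):
            current, skip_blanks = current + line[:-1], line.endswith("+")
        else:
            commands.append(current + line)
            current, skip_blanks = "", False
    return commands + ([current] if current else [])

def weak_channels(mqsc_text):
    """Return names of defined channels whose SSLCIPH is a weak CipherSpec."""
    hits = []
    for cmd in mqsc_commands(mqsc_text):
        name, ciph = DEFINE_RE.search(cmd), SSLCIPH_RE.search(cmd)
        if name and ciph and ciph.group(1).strip().upper() in WEAK:
            hits.append(name.group(1).strip())
    return hits

def ptf_impact(mqsc_text, chinit_jcl):
    """Map each weak channel to what the page says happens after the PTF."""
    verdict = ("connects only because CSQXWEAK re-enables weak CipherSpecs"
               if CSQXWEAK_RE.search(chinit_jcl) else "will fail to connect after the PTF")
    return {name: verdict for name in weak_channels(mqsc_text)}

# Constructed sample input, not taken from a real queue manager.
SAMPLE_MQSC = """\
* channel definitions (constructed)
DEFINE CHANNEL('QM1.TO.QM2') CHLTYPE(SDR) +
       SSLCIPH('TLS_RSA_WITH_NULL_SHA256')
DEFINE CHANNEL('QM1.TO.QM3') CHLTYPE(SDR) SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256')
"""

if __name__ == "__main__":
    print(ptf_impact(SAMPLE_MQSC, "//*CSQXWEAK DD DUMMY\n"))
```

A channel reported here with the CSQXWEAK verdict is still running a CipherSpec the page recommends against, so it belongs on the remediation list rather than the cleared list.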
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI62193

  • Reported component name

    WMQ Z/OS V7

  • Reported component ID

    5655R3600

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-05-10

  • Closed date

    2016-05-27

  • Last modified date

    2016-08-02

  • APAR is sysrouted FROM one or more of the following:

    PI61530

  • APAR is sysrouted TO one or more of the following:

    UI38238

Modules/Macros

  • CSQMCNAC CSQXCCIS
    

Fix information

  • Fixed component name

    WMQ Z/OS V7

  • Fixed component ID

    5655R3600

Applicable component levels

  • R100 PSY UI38238

       UP16/07/06 P F607

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 August 2016