IBM Support

PI95953: Function to disable TLS v1.0 connections for queue manager

APAR status

  • Closed as program error.

Error description

  • A new parameter is required to allow TLS v1.0 to be optionally
    disabled on the queue manager
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 0 Modification 0                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: The ability to disable TLS v1.0 needs   *
    *                      to be available.                        *
    ****************************************************************
    The ability to disable TLS v1.0 needs to be available as it may
    not comply with current security requirements.
    

Problem conclusion

  • The ability to disable TLS v1.0 has been added through the use
    of the DD card 'TLS10OFF'. Additionally the DD card 'TLS10ON'
    has been added to explicitly enable TLS v1.0. TLS v1.0 remains
    on by default.
    
    The MQ documentation is updated to detail messages produced by
    this APAR.
    
    ========== DOC Change for V900 Knowledge Center ===============
    
    The page "com.ibm.mq.ref.doc/csq_x.htm" in the Knowledge Center
    for V900 will be updated:
    
    Home
    > IBM MQ 9.0.x
      > IBM MQ
        > Reference
          > Messages
            > IBM MQ for z/OS messages, completion, and reason codes
              > Messages for IBM MQ for z/OS
                > Distributed queuing messages (CSQX...)
    
    The following is added to document the new messages that are
    produced:
    
    CSQX694I
    
        csect-name Cipher specifications based on the TLS v1.0
        protocol are disabled.
    Severity
        4
    Explanation
    
        Cipher specifications based on the TLS v1.0 protocol are not
        enabled, and channels configured to use those cipher
        specifications fail when started.
    System action
    
        Processing continues.
    System programmer response
    
        If you do not need to use cipher specifications based on the
        TLS v1.0 protocol, then you can disable them by adding a
        dummy Data Definition (DD) statement named 'TLS10OFF' to the
        channel initiator JCL. For example:
    
        //TLS10OFF DD DUMMY
    
        There are alternative mechanisms that can be used to
        forcibly disable cipher specifications based on the TLS v1.0
        protocol, if the Data Definition change is unsuitable.
        Contact IBM Service for further information.
    
    CSQX695I
    
        csect-name Cipher specifications based on the TLS v1.0
        protocol are enabled.
    Severity
        4
    Explanation
    
        Cipher specifications based on the TLS v1.0 protocol are
        enabled, and channels can be configured to use those cipher
        specifications.
    System action
    
        Processing continues.
    System programmer response
    
        If you need to use cipher specifications based on the
        TLS v1.0 protocol, then no action is required.
    
        If you do not need to use cipher specifications based on the
        TLS v1.0 protocol, see message CSQX694I for information on
        how to disable TLS v1.0.
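
The following audit sketch is an added example, not IBM code: it checks an exported copy of the channel initiator JCL for the 'TLS10OFF' and 'TLS10ON' DD cards and compares the result with the CSQX694I or CSQX695I message in the job log. The function names, the sample JCL and the sample log line are constructed, and reporting both DD cards together as a conflict is an assumption, because this APAR text does not state which one takes precedence.

```python
import re

# A DD statement is "//ddname DD ..."; lines starting "//*" are JCL comments.
DD_RE = re.compile(r"^//(?!\*)(\S+)\s+DD\b")
MSG_RE = re.compile(r"\b(CSQX69[45]I)\b")

# Constructed sample input (data set name and job log line are illustrative).
SAMPLE_JCL = """\
//PROCSTEP EXEC PGM=CSQXJST,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=HLQ.SCSQAUTH
//*TLS10ON DD DUMMY
//TLS10OFF DD DUMMY
"""
SAMPLE_LOG = ("CSQX694I csect-name Cipher specifications based on the "
              "TLS v1.0 protocol are disabled.\n")

def dd_names(jcl_text):
    """Return the DD names coded in the JCL, skipping //* comment lines."""
    names = set()
    for line in jcl_text.splitlines():
        match = DD_RE.match(line[:71])  # columns 72-80 are not statement text
        if match:
            names.add(match.group(1).upper())
    return names

def expected_tls10_state(jcl_text):
    """State the JCL asks for; TLS v1.0 stays on when neither DD is coded."""
    names = dd_names(jcl_text)
    if {"TLS10OFF", "TLS10ON"} <= names:
        return "conflict"  # assumption: no precedence rule is given, review by hand
    return "disabled" if "TLS10OFF" in names else "enabled"

def reported_tls10_state(joblog_text):
    """State from the last CSQX694I/CSQX695I in the job log, or None."""
    state = None
    for match in MSG_RE.finditer(joblog_text):
        state = "disabled" if match.group(1) == "CSQX694I" else "enabled"
    return state

def audit(jcl_text, joblog_text):
    """Compare what the JCL requests with what the channel initiator logged."""
    expected = expected_tls10_state(jcl_text)
    reported = reported_tls10_state(joblog_text)
    return {"expected": expected, "reported": reported,
            "consistent": expected == reported}

if __name__ == "__main__":
    print(audit(SAMPLE_JCL, SAMPLE_LOG))
```

A result with "consistent" set to False, or "reported" set to None, means the running channel initiator has not confirmed the state the JCL requests, for example because it has not been restarted since the DD card was added.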
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI95953

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-29

  • Closed date

    2019-10-25

  • Last modified date

    2019-10-25

  • APAR is sysrouted FROM one or more of the following:

    PI95952

  • APAR is sysrouted TO one or more of the following:

    UI56029 UI56030 UI56032 UI56034 UI56035 UI56036

Modules/Macros

  • CSQFXTXC CSQFXTXE CSQFXTXF CSQFXTXK CSQFXTXU CSQXCCIS CSQXGINI
    CSQXJST  CSQXRCML CSQXSSLI
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels


Document Information

Modified date:
25 October 2019