A fix is available
APAR status
Closed as program error.
Error description
A third party security scanner is flagging some TLS cipher specs for being allowed in a 3-way handshake even though the channel is not allowed to complete its connection. For instance, these were flagged:

x'003B' TLS_RSA_WITH_NULL_SHA256
x'C010' TLS_ECDHE_RSA_WITH_NULL_SHA
x'C011' TLS_ECDHE_RSA_WITH_RC4_128_SHA
x'C012' TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Some that were flagged were taken care of by PI95953. Yet others can be removed from the list returned by System SSL for MQ's gsk_get_all_cipher_suites call: apply the z/OS APARs in the chart at https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.e0zm100/SSL_V2R2_ModifyConfigs_before_IPL.htm

Additional Symptom(s) Search Keyword(s): SSL cipherspec SSLCIPH PCI
Local fix
N/A
Problem summary
USERS AFFECTED: All users of IBM MQ for z/OS Version 8 Release 0 Modification 0
PROBLEM DESCRIPTION: The ability to prevent weak or broken cipher specifications from being negotiated at the listener level is required.

The ability to prevent weak or broken cipher specifications from being negotiated at the listener level is required to ensure that current security requirements are met.
Problem conclusion
The ability to prevent weak or broken cipher specifications from being negotiated at the listener level has been added through the use of the DD card 'WCIPSOFF'. Additionally, with the use of the DD card 'GSKDCIPS', the ability to enable only the cipher specifications that System SSL has not marked as weak or broken has been added. The MQ documentation is updated to detail the messages produced by this APAR.

========== DOC Change for V800 Knowledge Center ===============

The page "com.ibm.mq.ref.doc/csq_x.htm" in the Knowledge Center for V800 will be updated: Home > IBM MQ 8.0.0 > IBM MQ > Reference > Diagnostic messages > Messages and reason codes for z/OS > Messages > Distributed queuing messages (CSQX...)

The following is added to document the new messages that are produced:

CSQX697I csect-name Weak or broken SSL cipher specifications blocked by listener.
Severity: 4
Explanation: Weak or broken SSL cipher specifications have been blocked by the listener. Consequently you will not receive a successful SSL handshake with any cipher specifications marked as either 'weak' or 'broken'.
System action: Processing continues.
System programmer response: If you do not want to be able to negotiate with the listener using weak or broken cipher specifications then you can disable them by adding a dummy Data Definition (DD) statement named 'WCIPSOFF' to the channel initiator JCL. For example:
//WCIPSOFF DD DUMMY
There are alternative mechanisms that can be used to achieve the same behavior if the Data Definition change is unsuitable. Contact IBM Service for further information.

CSQX698I csect-name Listener will only negotiate System SSL default cipher specifications.
Severity: 4
Explanation: The listener will only negotiate with cipher specifications that are listed by default on System SSL's default cipher specification list.
System action: Processing continues.
System programmer response: If you only want to be able to negotiate with the listener using the cipher specifications listed on System SSL's default cipher specification list then you can enable this behavior by adding a dummy Data Definition (DD) statement named 'GSKDCIPS' to the channel initiator JCL. For example:
//GSKDCIPS DD DUMMY
There are alternative mechanisms that can be used to achieve the same behavior if the Data Definition change is unsuitable. Contact IBM Service for further information.
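The following is an added illustration, not IBM code from this APAR: it parses a scanner-style list of cipher specs (hex ID plus name, as in the error description above) and separates the specs a WCIPSOFF-style block would refuse from those the listener would still negotiate. The weak/broken markers and the sample report are assumptions, since the APAR does not publish System SSL's own classification.

```python
import re

# Constructed sample in the scanner's format: the four specs named in this APAR
# plus two strong suites so the filter has something to keep.
SCANNER_REPORT = """
x'003B' TLS_RSA_WITH_NULL_SHA256
x'C010' TLS_ECDHE_RSA_WITH_NULL_SHA
x'C011' TLS_ECDHE_RSA_WITH_RC4_128_SHA
x'C012' TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
x'C027' TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
x'C030' TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

# Assumption: name fragments that mark a spec as weak or broken. This mirrors what
# the scanner flagged (NULL, RC4, 3DES) and adds the usual export/DES/MD5 cases;
# it is not System SSL's list.
BROKEN_MARKERS = ("_NULL_", "_RC4_", "_EXPORT", "_DES_", "_3DES_", "_MD5")

# One line per spec: x'HHHH' followed by the IANA-style suite name.
SPEC_RE = re.compile(r"x'([0-9A-Fa-f]{4})'\s+(\S+)")


def parse_specs(report):
    """Return a list of (hex_id, name) tuples from scanner-style lines."""
    return [(m.group(1).upper(), m.group(2)) for m in SPEC_RE.finditer(report)]


def is_weak_or_broken(name):
    """True if the suite name carries any of the assumed weak/broken markers."""
    return any(marker in name for marker in BROKEN_MARKERS)


def split_specs(report, block_weak=True):
    """Model the listener: with block_weak (WCIPSOFF present) weak/broken specs
    are refused; without it every spec the scanner saw is still negotiable."""
    allowed, blocked = [], []
    for hex_id, name in parse_specs(report):
        target = blocked if block_weak and is_weak_or_broken(name) else allowed
        target.append((hex_id, name))
    return allowed, blocked


if __name__ == "__main__":
    ok, bad = split_specs(SCANNER_REPORT)
    for hex_id, name in bad:
        print(f"blocked  x'{hex_id}' {name}")
    for hex_id, name in ok:
        print(f"allowed  x'{hex_id}' {name}")
```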
Temporary fix
Comments
APAR Information
APAR number
PI97549
Reported component name
IBM MQ Z/OS V8
Reported component ID
5655W9700
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-05-03
Closed date
2018-05-29
Last modified date
2019-03-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI56135 UI56136 UI56137 UI56138 UI56139 UI56140
Modules/Macros
CSQFXTXC CSQFXTXE CSQFXTXF CSQFXTXK CSQFXTXU CSQXGINI CSQXJST CSQXSSLI
Fix information
Fixed component name
IBM MQ Z/OS V8
Fixed component ID
5655W9700
Applicable component levels
R000 PSY UI56135 UP18/06/12 P F806 &
R001 PSY UI56136 UP18/06/12 P F806 &
R002 PSY UI56137 UP18/06/12 P F806 &
R003 PSY UI56138 UP18/06/12 P F806 &
R004 PSY UI56139 UP18/06/12 P F806 &
R005 PSY UI56140 UP18/06/12 P F806 &
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
14 March 2019