IBM Support

SE73841: MQ TLS channel failure at IBM i V7.4


APAR status

  • Closed as program error.

Error description

  • MQ TLS channel fails when TLS v1.3 is enabled on IBM i v7.4.
    If the sender and receiver channels are running on IBM i v7.4
    with TLS 1.3 enabled, the MQ channel fails the SSL/TLS
    handshake.
    The sender channel logs
    AMQ9002I: Channel 'RCH740.RCH740B' is starting, immediately
    followed by
    AMQ9001I: Channel 'RCH740.RCH740B' ended normally
    
    MQ receiver channel side logs
    AMQ9638E: SSL communications error for channel '????'
    AMQ9999E: Channel '????' to host ended abnormally.
    
    The handshake data shows record-level TLS 1.3 with Client
    Hello/Server Hello at version 1.2. The Client Hello contains a
    list of ciphers instead of the expected specific cipher listed
    in the sender channel cipherspec parameter.
    

Local fix

  • Disable TLSv1.3 in system value QSSLPCL on the IBM i.
    Reminder: this change is system-wide and also disables TLS v1.3
    for other applications.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    MQ users who attempt to use SSL/TLS enabled channels on a system
    which has TLS 1.3 enabled
    
    
    Platforms affected:
    IBM iSeries
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    Even though a non-TLS 1.3 cipher is enabled on the channel, the
    system may choose an equivalent TLS 1.3 cipher to be used
    instead. This results in the channel not starting because of an
    invalid cipher that MQ is unaware of.
    

Problem conclusion

  • MQ code has been changed to disable the TLS 1.3 protocol during
    SSL/TLS handshake so that only the configured cipher is used for
    the connection.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.0 LTS   9.0.0.11
    v9.1 LTS   9.1.0.7
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
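
One way to confirm the handshake symptom from the error description, and to verify after the PTF that only the configured cipher is offered, is to parse a captured Client Hello. This is an added example, not IBM's code: the sample bytes are constructed, suite ID 0x003C stands in for whatever suite the channel's cipherspec maps to, and the parser assumes an unfragmented Client Hello in a single record.

```python
import struct

TLS13 = 0x0304

def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "big")

def build_client_hello(suites, versions=()):
    """Constructed sample: one TLS record holding a minimal ClientHello."""
    ext = b""
    if versions:
        vl = b"".join(v.to_bytes(2, "big") for v in versions)
        ext = struct.pack("!HHB", 43, len(vl) + 1, len(vl)) + vl
    sl = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(sl)) + sl
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (legacy_version, cipher_suites, supported_versions)."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    legacy = u16(rec, 9)                    # after record + handshake headers
    p = 9 + 2 + 32                          # skip legacy_version and random
    p += 1 + rec[p]                         # skip session_id
    n = u16(rec, p)
    suites = [u16(rec, p + 2 + i) for i in range(0, n, 2)]
    p += 2 + n
    p += 1 + rec[p]                         # skip compression methods
    versions, end = [], p + 2 + u16(rec, p)
    p += 2
    while p + 4 <= min(end, len(rec)):
        etype, elen = u16(rec, p), u16(rec, p + 2)
        if etype == 43:                     # supported_versions extension
            versions = [u16(rec, p + 5 + i) for i in range(0, rec[p + 4], 2)]
        p += 4 + elen
    return legacy, suites, versions

def check(rec, configured_suite):
    """Findings that contradict 'only the configured cipher, no TLS 1.3'."""
    _, suites, versions = parse_client_hello(rec)
    findings = []
    if TLS13 in versions:
        findings.append("TLS 1.3 offered in supported_versions")
    if suites != [configured_suite]:
        findings.append("offered suites: " + ",".join(f"0x{s:04X}" for s in suites))
    return findings
```

An empty result from `check` means the Client Hello offers exactly the configured suite and no TLS 1.3, which is the behaviour the fix describes.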
    

Temporary fix

Comments

APAR Information

  • APAR number

    SE73841

  • Reported component name

    IBM MQ ISERIES

  • Reported component ID

    5724H7274

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-06-16

  • Closed date

    2020-07-14

  • Last modified date

    2020-12-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ ISERIES

  • Fixed component ID

    5724H7274

Applicable component levels


Document Information

Modified date:
05 December 2020