IBM Support

Change in behavior for channels using GCM based CipherSpecs.



Customers running channels with GCM CipherSpecs might notice connections ending with error AMQ9288 after prolonged usage of the same session key.


Following an NIST recommendation, the default behavior for channels using GCM CipherSpecs has been changed. After sending 2^32 TLS records using the same session key, a channel will end with error AMQ9288.

This is because a security vulnerability within GCM CipherSpecs means prolonged usage of the same session keys results in a higher chance of an attacker calculating the session keys in use and gaining access to the secure communication.

To prevent a channel failing with error AMQ9288, you have two choices:

1) Enable Secret Key resets on the channel in order to renegotiate the session keys in use after a certain number of bytes have been sent through the channel.

2) Use a different CipherSpec on a channel that does not use GCM and is not affected by this vulnerability.

You can also set the environment variable "GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE" before starting an MQ QMGR or Client to disable this restriction.

[{"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"SSL","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
18 May 2020