Customers running channels with GCM CipherSpecs might notice connections ending with error AMQ9288 after prolonged usage of the same session key.
This happens because of a security vulnerability in GCM CipherSpecs: the longer the same session keys are used, the higher the chance that an attacker can calculate the session keys in use and gain access to the secure communication.
To prevent a channel failing with error AMQ9288, you have two choices:
1) Enable Secret Key resets on the channel in order to renegotiate the session keys in use after a certain number of bytes have been sent through the channel.
2) Use a different CipherSpec on the channel, one that does not use GCM and is not affected by this vulnerability.
You can also set the environment variable "GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE" before starting an MQ QMGR or Client to disable this restriction.
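The two choices listed above, written as MQSC commands. This is an added example, not part of the original note: the channel name `EXAMPLE.CHANNEL`, the channel type, the byte count and the chosen CipherSpec are assumptions to be replaced with your own values.

```mqsc
* Added example; EXAMPLE.CHANNEL and the byte count are placeholders.

* Choice 1: renegotiate the secret key after this many bytes have been
* sent and received on a TLS channel. 0 (the default) means the key is
* never renegotiated.
ALTER QMGR SSLRKEYC(1048576)
DISPLAY QMGR SSLRKEYC

* MQI clients do not use the queue manager value. They set their own
* reset count, for example through the MQSSLRESET environment variable
* or the KeyResetCount field of the MQSCO structure.

* Choice 2: move the channel to a CipherSpec that does not use GCM.
* The partner end of the channel must be changed to the same CipherSpec.
ALTER CHANNEL(EXAMPLE.CHANNEL) CHLTYPE(SDR) +
      SSLCIPH(ECDHE_RSA_AES_256_CBC_SHA384)
DISPLAY CHANNEL(EXAMPLE.CHANNEL) SSLCIPH

* A changed SSLCIPH takes effect the next time the channel starts.
```

Run the commands with `runmqsc` on the queue manager at the initiating end of the channel, since that end starts the secret key reset.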
18 May 2020