IBM Support

IT06775: WEBSPHERE MQ JAVA/JMS CLIENT CIPHERSUITE TO CIPERSPEC MAPPING MAY HAVE MULTIPLE CHOICES

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • To configure a WebSphere MQ classes for Java/JMS application to
    connect to a queue manager over a secure socket, the application
    selects a specific CipherSuite to use.
    
    However the specific CipherSuites which was selected maps to
    multiple CipherSpecs. The WebSphere MQ classes for Java/JMS API
    provides no mechanism by which the specific CipherSpec which is
    negotiated between the application and queue manager can be
    chosen.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This affect users of WebSphere MQ classes for Java/JMS, at
    versions 7.0.1, 7.1 and 7.5 trying to use the following
    CipherSuite -> CipherSpec mappings:
    
    CipherSuite CipherSpec
    ----------- ----------
    SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA
    SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_SHA256
    
    when the JVM is not operating in FIPS mode.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The CipherSuites in the list above can each be used to map with
    2 different queue manager CipherSpecs - one which utilises the
    SSLv3 protocol, and one the TLS protocol.
    
    The WebSphere MQ Classes for Java/JMS configuration only
    permitted the mapping to the CipherSpec which utilised the TLS
    mapping if the JVM FIPS mode was enabled, despite this not being
    a prerequisite for these ciphers.
    

Problem conclusion

  • The WebSphere MQ classes for Java/JMS have been updated, such
    that the TLS usage mapping for the above
    CipherSuites/CipherSpecs can now be used if the JVM property:
    
        com.ibm.mq.cfg.preferTLS
    
    is set to true.
    
    
    For example, to set this property for the application
    "MyApplication" started from the command line, you would use the
    following syntax:
    
    java -Dcom.ibm.mq.cfg.preferTLS=true MyApplication
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.1.13
    v7.1       7.1.0.7
    v7.5       7.5.0.5
    v8.0       8.0.0.2
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT06775

  • Reported component name

    WMQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-01-27

  • Closed date

    2015-04-27

  • Last modified date

    2015-08-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels

  • R701 PSY

       UP



Document information

More support for: WebSphere MQ
APAR / Maintenance

Software version: 7.0.1

Reference #: IT06775

Modified date: 26 August 2015


Translate this page: