IBM Support

IT23235: New qm.ini parameter to disable TLS v1.0 connections for queue manager


APAR status

  • Closed as program error.

Error description

  • A new attribute is required to allow TLS v1.0 to be optionally
    disabled on the queue manager
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of IBM MQ v8 and v9 LTS
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    It was not possible to prevent the queue manager from accepting
    TLS 1.0 connections without enabling SUITEB mode, which was not
    desirable in some environments.
    

Problem conclusion

  • A new attribute is available in the qm.ini file, under the SSL
    stanza:
    
    SSL:
       AllowTLSV1=NO
    
    If this is set in the qm.ini before the queue manager is
    started, the queue manager will not accept inbound connections
    using the TLS v1.0 protocol. Similarly, if an LDAP connection is
    configured using an AUTHINFO object, only TLS 1.2 will be used
    to communicate with the LDAP server if secure communication is
    enabled for the AUTHINFO object.
    
    Alternatively, the AMQ_TLS_V1_DISABLE environment variable can
    be set for the environment used to start the queue manager,
    listener, and channel processes.
    
    If either property is set, as well as disallowing TLS 1.0
    connection attempts at the network layer, the queue manager's
    command server will also reject attempts to define or alter a
    channel definition to use a TLS 1.0 CipherSpec.
    
    
    The default queue manager behaviour is unchanged, such that TLS
    1.0 connections continue to be accepted if the new attribute or
    environment variable is not set.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.9
    v9.0 CD    9.0.5
    v9.0 LTS   9.0.0.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
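
A configuration audit for the two switches described above, as an added example that is not part of the APAR or of IBM MQ. The function names, the sample qm.ini text and the presence-only test for AMQ_TLS_V1_DISABLE are assumptions made for illustration; the APAR does not state a value for the variable.

```python
# Added example: audit qm.ini text for the IT23235 switch. Samples are constructed.

def find_attribute(qm_ini_text, attribute):
    """Return [(stanza, value), ...] for every occurrence of `attribute`."""
    hits, stanza = [], None
    for raw in qm_ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank, or treated here as a comment
            continue
        if line.endswith(":") and "=" not in line:
            stanza = line[:-1].strip()     # stanza header such as "SSL:"
        elif "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == attribute:
                hits.append((stanza, value.strip()))
    return hits


def audit_tls10(qm_ini_text, start_env):
    """Return (tls10_disabled, reason).

    start_env must be the environment used to start the queue manager,
    listener and channel processes, which may differ from this script's.
    """
    hits = find_attribute(qm_ini_text, "AllowTLSV1")
    # Conservative: only the exact form shown in the APAR counts as set.
    if ("SSL", "NO") in hits:
        return True, "AllowTLSV1=NO in SSL stanza"
    # Assumption: presence of the variable is enough; the APAR names no value.
    if "AMQ_TLS_V1_DISABLE" in start_env:
        return True, "AMQ_TLS_V1_DISABLE set"
    misplaced = sorted({s or "(none)" for s, _ in hits if s != "SSL"})
    if misplaced:
        return False, "AllowTLSV1 outside SSL stanza: " + ", ".join(misplaced)
    if hits:
        return False, "AllowTLSV1 in SSL stanza is not NO"
    return False, "neither switch set; default accepts TLS 1.0"


# Constructed samples, not taken from a real queue manager.
SAMPLE_SET = "Log:\n   LogPrimaryFiles=3\nSSL:\n   AllowTLSV1=NO\n"
SAMPLE_MISPLACED = "Channels:\n   AllowTLSV1=NO\nSSL:\n"

if __name__ == "__main__":
    for name, text in (("set", SAMPLE_SET), ("misplaced", SAMPLE_MISPLACED)):
        print(name, audit_tls10(text, {}))
```

The misplaced case is the one worth alerting on: the attribute is present in the file, but not under the SSL stanza where the APAR says it belongs, so the audit reports TLS 1.0 as still accepted.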
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT23235

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-11-21

  • Closed date

    2018-01-12

  • Last modified date

    2018-01-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI95952

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7251

Applicable component levels


Document Information

Modified date:
18 January 2018