APAR status
Closed as program error.
Error description
A new attribute is required to allow TLS v1.0 to be optionally disabled on the queue manager.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
All users of IBM MQ v8 and v9 LTS

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
It was not possible to prevent the queue manager from accepting TLS 1.0 connections without enabling SUITEB mode, which was not desirable in some environments.
Problem conclusion
A new attribute is available in the qm.ini file, under the SSL stanza:

SSL:
   AllowTLSV1=NO

If this is set in the qm.ini before the queue manager is started, the queue manager will not accept inbound connections using the TLS v1.0 protocol. Similarly, if an LDAP connection is configured using an AUTHINFO object, only TLS 1.2 will be used to communicate with the LDAP server if secure communication is enabled for the AUTHINFO object.

Alternatively, the AMQ_TLS_V1_DISABLE environment variable can be set for the environment used to start the queue manager, listener, and channel processes.

If either property is set, as well as disallowing TLS 1.0 connection attempts at the network layer, the queue manager's command server will also reject attempts to define or alter a channel definition to use a TLS 1.0 CipherSpec.

The default queue manager behaviour is unchanged, such that TLS 1.0 connections continue to be accepted if the new attribute or environment variable is not set.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.9
v9.0 CD    9.0.5
v9.0 LTS   9.0.0.3

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
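A configuration audit for the two switches described above, as an added example that is not IBM's code. The function names are hypothetical, and the qm.ini layout it parses (a "Name:" stanza line followed by Key=Value lines, with '#' or ';' comment lines) is an assumption; because the APAR gives no required value for AMQ_TLS_V1_DISABLE, only its presence is checked.

```python
"""Audit a qm.ini for the TLS 1.0 switch described in this APAR (added example)."""
import os

# Constructed sample, not from a real queue manager. The AllowTLSV1 line under
# Log: is deliberately misplaced to show that only the SSL stanza counts.
SAMPLE_QM_INI = """\
# constructed sample
Log:
   LogPrimaryFiles=3
   AllowTLSV1=NO
SSL:
   AllowTLSV1=NO
"""

def parse_stanzas(text):
    """Return {stanza: {key: value}}; a repeated stanza name merges into one dict."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line (assumed syntax)
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def tls10_disabled(qm_ini_text, environ=None):
    """Return (disabled, reason). Matching is exact on the spellings the APAR
    gives, so a misspelt or misplaced attribute is reported as NOT disabled."""
    environ = os.environ if environ is None else environ
    if parse_stanzas(qm_ini_text).get("SSL", {}).get("AllowTLSV1") == "NO":
        return True, "qm.ini SSL stanza has AllowTLSV1=NO"
    # No required value is documented on this page, so presence alone is checked.
    if "AMQ_TLS_V1_DISABLE" in environ:
        return True, "AMQ_TLS_V1_DISABLE is set in the environment"
    return False, "neither setting found: default behaviour accepts TLS 1.0"

if __name__ == "__main__":
    print(tls10_disabled(SAMPLE_QM_INI, environ={}))
```

The result reflects the file and environment as they are now; per the text above, the qm.ini attribute only takes effect if it was in place before the queue manager was started, and the environment variable must be present in the environment that starts the queue manager, listener, and channel processes.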
Temporary fix
Comments
APAR Information
APAR number
IT23235
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7251
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-11-21
Closed date
2018-01-12
Last modified date
2018-01-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI95952
Fix information
Fixed component name
IBM MQ BASE MP
Fixed component ID
5724H7251
Applicable component levels
Document Information
Modified date:
18 January 2018