IBM Support

PH33782: ADDRESS ISSUES WITH ENABLING NON-WEAK CIPHERSPECS USING THE TLS 1.0 PROTOCOL AND CSQX696I MESSAGE


APAR status

  • Closed as program error.

Error description

  • APAR raised to address issues with enabling non-weak
    CipherSpecs using the TLS 1.0 protocol.
    
    The CSQX696I message is being issued because some default
    behavior was changed in V9.2; as a result the message is normally
    issued on every startup.
    ADDITIONAL KEYWORDS
    TLS10ON TLS10OFF WCIPSOFF WCIPSON GSKDCIPS
    CSQXWEAK CSQXSSL3
    IBM Documentation General SSL/TLS Configuration Guidance
    https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q013000_.html
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 9       *
    *                 Release 2 Modification 0.                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: When using MQ with a Strong TLS 1.0     *
    *                      CipherSpec and DD card configuration    *
    *                      using TLS10ON, the channel would not    *
    *                      start.                                  *
    *                                                              *
    *                      When starting the CHINIT, a misleading  *
    *                      CSQX696I message occurred, even when    *
    *                      using CSQXWEAK DD card.                 *
    ****************************************************************
    Issue 1: Changes to CSQXGINI required that both TLS10ON and
    CSQXWEAK be specified before any TLS 1.0 ciphers could be
    enabled. (This should not be the case, since using TLS10ON on
    its own should enable "Strong" TLS 1.0 ciphers, e.g. 002F and
    0035.)
    
    Issue 2: The default behaviour of CSQXSSLI was changed to issue
    CSQX696I by default, unless the GSKDCIPS DD card was included.
    

Problem conclusion

  • CSQXGINI and CSQXSSLI have been updated to prevent these issues
    from occurring.
    
    The Knowledge Center has also been updated, to remove confusion
    regarding the effects of TLS10ON, CSQXWEAK, and CSQXSSL3 DD
    cards:
    
    ========== DOC Change for V920 Knowledge Center ===============
    
    The page "Deprecated CipherSpecs" for 9.2.0 will be modified:
    (https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q014265_.html)
    
    Home
    > IBM MQ 9.2.x
      > IBM MQ
        > Securing
          > Confidentiality of messages
            > Enabling CipherSpecs
              > Deprecated CipherSpecs
    
    Under "Enabling deprecated CipherSpecs on z/OS", change second
    bullet point FROM:
    "If you want to re-enable the use of weak CipherSpecs, you do so
    by adding a dummy data definition (DD) statement named CSQXWEAK
    to the channel initiator JCL; for example:"
    TO:
    "If you want to re-enable the use of weak CipherSpecs, you do so
    by adding a dummy data definition (DD) statement named CSQXWEAK
    to the channel initiator JCL. If specified on its own, this
    will only enable TLS 1.2 Weak CipherSpecs; for example:"
    
    Under "Enabling deprecated CipherSpecs on z/OS", change second
    bullet point FROM:
    "If you want to re-enable the use of SSLv3 CipherSpecs, you do
    so by also adding a dummy DD statement named CSQXSSL3 to the
    channel initiator JCL; for example:"
    TO:
    "If you want to re-enable the use of SSLv3 CipherSpecs, you do
    so by adding a dummy DD statement named CSQXSSL3 to the channel
    initiator JCL. Currently all SSLv3 CipherSpecs are considered
    Weak, so CSQXWEAK must also be specified:"
    
    Under "Enabling deprecated CipherSpecs on z/OS", change third
    bullet point FROM:
    "If you want to re-enable the deprecated TLS V1 protocol, you do
    so by also adding a dummy DD statement named TLS10ON (turn TLS
    V1.0 ON) to the channel initiator JCL; for example:"
    TO:
    "If you want to re-enable the deprecated TLS V1 CipherSpecs, you
    do so by adding a dummy DD statement named TLS10ON (turn TLS
    V1.0 ON) to the channel initiator JCL. If specified on its own,
    this will enable TLS 1.0 Strong CipherSpecs. Add this alongside
    CSQXWEAK to enable Weak TLS V1 CipherSpecs:"
    
    Under "Enabling deprecated CipherSpecs on z/OS", change fourth
    bullet point FROM:
    "If you want to explicitly turn off the deprecated TLS V1
    protocol, you do so by adding a dummy DD statement named
    TLS10OFF (turn TLS V1.0 OFF) to the channel initiator JCL; for
    example:"
    TO:
    "If you want to explicitly turn off the deprecated TLS V1
    CipherSpecs, you do so by adding a dummy DD statement named
    TLS10OFF (turn TLS V1.0 OFF) to the channel initiator JCL;
    for example:"
    
    
    
    ========== DOC Change for V920 Knowledge Center ===============
    
    The page "Message manager messages (CSQM...)" for 9.2.0 will be
    modified:
    (https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ref.doc/csq_m.html)
    
    Home
    > IBM MQ 9.2.x
      > IBM MQ
        > Reference
          > Messages
            > IBM MQ for z/OS messages, completion, and reason codes
              > Messages For IBM MQ for z/OS
                > Message manager messages (CSQM...)
    
    Under "CSQM102E", change "System programmer response", change
    paragraphs 2-5 FROM:
    "If you want to re-enable the use of weak CipherSpecs, you can
    do so by adding a dummy Data Definition (DD) statement named
    CSQXWEAK to the channel initiator JCL. For example:
    //CSQXWEAK DD DUMMY
    If you want to re-enable the disabled SSLv3 support in IBM MQ,
    you can do so by adding a dummy Data Definition (DD) statement
    named CSQXSSL3 to the channel initiator JCL. For example:
    //CSQXSSL3 DD DUMMY
    If you want to re-enable the disabled TLS 1.0 support in IBM MQ,
    you can do so by adding a dummy Data Definition (DD) statement
    named CSQXTLS1 to the channel initiator JCL. For example:
    //CSQXTLS1 DD DUMMY
    You need to specify the CSQXWEAK dummy DD statement, and the:
     -> CSQXSSL dummy DD statement, if you want to enable a weak SSL
    3.0-based CipherSpec.
     -> CSQXTLS dummy DD statement, if you want to enable a weak TLS
    1.0-based CipherSpec
     -> CSQXSSL and CSQXTLS dummy statements, if you want to enable
    both a weak SSL 3.0-based and TLS 1.0-based CipherSpec "
    TO:
    "If you want to re-enable the use of weak CipherSpecs, or
    CipherSpecs using a deprecated protocol, see "Enabling
    deprecated CipherSpecs on z/OS" on this page: Deprecated
    CipherSpecs"
    
    
    
    ========== DOC Change for V920 Knowledge Center ===============
    
    The page "Distributed queueing messages (CSQX...)" for 9.2.0
    will be modified:
    (https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ref.doc/csq_x.htm#csq_x__csqx671i)
    
    Home
    > IBM MQ 9.2.x
      > IBM MQ
        > Reference
          > Messages
            > IBM MQ for z/OS messages, completion, and reason codes
              > Messages For IBM MQ for z/OS
                > Distributed queueing messages (CSQX...)
    
    Under "CSQX616E", change "System programmer response", change
    paragraphs 3-5 FROM:
    "If you want to re-enable the use of weak CipherSpecs, you can
    do so by adding a dummy Data Definition (DD) statement named
    CSQXWEAK and one or both of the following data definitions to
    the channel initiator JCL. For example:
    //CSQXWEAK DD DUMMY
    If you want to re-enable the disabled SSLv3 support in IBM MQ,
    you can do so by adding a dummy DD statement named CSQXSSL3 to
    the channel initiator JCL. For example:
    //CSQXSSL3 DD DUMMY
    If you want to re-enable the disabled TLS 1.0 support in IBM MQ,
    you can do so by adding a dummy DD statement named TLS10ON to
    the channel initiator JCL. For example:
    //TLS10ON DD DUMMY"
    TO:
    "If you want to re-enable the use of weak CipherSpecs, or
    CipherSpecs using a deprecated protocol, see "Enabling
    deprecated CipherSpecs on z/OS" on this page: Deprecated
    CipherSpecs"
    
    Under "CSQX674E", change "System programmer response", change
    paragraphs 3-5 FROM:
    "If you want to re-enable the use of weak CipherSpecs, you can
    do so by adding a dummy Data Definition (DD) statement named
    CSQXWEAK and one or both of the following data definitions to
    the channel initiator JCL. For example:
    //CSQXWEAK DD DUMMY
    If you want to re-enable the disabled SSLv3 support in IBM MQ,
    you can do so by adding a dummy DD statement named CSQXSSL3 to
    the channel initiator JCL. For example:
    //CSQXSSL3 DD DUMMY
    If you want to re-enable the disabled TLS 1.0 support in IBM MQ,
    you can do so by adding a dummy DD statement named TLS10ON to
    the channel initiator JCL. For example:
    //TLS10ON DD DUMMY"
    TO:
    "If you want to re-enable the use of weak CipherSpecs, or
    CipherSpecs using a deprecated protocol, see "Enabling
    deprecated CipherSpecs on z/OS" on this page: Deprecated
    CipherSpecs"
    
    Under "CSQX690I", change "System programmer response", change
    paragraphs 2-4 FROM:
    "If you want to re-enable the use of weak CipherSpecs, you can
    do so by adding a dummy Data Definition (DD) statement named
    CSQWEAK to the channel initiator JCL. For example:
    //CSQWEAK DD DUMMY
    If you want to re-enable the disabled SSLv3 support in IBM MQ,
    you can do so by adding a dummy DD statement named CSQXSSL3 to
    the channel initiator JCL. For example:
    //CSQXSSL3 DD DUMMY
    You need to specify both of the preceding dummy DD statements,
    if you want to enable a weak SSLv3-based CipherSpec."
    TO:
    "If you want to re-enable the use of weak CipherSpecs, or
    CipherSpecs using a deprecated protocol, see "Enabling
    deprecated CipherSpecs on z/OS" on this page: Deprecated
    CipherSpecs"
    
    Under "CSQX692I", change "System programmer response", change
    paragraphs 2-4 FROM:
    "If you want to re-enable the use of weak CipherSpecs, you can
    do so by adding a dummy Data Definition (DD) statement named
    CSQWEAK to the channel initiator JCL. For example:
    //CSQWEAK DD DUMMY
    If you want to re-enable the disabled SSLv3 support in IBM MQ,
    you can do so by adding a dummy DD statement named CSQXSSL3 to
    the channel initiator JCL. For example:
    //CSQXSSL3 DD DUMMY
    You need to specify both of the preceding dummy DD statements,
    if you want to enable a weak SSLv3-based CipherSpec."
    TO:
    "If you want to re-enable the use of weak CipherSpecs, or
    CipherSpecs using a deprecated protocol, see "Enabling
    deprecated CipherSpecs on z/OS" on this page: Deprecated
    CipherSpecs"
    
    Under "CSQX694E", change "System programmer response", change
    paragraph 2 FROM:
    "If you want to re-enable the use of TLS V1.0 support in IBM MQ,
    you can do so by adding a dummy Data Definition (DD) statement
    named TLS10ON to the channel initiator JCL. For example:
    //TLS10ON DD DUMMY"
    TO:
    "If you want to re-enable the use of weak CipherSpecs, or
    CipherSpecs using a deprecated protocol, see "Enabling
    deprecated CipherSpecs on z/OS" on this page: Deprecated
    CipherSpecs"
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH33782

  • Reported component name

    IBM MQ Z/OS V9

  • Reported component ID

    5655MQ900

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-01-25

  • Closed date

    2022-09-22

  • Last modified date

    2022-09-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI74360

Modules/Macros

  • CSQXGINI CSQXSSLI
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V9

  • Fixed component ID

    5655MQ900

Applicable component levels


Document Information

Modified date:
22 September 2022