IBM Support

PI97549: MQ Z/OS: DISABLE CERTAIN CIPHERSPECS FROM BEING NEGOTIATED BY THE MQ LISTENER

A fix is available


APAR status

  • Closed as program error.

Error description

  • A third-party security scanner is flagging some TLS cipher
    specs because the listener allows them in a 3-way handshake,
    even though the channel is not allowed to complete its
    connection.
    
    For instance, these were flagged:
    x'003B'     TLS_RSA_WITH_NULL_SHA256
    x'C010'     TLS_ECDHE_RSA_WITH_NULL_SHA
    x'C011'     TLS_ECDHE_RSA_WITH_RC4_128_SHA
    x'C012'     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    
    Some that were flagged were taken care of by PI95953. Yet
    others can be removed from the list returned by System SSL for
    MQ's gsk_get_all_cipher_suites call: apply the z/OS APARs in
    the chart at
    https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.e0zm100/SSL_V2R2_ModifyConfigs_before_IPL.htm
    
    Additional Symptom(s) Search Keyword(s):
    SSL cipherspec SSLCIPH PCI
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM MQ for z/OS Version 8       *
    *                 Release 0 Modification 0                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: The ability to prevent weak or broken   *
    *                      cipher specifications from being        *
    *                      negotiated at the listener level is     *
    *                      required.                               *
    ****************************************************************
    The ability to prevent weak or broken cipher specifications from
    being negotiated at the listener level is required to ensure
    that current security requirements are met.
    

Problem conclusion

  • The ability to prevent weak or broken cipher specifications from
    being negotiated at the listener level has been added through
    the use of the DD card 'WCIPSOFF'.
    
    Additionally, with the use of the DD card 'GSKDCIPS', the
    ability to enable only the cipher specifications that System
    SSL has not marked as weak or broken has been added.
    
    The MQ documentation is updated to detail messages produced by
    this APAR.
    
    ========== DOC Change for V800 Knowledge Center ===============
    
    The page "com.ibm.mq.ref.doc/csq_x.htm" in the Knowledge Center
    for V800 will be updated:
    
    Home
    > IBM MQ 8.0.0
      > IBM MQ
        > Reference
          > Diagnostic messages
            > Messages and reason codes for z/OS
              > Messages
                > Distributed queuing messages (CSQX...)
    
    The following is added to document the new messages that are
    produced:
    
    CSQX697I
    
        csect-name Weak or broken SSL cipher specifications blocked
        by listener.
    Severity
        4
    Explanation
    
        Weak or broken SSL cipher specifications have been blocked
        by the listener. Consequently, you will not receive a
        successful SSL handshake with any cipher specification
        marked as either 'weak' or 'broken'.
    System action
    
        Processing continues.
    System programmer response
    
        If you do not want to be able to negotiate with the listener
        using weak or broken cipher specifications then you can
        disable them by adding a dummy Data Definition (DD)
        statement named 'WCIPSOFF' to the channel initiator JCL.
        For example:
    
        //WCIPSOFF DD DUMMY
    
        There are alternative mechanisms that can be used to achieve
        the same behavior if the Data Definition change is
        unsuitable. Contact IBM Service for further information.
    
    CSQX698I
    
        csect-name Listener will only negotiate System SSL default
        cipher specifications.
    Severity
        4
    Explanation
    
        The listener will only negotiate with cipher specifications
        that are listed by default on System SSL's default cipher
        specification list.
    System action
    
        Processing continues.
    System programmer response
    
        If you only want to be able to negotiate with the listener
        using the cipher specifications listed on System SSL's
        default cipher specification list, then you can enable this
        behavior by adding a dummy Data Definition (DD) statement
        named 'GSKDCIPS' to the channel initiator JCL. For example:
    
        //GSKDCIPS DD DUMMY
    
        There are alternative mechanisms that can be used to achieve
        the same behavior if the Data Definition change is
        unsuitable. Contact IBM Service for further information.
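The error description shows the scanner's finding as a list of x'nnnn' cipher suite values with their names, and the conclusion describes blocking weak or broken specs at the listener with the WCIPSOFF or GSKDCIPS DD card. The following script is an added example, not part of the APAR text and not IBM or System SSL code: it parses a cipher suite list in that layout and flags suites by name pattern, so a system programmer can re-check scanner output after the DD card change. The weak/broken reasons are this script's own heuristics and are not System SSL's classification, which the APAR does not reproduce; the two AES suites in the sample are constructed additions to the four suites the page lists.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input in the x'nnnn' NAME layout used in the error
# description: the four suites the scanner flagged, plus two AES suites
# added here (assumed acceptable) so the audit has something to keep.
SCANNER_OUTPUT = """\
x'003B'     TLS_RSA_WITH_NULL_SHA256
x'C010'     TLS_ECDHE_RSA_WITH_NULL_SHA
x'C011'     TLS_ECDHE_RSA_WITH_RC4_128_SHA
x'C012'     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
x'C02F'     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
x'0035'     TLS_RSA_WITH_AES_256_CBC_SHA
"""

# Name-pattern heuristics (assumption: this is NOT System SSL's own
# weak/broken list, which the APAR does not reproduce). First match wins.
RULES = [
    (re.compile(r"_WITH_NULL_"), "broken: NULL cipher gives no confidentiality"),
    (re.compile(r"_RC4_"), "broken: RC4 stream cipher"),
    (re.compile(r"_3DES_"), "weak: 3DES has a 64-bit block size"),
    (re.compile(r"_EXPORT"), "broken: export-grade key length"),
    (re.compile(r"_anon_", re.IGNORECASE), "broken: anonymous key exchange"),
    (re.compile(r"_MD5$"), "weak: MD5 MAC"),
]

# One scanner line: x'<4 hex digits>' followed by the suite name.
LINE_RE = re.compile(r"^x'([0-9A-Fa-f]{4})'\s+(\S+)$")


class Suite(NamedTuple):
    code: int   # two-byte cipher suite value, e.g. 0xC012
    name: str   # IANA-style suite name


def parse_suites(text: str) -> list:
    """Parse lines of the form x'C012'  TLS_..., skipping anything else."""
    suites = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            suites.append(Suite(int(m.group(1), 16), m.group(2)))
    return suites


def classify(suite: Suite) -> Optional[str]:
    """Return a reason string if the suite looks weak or broken, else None."""
    for pattern, reason in RULES:
        if pattern.search(suite.name):
            return reason
    return None


def audit(text: str):
    """Split parsed suites into (flagged with reason, acceptable)."""
    flagged, acceptable = [], []
    for suite in parse_suites(text):
        reason = classify(suite)
        if reason is None:
            acceptable.append(suite)
        else:
            flagged.append((suite, reason))
    return flagged, acceptable


if __name__ == "__main__":
    flagged, acceptable = audit(SCANNER_OUTPUT)
    for suite, reason in flagged:
        print(f"FLAG  x'{suite.code:04X}'  {suite.name:<40} {reason}")
    for suite in acceptable:
        print(f"ok    x'{suite.code:04X}'  {suite.name}")
```

Run it against the suite list a scanner reports after WCIPSOFF (or GSKDCIPS) is in the channel initiator JCL and the PTF is applied; any line still printed as FLAG is a suite that completed a handshake and needs a closer look, either in the listener configuration or in the z/OS System SSL level per the chart the error description links to.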
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI97549

  • Reported component name

    IBM MQ Z/OS V8

  • Reported component ID

    5655W9700

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-05-03

  • Closed date

    2018-05-29

  • Last modified date

    2019-03-14

  • APAR is sysrouted FROM one or more of the following:

    PI97243

  • APAR is sysrouted TO one or more of the following:

    UI56135 UI56136 UI56137 UI56138 UI56139 UI56140

Modules/Macros

  • CSQFXTXC CSQFXTXE CSQFXTXF CSQFXTXK CSQFXTXU CSQXGINI CSQXJST
    CSQXSSLI
    

Fix information

  • Fixed component name

    IBM MQ Z/OS V8

  • Fixed component ID

    5655W9700

Applicable component levels

  • R000 PSY UI56135

       UP18/06/12 P F806 &

  • R001 PSY UI56136

       UP18/06/12 P F806 &

  • R002 PSY UI56137

       UP18/06/12 P F806 &

  • R003 PSY UI56138

       UP18/06/12 P F806 &

  • R004 PSY UI56139

       UP18/06/12 P F806 &

  • R005 PSY UI56140

       UP18/06/12 P F806 &

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
14 March 2019