APAR status
Closed as documentation error.
Error description
A connection from the WebSphere MQ V7 Explorer to a queue manager cannot be secured using the cipher spec TLS_RSA_WITH_AES_256_CBC_SHA. Attempting to do so leads to the error:

  Queue manager QM1 is not available for client connection due to an SSL configuration error. (AMQ4199)

with an accompanying error in the queue manager error log:

  AMQ9665: SSL connection closed by remote end of channel '????'

A trace of the Explorer taken at the time will show the following:

  RemoteTCPConnection.parseCipherSpec(String)() rc=0 [0x26ca26ca]
  Exception caught [idx=2]: java.lang.IllegalArgumentException: Cannot support SSL_RSA_WITH_AES_256_CBC_SHA with currently installed providers or cipher suite is not legal in FIPS mode.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects all users attempting to secure a connection from the WebSphere MQ V7 Explorer to a queue manager using the cipher spec TLS_RSA_WITH_AES_256_CBC_SHA.

Platforms affected:
All Distributed (iSeries, all Unix and Windows) +Java
****************************************************************
PROBLEM SUMMARY:
The Java Runtime Environment (JRE) shipped with the Explorer does not ship the unrestricted policy files needed for 256 bit encryption, and so this level of encryption cannot be used to connect from the Explorer to a remote queue manager unless the unrestricted policy files are added to the JRE used by the Explorer.
Problem conclusion
The cipher spec TLS_RSA_WITH_AES_256_CBC_SHA cannot be used to secure a connection from the Explorer to a queue manager unless the unrestricted policy files are added to the JRE used by the Explorer. References to this cipher spec in the documentation should make a note of this fact.

The supported list of cipher specs can be found in the following sections of the WebSphere MQ V7 InfoCenter:

Using Java
 -> WebSphere MQ Classes for Java
  --> Writing WebSphere MQ Classes for Java applications
   ---> Secure Sockets Layer (SSL) support
    ----> SSL Cipher Specs and Cipher Suites

Using Java
 -> WebSphere MQ Classes for JMS
  --> Writing applications
   ---> Accessing WebSphere MQ features
    ----> Using Secure Sockets Layer (SSL)
     -----> SSL Cipher Specs and Cipher Suites

Security
 -> Working with WebSphere MQ TLS and SSL support
  --> Working with Cipher Specs
   ---> Specifying Cipher Specs

The policy files can be accessed from http://www.ibm.com/developerworks/java/jdk/security/50 and are also available in the gskit/jre/lib/security directory of the MQ Server install.
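
One way to confirm whether a given JRE is limited by the restricted policy files described above is to run a small check with that JRE's own java executable. This is an added example, not IBM code; the class name Aes256PolicyCheck is hypothetical, and it assumes you run it with the JRE that the Explorer uses.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

public class Aes256PolicyCheck {
    // The cipher spec in this APAR maps to a suite that the trace above names with
    // an SSL_ prefix; other JREs name the same suite with a TLS_ prefix.
    static final List<String> SUITE_NAMES = Arrays.asList(
            "SSL_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA");

    /** True when the installed policy files allow AES keys of 256 bits or more. */
    static boolean policyAllowsAes256() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Name under which the default TLS provider offers the suite, or null if absent. */
    static String supportedSuiteName() throws NoSuchAlgorithmException {
        List<String> supported = Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
        for (String name : SUITE_NAMES) {
            if (supported.contains(name)) {
                return name;
            }
        }
        return null;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // java.home shows which JRE was actually tested.
        System.out.println("java.home            : " + System.getProperty("java.home"));
        System.out.println("Max AES key length   : " + Cipher.getMaxAllowedKeyLength("AES"));
        String suite = supportedSuiteName();
        System.out.println("AES-256 suite offered: " + (suite != null ? suite : "none"));
        if (!policyAllowsAes256() || suite == null) {
            System.out.println("RESULT: this JRE cannot negotiate the cipher spec; "
                    + "check the policy files in lib/security under java.home.");
            System.exit(1);
        }
        System.out.println("RESULT: this JRE can use the AES-256 cipher spec.");
    }
}
```

A maximum AES key length of 128 indicates the restricted policy files are in place; after the unrestricted files are added, the same check reports a larger limit and exits with status 0.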
Temporary fix
Comments
APAR Information
APAR number
IC61490
Reported component name
WMQ WINDOWS V7
Reported component ID
5724H7220
Reported release
700
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-06-12
Closed date
2009-06-30
Last modified date
2011-05-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
31 March 2023