IBM Support

IV66840: WMQ V7 JAVA/JMS: ADD SUPPORT FOR SELECTED TLS CIPHERSPECS WHEN RUNNING IN NON-IBM JAVA RUNTIME ENVIRONMENT


APAR status

  • Closed as program error.

Error description

  • This APAR adds new function to allow users of non-IBM Java
    runtime environments to make use of TLS CipherSuites.
    
    For a full list of CipherSuite to CipherSpec mappings supported
    by MQ consult the appropriate MQ Knowledge Center.
    
    The following WebSphere MQ CipherSuite to CipherSpec mappings
    have been enabled by this APAR for WebSphere MQ v7.0.1, v7.1
    and v7.5:
    
    CipherSuite:                    CipherSpec:
    
    SSL_RSA_WITH_DES_CBC_SHA        TLS_RSA_WITH_DES_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA   TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA    TLS_RSA_WITH_AES_256_CBC_SHA
    
    The following WebSphere MQ CipherSuite to CipherSpec mappings
    have been enabled by this APAR for WebSphere MQ v7.1 and v7.5
    where the classes for Java and classes for JMS support SHA-2:
    
    
    TLS_RSA_WITH_NULL_SHA256        TLS_RSA_WITH_NULL_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
    
    
    The following WebSphere MQ CipherSuite to CipherSpec mappings
    have been enabled by this APAR for WebSphere MQ v8:
    
    CipherSuite -->
    CipherSpec
    
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA -->
    ECDHE_ECDSA_3DES_EDE_CBC_SHA256
    
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -->
    ECDHE_ECDSA_AES_128_CBC_SHA256
    
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -->
    ECDHE_ECDSA_AES_128_GCM_SHA256
    
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 -->
    ECDHE_ECDSA_AES_256_CBC_SHA384
    
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -->
    ECDHE_ECDSA_AES_256_GCM_SHA384
    
    TLS_ECDHE_ECDSA_WITH_NULL_SHA -->
    ECDHE_ECDSA_NULL_SHA256
    
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA -->
    ECDHE_ECDSA_RC4_128_SHA256
    
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -->
    ECDHE_RSA_3DES_EDE_CBC_SHA256
    
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -->
    ECDHE_RSA_AES_128_CBC_SHA256
    
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -->
    ECDHE_RSA_AES_128_GCM_SHA256
    
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  -->
    ECDHE_RSA_AES_256_CBC_SHA384
    
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -->
    ECDHE_RSA_AES_256_GCM_SHA384
    
    TLS_ECDHE_RSA_WITH_NULL_SHA -->
    ECDHE_RSA_NULL_SHA256
    
    TLS_ECDHE_RSA_WITH_RC4_128_SHA -->
    ECDHE_RSA_RC4_128_SHA256
    
    SSL_RSA_WITH_3DES_EDE_CBC_SHA -->
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    
    TLS_RSA_WITH_AES_128_CBC_SHA -->
    TLS_RSA_WITH_AES_128_CBC_SHA
    
    TLS_RSA_WITH_AES_128_CBC_SHA256 -->
    TLS_RSA_WITH_AES_128_CBC_SHA256
    
    TLS_RSA_WITH_AES_128_GCM_SHA256 -->
    TLS_RSA_WITH_AES_128_GCM_SHA256
    
    TLS_RSA_WITH_AES_256_CBC_SHA -->
    TLS_RSA_WITH_AES_256_CBC_SHA
    
    TLS_RSA_WITH_AES_256_CBC_SHA256 -->
    TLS_RSA_WITH_AES_256_CBC_SHA256
    
    TLS_RSA_WITH_AES_256_GCM_SHA384 -->
    TLS_RSA_WITH_AES_256_GCM_SHA384
    
    SSL_RSA_WITH_DES_CBC_SHA -->
    TLS_RSA_WITH_DES_CBC_SHA
    
    TLS_RSA_WITH_NULL_SHA256 -->
    TLS_RSA_WITH_NULL_SHA256
    
    SSL_RSA_WITH_RC4_128_SHA -->
    TLS_RSA_WITH_RC4_128_SHA256
    
    
    
    Due to import regulations in some countries, some JRE
    providers supply default cryptographic jurisdiction policy
    files that limit the strength of cryptographic algorithms, for
    example cipher suites that use AES_256.  To use these
    restricted cipher suites, installation of the JCE Unlimited
    Strength Jurisdiction Policy files is required.
    
    If your JRE does not ship these files by default, please obtain
    the unlimited strength policy files from your JRE vendor.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of non-IBM runtime environments, such
    as Oracle, who are trying to use TLS ciphers to secure the
    connections between a WebSphere MQ classes for Java or WebSphere
    MQ classes for JMS application and a WebSphere MQ queue manager.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    Although the WebSphere MQ Knowledge Centre contained a list of
    CipherSuite to CipherSpec mappings for both the SSL and TLS
    protocols, only the SSL protocol CipherSuites could be used in
    non-IBM Java runtime environments, such as Oracle.
    

Problem conclusion

  • WebSphere MQ classes for Java or classes for JMS clients running
    in non-IBM Java runtime environments, such as Oracle, can now
    use the TLS CipherSuite to CipherSpec mappings as detailed in
    the mappings table relevant to the version of the client in use.
    
    To enable these non-default mappings for non-IBM runtime
    environments, the following Java System Property:
    
      com.ibm.mq.cfg.useIBMCipherMappings
    
    must be set to the value:
    
      false
    
    For example, this can be configured by using the JVM argument:
    
      -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.1.13
    v7.1       7.1.0.7
    v7.5       7.5.0.5
    v8.0       8.0.0.2
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
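
Added example (not IBM's code and not part of this APAR): a JDK-only preflight check, run in the same non-IBM JRE as the client, that confirms the system property above is set, that the JRE's TLS provider supports the chosen CipherSuite, and that the jurisdiction policy files permit AES_256. The class name and the default suite are illustrative assumptions.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Run in the client's JRE, e.g.:
//   java -Dcom.ibm.mq.cfg.useIBMCipherMappings=false MqCipherPreflight <CipherSuite>
public class MqCipherPreflight {
    // Property name and value come from this APAR.
    static final String PROP = "com.ibm.mq.cfg.useIBMCipherMappings";

    // True only when the property carries the literal value the APAR specifies.
    static boolean mappingsPropertySet() {
        return "false".equals(System.getProperty(PROP));
    }

    // True when the JRE's default TLS provider implements the named CipherSuite.
    static boolean suiteSupported(String suite) throws Exception {
        String[] supported =
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        return Arrays.asList(supported).contains(suite);
    }

    // True unless the suite needs AES_256 and the policy files cap AES below 256 bits.
    static boolean policyAllows(String suite) throws Exception {
        return !suite.contains("AES_256") || Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        // Default suite is an illustrative choice from the mapping tables above.
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA256";
        boolean prop = mappingsPropertySet();
        boolean supported = suiteSupported(suite);
        boolean policy = policyAllows(suite);
        System.out.println(PROP + "=false set: " + prop);
        System.out.println("JRE supports " + suite + ": " + supported);
        System.out.println("Policy permits required key length: " + policy);
        if (suite.contains("_NULL_")) {
            System.out.println("Note: NULL suites authenticate but do not encrypt traffic.");
        }
        // Non-zero exit lets a deployment script stop before the client starts.
        System.exit(prop && supported && policy ? 0 : 1);
    }
}
```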
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV66840

  • Reported component name

    WMQ LIN X86 V7

  • Reported component ID

    5724H7224

  • Reported release

    701

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-11-12

  • Closed date

    2015-02-03

  • Last modified date

    2015-12-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ LIN X86 V7

  • Fixed component ID

    5724H7224

Applicable component levels


Document Information

Modified date:
08 March 2021