IBM Support

Change in behavior for channels using GCM based CipherSpecs



Customers running channels with GCM CipherSpecs might notice connections ending with error AMQ9288 after prolonged usage of the same session key.


Following a NIST recommendation, the default behavior for channels using GCM CipherSpecs has been changed. After sending 2^22 TLS records using the same session key, a channel will end with error AMQ9288.

This is because a security vulnerability within GCM CipherSpecs means prolonged usage of the same session keys results in a higher chance of an attacker calculating the session keys in use and gaining access to the secure communication.

To prevent a channel failing with error AMQ9288, you have two choices:

1) Enable Secret Key resets on the channel in order to renegotiate the session keys in use after a certain number of bytes have been sent through the channel.

2) Use a different CipherSpec on a channel that does not use GCM and is not affected by this vulnerability.

You can also set the environment variable "GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE" before starting an MQ QMGR or Client to disable this restriction.

Document information

More support for: WebSphere MQ

Software version:

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition: All Editions

Reference #: 1964105

Modified date: 04 November 2015