Change in behavior for channels using GCM based CipherSpecs
Customers running channels with GCM CipherSpecs might notice connections ending with error AMQ9288 after prolonged usage of the same session key.
Following a NIST recommendation, the default behavior for channels using GCM CipherSpecs has been changed. After sending 2^22 TLS records using the same session key, a channel will end with error AMQ9288.
This is because a security vulnerability within GCM CipherSpecs means prolonged usage of the same session keys results in a higher chance of an attacker calculating the session keys in use and gaining access to the secure communication.
To prevent a channel failing with error AMQ9288, you have two choices:
1) Enable Secret Key resets on the channel in order to renegotiate the session keys in use after a certain number of bytes have been sent through the channel.
2) Use a different CipherSpec on a channel that does not use GCM and is not affected by this vulnerability.
You can also set the environment variable "GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE" before starting an MQ QMGR or Client to disable this restriction.
More support for:
Software version: 188.8.131.52
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows
Software edition: All Editions
Reference #: 1964105
Modified date: 04 November 2015