IT09423: WMQ-JAVA/JMS: NOT ABLE TO CONNECT TO A SSLV3 SECURED CHANNEL WHEN USING A NON-IBM JRE WITH IV66840 ACTIVATED

APAR status

  • Closed as program error.

Error description

  • In WebSphere MQ 7.5, when APAR IV66840 is enabled to allow the
    use of TLS CipherSuites when using a non-IBM JRE, SSLv3
    CipherSuites can no longer be used to communicate with the queue
    manager, as was permitted prior to the activation of IV66840.
    
    Customers may need to use SSLv3 and TLS CipherSuites
    simultaneously from within the same non-IBM JVM, especially when
    migrating. To use the TLS CipherSuites, APAR IV66840 must be
    enabled through the use of the system property:
    
      com.ibm.mq.cfg.useIBMCipherMappings=false
    
    Once this property has been configured, the SSLv3 CipherSuites
    can no longer be used within the JVM to communicate with the
    queue manager.
    

Local fix

  • Run MQ Java applications in separate JVMs, some with APAR
    IV66840 enabled and some with it not enabled; this may mean
    re-engineering an application.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of WebSphere MQ classes for Java/JMS who have a
    requirement to connect from within the same non-IBM JVM to queue
    manager channels which are secured using a mix of both SSLv3 and
    TLS protocols.
    
    
    Platforms affected:
    AIX, HP-UX Itanium, Linux on Power, Linux on S390, Linux on x86,
    Linux on x86-64, Linux on zSeries, Solaris SPARC, Solaris
    x86-64, Windows, MultiPlatform, HP-UX PA-RISC
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    IV66840 added the capability to use TLS CipherSuites from a
    non-IBM JVM.
    
    To do this, a JVM system property must be defined with a
    specific value:
    
      com.ibm.mq.cfg.useIBMCipherMappings=false
    
    However doing this also disables the less secure SSLv3
    CipherSuites from within the JVM.
    
    
    On reflection this was not the appropriate action, as a user is
    not able to use both types of protocol within the same non-IBM
    JVM. The prevention of the SSLv3 protocols is policed by both
    recent JREs and the queue manager, and so does not need to be
    prohibited from within the WebSphere MQ classes for Java/JMS as
    well.
    

Problem conclusion

  • The following 5 SSLv3 CipherSuites are again permitted for use
    when using a non-IBM JRE with the JVM system property and value:
    
      com.ibm.mq.cfg.useIBMCipherMappings=false
    
    defined. These 5 SSLv3 CipherSuites and CipherSpecs which they
    map to are:
    
    SSL_RSA_WITH_NULL_MD5 --> NULL_MD5
    SSL_RSA_WITH_NULL_SHA --> NULL_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5 --> RC4_MD5_EXPORT
    SSL_RSA_WITH_RC4_128_MD5 --> RC4_MD5_US
    SSL_RSA_WITH_RC4_128_SHA --> RC4_SHA_US
    
    
    The following 2 CipherSuites have the capability of mapping to
    either an SSLv3 or TLS CipherSpec:
    
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    
    
    Prior to IV66840, these mapped to the following TLS CipherSpecs
    depending on whether the FIPS compliance setting was configured:
    
    SSL_RSA_WITH_DES_CBC_SHA --> TLS_RSA_WITH_DES_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA --> TLS_RSA_WITH_3DES_EDE_CBC_SHA
    
    On an Oracle JVM where MQ FIPS compliance is not available,
    these CipherSuites mapped to the following SSLv3 CipherSpecs:
    
    SSL_RSA_WITH_DES_CBC_SHA --> DES_SHA_EXPORT
    SSL_RSA_WITH_3DES_EDE_CBC_SHA --> TRIPLE_DES_SHA_US
    
    
    APAR IT06775 added a property which permitted the selection of
    which of these CipherSpecs to map to from the corresponding
    CipherSuite in the non-FIPS compliance case. This property was:
    
      com.ibm.mq.cfg.preferTLS
    
    When set to the value "true", the TLS CipherSpec was selected,
    when "false" the SSLv3 CipherSpec was used.
    
    As of APAR IV66840, when the non-IBM JRE mappings were used (for
    example on an Oracle JVM, in order to use TLS ciphers), these two
    CipherSuites always mapped to the TLS CipherSpecs. Under this
    APAR (IT09423) this has also been updated, so that the
    "com.ibm.mq.cfg.preferTLS" property continues to permit the
    selection, the default being to map to the SSLv3 CipherSpecs.
    
    
    Note that the above applies to WebSphere MQ classes for Java/JMS
    v7.5. In v8.0, the following three CipherSuites are restricted
    to using TLS CipherSpecs only when used with a Java/JMS
    application:
    
      SSL_RSA_WITH_RC4_128_SHA
      SSL_RSA_WITH_DES_CBC_SHA
      SSL_RSA_WITH_3DES_EDE_CBC_SHA
    
    meaning that in v8.0, this APAR has no effect for the above
    three CipherSuites. It does however permit the use of the SSLv3
    CipherSpecs for the other four CipherSuites listed above.
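    The resolution rules above, modelled as a small audit script. This
    is an added example, not IBM's code or part of the MQ product: the
    function names, the "fix_applied" flag (whether this APAR's fix is
    present) and the report format are assumptions made for the
    example, while the CipherSuite-to-CipherSpec mappings, the
    preferTLS default and the v8.0 restriction are the ones stated in
    this APAR. It covers the non-FIPS case on a non-IBM JRE running
    with com.ibm.mq.cfg.useIBMCipherMappings=false, and lets an
    administrator see which channel CipherSpecs a given JVM
    configuration will negotiate before connecting, flagging the
    SSLv3-era ones.

```python
"""Model of the CipherSuite -> CipherSpec resolution described in APAR IT09423.

Assumed scope: non-IBM (e.g. Oracle) JRE, MQ FIPS compliance not available,
JVM started with -Dcom.ibm.mq.cfg.useIBMCipherMappings=false.
"""

# Five CipherSuites that always resolve to SSLv3 CipherSpecs (table from the APAR).
SSLV3_ONLY = {
    "SSL_RSA_WITH_NULL_MD5": "NULL_MD5",
    "SSL_RSA_WITH_NULL_SHA": "NULL_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5": "RC4_MD5_EXPORT",
    "SSL_RSA_WITH_RC4_128_MD5": "RC4_MD5_US",
    "SSL_RSA_WITH_RC4_128_SHA": "RC4_SHA_US",
}

# Two CipherSuites that can map to either an SSLv3 or a TLS CipherSpec,
# selected by com.ibm.mq.cfg.preferTLS: (sslv3_spec, tls_spec).
DUAL = {
    "SSL_RSA_WITH_DES_CBC_SHA": ("DES_SHA_EXPORT", "TLS_RSA_WITH_DES_CBC_SHA"),
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": ("TRIPLE_DES_SHA_US", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
}

# In MQ v8.0 these three are restricted to TLS CipherSpecs for Java/JMS clients.
V8_TLS_ONLY = {
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Placeholder: the APAR does not name the TLS CipherSpec used for RC4_128_SHA in v8.0.
V8_TLS_PLACEHOLDER = "<TLS CipherSpec, name not given in IT09423>"

SSLV3_SPECS = set(SSLV3_ONLY.values()) | {sslv3 for sslv3, _ in DUAL.values()}


class UnsupportedCipherSuite(ValueError):
    """The JVM configuration cannot use this CipherSuite to reach the queue manager."""


def resolve_cipherspec(suite, *, prefer_tls=False, mq_version="7.5", fix_applied=True):
    """Return the channel CipherSpec the MQ classes for Java/JMS would select.

    prefer_tls   -- value of com.ibm.mq.cfg.preferTLS (APAR default: false)
    mq_version   -- "7.5" or "8.0"
    fix_applied  -- True once IT09423 is installed; before it, with
                    useIBMCipherMappings=false, SSLv3 CipherSpecs were refused
                    and the dual suites always mapped to TLS CipherSpecs
    """
    if suite in DUAL:
        sslv3_spec, tls_spec = DUAL[suite]
        if mq_version == "8.0" or not fix_applied:
            return tls_spec
        return tls_spec if prefer_tls else sslv3_spec
    if suite in SSLV3_ONLY:
        if mq_version == "8.0" and suite in V8_TLS_ONLY:
            return V8_TLS_PLACEHOLDER
        if not fix_applied:
            raise UnsupportedCipherSuite(
                f"{suite}: SSLv3 CipherSpecs are disabled by IV66840 until IT09423 is applied")
        return SSLV3_ONLY[suite]
    raise UnsupportedCipherSuite(f"{suite}: not covered by this APAR's mapping tables")


def audit(suites, **jvm_config):
    """Map each CipherSuite to (cipherspec_or_reason, 'SSLv3' | 'TLS' | 'unusable')."""
    report = {}
    for suite in suites:
        try:
            spec = resolve_cipherspec(suite, **jvm_config)
        except UnsupportedCipherSuite as exc:
            report[suite] = (str(exc), "unusable")
            continue
        report[suite] = (spec, "SSLv3" if spec in SSLV3_SPECS else "TLS")
    return report


if __name__ == "__main__":
    # Constructed sample: the suites an application migrating off SSLv3 might still list.
    configured = ["SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5"]
    for label, cfg in [("defaults", {}), ("preferTLS=true", {"prefer_tls": True})]:
        print(f"-- {label}")
        for suite, (spec, kind) in audit(configured, **cfg).items():
            print(f"{suite:32} -> {spec:30} [{kind}]")
```

    The point a migration should take from the audit is that with the
    fix applied and preferTLS unset, the two dual-mapped CipherSuites
    fall back to SSLv3 CipherSpecs; an application that intends TLS on
    a non-IBM JRE should therefore set
    -Dcom.ibm.mq.cfg.preferTLS=true explicitly alongside
    -Dcom.ibm.mq.cfg.useIBMCipherMappings=false.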
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.0       7.0.1.13
    v7.1       7.1.0.7
    v7.5       7.5.0.6
    v8.0       8.0.0.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT09423

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7241

  • Reported release

    750

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-06-11

  • Closed date

    2015-10-23

  • Last modified date

    2015-10-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7241

Applicable component levels

  • Product: WebSphere MQ (SSFKSJ)

  • Platform: Platform Independent

  • Version: 7.5

Document Information

Modified date:
22 July 2020