APAR status
Closed as Permanent restriction.
Error description
One or more of the following IBM MQ components:
- AMQP server
- Managed File Transfer (MFT)
- MQ Console/web console
- MQ Explorer
- MQ REST API
- MQ Telemetry service

has been configured to use one of the RSA cipher suites shown below in FIPS mode:
- SSL_RSA_WITH_AES_256_GCM_SHA384
- SSL_RSA_WITH_AES_128_GCM_SHA256
- SSL_RSA_WITH_AES_256_CBC_SHA256
- SSL_RSA_WITH_AES_128_CBC_SHA256
- SSL_RSA_WITH_AES_256_CBC_SHA
- SSL_RSA_WITH_AES_128_CBC_SHA

After upgrading to an IBM MQ Fix Pack that contains the IBM 8.0.8.20 (or later) Java Runtime Environment, the component stops working or reports errors related to FIPS.
Local fix
Use an alternative CipherSuite, or disable FIPS mode.
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of:
- AMQP server
- Managed File Transfer (MFT)
- MQ Console/web console
- MQ Explorer
- MQ REST API
- MQ Telemetry service

Platforms affected:
MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
IBM MQ is shipped with the IBM Java Runtime Environment (JRE), which is used by the following MQ components:
- AMQP server
- Managed File Transfer (MFT)
- MQ Console/web console
- MQ Explorer
- MQ REST API
- MQ Telemetry service

In the IBM 8.0.8.20 JRE (and later), the cipher suites shown below have been removed from the IBMJCEPlusFIPS provider for FIPS 140-2:
- SSL_RSA_WITH_AES_256_GCM_SHA384
- SSL_RSA_WITH_AES_128_GCM_SHA256
- SSL_RSA_WITH_AES_256_CBC_SHA256
- SSL_RSA_WITH_AES_128_CBC_SHA256
- SSL_RSA_WITH_AES_256_CBC_SHA
- SSL_RSA_WITH_AES_128_CBC_SHA

This means that when upgrading to an MQ Fix Pack or cumulative security update (CSU) that contains this IBM JRE, the MQ components mentioned above will not be able to use these cipher suites in FIPS mode. If a component tries to do so, it will either report errors or fail to start.
Problem conclusion
To continue using FIPS mode, the MQ components:
- AMQP server
- Managed File Transfer (MFT)
- MQ Console/web console
- MQ Explorer
- MQ REST API
- MQ Telemetry service

should be changed to use a cipher suite that is still supported. For details of cipher suites that are supported, see the "TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS" topic in the MQ sections of the IBM Documentation site.

---------------------------------------------------------------
The update is targeted for delivery in the following PTFs:

Version      Maintenance Level
v9.0 LTS     9.0.0.24
v9.1 LTS     9.1.0.21
v9.2 LTS     9.2.0.25
v9.3 LTS     9.3.0.17
v9.x CD      9.3.5.1

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
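An added example, not IBM's code: a Python pre-upgrade check that scans configuration text for the six cipher suite names listed above, matching whole tokens so that a ..._CBC_SHA256 entry is not also reported as ..._CBC_SHA. The file suffixes scanned and the key names in the sample are assumptions made for illustration, not real MQ settings.

```python
import re
from pathlib import Path

# The six suites this APAR lists as removed from IBMJCEPlusFIPS (JRE 8.0.8.20+).
REMOVED_SUITES = (
    "SSL_RSA_WITH_AES_256_GCM_SHA384",
    "SSL_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_AES_256_CBC_SHA256",
    "SSL_RSA_WITH_AES_128_CBC_SHA256",
    "SSL_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
)

# Whole-token match: the boundary checks stop ..._CBC_SHA from matching inside
# ..._CBC_SHA256 and ignore longer identifiers that merely contain a listed name.
_TOKEN = re.compile(
    r"(?<![A-Za-z0-9_])(?:%s)(?![A-Za-z0-9_])"
    % "|".join(sorted(map(re.escape, REMOVED_SUITES), key=len, reverse=True))
)

def scan_text(text):
    """Return (line_number, suite) for every removed suite named in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in _TOKEN.finditer(line):
            hits.append((number, match.group(0)))
    return hits

def scan_tree(root, suffixes=(".properties", ".xml", ".ini")):
    """Scan files under root (suffix list is an assumption); return {path: hits}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample; the key and attribute names are placeholders.
SAMPLE = """\
example.cipherSuite=SSL_RSA_WITH_AES_256_CBC_SHA256
example.other=SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
<ssl ciphers="SSL_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_GCM_SHA256"/>
example.prefixed=XSSL_RSA_WITH_AES_256_CBC_SHA
"""

if __name__ == "__main__":
    for number, suite in scan_text(SAMPLE):
        print(f"line {number}: {suite}")
```

A hit only shows that a removed suite is named in a file; whether the component runs in FIPS mode still has to be checked in that component's own configuration.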
Temporary fix
Comments
APAR Information
APAR number
IT45890
Reported component name
IBM MQ BASE M/P
Reported component ID
5724H7261
Reported release
900
Status
CLOSED PRS
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-04-05
Closed date
2024-04-23
Last modified date
2024-04-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
25 April 2024