A fix is available
APAR status
Closed as new function.
Error description
z/OS System SSL APAR in z/OS V1R13 has been updated by APAR OA39422 to support the TLS 1.2 protocol and SHA-256 and SHA-384 hashing algorithms for cipherspecs. This APAR will introduce support for these cipherspecs on SSL channels.
Local fix
Problem summary
USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 Release 1

PROBLEM DESCRIPTION: z/OS System SSL APAR in z/OS V1R13 has been updated by APAR OA39422 to support the TLS 1.2 protocol and SHA-256 and SHA-384 hashing algorithms for cipherspecs. These new cipherspecs are not supported by WebSphere MQ.

RECOMMENDATION:

WebSphere MQ for z/OS Version 7 Release 1 has been updated to allow the use of cipherspecs using these hashing algorithms.
Problem conclusion
Temporary fix
Comments
WebSphere MQ for z/OS Version 7 Release 1 now provides the following new values in the channel attribute SSLCIPH:

  TLS_RSA_WITH_NULL_SHA256
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA256
  ECDHE_ECDSA_AES_128_CBC_SHA256
  ECDHE_ECDSA_AES_256_CBC_SHA384
  ECDHE_RSA_AES_128_CBC_SHA256
  ECDHE_RSA_AES_256_CBC_SHA384

Use of some of these cipherspecs will require specific types of certificates, and the enablement of Integrated Cryptographic Service Facility (ICSF).

The Explanation of Message CSQX631E is updated to read as follows:

Explanation: The SSL cipher specification value for channel channel-name is local-ciph using protocol local-protocol, but the value specified at the remote end (from connection conn-id) is remote-ciph using protocol remote-protocol. The cipher specification and protocol values must be the same before the channel can be started. The cipher specification values are shown in the message as four-character codes; common values are:

  0001  NULL_MD5
  0002  NULL_SHA
  0003  RC4_MD5_EXPORT
  0004  RC4_MD5_US
  0005  RC4_SHA_US
  0006  RC2_MD5_EXPORT
  0009  DES_SHA_EXPORT
  0009  TLS_RSA_WITH_DES_CBC_SHA
  000A  TRIPLE_DES_SHA_US
  000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  002F  TLS_RSA_WITH_AES_128_CBC_SHA
  0035  TLS_RSA_WITH_AES_256_CBC_SHA
  003B  TLS_RSA_WITH_NULL_SHA256
  003C  TLS_RSA_WITH_AES_128_CBC_SHA256
  003D  TLS_RSA_WITH_AES_256_CBC_SHA256
  C023  ECDHE_ECDSA_AES_128_CBC_SHA256
  C024  ECDHE_ECDSA_AES_256_CBC_SHA384
  C027  ECDHE_RSA_AES_128_CBC_SHA256
  C028  ECDHE_RSA_AES_256_CBC_SHA384

Message CSQX629E is added as follows:

CSQX629E: csect-name Channel channel-name requires ICSF for SSLCIPH(ciph).

Explanation: Channel channel-name is using a cipherspec ciph that requires ICSF callable services, but ICSF is not available. Sometimes the channel name and cipherspec are unknown and so are shown as '????'. If known, the value cipherspec is shown in the message as a four-character code. Recognized values are shown in message CSQX631E.
The cipherspecs which use ephemeral elliptic curve algorithms will require ICSF.

Severity: 8.

System action: The channel will not start.

The table listing cipherspecs found on the following pages:

  http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/sy12870_1.htm
  http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/pc10990_.htm
  http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/sc10950_.htm

is updated to indicate that the following cipherspecs, previously only available on UNIX, Linux, and Windows platforms, are now also available on z/OS:

  TLS_RSA_WITH_NULL_SHA256
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA256
  ECDHE_ECDSA_AES_128_CBC_SHA256
  ECDHE_ECDSA_AES_256_CBC_SHA384
  ECDHE_RSA_AES_128_CBC_SHA256
  ECDHE_RSA_AES_256_CBC_SHA384

The table listing the relationships between cipherspecs and digital certificates on page:

  http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/sy11045_.htm

is updated to note that Type 1 and 2 also apply to z/OS. See the documentation of the RACDCERT command here:

  http://publib.boulder.ibm.com/infocenter/zos/v1r13/topic/com.ibm.zos.r13.icha400/le-gencert.htm?path=35_2_7_31#le-gencert

or equivalent documentation for your External Security Manager for creating appropriate certificates.

All references to two-character codes as a way of displaying or specifying cipherspecs are changed to four-character codes.
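
A pre-start check built from the two messages described above, as an added example that is not IBM code or part of the APAR: it decodes the four-character codes from the CSQX631E table and reports the CSQX631E condition (cipher specification or protocol differs between the two ends) and the CSQX629E condition (an ephemeral elliptic curve cipherspec without ICSF). The function names, channel names, protocol labels and the UNKNOWN and WARN finding labels are assumptions of the example.

```python
# Added example, not IBM code. Codes and names are copied from the CSQX631E table.
CIPHERSPECS = {
    "0001": ["NULL_MD5"], "0002": ["NULL_SHA"],
    "0003": ["RC4_MD5_EXPORT"], "0004": ["RC4_MD5_US"],
    "0005": ["RC4_SHA_US"], "0006": ["RC2_MD5_EXPORT"],
    "0009": ["DES_SHA_EXPORT", "TLS_RSA_WITH_DES_CBC_SHA"],
    "000A": ["TRIPLE_DES_SHA_US", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "002F": ["TLS_RSA_WITH_AES_128_CBC_SHA"], "0035": ["TLS_RSA_WITH_AES_256_CBC_SHA"],
    "003B": ["TLS_RSA_WITH_NULL_SHA256"],
    "003C": ["TLS_RSA_WITH_AES_128_CBC_SHA256"], "003D": ["TLS_RSA_WITH_AES_256_CBC_SHA256"],
    "C023": ["ECDHE_ECDSA_AES_128_CBC_SHA256"], "C024": ["ECDHE_ECDSA_AES_256_CBC_SHA384"],
    "C027": ["ECDHE_RSA_AES_128_CBC_SHA256"], "C028": ["ECDHE_RSA_AES_256_CBC_SHA384"],
}

def names(code):
    """Names for a four-character code; [] for unknown codes such as '????'."""
    return CIPHERSPECS.get(code.upper(), [])

def requires_icsf(code):
    """Ephemeral elliptic curve cipherspecs need ICSF (the CSQX629E condition)."""
    return any(n.startswith("ECDHE_") for n in names(code))

def preflight(channel, local, remote, icsf_available):
    """local/remote are (code, protocol) pairs; returns a list of (id, text) findings."""
    findings = []
    for side, (code, _proto) in (("local", local), ("remote", remote)):
        if not names(code):
            findings.append(("UNKNOWN", f"{channel}: {side} code {code} is not in the table"))
        elif any("NULL" in n for n in names(code)):  # general TLS fact, not APAR text
            findings.append(("WARN", f"{channel}: {side} {names(code)[0]} does not encrypt"))
    if (local[0].upper(), local[1]) != (remote[0].upper(), remote[1]):
        findings.append(("CSQX631E", f"{channel}: local {local} differs from remote {remote}"))
    if requires_icsf(local[0]) and not icsf_available:
        findings.append(("CSQX629E", f"{channel}: SSLCIPH({local[0]}) requires ICSF"))
    return findings

# Constructed sample channels; the names and protocol labels are hypothetical.
SAMPLES = [
    ("TO.QM2", ("003D", "TLS 1.2"), ("003D", "TLS 1.2"), False),
    ("TO.QM3", ("C024", "TLS 1.2"), ("c024", "TLS 1.2"), False),
    ("TO.QM4", ("003C", "TLS 1.2"), ("002F", "TLS 1.0"), True),
    ("TO.QM5", ("003B", "TLS 1.2"), ("003B", "TLS 1.2"), True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for ident, text in preflight(*sample) or [("OK", sample[0])]:
            print(ident, text)
```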
APAR Information
APAR number
PM77341
Reported component name
WMQ Z/OS V7
Reported component ID
5655R3600
Reported release
100
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2012-11-19
Closed date
2012-12-13
Last modified date
2013-03-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK90292 UK90293 UK90294 UK90295 UK90296 UK90297
Modules/Macros
CSQFMSGC CSQFXTXC CSQFXTXE CSQFXTXF CSQFXTXK CSQFXTXU CSQMCNAC CSQXCCIS CSQXGINI CSQXGIOC CSQXGSSI CSQXSRVS CSQXTRTB
Fix information
Fixed component name
WMQ Z/OS V7
Fixed component ID
5655R3600
Applicable component levels
R100 PSY UK90292
UP13/02/05 P F302
R101 PSY UK90293
UP13/02/05 P F302
R102 PSY UK90294
UP13/02/05 P F302
R103 PSY UK90295
UP13/02/05 P F302
R104 PSY UK90296
UP13/02/05 P F302
R105 PSY UK90297
UP13/02/05 P F302
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 March 2013