IBM Support

IT43650: Channel fails with AMQ9620 gsk_secure_soc_init error 12 when FIPS is enabled and TLS_CHACHA20_POLY1305_SHA256 is used


APAR status

  • Closed as program error.

Error description

  • If a queue manager is configured for TLS communication and
    SSLFIPS(YES) is set on the queue manager configuration, any
    TLS-enabled channel that attempts to start with the
    TLS_CHACHA20_POLY1305_SHA256 CipherSpec fails with an AMQ9620
    error message whose inserts name the function gsk_secure_soc_init
    and error code 12.
    
    This happens if the SSLCIPH attribute of a channel is set to any
    of the following values: "TLS_CHACHA20_POLY1305_SHA256", "ANY",
    "ANY_TLS13", "ANY_TLS13_OR_HIGHER" or "ANY_TLS12_OR_HIGHER".
    

Local fix

  • If SSLFIPS(YES) is used to put the queue manager into FIPS mode,
    TLS_CHACHA20_POLY1305_SHA256 cannot be used. Ensure that
    TLS_CHACHA20_POLY1305_SHA256 is not set in the SSLCIPH attribute
    of any channel.
    If SSLFIPS(YES) is in use and an alias CipherSpec is set in the
    SSLCIPH attribute of channel objects, then
    TLS_CHACHA20_POLY1305_SHA256 should be disabled at the queue
    manager level using the AllowedCipherSpecs attribute of the SSL
    stanza in the qm.ini file.
    If FIPS is not required, changing SSLFIPS to NO enables the
    TLS_CHACHA20_POLY1305_SHA256 CipherSpec for use.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Those with SSLFIPS(YES) configured on the queue manager object,
    with TLS 1.3 enabled in the queue manager qm.ini, and a channel
    with SSLCIPH(TLS_CHACHA20_POLY1305_SHA256) or an alias
    CipherSpec (ANY, ANY_TLS12_OR_HIGHER, ANY_TLS13,
    ANY_TLS13_OR_HIGHER).
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    TLS_CHACHA20_POLY1305_SHA256 was incorrectly included in the
    internal list of ciphers to enable when SSLFIPS(YES) was
    configured, which caused MQ's cryptographic provider to fail to
    initialize due to the presence of this non-FIPS CipherSpec in
    the list.
    
    As a result, any TLS communication attempted while FIPS was
    enabled on the queue manager object and a channel specified
    TLS_CHACHA20_POLY1305_SHA256 or an alias CipherSpec failed,
    because TLS_CHACHA20_POLY1305_SHA256 is not a valid FIPS
    CipherSpec.
    
    The following Alias CipherSpecs are affected: ANY,
    ANY_TLS12_OR_HIGHER, ANY_TLS13 and ANY_TLS13_OR_HIGHER.
    
    TLS_CHACHA20_POLY1305_SHA256 is only available if TLS 1.3 is
    enabled.
    
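As an added check (not IBM's code and not part of this APAR), the following Python script reads constructed `DISPLAY QMGR` and `DISPLAY CHANNEL(*) SSLCIPH` output together with a qm.ini fragment and lists the channels that match the affected configuration described above, taking into account the AllowedCipherSpecs mitigation from the local fix. It assumes the runmqsc output shape shown in the constructed sample (message identifiers AMQ8408I/AMQ8414I, one attribute per parenthesised field), treats AllowedCipherSpecs as a plain comma-separated list, and takes the TLS 1.3 setting as a boolean argument rather than parsing it.

```python
import re

CHACHA = "TLS_CHACHA20_POLY1305_SHA256"   # non-FIPS CipherSpec named in the APAR
AFFECTED_ALIASES = {"ANY", "ANY_TLS13", "ANY_TLS13_OR_HIGHER", "ANY_TLS12_OR_HIGHER"}

def parse_ssl_stanza(qmini_text):
    """Return the Key=Value pairs of the SSL: stanza of a qm.ini file."""
    ssl, in_ssl = {}, False
    for raw in qmini_text.splitlines():
        line = raw.strip()
        if line.endswith(":"):                 # stanza header such as "SSL:"
            in_ssl = line == "SSL:"
        elif in_ssl and "=" in line:
            key, _, value = line.partition("=")
            ssl[key.strip()] = value.strip()
    return ssl

def parse_runmqsc(text):
    """Return (SSLFIPS value, {channel: SSLCIPH}) from runmqsc display output."""
    m = re.search(r"SSLFIPS\((\w+)\)", text)
    pairs = re.findall(r"CHANNEL\(([^)]+)\).*?SSLCIPH\(\s*([^)]*?)\s*\)", text, re.S)
    return (m.group(1) if m else "NO"), dict(pairs)

def affected_channels(qmini_text, runmqsc_text, tls13_enabled):
    """Channels that hit AMQ9620 gsk_secure_soc_init rc 12 on a level without
    the IT43650 fix. tls13_enabled mirrors the qm.ini TLS 1.3 setting the APAR
    mentions; it is passed in rather than parsed here (assumption)."""
    sslfips, channels = parse_runmqsc(runmqsc_text)
    if sslfips != "YES" or not tls13_enabled:
        return []
    # AllowedCipherSpecs read as a plain comma-separated allow-list (assumption);
    # when the attribute is absent every CipherSpec, ChaCha20 included, stays enabled.
    allowed = parse_ssl_stanza(qmini_text).get("AllowedCipherSpecs")
    chacha_enabled = allowed is None or CHACHA in {c.strip() for c in allowed.split(",")}
    return [chl for chl, ciph in channels.items()
            if ciph == CHACHA                                    # explicit: never FIPS-valid
            or (ciph in AFFECTED_ALIASES and chacha_enabled)]    # alias may select ChaCha20

# Constructed sample output and qm.ini fragments, not captured from a real queue manager.
RUNMQSC_SAMPLE = """\
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             SSLFIPS(YES)
AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(ANY_TLS12_OR_HIGHER)
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   SSLCIPH(TLS_CHACHA20_POLY1305_SHA256)
"""
QMINI_UNMITIGATED = "Log:\n   LogPrimaryFiles=3\n"
QMINI_MITIGATED = "SSL:\n   AllowedCipherSpecs=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256\n"
```

With the mitigated qm.ini only the channel that names TLS_CHACHA20_POLY1305_SHA256 explicitly is still reported, which is the case the local fix says must be changed on the channel itself.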

Problem conclusion

  • The TLS_CHACHA20_POLY1305_SHA256 CipherSpec has been removed from
    IBM MQ's list of FIPS CipherSpecs, which prevents it from being
    selected during the TLS handshake when FIPS is enabled.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.2 LTS   9.2.0.15
    v9.3 LTS   9.3.0.10
    v9.x CD    9.3.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT43650

  • Reported component name

    MQ BASE V9.3

  • Reported component ID

    5724H7291

  • Reported release

    930

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-04-27

  • Closed date

    2023-05-19

  • Last modified date

    2023-05-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQ BASE V9.3

  • Fixed component ID

    5724H7291

Applicable component levels

Document Information

Modified date:
20 May 2023