APAR status
Closed as program error.
Error description
When configuring the IBM MQ 9.3.3.0 or 9.3.3.1 Explorer to administer a remote queue manager, the "Specify SSL options details" panel in the "Add Queue Manager" wizard does not allow users to specify a TLS 1.2 cipher.

The "SSL CipherSpec" drop down on the panel only contains:
- The TLS 1.3 CipherSpecs.
- The TLS 1.3 alias CipherSpecs.
- And some TLS 1.0/SSLV3 CipherSpecs.

There are no entries for any TLS 1.2 CipherSpecs.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of:
- The IBM MQ 9.3.3.0 Explorer.
- The IBM MQ 9.3.3.1 Explorer.
who want to use the user interface to administer a remote queue manager using a secure (TLS/SSL) channel.

Platforms affected:
Windows, Linux on x86-64
****************************************************************
PROBLEM DESCRIPTION:
When adding a remote queue manager to the MQ Explorer using the "Add Queue Manager" wizard, the "SSL CipherSpec:" drop down on the "Specify SSL Options Details" panel is used to set the CipherSpec that should be used to secure the connection between the user interface and the queue manager.

The list of CipherSpecs shown in the drop down is provided by the Java Message Queueing Interface (JMQI), which is an internal component that handles all of the communication to the queue manager.

In MQ 9.3.3, the way in which the JMQI handled CipherSpecs and CipherSuites was changed. As part of this rework, the JMQI was updated to maintain two lists of ciphers:
- A list containing TLS 1.2 ciphers.
- A list containing TLS 1.3 ciphers, TLS 1.3 alias ciphers and some SSLv3/TLS ciphers.

When the MQ Explorer requested the CipherSpecs to display in the "SSL CipherSpec:" drop down, the JMQI returned the second list. As a result, the drop down did not include any of the TLS 1.2 ciphers that were stored in the first list.
Problem conclusion
To resolve this issue, the two lists maintained by the JMQI have been modified so that they now contain:
- A list of all ciphers.
- And a list of all FIPS certified ciphers.

The first list (containing all of the ciphers) is then passed to the MQ Explorer, which ensures that the "SSL CipherSpec:" drop down contains all of the possible CipherSpecs that can be used.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.x CD    9.3.4

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT44498
Reported component name
MQ BASE V9.3
Reported component ID
5724H7291
Reported release
933
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-09-11
Closed date
2023-10-09
Last modified date
2023-10-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.3
Fixed component ID
5724H7291
Applicable component levels
Document Information
Modified date:
10 October 2023