IBM Support

IT44498: Unable to specify a TLS 1.2 cipher when using the MQ Explorer to create a remote connection to a queue manager


APAR status

  • Closed as program error.

Error description

  • When configuring the IBM MQ 9.3.3.0 or 9.3.3.1 Explorer to
    administer a remote queue manager, the "Specify SSL options
    details" panel in the "Add Queue Manager" wizard does not allow
    users to specify a TLS 1.2 cipher.
    
    The "SSL CipherSpec" drop down on the panel only contains:
    
    - The TLS 1.3 CipherSpecs.
    - The TLS 1.3 alias CipherSpecs.
    - And some TLS 1.0/SSLv3 CipherSpecs.
    
    There are no entries for any TLS 1.2 CipherSpecs.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of:
    
    - The IBM MQ 9.3.3.0 Explorer.
    - The IBM MQ 9.3.3.1 Explorer.
    
    who want to use the user interface to administer a remote queue
    manager using a secure (TLS/SSL) channel.
    
    
    Platforms affected:
    Windows, Linux on x86-64
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When adding a remote queue manager to the MQ Explorer using the
    "Add Queue Manager" wizard, the "SSL CipherSpec:" drop down on
    the "Specify SSL Options Details" panel is used to set the
    CipherSpec that should be used to secure the connection between
    the user interface and the queue manager. The list of
    CipherSpecs shown in the drop down is provided by the Java
    Message Queueing Interface (JMQI), which is an internal
    component that handles all of the communication to the queue
    manager.
    
    In MQ 9.3.3, the way in which the JMQI handled CipherSpecs and
    CipherSuites was changed. As part of this rework, the JMQI was
    updated to maintain two lists of ciphers:
    
    - A list containing TLS 1.2 ciphers.
    - A list containing TLS 1.3 ciphers, TLS 1.3 alias ciphers and
    some SSLv3/TLS ciphers.
    
    When the MQ Explorer requested the CipherSpecs to display in the
    "SSL CipherSpec:" drop down, the JMQI returned the second list.
    As a result, the drop down did not include any of the TLS 1.2
    ciphers that were stored in the first list.
    

Problem conclusion

  • To resolve this issue, the two lists maintained by the JMQI have
    been modified so that they now contain:
    
    - A list of all ciphers.
    - And a list of all FIPS certified ciphers.
    
    The first list (containing all of the ciphers) is then passed to
    the MQ Explorer, which ensures that the "SSL CipherSpec:" drop
    down contains all of the possible CipherSpecs that can be used
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.x CD    9.3.4
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT44498

  • Reported component name

    MQ BASE V9.3

  • Reported component ID

    5724H7291

  • Reported release

    933

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-09-11

  • Closed date

    2023-10-09

  • Last modified date

    2023-10-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQ BASE V9.3

  • Fixed component ID

    5724H7291

Applicable component levels


Document Information

Modified date:
10 October 2023