
MQSeries.net Forum Index » Mainframe, CICS, TXSeries » CipherSpecs not available on MQ for zOS (v8.0)

saurabh25281
Posted: Wed Jul 10, 2019 8:42 am    Post subject: CipherSpecs not available on MQ for zOS (v8.0)

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Hi All,

I am trying to create a SVRCONN channel with SSL CipherSpec as "TLS_RSA_WITH_AES_128_GCM_SHA256" on z/OS platform hosting a v8.0 Queue Manager.

As per the IBM Documentation, the above CipherSpec is a supported one, but I do not see the option of setting this CipherSpec through MQ Explorer. When I try to run the MQSC command I get the message "CSQM100I: CSQMACHL SSLCIPH(TLS_RSA_WITH_AES_128_GCM_SHA256) VALUE INVALID OR OUT OF RANGE"

Can someone point me to documentation which shares this restriction on z/OS?

Regards
Saurabh
hughson
Posted: Wed Jul 10, 2019 3:42 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

This page, in the V8 MQ Knowledge Center, shows that TLS_RSA_WITH_AES_128_GCM_SHA256 is a Distributed only CipherSpec at that version.

Changing the version of the page to the V9.1.x version, you see that the platform tag has been removed, suggesting it now applies to all platforms. I cannot find a page in the "What's New" section to say when it appeared though.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
tczielke
Posted: Wed Jul 10, 2019 4:50 pm

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

Make sure to note point 4 in the document that Morag referenced about Galois/Counter Mode (GCM) ciphers:

Quote:

Following a recommendation by NIST, GCM CipherSpecs have a restriction which means that after 2^22 TLS records are sent, using the same session key, the connection is terminated with message AMQ9288.
To prevent this error from happening: avoid using GCM Ciphers, enable secret key reset, or start your IBM MQ queue manager with the environment variable GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE set.


I like one of the recommendations, just don't use it.
_________________
Working with MQ since 2010.
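
An added example, not part of the thread and not IBM code: a small audit that reads MQSC display output and lists the channels whose SSLCIPH is a GCM CipherSpec, together with the queue manager's secret key reset count, so the connections exposed to the AMQ9288 restriction quoted above can be reviewed. It assumes distributed-style runmqsc output and that SSLRKEYC is the queue manager's key reset attribute, with 0 meaning no reset; the sample text and function names are constructed for illustration.

```python
import re

# Constructed sample in the style of runmqsc output for
# DISPLAY QMGR SSLRKEYC and DISPLAY CHANNEL(*) SSLCIPH (not from the thread).
SAMPLE = """\
AMQ8408: Display Queue Manager details.
   QMNAME(QM1)                             SSLRKEYC(0)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_GCM_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(PLAIN.SVRCONN)                  CHLTYPE(SVRCONN)
   SSLCIPH( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # KEYWORD(value) pairs


def parse_records(text):
    """Split MQSC output into one {KEYWORD: value} dict per response message."""
    records = []
    for line in text.splitlines():
        if re.match(r"^AMQ\d+", line):       # a message id line starts a new record
            records.append({})
        elif records:
            records[-1].update({k: v.strip() for k, v in ATTR.findall(line)})
    return [r for r in records if r]


def audit_gcm(text):
    """Return (key_reset_count, [(channel, cipherspec)]) for GCM channels."""
    records = parse_records(text)
    # SSLRKEYC(0) is assumed to mean the secret key is never reset.
    reset = next((int(r["SSLRKEYC"]) for r in records if "SSLRKEYC" in r), None)
    gcm = [(r["CHANNEL"], r["SSLCIPH"]) for r in records
           if "CHANNEL" in r and "_GCM_" in r.get("SSLCIPH", "")]
    return reset, gcm


if __name__ == "__main__":
    reset, gcm = audit_gcm(SAMPLE)
    for name, spec in gcm:
        print(f"{name}: {spec} (SSLRKEYC={reset}); subject to the 2^22-record limit")
```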