Thursday, November 17, 2016

Weak or broken cipher specs are blocked - PTF UI29471 - MQ V8.0

Let's talk about cipher specs...

For MQ V8 on z/OS, a PTF was released (UI29471, Oct. 8th 2015) that, once installed, prohibits the use of weak or broken cipher specs as well as SSLv3.

The following cipher specs are affected (the protocol each one is based on is shown in parentheses):

RC4_SHA_US                 (SSL 3.0)
RC4_MD5_US                 (SSL 3.0)
TRIPLE_DES_SHA_US          (SSL 3.0)
RC4_MD5_EXPORT             (SSL 3.0)
RC2_MD5_EXPORT             (SSL 3.0)
DES_SHA_EXPORT             (SSL 3.0)
NULL_SHA                   (SSL 3.0)
NULL_MD5                   (SSL 3.0)
TLS_RSA_WITH_DES_CBC_SHA   (TLS 1.0)

To check whether any channels in your z/OS environment are still using these cipher specs, issue the following commands:

DISPLAY CHL(*) WHERE(SSLCIPH EQ RC4_SHA_US)
DISPLAY CHL(*) WHERE(SSLCIPH EQ RC4_MD5_US)
DISPLAY CHL(*) WHERE(SSLCIPH EQ TRIPLE_DES_SHA_US)
DISPLAY CHL(*) WHERE(SSLCIPH EQ RC4_MD5_EXPORT)
DISPLAY CHL(*) WHERE(SSLCIPH EQ RC2_MD5_EXPORT)
DISPLAY CHL(*) WHERE(SSLCIPH EQ DES_SHA_EXPORT)
DISPLAY CHL(*) WHERE(SSLCIPH EQ NULL_SHA)
DISPLAY CHL(*) WHERE(SSLCIPH EQ NULL_MD5)
DISPLAY CHL(*) WHERE(SSLCIPH EQ TLS_RSA_WITH_DES_CBC_SHA)

If you have channels using one of these and still want to install the current set of z/OS MQ maintenance, there is a workaround.

To allow weak cipher specs, add the following DD statement to your channel initiator (CHIN) address space PROC:

//CSQXWEAK  DD DUMMY

To allow SSLv3-based cipher specs, add the following DD statement to your CHIN address space PROC:

//CSQXSSL3  DD DUMMY

If you want to allow both weak and SSLv3-based cipher specs, both DD statements need to be added to the CHIN PROC.

Once these have been added and your channel initiator has been restarted, you will see the following messages in the JESOUT:

CSQX691I +MQQM CSQXSSLI Cipher specifications based on the SSLv3 protocol are enabled

CSQX693I +MQQM CSQXSSLI Weak or broken SSL cipher specifications are enabled
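To make the channel check above and the PROC override check repeatable, here is an added example (my own, not from the post or from IBM) that scans a saved DISPLAY CHL listing for the blocked cipher specs and reports which of the two override DD statements a CHIN PROC contains. The sample listing and PROC are constructed, and the assumption that each channel record starts with a CSQM409I message is about the display layout, not something the post states.

```python
import re

# Cipher specs the post lists as blocked by PTF UI29471, with the protocol the
# post gives for each.
BLOCKED_CIPHERS = {
    "RC4_SHA_US": "SSL 3.0", "RC4_MD5_US": "SSL 3.0",
    "TRIPLE_DES_SHA_US": "SSL 3.0", "RC4_MD5_EXPORT": "SSL 3.0",
    "RC2_MD5_EXPORT": "SSL 3.0", "DES_SHA_EXPORT": "SSL 3.0",
    "NULL_SHA": "SSL 3.0", "NULL_MD5": "SSL 3.0",
    "TLS_RSA_WITH_DES_CBC_SHA": "TLS 1.0",
}
_CHANNEL_RE = re.compile(r"CHANNEL\(([^)]+)\)")
_SSLCIPH_RE = re.compile(r"SSLCIPH\(([^)]*)\)")
# The two override DD statements exactly as the post shows them.
_DD_RE = re.compile(r"^//(CSQXWEAK|CSQXSSL3)\s+DD\s+DUMMY\b", re.MULTILINE)

def blocked_channels(display_output):
    """Return [(channel, cipher, protocol)] for every channel in a DISPLAY CHL
    listing whose SSLCIPH is one of the blocked specs. A channel's attributes
    may span several lines, so the listing is split into records at each
    CSQM409I message (assumed to start every channel definition)."""
    found = []
    for record in re.split(r"(?m)^(?=CSQM409I)", display_output):
        chl, ciph = _CHANNEL_RE.search(record), _SSLCIPH_RE.search(record)
        if chl and ciph and ciph.group(1).strip() in BLOCKED_CIPHERS:
            cipher = ciph.group(1).strip()
            found.append((chl.group(1).strip(), cipher, BLOCKED_CIPHERS[cipher]))
    return found

def overrides_present(chin_proc_jcl):
    """Return the set of override DD names (CSQXSSL3, CSQXWEAK) in the CHIN PROC."""
    return set(_DD_RE.findall(chin_proc_jcl))

# Constructed sample input; not captured from a real queue manager.
SAMPLE_DISPLAY = """\
CSQM409I +MQQM CSQMDRTC   CHANNEL(TO.QM2) CHLTYPE(SDR)
QSGDISP(QMGR) SSLCIPH(RC4_SHA_US) SSLCAUTH(REQUIRED)
CSQM409I +MQQM CSQMDRTC   CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN)
QSGDISP(QMGR) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(OPTIONAL)
CSQM409I +MQQM CSQMDRTC   CHANNEL(TO.QM3) CHLTYPE(RCVR)
QSGDISP(QMGR) SSLCIPH(TLS_RSA_WITH_DES_CBC_SHA) SSLCAUTH(REQUIRED)
CSQ9022I +MQQM CSQMDRTC ' DISPLAY CHANNEL' NORMAL COMPLETION
"""
SAMPLE_PROC = "//MQQMCHIN PROC\n//CSQXSSL3  DD DUMMY\n"

if __name__ == "__main__":
    for chl, ciph, proto in blocked_channels(SAMPLE_DISPLAY):
        print(f"{chl}: {ciph} ({proto}) - blocked by UI29471")
    print("Override DDs in CHIN PROC:", sorted(overrides_present(SAMPLE_PROC)))
```

Run it against the real DISPLAY CHL(*) output and CHIN PROC before applying the PTF; any channel it lists needs a stronger SSLCIPH or one of the override DDs.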


Please remember: it is better to get all of your channels using the current, stronger cipher specs, but in some cases, with older versions of MQ, using these cannot be avoided.

Happy messaging!!