Thursday, November 17, 2016

Weak or broken CipherSpecs are blocked - PTF UI29471 - MQ V8.0

Let's talk about CipherSpecs...

For MQ V8.0 on z/OS, a PTF was released (UI29471, October 8th 2015) that, once applied, blocks the use of weak or broken CipherSpecs as well as CipherSpecs based on SSLv3. Channels still defined with one of these CipherSpecs will not start after the PTF is active, so check your channel definitions before you apply the maintenance.

The following CipherSpecs are affected (the protocol each one is based on is shown in parentheses):

RC4_SHA_US                 (SSL 3.0)
RC4_MD5_US                 (SSL 3.0)
TRIPLE_DES_SHA_US          (SSL 3.0)
RC4_MD5_EXPORT             (SSL 3.0)
RC2_MD5_EXPORT             (SSL 3.0)
DES_SHA_EXPORT             (SSL 3.0)
NULL_SHA                   (SSL 3.0)
NULL_MD5                   (SSL 3.0)
TLS_RSA_WITH_DES_CBC_SHA   (TLS 1.0)

To check whether any channels in your z/OS environment are defined with one of these CipherSpecs, issue the following MQSC commands (from the console, prefix each one with the queue manager's command prefix, e.g. +MQQM). If you would rather scan the whole estate in one pass, DISPLAY CHANNEL(*) SSLCIPH lists the CipherSpec of every channel and you can filter the output yourself.

DISPLAY CHL(*) WHERE(SSLCIPH EQ RC4_SHA_US)
DISPLAY CHL(*) WHERE(SSLCIPH EQ RC4_MD5_US)
DISPLAY CHL(*) WHERE(SSLCIPH EQ TRIPLE_DES_SHA_US)
DISPLAY CHL(*) WHERE(SSLCIPH EQ RC4_MD5_EXPORT)
DISPLAY CHL(*) WHERE(SSLCIPH EQ RC2_MD5_EXPORT)
DISPLAY CHL(*) WHERE(SSLCIPH EQ DES_SHA_EXPORT)
DISPLAY CHL(*) WHERE(SSLCIPH EQ NULL_SHA)
DISPLAY CHL(*) WHERE(SSLCIPH EQ NULL_MD5)
DISPLAY CHL(*) WHERE(SSLCIPH EQ TLS_RSA_WITH_DES_CBC_SHA)


If you have channels using one of these CipherSpecs and still want to apply the current set of z/OS MQ maintenance, there is a workaround.

To allow weak CipherSpecs, add the following DD statement to the channel initiator (CHIN) address space PROC:

//CSQXWEAK  DD DUMMY

To allow SSLv3-based CipherSpecs, add the following DD statement to the CHIN address space PROC:

//CSQXSSL3  DD DUMMY

To allow both weak and SSLv3 CipherSpecs, add both DD statements to the CHIN PROC.

Once they have been added and the channel initiator has been restarted, you will see the following messages in the CHIN job log (JES output); if a message is missing, the corresponding override is not in effect:

CSQX691I +MQQM CSQXSSLI Cipher specifications based on the SSLv3 protocol are enabled

CSQX693I +MQQM CSQXSSLI Weak or broken SSL cipher specifications are enabled
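The two checks above (which channels sit on a blocked CipherSpec, and which override messages the channel initiator actually logged) are easy to combine into one audit. The script below is an added example, not code from the original post or from IBM: it parses saved DISPLAY CHANNEL(*) SSLCIPH output, looks for CSQX691I / CSQX693I in a saved copy of the CHIN job log, and reports every channel that will fail to start under PTF UI29471 unless the matching DD override is present. The parser only looks at CHANNEL(...) and SSLCIPH(...) tokens, so the message prefixes on the lines (CSQM... on z/OS, AMQ8414 under runmqsc) do not matter. The sample DISPLAY output and job log are constructed for the example; the mapping of SSL 3.0 CipherSpecs to CSQXSSL3 (CSQX691I) and of the TLS 1.0 DES CipherSpec to CSQXWEAK (CSQX693I) is an assumption taken from the post's wording, so confirm it against IBM's documentation for your maintenance level.

```python
"""Audit MQ channels for CipherSpecs blocked by PTF UI29471 (example, not IBM code)."""
import re

# The CipherSpecs listed in the post, keyed to the protocol the post gives for each.
BLOCKED_CIPHERSPECS = {
    "RC4_SHA_US": "SSL 3.0",
    "RC4_MD5_US": "SSL 3.0",
    "TRIPLE_DES_SHA_US": "SSL 3.0",
    "RC4_MD5_EXPORT": "SSL 3.0",
    "RC2_MD5_EXPORT": "SSL 3.0",
    "DES_SHA_EXPORT": "SSL 3.0",
    "NULL_SHA": "SSL 3.0",
    "NULL_MD5": "SSL 3.0",
    "TLS_RSA_WITH_DES_CBC_SHA": "TLS 1.0",
}

# ASSUMPTION for this example: SSL 3.0 CipherSpecs are re-enabled by the CSQXSSL3
# DD override (confirmed by CSQX691I) and the weak TLS 1.0 CipherSpec by the CSQXWEAK
# DD override (confirmed by CSQX693I). Check IBM's documentation for your level.
OVERRIDE_FOR_PROTOCOL = {
    "SSL 3.0": ("CSQXSSL3", "CSQX691I"),
    "TLS 1.0": ("CSQXWEAK", "CSQX693I"),
}

# Only these two attribute tokens are needed; everything else on a line is ignored.
ATTR_RE = re.compile(r"\b(CHANNEL|SSLCIPH)\(([^)]*)\)")


def parse_channels(display_output):
    """Return {channel_name: sslciph} from DISPLAY CHANNEL(*) SSLCIPH output.

    A CHANNEL(...) token starts a new record; the next SSLCIPH(...) token belongs
    to it. A blank SSLCIPH( ) becomes "" (channel is not using TLS at all).
    """
    channels = {}
    current = None
    for attr, value in ATTR_RE.findall(display_output):
        value = value.strip()
        if attr == "CHANNEL":
            # CHANNEL(*) is the echoed command (a generic name), not a real channel.
            current = None if "*" in value else value
            if current is not None:
                channels.setdefault(current, "")
        elif attr == "SSLCIPH" and current is not None:
            channels[current] = value
    return channels


def enabled_overrides(chin_log):
    """Return the set of override confirmation messages found in the CHIN job log."""
    return {msg for msg in ("CSQX691I", "CSQX693I") if msg in chin_log}


def audit(display_output, chin_log):
    """List channels on a blocked CipherSpec and whether their override is active."""
    present = enabled_overrides(chin_log)
    findings = []
    for name, ciph in sorted(parse_channels(display_output).items()):
        protocol = BLOCKED_CIPHERSPECS.get(ciph)
        if protocol is None:
            continue  # blank, or a CipherSpec the PTF does not block
        dd_name, msg = OVERRIDE_FOR_PROTOCOL[protocol]
        findings.append({"channel": name, "sslciph": ciph, "protocol": protocol,
                         "override_dd": dd_name, "override_active": msg in present})
    return findings


def missing_overrides(findings):
    """DD statements that would still have to be added for every finding to start."""
    return sorted({f["override_dd"] for f in findings if not f["override_active"]})


# Constructed sample output; real z/OS output carries CSQM message prefixes on each line.
SAMPLE_DISPLAY = """\
+MQQM DISPLAY CHANNEL(*) SSLCIPH
CHANNEL(TO.QM2) CHLTYPE(SDR) SSLCIPH(RC4_SHA_US)
CHANNEL(TO.QM3) CHLTYPE(SDR) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH( )
CHANNEL(CLIENT.OLD) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_DES_CBC_SHA)
CHANNEL(TO.QM4) CHLTYPE(RCVR) SSLCIPH(NULL_MD5)
"""

# Constructed CHIN job log: only the SSLv3 override (CSQXSSL3) has been added.
SAMPLE_CHIN_LOG = """\
CSQX691I +MQQM CSQXSSLI Cipher specifications based on the SSLv3 protocol are enabled
"""

if __name__ == "__main__":
    results = audit(SAMPLE_DISPLAY, SAMPLE_CHIN_LOG)
    for f in results:
        state = "override active" if f["override_active"] else "WILL NOT START"
        print(f"{f['channel']:24} {f['sslciph']:28} {f['protocol']:8} {state}")
    print("DD statements still missing:", missing_overrides(results) or "none")
```

Run it against the real output of DISPLAY CHANNEL(*) SSLCIPH and the CHIN job log captured after the restart; any channel reported as WILL NOT START needs either a stronger CipherSpec (preferred) or the named DD override before the PTF goes live.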


Please remember: it is better to move all of your channels to the current, stronger CipherSpecs. The DD overrides re-enable protocols and ciphers that were blocked for a reason, so treat them as a temporary bridge while the remote end is upgraded. In some cases, with partners on older versions of MQ, using them cannot be avoided.

Happy messaging!!
