SSL CipherSpecs and CipherSuites in WebSphere MQ classes for Java

Whether an IBM® WebSphere® MQ classes for Java application can establish a connection to a queue manager depends on the CipherSpec specified at the server end of the MQI channel and the CipherSuite specified at the client end.

For each combination of CipherSpec and CipherSuite, whether an IBM WebSphere MQ classes for Java application can connect to a queue manager depends on the value of the sslFipsRequired field in the MQEnvironment class, or on the value of the environment property CMQC.SSL_FIPS_REQUIRED_PROPERTY.

At the server end of an MQI channel, the name of a CipherSpec can be specified as the value of the SSLCIPH parameter on a DEFINE CHANNEL CHLTYPE(SVRCONN) command. At the client end of an MQI channel, an IBM WebSphere MQ classes for Java application can set the sslCipherSuite field in the MQEnvironment class, or set the environment property CMQC.SSL_CIPHER_SUITE_PROPERTY.

Configuring your application to use IBM Java or Oracle Java CipherSuite mappings

From IBM WebSphere MQ Version 7.5.0, Fix Pack 5, you can configure whether your application uses the default IBM Java CipherSuite to WebSphere MQ CipherSpec mappings, or the Oracle CipherSuite to WebSphere MQ CipherSpec mappings. Therefore, you can use TLS CipherSuites whether your application uses an IBM JRE or an Oracle JRE. The Java System Property com.ibm.mq.cfg.useIBMCipherMappings controls which mappings are used. The property can be one of the following values:

true
    Use the IBM Java CipherSuite to WebSphere MQ CipherSpec mappings. This value is the default value.
false
    Use the Oracle CipherSuite to WebSphere MQ CipherSpec mappings.

The following table lists the CipherSpecs supported by IBM WebSphere MQ and their equivalent CipherSuites. The table also indicates whether an IBM WebSphere MQ classes for Java application can establish a connection to a queue manager if a CipherSpec is specified at the server end of the MQI channel and the equivalent CipherSuite is specified at the client end.

Table 1. CipherSpecs supported by WebSphere MQ and their equivalent CipherSuites
| CipherSpec | Equivalent CipherSuite | Connection possible if SFIPS (note 1) is set to YES? |
|---|---|---|
| NULL_MD5 | SSL_RSA_WITH_NULL_MD5 | No |
| NULL_SHA | SSL_RSA_WITH_NULL_SHA | No |
| RC4_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC4_40_MD5 (IBM JRE); no equivalent for Oracle JRE | No |
| RC4_MD5_US | SSL_RSA_WITH_RC4_128_MD5 | No |
| RC4_SHA_US | SSL_RSA_WITH_RC4_128_SHA (IBM JRE); no equivalent for Oracle JRE | No |
| RC2_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (IBM JRE); SSL_RSA_EXPORT_WITH_RC4_40_MD5 (Oracle JRE) | No |
| DES_SHA_EXPORT | SSL_RSA_WITH_DES_CBC_SHA (IBM JRE); no equivalent for Oracle JRE | No |
| RC4_56_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_RC4_56_SHA (IBM JRE); no equivalent for Oracle JRE | No |
| DES_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA (IBM JRE); no equivalent for Oracle JRE | No |
| TRIPLE_DES_SHA_US | SSL_RSA_WITH_3DES_EDE_CBC_SHA (IBM JRE); no equivalent for Oracle JRE | No |
| TLS_RSA_WITH_NULL_SHA256 | SSL_RSA_WITH_NULL_SHA256 (IBM JRE); TLS_RSA_WITH_NULL_SHA256 (Oracle JRE) | No (note 7) |
| TLS_RSA_WITH_AES_128_CBC_SHA | SSL_RSA_WITH_AES_128_CBC_SHA (IBM JRE); TLS_RSA_WITH_AES_128_CBC_SHA (Oracle JRE) | Yes (notes 5, 7) |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | SSL_RSA_WITH_AES_128_CBC_SHA256 (IBM JRE); TLS_RSA_WITH_AES_128_CBC_SHA256 (Oracle JRE) | Yes (notes 5, 7) |
| TLS_RSA_WITH_AES_256_CBC_SHA | SSL_RSA_WITH_AES_256_CBC_SHA (IBM JRE); TLS_RSA_WITH_AES_256_CBC_SHA (Oracle JRE) | Yes (notes 5, 7) |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | SSL_RSA_WITH_AES_256_CBC_SHA256 (IBM JRE); TLS_RSA_WITH_AES_256_CBC_SHA256 (Oracle JRE) | Yes (notes 5, 7) |
| AES_SHA_US (note 2) | | |
| TLS_RSA_WITH_DES_CBC_SHA (note 8) | SSL_RSA_WITH_DES_CBC_SHA | No (note 3) |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (notes 8, 9) | SSL_RSA_WITH_3DES_EDE_CBC_SHA | Yes |
| FIPS_WITH_DES_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA (IBM JRE); no equivalent for Oracle JRE | No (note 4) |
| FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (IBM JRE); no equivalent for Oracle JRE | No (note 6) |

Notes:
  1. In an IBM WebSphere MQ classes for Java application, indicate that only FIPS-certified algorithms are to be used by setting the sslFipsRequired field in the MQEnvironment class to true, and indicate that non-FIPS-certified algorithms can also be used by setting the sslFipsRequired field to false. Alternatively, set the environment property CMQC.SSL_FIPS_REQUIRED_PROPERTY.
  2. This CipherSpec has no equivalent CipherSuite.
  3. This CipherSpec was FIPS 140-2 certified before 19th May 2007.
  4. This CipherSpec was FIPS 140-2 certified before 19th May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
  5. These CipherSpecs (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256) cannot be used to secure a connection from the WebSphere MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.

    See Security information for further information on policy files.

  6. The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
  7. These CipherSpecs (TLS_RSA_WITH_NULL_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256) require IBM JREs 6.0 SR13 FP2, 7.0 SR4 FP2 or later.
  8. These CipherSpecs (TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA256) can use either SSLv3 or TLS. By default, when FIPS is not enabled, SSLv3 is used. To use TLS, set the Java System Property com.ibm.mq.cfg.preferTLS to true.
  9. This CipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA is deprecated. However, it can still be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, you need to either avoid using triple DES, or enable secret key reset when using this CipherSpec.
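
The following Java pre-flight check is an added example, not code from IBM or from this page. Given the CipherSpec named in SSLCIPH on the SVRCONN channel, it picks the CipherSuite name for the mapping selected by com.ibm.mq.cfg.useIBMCipherMappings, applies the FIPS column of Table 1, and confirms that the running JRE knows the suite under that name. The class name CipherSuitePreflight, the four-row subset of the table, parsing the property as a boolean, and the JRE supported-suite check are assumptions of the example.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;

/** Added example (hypothetical class): pre-flight check for the client end of an MQI channel. */
public class CipherSuitePreflight {
    // CipherSpec -> { IBM JRE CipherSuite, Oracle JRE CipherSuite (null = no equivalent),
    //                 "Yes"/"No" from the FIPS column }. Four rows copied from Table 1.
    static final Map<String, String[]> TABLE = new LinkedHashMap<>();
    static {
        TABLE.put("TLS_RSA_WITH_AES_128_CBC_SHA256", new String[] {
            "SSL_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "Yes"});
        TABLE.put("TLS_RSA_WITH_AES_256_CBC_SHA256", new String[] {
            "SSL_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "Yes"});
        TABLE.put("TLS_RSA_WITH_NULL_SHA256", new String[] {
            "SSL_RSA_WITH_NULL_SHA256", "TLS_RSA_WITH_NULL_SHA256", "No"});
        TABLE.put("TRIPLE_DES_SHA_US", new String[] {
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA", null, "No"});
    }

    /** Returns the CipherSuite to put in sslCipherSuite, or throws with the reason it cannot work. */
    static String resolve(String cipherSpec, boolean fipsRequired) throws Exception {
        String[] row = TABLE.get(cipherSpec);
        if (row == null) throw new IllegalArgumentException(cipherSpec + ": not in the example table");
        // The page gives true as the default; parsing the value as a boolean is an assumption.
        boolean ibm = Boolean.parseBoolean(
            System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings", "true"));
        String suite = ibm ? row[0] : row[1];
        if (suite == null) throw new IllegalStateException(cipherSpec + ": no equivalent for Oracle JRE");
        if (fipsRequired && !"Yes".equals(row[2]))
            throw new IllegalStateException(cipherSpec + ": connection not possible with FIPS required");
        // Added check (not from the page): the running JRE must know the suite under this name.
        String[] known = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        if (!Arrays.asList(known).contains(suite))
            throw new IllegalStateException(suite + ": not offered by this JRE; check useIBMCipherMappings");
        return suite;
    }

    public static void main(String[] args) {
        boolean fips = true;
        for (String spec : TABLE.keySet()) {
            try {
                // In the application: MQEnvironment.sslCipherSuite = <result>; MQEnvironment.sslFipsRequired = fips;
                System.out.println(spec + " -> " + resolve(spec, fips));
            } catch (Exception e) {
                System.out.println(spec + " rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it with the same JRE and the same -Dcom.ibm.mq.cfg.useIBMCipherMappings setting as the application, so that a name mismatch between the IBM and Oracle mappings surfaces before the channel start fails.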