Working with SSL or TLS on HP Integrity NonStop Server

Describes the IBM® WebSphere® MQ client for HP Integrity NonStop Server OpenSSL security implementation, including security services, components, supported protocol versions, supported CipherSpecs, and unsupported security functionality.

IBM WebSphere MQ SSL and TLS support provides the following security services for client channels:
  • Authentication of the server and, optionally, authentication of the client.
  • Encryption and decryption of the data that is flowing across a channel.
  • Integrity checks on the data that is flowing across a channel.
The SSL and TLS support supplied with the IBM WebSphere MQ client for HP Integrity NonStop Server comprises the following components:
  • OpenSSL libraries and the openssl command.
  • IBM WebSphere MQ password stash command, amqrsslc.
The following required components for SSL or TLS client channel operation are not provided with the IBM WebSphere MQ client for HP Integrity NonStop Server:
  • An entropy daemon to provide a source of random data for OpenSSL cryptography.

Supported protocol versions

The IBM WebSphere MQ client for HP Integrity NonStop Server supports the following protocol versions:
  • SSL 3.0
  • TLS 1.0
  • TLS 1.2

Supported CipherSpecs

The IBM WebSphere MQ client for HP Integrity NonStop Server supports the following CipherSpecs:
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • RC4_SHA_US
  • RC4_MD5_US
  • TRIPLE_DES_SHA_US
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (deprecated)
  • DES_SHA_EXPORT1024
  • RC4_56_SHA_EXPORT1024
  • RC4_MD5_EXPORT
  • RC2_MD5_EXPORT
  • DES_SHA_EXPORT
  • TLS_RSA_WITH_DES_CBC_SHA
  • NULL_SHA
  • NULL_MD5
  • FIPS_WITH_DES_CBC_SHA
  • FIPS_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_NULL_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • ECDHE_ECDSA_AES_128_CBC_SHA256
  • ECDHE_ECDSA_AES_256_CBC_SHA384
  • ECDHE_RSA_AES_128_CBC_SHA256
  • ECDHE_RSA_AES_256_CBC_SHA384
  • ECDHE_ECDSA_AES_128_GCM_SHA256
  • ECDHE_ECDSA_AES_256_GCM_SHA384
  • ECDHE_RSA_AES_128_GCM_SHA256
  • ECDHE_RSA_AES_256_GCM_SHA384
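
The supported list above mixes CipherSpecs with very different properties, so a channel definition is worth checking against it. The following Python sketch is an added example, not IBM code: it groups the names listed above by the algorithms each name encodes. The category labels, the helper names (triage, report, shortlist) and the choice of AES-GCM with ECDHE as the shortlist are assumptions of this example.

```python
# Added example (not IBM code): triage the CipherSpec names listed on this page.
# Category labels and the shortlist rule are assumptions of this example, based
# on the well-known properties of the algorithms each name encodes.

# Constructed input: the supported-CipherSpec list copied from this page.
SUPPORTED = """
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA RC4_SHA_US RC4_MD5_US
TRIPLE_DES_SHA_US TLS_RSA_WITH_3DES_EDE_CBC_SHA DES_SHA_EXPORT1024
RC4_56_SHA_EXPORT1024 RC4_MD5_EXPORT RC2_MD5_EXPORT DES_SHA_EXPORT
TLS_RSA_WITH_DES_CBC_SHA NULL_SHA NULL_MD5 FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384
ECDHE_ECDSA_AES_128_GCM_SHA256 ECDHE_ECDSA_AES_256_GCM_SHA384
ECDHE_RSA_AES_128_GCM_SHA256 ECDHE_RSA_AES_256_GCM_SHA384
""".split()

LEGACY = {"RC4", "RC2", "DES", "3DES"}  # broken or 64-bit-block ciphers


def triage(name):
    """Return (category, forward_secrecy) for one CipherSpec name."""
    tokens = name.split("_")
    if "NULL" in tokens:
        category = "no-encryption"   # integrity only, data flows in clear
    elif any(t.startswith("EXPORT") for t in tokens):
        category = "export-grade"    # deliberately shortened keys
    elif LEGACY & set(tokens):
        category = "legacy-cipher"
    elif "GCM" in tokens:
        category = "aes-gcm"         # authenticated encryption (AEAD)
    elif "CBC" in tokens:
        category = "aes-cbc"
    else:
        category = "unclassified"
    return category, tokens[0] == "ECDHE"


def report(names):
    """Group CipherSpec names by category, preserving input order."""
    groups = {}
    for name in names:
        groups.setdefault(triage(name)[0], []).append(name)
    return groups


def shortlist(names):
    """Names using AES-GCM with an ephemeral (ECDHE) key exchange."""
    return [n for n in names if triage(n) == ("aes-gcm", True)]
```

Calling report(SUPPORTED) returns the five groups, and shortlist(SUPPORTED) returns the four ECDHE GCM names from the list above.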

Unsupported security functionality

The IBM WebSphere MQ client for HP Integrity NonStop Server does not currently support:
  • PKCS#11 Cryptographic hardware support
  • LDAP Certificate Revocation List checking
  • Online Certificate Status Protocol (OCSP) checking
  • FIPS 140-2, NSA Suite B cipher suite controls