Another in the series of bitesize blog posts about features in MQ V8. Check out the whole series here.
MQ V8 has added support for many new MQ CipherSpecs and the corresponding Java CipherSuites. However, a few CipherSpecs are no longer supported with MQ Classes for Java and MQ Classes for JMS (though they are still supported in other contexts). This blog post briefly discusses the additions, outlines some dependencies and explains the unsupported CipherSpecs.
In this post the term CipherSuite refers to a named set of "parameters" defining the client end of a secure connection - in this case an application using MQ Classes for Java or MQ Classes for JMS - and the term CipherSpec refers to a corresponding set of parameters (with a different name) used to configure the Queue Manager Channel to which the client is connecting.
What's new, and what prerequisites are there?
We now support to the full set of SHA-2 CipherSuites including those utilising Elliptical Curve cryptography.
Support for these CipherSuites in MQ Classes for Java and MQ Classes for JMS requires an appropriate JSSE (Java Secure Sockets Extension) provider as part of the Java Runtime Environment - IBM® Java 7 Service Refresh 4 Fix Pack 2 or a higher level of IBM JRE provides the appropriate support.
What's gone away?
MQ Classes for Java and MQ Classes for JMS no longer support access to channels configured with the following CipherSpecs:-
in the first case, the removal of support is because the prerequisite JSSE provider has discontinued support for the SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 CipherSuite , which naturally means that the the corresponding RC2_MD5_EXPORT CipherSpec is no longer available.
The remaining CipherSpecs are affected by rationalisation of support for three CipherSuites :-
Historically each of these CipherSuites could interoperate with 2 different CipherSpecs - one for SSL connections, one for TLS connections. We now only support use of these CipherSuites with TLS connections, so only the CipherSpec which utilises TLS is supported in MQ Classes for Java and MQ Classes for JMS, the SSL-based CipherSpec is not.
Where can I look for more information?
Tables showing the compatible combinations of CipherSuites and CipherSpecs are found at here (MQ Classes for Java) and here (MQ Classes for JMS) - these pages also discuss the JSSE/JRE requirement and the removal of support for some CipherSpecs.