WebSphere MQ Suite - Security Considerations

For better security, TLS 1.2 is set as the default security protocol in Sterling B2B Integrator for all WebSphere MQ Suite services and adapters.

To use Sterling B2B Integrator in a secure manner, consider the following items before using the WebSphere MQ Suite services and adapters:

  • In Sterling B2B Integrator, the TLS level is determined by the cipher chosen. There are three parameters in wsmq.properties that control the ciphers used for each TLS version:
    • tls1Ciphers - list of ciphers for TLS 1.0
    • tls1.1Ciphers - list of ciphers for TLS 1.1
    • tls1.2Ciphers - list of ciphers for TLS 1.2
  • Not all ciphers supported by TLS 1.2 are listed in DefaultCipherSuite in wsmq.properties. You can add any supported ciphers, but read the WebSphere MQ documentation first so that you add them to the appropriate property file for each TLS level.
  • When setting SSLProtocol in wsmq.properties to the desired TLS level for the Dashboard and GPM, consider that there are no supported WebSphere MQ ciphers for TLS 1.1. You should not set SSLProtocol to TLS 1.1 if you are using WebSphere MQ. The valid values for SSLProtocol are listed below:
    • TLS1-TLS1.2 - for TLS 1.0, TLS 1.1, and TLS 1.2
    • TLS1 - for TLS 1.0 only
    • TLS1.1 - for TLS 1.1 only
    • TLS1.2 - for TLS 1.2 only
  • Any service or adapter that was configured prior to V5.2.6 to use a cipher that does not match the value of SSLProtocol in wsmq.properties still runs, but logs an error message for the insecure cipher. If you edit the service or adapter after upgrading to V5.2.6, you can select only ciphers that match the TLS level configured in SSLProtocol.
  • WebSphere MQ versions prior to V7.5 FP2 do not have ciphers that support TLS 1.2. If you use WebSphere MQ V7.5 FP2 or lower, you must set SSLProtocol in wsmq.properties to TLS1.
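
The following check applies the considerations above to a wsmq.properties file before an upgrade or configuration change. It is an added example, not code from Sterling B2B Integrator. It assumes comma-separated cipher lists; the adapter names, the sample cipher values, and the mq_has_tls12_ciphers flag are constructed for illustration.

```python
# Added example: audit wsmq.properties content against the rules on this page.
# Assumptions: cipher lists are comma-separated; sample values are constructed.
LEVELS = {"TLS1": ["tls1Ciphers"],
          "TLS1.1": ["tls1.1Ciphers"],
          "TLS1.2": ["tls1.2Ciphers"],
          "TLS1-TLS1.2": ["tls1Ciphers", "tls1.1Ciphers", "tls1.2Ciphers"]}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(text, adapter_ciphers, mq_has_tls12_ciphers=True):
    """Return findings; adapter_ciphers maps adapter name -> configured cipher."""
    props = parse_properties(text)
    proto = props.get("SSLProtocol", "")
    if proto not in LEVELS:
        return [f"SSLProtocol={proto!r} is not a valid value"]
    findings = []
    if proto == "TLS1.1":
        findings.append("SSLProtocol=TLS1.1: WebSphere MQ has no TLS 1.1 ciphers")
    if not mq_has_tls12_ciphers and proto != "TLS1":
        findings.append("this WebSphere MQ level needs SSLProtocol=TLS1")
    if mq_has_tls12_ciphers and proto != "TLS1.2":
        findings.append(f"SSLProtocol={proto} permits versions below the TLS 1.2 default")
    allowed = set()  # ciphers listed for the TLS levels that SSLProtocol enables
    for key in LEVELS[proto]:
        allowed.update(c.strip() for c in props.get(key, "").split(",") if c.strip())
    for name, cipher in sorted(adapter_ciphers.items()):
        if cipher not in allowed:  # mirrors the logged insecure-cipher error
            findings.append(f"{name}: cipher {cipher} does not match SSLProtocol={proto}")
    return findings

SAMPLE = """\
# constructed sample, not a shipped wsmq.properties
SSLProtocol=TLS1.2
tls1Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA
tls1.1Ciphers=
tls1.2Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256
"""

if __name__ == "__main__":
    adapters = {"LegacyMQAdapter": "TLS_RSA_WITH_AES_128_CBC_SHA",
                "NewMQAdapter": "TLS_RSA_WITH_AES_256_CBC_SHA256"}
    for finding in audit(SAMPLE, adapters):
        print(finding)
```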