[V8.0.0.3 Jun 2015]

CipherSpec values supported in IBM MQ

The set of default CipherSpecs allows only the following values:

TLS 1.0
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.2
  • ECDHE_ECDSA_AES_128_CBC_SHA256
  • ECDHE_ECDSA_AES_256_CBC_SHA384
  • ECDHE_ECDSA_AES_128_GCM_SHA256
  • ECDHE_ECDSA_AES_256_GCM_SHA384
  • ECDHE_RSA_AES_128_CBC_SHA256
  • ECDHE_RSA_AES_256_CBC_SHA384
  • ECDHE_RSA_AES_128_GCM_SHA256
  • ECDHE_RSA_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
[IBMi]The default set of CipherSpecs for IBM® MQ for IBM i Version 7.2 and Version 7.3 allows only the following values:
  • *TLS_RSA_WITH_AES_128_GCM_SHA256
  • *TLS_RSA_WITH_AES_256_GCM_SHA384
  • *ECDHE_ECDSA_RC4_128_SHA256
  • *ECDHE_RSA_RC4_128_SHA256
  • *ECDHE_RSA_3DES_EDE_CBC_SHA256
  • *ECDHE_ECDSA_AES_128_CBC_SHA256
  • *ECDHE_ECDSA_AES_256_CBC_SHA384
  • *ECDHE_RSA_AES_128_CBC_SHA256
  • *ECDHE_RSA_AES_256_CBC_SHA384
  • *ECDHE_ECDSA_AES_128_GCM_SHA256
  • *ECDHE_ECDSA_AES_256_GCM_SHA384
  • *ECDHE_RSA_AES_128_GCM_SHA256
  • *ECDHE_RSA_AES_256_GCM_SHA384
  • *ECDHE_RSA_NULL_SHA256
  • *ECDHE_ECDSA_NULL_SHA256

Enabling deprecated TLS CipherSpecs

By default, you are not allowed to specify a deprecated CipherSpec on a channel definition. If you attempt to specify a deprecated CipherSpec, you receive message AMQ8242: SSLCIPH definition wrong, and PCF returns MQRCCF_SSL_CIPHER_SPEC_ERROR.

You cannot start a channel with a deprecated CipherSpec. If you attempt to do so with a deprecated CipherSpec, the system returns MQCC_FAILED (2), together with a Reason of MQRC_SSL_INITIALIZATION_ERROR (2393) to the client.

It is possible for you to re-enable one or more of the deprecated CipherSpecs for defining channels, at runtime on the server, by setting the environment variable AMQ_SSL_WEAK_CIPHER_ENABLE.

The AMQ_SSL_WEAK_CIPHER_ENABLE environment variable accepts:
  • A single CipherSpec name, or
  • A comma separated list of IBM MQ CipherSpec names to re-enable, or
  • The special value of ALL, representing all CipherSpecs.
For example, if you want to re-enable ECDHE_RSA_RC4_128_SHA256, set the following environment variable:

AMQ_SSL_WEAK_CIPHER_ENABLE=ECDHE_RA_RC4_128_SHA256
or, alternatively change the SSL stanza in the qm.ini file, by setting:

SSL
AllowWeakCipherSpec=ECDHE_RA_RC4_128_SHA256

Enabling deprecated SSL CipherSpecs

In addition to issuing AMQ_SSL_WEAK_CIPHER_ENABLE, or AllowWeakCipherSpec, as described in Enabling deprecated TLS CipherSpecs, you must set the environment variable AMQ_SSL_V3_ENABLE=1 or issue AllowSSLV3=Y as described in Deprecation:SSLV3 protocol.

For example, if you want to re-enable RC4_MD5_US, set the following environment variables:

AMQ_SSL_V3_ENABLE=1
AMQ_SSL_WEAK_CIPHER_ENABLE=RC4_MD5_US
or, alternatively, change the SSL stanza in the qm.ini file, by setting:

SSL
AllowSSLV3=Y
AllowWeakCipherSpec=RC4_MD5_US
Attention: The following information concerning TLS_V1 applies from IBM MQ Version 8.0.0, Fix Pack 9 only.

In addition to issuing AMQ_TLS_WEAK_CIPHER_ENABLE, or AllowWeakCipherSpec, you must set the environment variable AMQ_TLS_V1_ENABLE=1 or set AllowTLSV1=Y, to continue using deprecated TLSv1 CipherSpecs.

For example, if you want to re-enable TLS_RSA_WITH_AES_128_CBC_SHA, set the following environment variables:

AMQ_TLS_V1_ENABLE=1
AMQ_TLS_WEAK_CIPHER_ENABLE=TLS_RSA_WITH_AES_128_CBC_SHA
or, alternatively, change the SSL stanza in the qm.ini file, by setting:

SSL
AllowTLSV1=Y
AllowWeakCipherSpec=TLS_RSA_WITH_AES_128_CBC_SHA
[z/OS]

Enabling deprecated CipherSpecs on z/OS

By default, you are not allowed to specify a deprecated CipherSpec on a channel definition. If you attempt to specify a deprecated CipherSpec on z/OS®, you receive message CSQM102E or message CSQX674E.

To enable weak (deprecated) cipherspecs, you need to define the following DD statement in the CHINIT JCL:
//DD CSQXWEAK DUMMY 
To enable the deprecated SSLv3 protocol, you also need to define the following DD statement in the CHINIT JCL:
//DD CSQXSSL3 DUMMY 
To enable the deprecated TLSv1 protocol, you also need to define the following DD statement in the CHINIT JCL:
//DD CSQXTLS1 DUMMY