Enabling deprecated protocols and CipherSuites in MQIPT

By default, secure sockets protocols and cipher suites that are considered insecure are disabled in the Java runtime environment (JRE) supplied with MQIPT. These deprecated protocols and cipher suites must be enabled before they can be used.

About this task

If you are aware of the potential hazards, but still need to use one of the protocols or cipher suites that are considered insecure in MQIPT, follow this procedure to enable the protocol or cipher suite that you need to use.
[MQ 9.2.0 Jul 2020] Note: Deprecated protocols and cipher suites cannot be used with the TLS command port.

Procedure

  1. Edit the java.security file, found in the mqipt_path/java/jre/lib/security directory, where mqipt_path is the location where MQIPT is installed.
  2. Add support to the JRE for a protocol or algorithm by removing the corresponding entry from the list of disabled algorithms in the jdk.tls.disabledAlgorithms property.
    • [MQ 9.2.0 Jul 2020] To add support for a protocol, remove the protocol from the list of disabled algorithms. For example, to add support for TLS 1.0, remove TLSv1 from the list.
    • To add support for a cipher suite, remove the corresponding algorithms from the list of disabled algorithms. For example, to add support for the SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA cipher suite, remove 3DES_EDE_CBC and DESede from the list.
  3. [MQ 9.2.0 Jul 2020] To enable SSL 3.0 in the JRE, you also need to set the system property com.ibm.jsse2.disableSSLv3=false.
    If you are starting MQIPT from the command line using the mqipt command, you can set the property by using the environment variable MQIPT_JVM_OPTIONS. For example:
    set MQIPT_JVM_OPTIONS=-Dcom.ibm.jsse2.disableSSLv3=false
    [MQ 9.2.4 Nov 2021] [Windows] [MQ 9.2.0.4 Nov 2021] If MQIPT is installed as a Windows service, you can set the property by defining a string value in the Windows registry under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MQInternetPassThru key. The value should have the following attributes:
    Name: MqiptJvmOptions
    Value data: -Dcom.ibm.jsse2.disableSSLv3=false
  4. To enable SSL 3.0, TLS 1.0, or TLS 1.1 on an MQIPT route, add the corresponding protocol to the SSLServerProtocols or SSLClientProtocols route property.
  5. Restart MQIPT for the changes to the JRE properties to come into effect.
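
To audit which of these settings have been relaxed on a host, the following added example (not IBM's code) parses java.security, lists watch-list names missing from jdk.tls.disabledAlgorithms, and checks MQIPT_JVM_OPTIONS for the SSL 3.0 override. The watch-list, the function names and the sample file contents are assumptions made for the illustration.

```python
import os
import sys

# Names as written in jdk.tls.disabledAlgorithms. TLSv1, 3DES_EDE_CBC and DESede
# are from the procedure; SSLv3 and TLSv1.1 are assumed to be the JSSE names
# for the other two protocols it mentions.
WATCHLIST = ["SSLv3", "TLSv1", "TLSv1.1", "3DES_EDE_CBC", "DESede"]

# Constructed sample, not a real MQIPT java.security file.
SAMPLE = """\
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, anon, NULL
"""

def disabled_algorithms(text):
    """Entries of jdk.tls.disabledAlgorithms; the last definition wins."""
    entries, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue                      # blank line or comment
        line = pending + stripped
        if line.endswith("\\"):           # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        key, sep, value = line.partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def reenabled(text, watchlist=WATCHLIST):
    """Watch-list names no longer disabled (compared case-insensitively)."""
    disabled = {e.lower() for e in disabled_algorithms(text)}
    return [name for name in watchlist if name.lower() not in disabled]

def sslv3_flag_set(jvm_options):
    """True if the JVM options carry the SSL 3.0 override from step 3."""
    return "-Dcom.ibm.jsse2.disableSSLv3=false" in jvm_options.split()

if __name__ == "__main__":
    # Pass the path to java.security; without one the sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name in reenabled(text):
        print("no longer disabled in the JRE:", name)
    if sslv3_flag_set(os.environ.get("MQIPT_JVM_OPTIONS", "")):
        print("MQIPT_JVM_OPTIONS sets com.ibm.jsse2.disableSSLv3=false")
```

Run it with the path to mqipt_path/java/jre/lib/security/java.security as the only argument; an empty report means every watch-list name is still disabled in the JRE.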