Enabling CipherSpecs

You enable a CipherSpec by using the SSLCIPH parameter in either the DEFINE CHANNEL or ALTER CHANNEL MQSC command.

Note: On AIX®, Linux® s390x, and Windows, IBM® MQ provides FIPS 140-2 compliance through the GSKit 8 IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST.

[MQ 9.4.4 Oct 2025] From IBM MQ 9.4.4, on Linux for x86-64 and Linux on Power® Systems - Little Endian, IBM MQ provides FIPS 140-3 compliance through the GSKit 9 IBM Crypto for C (ICC) cryptographic module. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.

[MQ 9.4.2 Feb 2025] The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 9.4.2 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. The FIPS 140-2 provider is still the default profile. IBM MQ 9.4.2 does not change the default behavior but does allow you to configure connections with FIPS 140-3.

For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending. [MQ 9.4.4 Oct 2025] If FIPS is enabled, IBM MQ in Container control processes use a FIPS 140-3 Certified OpenSSL Module. Details of the NIST certification can be viewed at: https://access.redhat.com/compliance/fips. IBM MQ queue managers running in container images have the same FIPS certification level as the base image platform version of IBM MQ.

Some of the CipherSpecs that you can use with IBM MQ are FIPS compliant. Some of the FIPS compliant CipherSpecs are also Suite B compliant although others, such as ECDHE_ECDSA_AES_128_CBC_SHA256, are not.

All Suite B compliant CipherSpecs are also FIPS compliant. All Suite B compliant CipherSpecs fall into two groups: 128 bit (for example, ECDHE_ECDSA_AES_128_GCM_SHA256) and 192 bit (for example, ECDHE_ECDSA_AES_256_GCM_SHA384),

The following diagram illustrates the relationship between these subsets:

Diagram representing the relationship between FIPS compliant CipherSpecs and Suite B compliant CipherSpecs.

IBM MQ supports the TLS 1.3 security protocol on all platforms.

The CipherSpecs that you can use for each of these platforms are listed in Table 1. For information about using these CipherSpecs, see Using TLS 1.3 in IBM MQ and IBM MQ MQI client and TLS 1.3.

For ease of configuration and future migration, IBM MQ also provides a set of alias CipherSpecs. Migrating existing security configurations to use an alias CipherSpec means that you can adapt to cipher additions and deprecations without needing to make further invasive configuration changes in the future. These alias CipherSpecs are listed in the Alias CipherSpecs section in Table 1. For more information about migrating to use an alias CipherSpec, see Migrating existing security configurations to use an alias CipherSpec.

You can configure the default CipherSpecs as described in Default CipherSpec values enabled in IBM MQ. You can also provide an alternative set of CipherSpecs that are enabled for use with channels on:

IBM MQ for Multiplatforms, as described in Providing a custom list of ordered and enabled CipherSpecs on IBM MQ for Multiplatforms.
IBM MQ for z/OS®, as described in Providing a custom list of ordered and enabled CipherSpecs on IBM MQ for z/OS.

Deprecated CipherSpecs that you can re-enable to use with IBM MQ if necessary are listed in Deprecated and removed CipherSpecs.

[MQ 9.4.4 Oct 2025] Removed CipherSpecs that cannot be used with IBM MQ are also listed in Deprecated and removed CipherSpecs.

CipherSpecs that you can use with IBM MQ TLS support

CipherSpecs that you can use with the IBM MQ queue manager automatically are listed in the following table. When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the TLS handshake is the size stored in the certificate unless it is determined by the CipherSpec, as noted in the table.

Table 1. CipherSpecs you can use with IBM MQ TLS support
Platform support¹	CipherSpec name	Hex code	Protocol used	MAC algorithm	Encryption algorithm (encryption bits)	FIPS²	Suite B
Alias CipherSpecs
All	ANY_TLS13_OR_HIGHER ³ ⁴	N/A	Negotiated	Negotiated	Negotiated	Negotiated	Negotiated
All	ANY_TLS13 ⁴ ⁵	N/A	TLS 1.3	Negotiated	Negotiated	Negotiated	Negotiated
All	ANY_TLS12_OR_HIGHER ⁴ ⁶	N/A	Negotiated	Negotiated	Negotiated	Negotiated	Negotiated
All	ANY_TLS12 ⁷	N/A	TLS 1.2	Negotiated	Negotiated	Negotiated	Negotiated
All	ANY ⁸	N/A	Negotiated	Negotiated	Negotiated	Negotiated	Negotiated
CipherSpecs for TLS 1.3
All	TLS_AES_128_GCM_SHA256	1301	TLS 1.3	GCM	AES-128 with GCM (128)	Yes	No
All	TLS_AES_256_GCM_SHA384	1302	TLS 1.3	GCM	AES-256 with GCM (256)	Yes	No
All	TLS_CHACHA20_POLY1305_SHA256	1303	TLS 1.3	POLY1305	CHACHA20 (256)	No	No
	TLS_AES_128_CCM_SHA256	1304	TLS 1.3	CBC-MAC	AES-128 with CTR (128)	No Yes	No
	TLS_AES_128_CCM_8_SHA256 ¹⁰	1305	TLS 1.3	CBC-MAC	AES-128 with CTR (128)	No Yes	No
CipherSpecs for TLS 1.2
All	TLS_RSA_WITH_AES_128_CBC_SHA256^9 ¹³	003C	TLS 1.2	SHA-256	AES (128)	No Yes	No
All	TLS_RSA_WITH_AES_256_CBC_SHA256 ⁹ ¹¹¹³	003D	TLS 1.2	SHA-256	AES (256)	No Yes	No
All	TLS_RSA_WITH_AES_128_GCM_SHA256 ⁹ ¹²¹³	009C	TLS 1.2	SHA-256 and AEAD GCM	AES (128)	No Yes	No
All	TLS_RSA_WITH_AES_256_GCM_SHA384 ⁹ ¹¹ ¹²¹³	009D	TLS 1.2	SHA-384 and AEAD GCM	AES (256)	No Yes	No
All	ECDHE_ECDSA_AES_128_CBC_SHA256 ⁹	C023	TLS 1.2	SHA-256	AES (128)	Yes	No
All	ECDHE_ECDSA_AES_256_CBC_SHA384 ⁹ ¹¹	C024	TLS 1.2	SHA-384	AES (256)	Yes	No
All	ECDHE_RSA_AES_128_CBC_SHA256 ⁹	C027	TLS 1.2	SHA-256	AES (128)	Yes	No
All	ECDHE_RSA_AES_256_CBC_SHA384 ⁹ ¹¹	C028	TLS 1.2	SHA-384	AES (256)	Yes	No
	ECDHE_ECDSA_AES_128_GCM_SHA256 ¹¹ ¹²	C02B	TLS 1.2	SHA-256 and AEAD GCM	AES (SHA384)	Yes	128 bit
	ECDHE_ECDSA_AES_256_GCM_SHA384 ¹¹ ¹²	C02C	TLS 1.2	SHA-384 and AEAD GCM	AES (SHA384)	Yes	192 bit
All	ECDHE_RSA_AES_128_GCM_SHA256 ¹²	C02F	TLS 1.2	SHA-256 and AEAD GCM	AES (128)	Yes	No
All	ECDHE_RSA_AES_256_GCM_SHA384 ¹¹ ¹²	C030	TLS 1.2	AEAD AES-128 GCM	AES (SHA384)	Yes	No
	ECDHE_RSA_CHACHA20_POLY1305	CCA8	TLS 1.2	POLY1305	CHACHA20 (256)	No	No
	ECDHE_ECDSA_CHACHA20_POLY1305	CCA9	TLS 1.2	POLY1305	CHACHA20 (256)	No	No
	ECDHE_ECDSA_AES128_CCM8 ¹⁰	C0AE	TLS 1.2	CBC-MAC	AES-128 with CTR (128)	Yes	No
Notes: For a list of platforms covered by each platform icon, see Icons used in the product documentation. Specifies whether the CipherSpec is FIPS certified on a FIPS certified platform. See Federal Information Processing Standards (FIPS) for an explanation of FIPS. The ANY_TLS13_OR_HIGHER alias CipherSpec negotiates the highest level of security that the remote end will allow but will only connect using a TLS 1.3 or higher protocol. To use TLS 1.3, or the ANY CipherSpec, on IBM i the underlying operating system version must support TLS 1.3. See System TLS support for TLSv1.3 for more information. The ANY_TLS13 alias CipherSpec represents a subset of acceptable CipherSpecs that use the TLS 1.3 protocol, as listed in this table for each platform. The ANY_TLS12_OR_HIGHER alias CipherSpec negotiates the highest level of security that the remote end will allow but will only connect using a TLS 1.2 or higher protocol. The ANY_TLS12 CipherSpec represents a subset of acceptable CipherSpecs that use the TLS 1.2 protocol, as listed in this table for each platform. The ANY alias CipherSpec negotiates the highest level of security that the remote end will allow. These CipherSpecs are not enabled on IBM i 7.4 systems that have System Value QSSLCSLCTL set to *OPSSYS. These CipherSpecs use an 8-octet Integrity Check Value (ICV) instead of a 16-octet ICV. This CipherSpec cannot be used to secure a connection from the IBM MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer. Following a recommendation by GSKit, TLS 1.2 GCM CipherSpecs have a restriction which means that after 2ˆ24.5 TLS records are sent, using the same session key, the connection is terminated with message AMQ9288E. This GCM restriction is active, regardless of the FIPS mode being used. To prevent this error from happening, avoid using TLS 1.2 GCM Ciphers, enable secret key reset, or start your IBM MQ queue manager or client with the environment variable `GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE` set. For GSKit libraries, you must set this environment variable on both sides of the connection, and apply it to both client to queue manager connections and queue manager to queue manager connections. Note that this setting affects unmanaged .NET clients, but not Java or managed .NET clients. For more information, see AES-GCM cipher restriction. This restriction does not apply to IBM MQ for z/OS. For Continuous Delivery, these CipherSpecs are deprecated and disabled by default from IBM MQ 9.4.1.

Using TLS 1.3 in IBM MQ

The product supports TLS 1.3 on all platforms.

Queue managers that are created at IBM MQ 9.2.0 or later support TLS 1.3 by default. Queue managers migrated from earlier versions of IBM MQ need to have TLS 1.3 enabled. You can enable TLS 1.3 on migrated queue managers by setting the AllowTLSV13=TRUE property:

For IBM MQ for Multiplatforms queue managers, edit the qm.ini file and add the AllowTLSV13=TRUE property under the SSL stanza (link to
```
SSL:   
  AllowTLSV13=TRUE 
```
For IBM MQ for z/OS queue managers, edit the QMINI data set specified in the queue manager startup JCL and add the AllowTLSV13=TRUE property under the TransportSecurity stanza
```
TransportSecurity: 
    AllowTLSV13=TRUE
```

When TLS 1.3 is enabled, and in accordance with the TLS 1.3 specification, any attempt to communicate with a weak CipherSpec, regardless of whether they are enabled in IBM MQ or not, is rejected. The CipherSpecs that TLS 1.3 considers weak are CipherSpecs that meet one or more of the following criteria:

Uses the SSL 3.0 protocol.
Uses RC4 or RC2 as the Encryption algorithm.
Has a encryption key size (bit) equal to or less than 112.
If RSA certificates are used, the key size (bit) must be equal to or greater than 2048.

These restrictions are flagged with Note ^[3] in Table 1 of Deprecated and removed CipherSpecs.

If you need to continue using such CipherSpecs, then you must disable TLS 1.3 mode:

Edit the queue manager's qm.ini file and change the setting of the AllowTLSV13 property to:
```
SSL:   
  AllowTLSV13=FALSE
```
Edit the QMINI data set of the queue manager and change the setting of the AllowTLSV13 property to:
```
TransportSecurity: 
    AllowTLSV13=FALSE
```

IBM MQ MQI client and TLS 1.3

When using the IBM MQ MQI client, the value of AllowTLSV13 is inferred unless it is explicitly specified in the SSL stanza of the mqclient.ini file that is being used by the application.

If any weak CipherSpecs are enabled, AllowTLSV13 is set to FALSE and no TLS 1.3 CipherSpecs can be used.
Otherwise, AllowTLSV13 is set to TRUE and the new TLS 1.3 CipherSpecs and alias CipherSpecs can be used.

Default CipherSpec values enabled in IBM MQ

Attention: With IBM Semeru Runtime 21, only FIPS 140-3 compliant Ciphersuites can be used, regardless of configuration. If you configure FIPS 140-2 compliance for the application and attempt to use other Ciphersuites, it results in an error.

In default configuration for a new IBM MQ queue manager, IBM MQ provides support for the TLS 1.2 and TLS 1.3 protocols and various cryptographic algorithms using CipherSpecs. For compatibility purposes, IBM MQ can also be configured to use SSL 3.0 and TLS 1.0 protocols and a number of cryptographic algorithms that are known to be weak or susceptible to security vulnerabilities. The list of CipherSpecs that are enabled in default configuration might change by applying maintenance.

[MQ 9.4.4 Oct 2025] Support for the SSL 3.0 and TLS 1.0 protocols has been removed and cannot be re-enabled via the associated .ini stanza attributes or environment variables.

You can configure IBM MQ to restrict or permit the use of CipherSpecs using the following controls:

Only permit FIPS 140-2 compliant CipherSpecs using SSLFIPS.
From IBM MQ 9.4.2, the connection factory property SSLFIPSREQUIRED is not supported in IBM Semeru Runtime Java. For more information, see SSLFIPSREQUIRED.
Only permit NSA Suite B compliant CipherSpecs using SUITEB.
Permit a custom list of CipherSpecs using AllowedCipherSpecs.
Permit a custom list of CipherSpecs using the AMQ_ALLOWED_CIPHERS environment variable.
Permit the use of deprecated CipherSpecs using AllowWeakCipher or the AMQ_SSL_WEAK_CIPHER_ENABLE environment variable.
Permit the use of deprecated CipherSpecs using DD statements in the CHINIT JCL.

Note: If you specify a custom list of CipherSpecs using AllowedCipherSpecs or AMQ_ALLOWED_CIPHERS this overrides enablement of any deprecated CipherSpecs. Note that when using either NSA Suite B or FIPS 140-2 restrictions in combination with a custom CipherSpec list, you must ensure the custom list only contains CipherSpecs permitted by the Suite B or FIPS 140-2 settings.