Alternatives for specifying CipherSpecs
For those platforms where the operating system provides the TLS support, your system might support new CipherSpecs that are not included in Enabling CipherSpecs.
You can specify a new CipherSpec with the SSLCIPH parameter, but the value you supply depends on your platform. In all cases the specification must correspond to a TLS CipherSpec that is both valid and supported by the version of TLS your system is running.
Note: This section does not apply to AIX®, Linux®, and Windows systems, because the CipherSpecs are provided with the IBM® MQ product, so new CipherSpecs do not become available after shipment.
- IBM i
- A two-character string representing a hexadecimal value.
For more information about the permitted values, see point three in the Usage Notes section of Set character information for a secure session.
Attention: You should not specify hexadecimal cipher values in SSLCIPH, because it is unclear from the value which cipher will be used, and the choice of which protocol to be used is indeterminate. Using hexadecimal cipher values can lead to CipherSpec mismatch errors.
You can use either the CHGMQMCHL or the CRTMQMCHL command to specify the value, for example:
CRTMQMCHL CHLNAME(' channel name ') SSLCIPH(' hexadecimal value ')
You can also use the ALTER QMGR MQSC command to set the SSLCIPH parameter.
- z/OS®
- A four-character string representing a hexadecimal value. The hexadecimal codes correspond to the values defined in the TLS protocol. For more information, refer to Cipher Suite Definitions where there is a list of all the supported TLS 1.0, TLS 1.2, and TLS 1.3 cipher specifications in the form of 4-digit hexadecimal codes.
Note: In order to use a weak CipherSpec, or a CipherSpec belonging to a deprecated protocol, such as SSL V3.0 or TLS 1.0, you must specify the relevant DD card in the channel initiator startup JCL. See Deprecated CipherSpecs for more information.
Considerations for IBM MQ clusters
With IBM MQ clusters it is safest to use the CipherSpec names in Enabling CipherSpecs. If you use an alternative specification, be aware that the specification might not be valid on other platforms. For more information, refer to SSL/TLS and clusters.
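The platform-specific forms described above (two hexadecimal characters on IBM i, four on z/OS) can be found in exported channel definitions before they cause a mismatch in a cluster. The following is an added example, not IBM code: it scans MQSC text for SSLCIPH values of either hexadecimal shape and marks those on cluster channels. The channel names and cipher values in the sample are constructed, and the function names are hypothetical.

```python
import re

HEX = re.compile(r"[0-9A-Fa-f]+")
ATTR = re.compile(r"(\w+)\(\s*'?\s*([^')]*?)\s*'?\s*\)")  # KEYWORD(value) or KEYWORD('value')

SAMPLE = """\
* constructed sample, not taken from a real queue manager
DEFINE CHANNEL(TO.QM1) CHLTYPE(CLUSRCVR) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
DEFINE CHANNEL(TO.QM2) CHLTYPE(CLUSSDR) SSLCIPH('009C')
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH('9C')
DEFINE CHANNEL(PLAIN.SDR) CHLTYPE(SDR) SSLCIPH(' ')
"""

def classify_sslciph(value):
    """Classify an SSLCIPH value by shape only; no cipher lookup is attempted."""
    v = value.strip()
    if HEX.fullmatch(v) and len(v) in (2, 4):
        return "hex2" if len(v) == 2 else "hex4"   # IBM i form / z/OS form
    return "named" if v else "none"

def statements(mqsc_text):
    """Join MQSC continuation lines into single statements ('-' is handled like '+')."""
    buf = ""
    for raw in mqsc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):       # blank line or MQSC comment
            continue
        if line[-1] in "+-":
            buf += line[:-1]                       # keep text, drop the continuation mark
            continue
        yield buf + line
        buf = ""

def audit(mqsc_text):
    """Return (channel, sslciph, shape, is_cluster_channel) for each hexadecimal SSLCIPH."""
    findings = []
    for stmt in statements(mqsc_text):
        attrs = {k.upper(): v for k, v in ATTR.findall(stmt)}
        kind = classify_sslciph(attrs.get("SSLCIPH", ""))
        if "CHANNEL" in attrs and kind in ("hex2", "hex4"):
            cluster = attrs.get("CHLTYPE", "").upper() in ("CLUSSDR", "CLUSRCVR")
            findings.append((attrs["CHANNEL"], attrs["SSLCIPH"], kind, cluster))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding with the last field set to True is a cluster channel whose SSLCIPH might not be valid on the other platforms in the cluster.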