SSL CipherSpecs and CipherSuites in WebSphere MQ classes for Java
Whether a IBM® WebSphere® MQ classes for Java application can establish a connection to a queue manager depends on the CipherSpec specified at the server end of the MQI channel and the CipherSuite specified at the client end.
For each combination of CipherSpec and CipherSuite, whether a IBM WebSphere MQ classes for Java application can connect to a queue manager depends on the value of the sslFipsRequired field in the MQEnvironment class, or on the value of the environment property CMQC.SSL_FIPS_REQUIRED_PROPERTY.
At the server end of an MQI channel, the name of a CipherSpec can be specified as the value of the SSLCIPH parameter on a DEFINE CHANNEL CHLTYPE(SVRCONN) command. At the client end of an MQI channel, a IBM WebSphere MQ classes for Java application can set the sslCipherSuite field in the MQEnvironment class, or set the environment property CMQC.SSL_CIPHER_SUITE_PROPERTY.
Configuring your application to use IBM Java or Oracle Java CipherSuite mappings
com.ibm.mq.cfg.useIBMCipherMappings
controls which mappings are used. The property
can be one of the following values: - true
- Use the IBM Java CipherSuite to WebSphere MQ CipherSpec mappings.
- false
- Use the Oracle CipherSuite to WebSphere MQ CipherSpec mappings.
The following table lists the CipherSpecs supported by IBM WebSphere MQ and their equivalent CipherSuites. The table also indicates whether a IBM WebSphere MQ classes for Java application can establish a connection to a queue manager if a CipherSpec is specified at the server end of the MQI channel and the equivalent CipherSuite is specified at the client end.
CipherSpec | Equivalent CipherSuite | Connection possible if SFIPS 1 is set to YES? |
---|---|---|
NULL_MD5 | SSL_RSA_WITH_NULL_MD5 | No |
NULL_SHA | SSL_RSA_WITH_NULL_SHA | No |
RC4_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC4_40_MD5 (IBM JRE)
No equivalent for Oracle JRE. |
No |
RC4_MD5_US | SSL_RSA_WITH_RC4_128_MD5 | No |
RC4_SHA_US | SSL_RSA_WITH_RC4_128_SHA (IBM JRE)
No equivalent for Oracle JRE. |
No |
RC2_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (IBM JRE)
SSL_RSA_EXPORT_WITH_RC4_40_MD5 (Oracle JRE) |
No |
DES_SHA_EXPORT | SSL_RSA_WITH_DES_CBC_SHA (IBM JRE)
No equivalent for Oracle JRE. |
No |
RC4_56_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_RC4_56_SHA (IBM JRE)
No equivalent for Oracle JRE. |
No |
DES_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA (IBM JRE)
No equivalent for Oracle JRE. |
No |
TRIPLE_DES_SHA_US | SSL_RSA_WITH_3DES_EDE_CBC_SHA (IBM JRE)
No equivalent for Oracle JRE. |
No |
TLS_RSA_WITH_NULL_SHA256 | SSL_RSA_WITH_NULL_SHA256 (IBM JRE)
TLS_RSA_WITH_NULL_SHA256 (Oracle JRE) |
No 7 |
TLS_RSA_WITH_AES_128_CBC_SHA | SSL_RSA_WITH_AES_128_CBC_SHA (IBM JRE)
TLS_RSA_WITH_AES_128_CBC_SHA (Oracle JRE) |
Yes 5 7 |
TLS_RSA_WITH_AES_128_CBC_SHA256 | SSL_RSA_WITH_AES_128_CBC_SHA256 (IBM JRE)
TLS_RSA_WITH_AES_128_CBC_SHA256 (Oracle JRE) |
Yes 5 7 |
TLS_RSA_WITH_AES_256_CBC_SHA | SSL_RSA_WITH_AES_256_CBC_SHA (IBM JRE)
TLS_RSA_WITH_AES_256_CBC_SHA (Oracle JRE) |
Yes 5 7 |
TLS_RSA_WITH_AES_256_CBC_SHA256 | SSL_RSA_WITH_AES_256_CBC_SHA256 (IBM JRE)
TLS_RSA_WITH_AES_256_CBC_SHA256 (Oracle JRE) |
Yes 5 7 |
AES_SHA_US2 | ||
TLS_RSA_WITH_DES_CBC_SHA8 | SSL_RSA_WITH_DES_CBC_SHA | No3 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA8 9 | SSL_RSA_WITH_3DES_EDE_CBC_SHA | Yes |
FIPS_WITH_DES_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA (IBM JRE)
No equivalent for Oracle JRE. |
No4 |
FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (IBM JRE)
No equivalent for Oracle JRE. |
No6 |
- In a IBM WebSphere MQ classes for Java application,
indicate that only FIPS-certified algorithms are to be used by setting the sslFipsRequired field in
the MQEnvironment class to
true
and indicate that non-FIPS-certified algorithms can also be used by setting the sslFipsRequired field tofalse
. Alternatively, set the environment property CMQC.SSL_FIPS_REQUIRED_PROPERTY. - This CipherSpec has no equivalent CipherSuite.
- This CipherSpec was FIPS 140-2 certified before 19th May 2007.
- This CipherSpec was FIPS 140-2 certified before 19th May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
- These CipherSpecs (TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256)
cannot be used to secure a connection from the WebSphere MQ Explorer to a queue manager unless the
appropriate unrestricted policy files are applied to the JRE used by the Explorer.
See Security information for further information on policy files.
- The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
- These CipherSpecs (TLS_RSA_WITH_NULL_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256) require IBM JREs 6.0 SR13 FP2 , 7.0 SR4 FP2 or later.
- These CipherSpecs (TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA,
TLS_RSA_WITH_RC4_128_SHA256) can use either SSLv3 or TLS. By default, when FIPS is not enabled,
SSLv3 is used. To use TLS, set the Java System Property
com.ibm.mq.cfg.preferTLS to
true
. - This CipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA is deprecated. However, it can still be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, you need to either avoid using triple DES, or enable secret key reset when using this CipherSpec.