Enabling CipherSpecs
Enable a CipherSpec by using the SSLCIPH parameter in either the DEFINE CHANNEL MQSC command or the ALTER CHANNEL MQSC command.
IBM Crypto for Ccryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.
Some of the CipherSpecs that you can use with IBM MQ
are FIPS compliant. Some of the FIPS compliant CipherSpecs are also Suite B compliant although
others, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA (deprecated), are not.
All Suite B compliant CipherSpecs are also FIPS compliant. All Suite B compliant CipherSpecs fall
into two groups: 128 bit (for example, ECDHE_ECDSA_AES_128_GCM_SHA256) and 192 bit
(for example, ECDHE_ECDSA_AES_256_GCM_SHA384),
The following diagram illustrates the relationship between these subsets:
![[V8.0.0.3 Jun 2015]](ng8003.gif)
From IBM MQ
Version 8.0.0, Fix Pack 3 the number of supported CipherSpecs has been
reduced. See CipherSpec values supported in IBM MQ for more information on the list of supported CipherSpecs
and how you can enable deprecated CipherSpecs.
See Deprecated CipherSpecs for a list of CipherSpecs that you must re-enable to use with IBM MQ.
Cipher specifications that you can use with the IBM MQ queue manager automatically are listed in the following table. When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the SSL handshake is the size stored in the certificate unless it is determined by the CipherSpec, as noted in the table.
| Platform support 1 | CipherSpec name | Protocol used | MAC algorithm | Encryption algorithm | Encryption bits | FIPS 2 | Suite B |
|---|---|---|---|---|---|---|---|
|
|
TLS_RSA_WITH_AES_128_CBC_SHA
|
TLS 1.0 | SHA-1 | AES | 128 | Yes | No |
|
|
TLS_RSA_WITH_AES_256_CBC_SHA3
|
TLS 1.0 | SHA-1 | AES | 256 | Yes | No |
| All | ECDHE_ECDSA_AES_128_CBC_SHA256
|
TLS 1.2 | SHA-256 | AES | 128 | Yes | No |
| All | ECDHE_ECDSA_AES_256_CBC_SHA384
3
|
TLS 1.2 | SHA-384 | AES | 256 | Yes | No |
|
|
ECDHE_ECDSA_AES_128_GCM_SHA256
4
|
TLS 1.2 | AEAD AES-128 GCM | AES | 128 | Yes | 128 bit |
|
|
ECDHE_ECDSA_AES_256_GCM_SHA384
3
4 |
TLS 1.2 | AEAD AES-128 GCM | AES | 256 | Yes | 192 bit |
| All | ECDHE_RSA_AES_128_CBC_SHA256
|
TLS 1.2 | SHA-256 | AES | 128 | Yes | No |
| All | ECDHE_RSA_AES_256_CBC_SHA384
3
|
TLS 1.2 | SHA-384 | AES | 256 | Yes | No |
|
All |
ECDHE_RSA_AES_128_GCM_SHA256
4 |
TLS 1.2 | AEAD AES-128 GCM | AES | 128 | Yes | No |
|
All |
ECDHE_RSA_AES_256_GCM_SHA384
3
4 |
TLS 1.2 | AEAD AES-128 GCM | AES | SHA384 | Yes | No |
|
ECDHE_ECDSA_RC4_128_SHA256
|
TLS 1.2 | AEAD AES-128 GCM | AES | SHA256 | Yes | No |
|
|
ECDHE_ECDSA_3DES_EDE_CBC_SHA256
|
TLS 1.2 | AEAD AES-128 GCM | 3DES | SHA256 | Yes | No |
|
|
ECDHE_RSA_3DES_EDE_CBC_SHA256
|
TLS 1.2 | AEAD AES-128 GCM | 3DES | SHA256 | Yes | No |
|
|
ECDHE_RSA_RC4_128_SHA256
|
TLS 1.2 | AEAD AES-128 GCM | RSA | SHA256 | Yes | No |
|
|
ECDHE_RSA_NULL_SHA256
|
TLS 1.2 | AEAD AES-128 GCM | RSA | SHA256 | Yes | No |
|
|
ECDHE_ECDSA_NULL_SHA256
|
TLS 1.2 | AEAD AES-128 GCM | ECDSA | SHA256 | Yes | No |
|
|
ECDHE_ECDSA_AES_256_GCM_SHA3843
4 |
TLS 1.2 | AEAD AES-128 GCM | AES | SHA384 | Yes | No |
|
|
TLS_RSA_WITH_AES_128_CBC_SHA256
|
TLS 1.2 | SHA-256 | AES | 128 | Yes | No |
|
|
TLS_RSA_WITH_AES_256_CBC_SHA256
3
|
TLS 1.2 | SHA-256 | AES | 256 | Yes | No |
|
|
TLS_RSA_WITH_AES_128_GCM_SHA256
4
|
TLS 1.2 | AEAD AES-128 GCM | AES | 128 | Yes | No |
|
|
TLS_RSA_WITH_AES_256_GCM_SHA3843
4 |
TLS 1.2 | AEAD AES-128 GCM | AES | 256 | Yes | No |
|
Notes:
|
|||||||
![[Linux]](../common/../com.ibm.mq.sec.doc/nglinux.gif)
![[Windows]](../common/../com.ibm.mq.sec.doc/ngwin.gif)
![[z/OS]](../common/../com.ibm.mq.sec.doc/ngzos.gif)
![[UNIX]](../common/../com.ibm.mq.sec.doc/ngunix.gif)
![[IBMi]](../common/../com.ibm.mq.sec.doc/ngibmi.gif)