SSL CipherSpecs and CipherSuites in JMS

CipherSpecs supported by WebSphere® MQ and their equivalent CipherSuites.

Table 1 lists the CipherSpecs supported by WebSphere MQ and their equivalent CipherSuites. If the ConnectionFactory property SSLFIPSREQUIRED is set to NO, a WebSphere MQ classes for JMS application can connect to a queue manager if any supported CipherSpec is specified at the server end of the MQI channel and the equivalent CipherSuite is specified at the client end. If SSLFIPSREQUIRED is set to YES, the combination of CipherSpec and CipherSuite determines whether the application can connect to the queue manager.

At the server end of an MQI channel, the name of a CipherSpec can be specified as the value of the SSLCIPH parameter on a DEFINE CHANNEL CHLTYPE(SVRCONN) command. At the client end of an MQI channel, the name of a CipherSuite can be specified in the following ways:
  • An application can call the setSSLCipherSuite() method of a ConnectionFactory object.
  • Using the WebSphere MQ JMS administration tool, you can set the SSLCIPHERSUITE property of a ConnectionFactory object.

Table 1. CipherSpecs supported by WebSphere MQ and their equivalent CipherSuites

| CipherSpec | Equivalent CipherSuite | Connection possible if SFIPS [1] is set to YES? |
|---|---|---|
| NULL_MD5 | SSL_RSA_WITH_NULL_MD5 | No |
| NULL_SHA | SSL_RSA_WITH_NULL_SHA | No |
| RC4_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC4_40_MD5 | No |
| RC4_MD5_US | SSL_RSA_WITH_RC4_128_MD5 | No |
| RC4_SHA_US | SSL_RSA_WITH_RC4_128_SHA | No |
| RC2_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | No |
| DES_SHA_EXPORT | SSL_RSA_WITH_DES_CBC_SHA | No |
| RC4_56_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_RC4_56_SHA | No |
| DES_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA | No |
| TRIPLE_DES_SHA_US | SSL_RSA_WITH_3DES_EDE_CBC_SHA | No |
| TLS_RSA_WITH_NULL_SHA256 | SSL_RSA_WITH_NULL_SHA256 | No [7] |
| TLS_RSA_WITH_AES_128_CBC_SHA | SSL_RSA_WITH_AES_128_CBC_SHA | Yes [5] [7] |
| TLS_RSA_WITH_AES_256_CBC_SHA | SSL_RSA_WITH_AES_256_CBC_SHA | Yes [5] [7] |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | SSL_RSA_WITH_AES_256_CBC_SHA256 | Yes [5] [7] |
| AES_SHA_US [2] | | |
| TLS_RSA_WITH_DES_CBC_SHA [8] [9] | SSL_RSA_WITH_DES_CBC_SHA | No [3] |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA [8] | SSL_RSA_WITH_3DES_EDE_CBC_SHA | Yes |
| FIPS_WITH_DES_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA | No [4] |
| FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | No [6] |

Notes:
  1. When using the WebSphere MQ JMS administration tool, SFIPS is the short name of the ConnectionFactory property SSLFIPSREQUIRED.
  2. This CipherSpec has no equivalent CipherSuite.
  3. This CipherSpec was FIPS 140-2 certified before 19th May 2007.
  4. This CipherSpec was FIPS 140-2 certified before 19th May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
  5. These CipherSpecs (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256) cannot be used to secure a connection from the WebSphere MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.

    See Security information for further information on policy files.

  6. The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
  7. These CipherSpecs (TLS_RSA_WITH_NULL_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256) require IBM JREs 6.0 SR13 FP2, 7.0 SR4 FP2 or later.
  8. These CipherSpecs (TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA256) can use either SSLv3 or TLS. By default, when FIPS is not enabled, SSLv3 is used. To use TLS, set the Java System Property com.ibm.mq.cfg.preferTLS to true.
  9. This CipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA is deprecated. However, it can still be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, you need to either avoid using triple DES, or enable secret key reset when using this CipherSpec.
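
The client-side setting described above, as an added example that is not IBM's code: it selects the CipherSuite for the CipherSpec named in the channel's SSLCIPH from the Table 1 rows marked Yes, and refuses every other CipherSpec when SSLFIPSREQUIRED is YES. The class name, host, queue manager and channel names are constructed, and the WebSphere MQ classes for JMS are assumed to be on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import javax.jms.JMSException;
import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class FipsCipherSuiteConfig { // hypothetical class name
    // Server CipherSpec (SSLCIPH) -> client CipherSuite, limited to the Table 1 rows
    // marked "Yes". Keyed by CipherSpec because one CipherSuite can be accepted for
    // one CipherSpec and refused for another (see the two 3DES rows).
    private static final Map<String, String> FIPS_USABLE = new HashMap<String, String>();
    static {
        FIPS_USABLE.put("TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA");
        FIPS_USABLE.put("TLS_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_AES_256_CBC_SHA");
        FIPS_USABLE.put("TLS_RSA_WITH_AES_256_CBC_SHA256", "SSL_RSA_WITH_AES_256_CBC_SHA256");
        // Note 9: deprecated; limited to 32 GB unless secret key reset is enabled.
        FIPS_USABLE.put("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
    }

    /** Builds a client factory for a SVRCONN channel whose SSLCIPH is serverCipherSpec. */
    public static MQConnectionFactory build(String host, int port, String qmgr,
            String channel, String serverCipherSpec) throws JMSException {
        String suite = FIPS_USABLE.get(serverCipherSpec);
        if (suite == null) {
            // Fail before any connection attempt instead of at handshake time.
            throw new IllegalArgumentException("SSLCIPH(" + serverCipherSpec
                    + ") cannot be used with SSLFIPSREQUIRED(YES); change the channel definition");
        }
        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName(host);
        cf.setPort(port);
        cf.setQueueManager(qmgr);
        cf.setChannel(channel);
        cf.setSSLCipherSuite(suite);   // client end of the MQI channel
        cf.setSSLFipsRequired(true);   // SSLFIPSREQUIRED(YES)
        return cf;
    }

    public static void main(String[] args) throws JMSException {
        // Constructed sample values; no connection is opened here.
        MQConnectionFactory cf = build("mq.example.internal", 1414, "QM1",
                "APP.SVRCONN", "TLS_RSA_WITH_AES_256_CBC_SHA256");
        System.out.println("CipherSuite: " + cf.getSSLCipherSuite());
        try { // Same 3DES CipherSuite as the accepted row, but Table 1 says No for this CipherSpec.
            build("mq.example.internal", 1414, "QM1", "APP.SVRCONN", "TRIPLE_DES_SHA_US");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```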