Question & Answer
Question
I want to use SHA-2 CipherSpecs with WebSphere MQ. What versions and Fix Pack levels do I need?
Answer
WebSphere MQ Distributed Platforms Support (AIX, HP-UX, Linux, Solaris, Windows)
SHA-2 CipherSpecs are supported in WebSphere MQ 7.0.1.4 and later releases. To use SHA-2 support in 7.0.1.x, use the alternate GSKit capability.
The IBM Knowledge Center link for using SHA-2 in WebSphere MQ 7.0.1 is:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzas.doc/sy13850_.htm
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy12870_.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q014260_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm
On Windows platforms, the WebSphere MQ programs and libraries are digitally signed to verify their authenticity. In WebSphere MQ releases up to MQ 7.5.x they are signed using SHA-1 with RSA; in MQ 8.0 they are signed using SHA-256 with RSA. The new signature algorithm is supported by all Windows versions where MQ 8.0 is supported.
WebSphere MQ z/OS Support
SHA-2 CipherSpecs are supported on z/OS when running WebSphere MQ 8.0.
SHA-2 CipherSpecs are also supported on z/OS when running WebSphere MQ 7.1 on z/OS V1R13 with MQ APAR PM77341 and System SSL APAR OA39422 applied.
The requirements for z/OS are described in the "Specifying CipherSpecs" topic:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy12870_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm
WebSphere MQ IBM i Support
SHA-2 CipherSpecs are supported on IBM i from WebSphere MQ 7.1.0.3 and later product releases and maintenance levels. The CipherSpecs supported on IBM i are listed in the "Specifying CipherSpecs" topics as shown in the z/OS section above.
WebSphere MQ Client for HP NonStop Server Support:
SHA-2 is supported in the WebSphere MQ Client for HP NonStop Server from V7.1.0.0.
This IBM Knowledge Center topic describes how OpenSSL is used and should be enabled:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/q113360_.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q113360_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q113360_.htm
This IBM Knowledge Center topic describes how to set up Certificates and CipherSpecs:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/q114070_.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q114070_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q114070_.htm
WebSphere MQ Server for HP NonStop Server Support:
SHA-2 is supported in the WebSphere MQ Server for HP NonStop Server from MQ V5.3.1.10 and later releases.
The document 'SSLupdate.pdf' has been updated and contains a list of all the presently supported ciphers.
WebSphere MQ Components:
Java/JMS Support:
SHA-2 is supported in the Java/JMS component for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ 7.5.0.2.
For full support, including FIPS compatibility, a user application needs to run on a suitable IBM JRE: Java 6 SR13 FP2 or Java 7 SR4 FP2. Later JREs also contain the appropriate support.
In MQ 8.0, changes have been made to CipherSuite/CipherSpec support. See the following IBM Knowledge Center MQ 8.0 topics:
Changes to WebSphere MQ classes for Java:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.pro.doc/q115900_.htm
Changes to WebSphere MQ classes for JMS:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.pro.doc/q115970_.htm
WebSphere MQ support for SSL and TLS overall is summarized here:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10920_.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q010080_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q010070_.htm
Specifying CipherSpecs on Queue Manager channels, including details of FIPS 140-2 and Suite B compliance, is discussed here:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy12870_.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q014260_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm
The relationship of Queue Manager CipherSpecs and Java CipherSuites, together with details of how to configure CipherSuites in WebSphere MQ Classes for Java is discussed here:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/ja34740_.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q031290_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm
The relationship of Queue Manager CipherSpecs and Java CipherSuites, together with details of how to configure CipherSuites in WebSphere MQ Classes for JMS is discussed here:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/jm34740_.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q032470_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
In addition, users may need to apply unrestricted SDK policy files to their IBM JRE if not using the JRE supplied with MQ. This is documented in the Java Knowledge Center here:
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/sdkpolicyfiles.html?lang=en
Application Server Support
SHA-2 functionality is available within supported Java EE application servers on condition that:
- The Java Runtime Environment executing the application server supports the SHA-2 Cipher Specs, as described in the list in the Java/JMS section
- The version of WebSphere MQ Resource Adapter deployed into the application server is one of the versions listed in the Java/JMS section
This Technote displays which version of WebSphere MQ is shipped with WebSphere Application Server: http://www.ibm.com/support/docview.wss?rs=171&uid=swg21248089
Users of WebSphere Application Server may need to manually install a version of the WebSphere MQ Resource Adapter that provides SHA-2 support. This process is documented in the WebSphere Application Server Knowledge Center:
http://www.ibm.com/support/knowledgecenter/SS7JFU_8.0.0/com.ibm.websphere.express.doc/info/exp/ae/tmj_wmqra_updating.html?lang=en
MQ Explorer Support:
SHA-2 is supported in the MQ Explorer (GUI) component for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ V7.5.0.2 and the MS0T SupportPac.
The instructions for 'Installing into Eclipse environments' are described here:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.explorer.doc/e_install_in_eclipse.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.explorer.doc/e_install_in_eclipse.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.explorer.doc/e_install_in_eclipse.htm
In addition, users may need to apply unrestricted SDK policy files to their IBM JRE if not using the JRE supplied with MQ. This is documented in the Java Knowledge Center here:
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/sdkpolicyfiles.html?lang=en
The instructions for creating a security-enabled connection are described on this page:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.explorer.doc/e_qmanager_showremote.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.explorer.doc/e_qmanager_showremote.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.explorer.doc/e_qmanager_showremote.htm
MQXR Support:
SHA-2 is supported in the MQXR Service and MQTT Clients for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ 7.5.0.2 and later releases.
System requirements for using SHA-2 cipher suites with MQTT channels and clients are described here:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/q039371_.htm
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q039371_.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.tro.doc/q039371_.htm
AMS Support:
AMS on Distributed platforms supports SHA-2 algorithms from AMS 7.0.1.1 and later releases, as described in this Fix Pack description:
http://www.ibm.com/support/docview.wss?uid=swg24029612
AMS on z/OS supports SHA-2 algorithms with PTF PM55963, as described in this APAR description: http://www.ibm.com/support/docview.wss?uid=isg1PM55963
Managed File Transfer (FTE/MFT) Support:
For all of the following SHA-2-enabled communication options for MFT agents, the MFT component must use the IBM JRE at Java 6.0 SR13 FP2, Java 7.0 SR4 FP2, or later.
Use of SHA-2 cipher specifications and cipher suites on connections between agents and WebSphere MQ queue managers:
Supported on all platforms from WebSphere MQ 8.0. For more information about cipher specifications and cipher suites that are available at this release level, see MQ 8.0 SSL CipherSpecs and CipherSuites.
WebSphere MQ 7.5.0.2 or later supports SHA-2-enabled communication for agents on distributed platforms. For more information about cipher specifications and cipher suites that are available at this release level, see MQ 7.5 topic SSL CipherSpecs and CipherSuites.
Support is also present in WebSphere MQ File Transfer Edition V7.0.4.4 for agents on IBM i or z/OS platforms. For more information about cipher specifications and cipher suites that are available at this release level, see MQ 7.1 topic SSL CipherSpecs and CipherSuites.
Use of SHA-2 cipher specifications and cipher suites on connections between agents and protocol servers:
To comply with SP 800-131A for communications between MFT or FTE agents and protocol servers, you must satisfy the following requirements:
- You must use FTPS, which you have configured appropriately; SFTP is not supported.
- The remote server must send SP 800-131A-compliant cipher suites only.
For a list of valid cipher suite values for communications between MFT or FTE agents and FTPS protocol servers, see Cipher suites in the IBM SDK and Runtime Environment Java™ Technology Edition Version 7 Information Center.
Use of SHA-2 cipher specifications and cipher suites to connect to an FTPS server using the protocol bridge in FTPS mode is supported on all platforms in WebSphere MQ 8.0. For more information about configuring cipher suites, see the MQ 8.0 topics FTPS server support by the protocol bridge and Protocol bridge properties file format.
Support is also present in WebSphere MQ File Transfer Edition V7.0.4.4 for protocol bridge agents on z/OS and IBM i platforms. For more information about configuring cipher suites in this release, see the FTE 7.0.4 topics FTPS server support by the protocol bridge and Protocol bridge properties file format.
IBM Message Service Client
SHA-2 is supported from WebSphere MQ 7.1 (XMS V2.1) in unmanaged mode only.
The supported CipherSpecs are listed in the WebSphere MQ Information Center here:
MQ 7.1:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.msc.doc/prx_wmq_ssl_cipher_spec.html
MQ 7.5:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.msc.doc/prx_wmq_ssl_cipher_spec.htm
MQ 8.0:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.msc.doc/prx_wmq_ssl_cipher_spec.htm
Product Synonym
WMQ MQ
Document Information
Modified date:
23 June 2018
UID
swg21639606