Skip to main content
Sign in

Search

DOKA-SaaS

How can we help?

Specifying MQ CipherSpecs

Sandhyaselvi Kalaivanan
  • Updated

mceclip0.png

Specify a CipherSpec by using the SSLCIPH parameter in either the DEFINE CHANNEL MQSC command or the ALTER CHANNEL MQSC command.

A table describing the CipherSpecs you can use with WebSphere MQ SSL and TLS support.

CipherSpec name
Protocol used
Data integrity
Encryption algorithm
Encryption bits
FIPS1
Suite B 128 bit
Suite B 192 bit
NULL_MD5 a SSL 3.0 MD5 None 0 No No No
NULL_SHA a SSL 3.0 SHA-1 None 0 No No No
RC4_MD5_EXPORT 2 a SSL 3.0 MD5 RC4 40 No No No
RC4_MD5_US a SSL 3.0 MD5 RC4 128 No No No
RC4_SHA_US a SSL 3.0 SHA-1 RC4 128 No No No
RC2_MD5_EXPORT 2 a SSL 3.0 MD5 RC2 40 No No No
DES_SHA_EXPORT 2 a SSL 3.0 SHA-1 DES 56 No No No
RC4_56_SHA_EXPORT1024 3 b SSL 3.0 SHA-1 RC4 56 No No No
DES_SHA_EXPORT1024 3 b SSL 3.0 SHA-1 DES 56 No No No
TLS_RSA_WITH_AES_128_CBC_SHA a TLS 1.0 SHA-1 AES 128 Yes No No
TLS_RSA_WITH_AES_256_CBC_SHA 4 a TLS 1.0 SHA-1 AES 256 Yes No No
TLS_RSA_WITH_DES_CBC_SHA a TLS 1.0 SHA-1 DES 56 No5 No No
FIPS_WITH_DES_CBC_SHA b SSL 3.0 SHA-1 DES 56 No6 No No
TLS_RSA_WITH_AES_128_GCM_SHA256 b TLS 1.2 AEAD AES-128 GCM AES 128 Yes No No
TLS_RSA_WITH_AES_256_GCM_SHA384 b TLS 1.2 AEAD AES-256 GCM AES 256 Yes No No
TLS_RSA_WITH_AES_128_CBC_SHA256 b TLS 1.2 SHA-256 AES 128 Yes No No
TLS_RSA_WITH_AES_256_CBC_SHA256 b TLS 1.2 SHA-256 AES 256 Yes No No
ECDHE_ECDSA_RC4_128_SHA256 b TLS 1.2 SHA-1 RC4 128 No No No
ECDHE_RSA_RC4_128_SHA256 b TLS 1.2 SHA_1 RC4 128 No No No
ECDHE_ECDSA_AES_128_CBC_SHA256 b TLS 1.2 SHA-256 AES 128 Yes No No
ECDHE_ECDSA_AES_256_CBC_SHA384 b TLS 1.2 SHA-384 AES 256 Yes No No
ECDHE_RSA_AES_128_CBC_SHA256 b TLS 1.2 SHA-256 AES 128 Yes No No
ECDHE_RSA_AES_256_CBC_SHA384 b TLS 1.2 SHA-384 AES 256 Yes No No
ECDHE_ECDSA_AES_128_GCM_SHA256 b TLS 1.2 AEAD AES-128 GCM AES 128 Yes Yes No
ECDHE_ECDSA_AES_256_GCM_SHA384 b TLS 1.2 AEAD AES-256 GCM AES 256 Yes No Yes
ECDHE_RSA_AES_128_GCM_SHA256 b TLS 1.2 AEAD AES-128 GCM AES 128 Yes No No
ECDHE_RSA_AES_256_GCM_SHA384 b TLS 1.2 AEAD AES-256 GCM AES 256 Yes No No
TLS_RSA_WITH_NULL_SHA256 b TLS 1.2 SHA-256 None 0 No No No
ECDHE_RSA_NULL_SHA256 b TLS 1.2 SHA-1 None 0 No No No
ECDHE_ECDSA_NULL_SHA256 b TLS 1.2 SHA-1 None 0 No No No
TLS_RSA_WITH_NULL_NULL b TLS 1.2 None None 0 No No No
TLS_RSA_WITH_RC4_128_SHA256 b TLS 1.2 SHA-1 RC4 128 No No No
Notes:
  1. Specifies whether the CipherSpec is FIPS-certified on a FIPS-certified platform. See Federal Information Processing Standards (FIPS) for an explanation of FIPS.
  2. The maximum handshake key size is 512 bits. If either of the certificates exchanged during the SSL handshake has a key size greater than 512 bits, a temporary 512-bit key is generated for use during the handshake.
  3. The handshake key size is 1024 bits.
  4. This CipherSpec cannot be used to secure a connection from the WebSphere MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.
  5. This CipherSpec was FIPS 140-2 certified before 19 May 2007.
  6. This CipherSpec was FIPS 140-2 certified before 19 May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
  7. This CipherSpec can be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, either avoid using triple DES, or enable secret key reset when using this CipherSpec.
Platform support:
  • a Available on all supported platforms.
  • b Available only on UNIX, Linux®, and Windows platforms.

Comments

0 comments

Please sign in to leave a comment.