TLS CipherSpecs and CipherSuites in IBM MQ classes for Java
The ability of IBM® MQ classes for Java applications to establish connections to a queue manager, depends on the CipherSpec specified at the server end of the MQI channel and the CipherSuite specified at the client end.
The following table lists the CipherSpecs supported by IBM MQ and their equivalent CipherSuites.
You should review the topic Deprecated CipherSpecs to see if any of the
CipherSpecs, listed in the following table, have been deprecated by IBM MQ and, if so, at which update the CipherSpec was
deprecated.
The IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance is currently pending and its status can be viewed by searching for "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider" in the NIST CMVP modules in process list.
Ciphersuites denoted as FIPS 140-2 compliant can be used if the application has not been configured to enforce FIPS 140-2 compliance, but if FIPS 140-2 compliance has been configured for the application (see the following notes on configuration) only those CipherSuites which are marked as FIPS 140-2 compatible can be configured; attempting to use other CipherSuites results in an error.
For more information about FIPS 140-2 and Suite-B compliance for CipherSpecs and CipherSuites, see Specifying CipherSpecs. You might also need to be aware of information that concerns US Federal Information Processing Standards.
To be able to use TLS 1.3 Ciphers, the JRE running your application must support TLS 1.3.
CipherSpec 1 | Equivalent CipherSuite (IBM JRE) | Equivalent CipherSuite (Oracle JRE) | Protocol | FIPS 140-2 compatible |
---|---|---|---|---|
ECDHE_ECDSA_3DES_EDE_CBC_SHA256 | SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | TLS 1.2 | yes |
ECDHE_ECDSA_AES_128_CBC_SHA256 | SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | yes |
ECDHE_ECDSA_AES_128_GCM_SHA256 | SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | yes |
ECDHE_ECDSA_AES_256_CBC_SHA384 | SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS 1.2 | yes |
ECDHE_ECDSA_AES_256_GCM_SHA384 | SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | yes |
ECDHE_ECDSA_NULL_SHA256 | SSL_ECDHE_ECDSA_WITH_NULL_SHA | TLS_ECDHE_ECDSA_WITH_NULL_SHA | TLS 1.2 | no |
ECDHE_ECDSA_RC4_128_SHA256 | SSL_ECDHE_ECDSA_WITH_RC4_128_SHA | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | TLS 1.2 | no |
ECDHE_RSA_3DES_EDE_CBC_SHA256 | SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS 1.2 | yes |
ECDHE_RSA_AES_128_CBC_SHA256 | SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | yes |
ECDHE_RSA_AES_128_GCM_SHA256 | SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | yes |
ECDHE_RSA_AES_256_CBC_SHA384 | SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS 1.2 | yes |
ECDHE_RSA_AES_256_GCM_SHA384 | SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | yes |
ECDHE_RSA_NULL_SHA256 | SSL_ECDHE_RSA_WITH_NULL_SHA | TLS_ECDHE_RSA_WITH_NULL_SHA | TLS 1.2 | no |
ECDHE_RSA_RC4_128_SHA256 | SSL_ECDHE_RSA_WITH_RC4_128_SHA | TLS_ECDHE_RSA_WITH_RC4_128_SHA | TLS 1.2 | no |
TLS_RSA_WITH_3DES_EDE_CBC_SHA 2 | SSL_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS 1.0 | no 4 |
TLS_RSA_WITH_AES_128_CBC_SHA | SSL_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS 1.0 | no 4 |
TLS_RSA_WITH_AES_128_CBC_SHA256 | SSL_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | no 4 |
TLS_RSA_WITH_AES_128_GCM_SHA256 | SSL_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | no 4 |
TLS_RSA_WITH_AES_256_CBC_SHA | SSL_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS 1.0 | no 4 |
TLS_RSA_WITH_AES_256_CBC_SHA256 | SSL_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 | no 4 |
TLS_RSA_WITH_AES_256_GCM_SHA384 | SSL_RSA_WITH_AES_256_GCM_SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | no 4 |
TLS_RSA_WITH_DES_CBC_SHA | SSL_RSA_WITH_DES_CBC_SHA | SSL_RSA_WITH_DES_CBC_SHA | TLS 1.0 | no |
TLS_RSA_WITH_NULL_SHA256 | SSL_RSA_WITH_NULL_SHA256 | TLS_RSA_WITH_NULL_SHA256 | TLS 1.2 | no |
TLS_RSA_WITH_RC4_128_SHA256 | SSL_RSA_WITH_RC4_128_SHA | SSL_RSA_WITH_RC4_128_SHA | TLS 1.2 | no |
ANY_TLS12 | *TLS12 | *TLS12 | TLS 1.2 | yes |
TLS_AES_128_GCM_SHA256 3 | TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | TLS V1.3 | no |
TLS_AES_256_GCM_SHA384 3 | TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | TLS V1.3 | no |
TLS_CHACHA20_POLY1305_SHA256 3 | TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | TLS V1.3 | no |
TLS_AES_128_CCM_SHA256 3 | TLS_AES_128_CCM_SHA256 | TLS_AES_128_CCM_SHA256 | TLS V1.3 | no |
TLS_AES_128_CCM_8_SHA256 3 | TLS_AES_128_CCM_8_SHA256 | TLS_AES_128_CCM_8_SHA256 | TLS V1.3 | no |
ANY 3 | *ANY | *ANY | Multiple | no |
ANY_TLS13 3 | *TLS13 | *TLS13 | TLS V13 | no |
ANY_TLS12_OR_HIGHER 3 | *TLS12ORHIGHER | *TLS12ORHIGHER | TLS 1.2 and above | no |
ANY_TLS13_OR_HIGHER 3 | *TLS13ORHIGHER | *TLS13ORHIGHER | TLS 1.3 and above | no |
- This is the value configured on a channel in IBM MQ, including in a CCDT (binary or JSON).
CipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA is deprecated. However, it can still be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, you need to either avoid using triple DES, or enable secret key reset when using this CipherSpec.
- To be able to use TLS v1.3 Ciphers, the Java runtime environment (JRE) running your application must support TLS v1.3.
From IBM MQ 9.4.0, the IBM Java 8 JRE removes support for RSA key exchange when operating in FIPS mode.
Configuring Ciphersuites and FIPS-compliance in an IBM MQ classes for Java application
- An application that uses IBM MQ classes for Java can use either
of two methods to set the CipherSuite for a connection:
- Set the sslCipherSuite field in the MQEnvironment class to the CipherSuite name.
- Set the property CMQC.SSL_CIPHER_SUITE_PROPERTY in the properties hashtable passed to the MQQueueManager constructor to the CipherSuite name.
- An application that uses IBM MQ classes for Java can use either
of two methods to enforce FIPS 140-2 compliance:
- Set the sslFipsRequired field to true in the MQEnvironment class.
- Set the property CMQC.SSL_FIPS_REQUIRED_PROPERTYin the properties hash table passed to the MQQueueManager constructor to true.
Configuring your application to use IBM Java or Oracle Java CipherSuite mappings
From IBM MQ 9.4.0, a Cipher can be
defined as either the CipherSpec or CipherSuite name and is handled correctly by IBM MQ.
![[Removed]](ngremoved.gif)
com.ibm.mq.cfg.useIBMCipherMappings
, which controlled which mappings were used in
earlier versions of IBM MQ, is no longer needed and is
removed from the product at IBM MQ 9.4.0.Interoperability limitations
Certain CipherSuites might be compatible with more than one IBM MQ CipherSpec, depending on the protocol in use. However, only the CipherSuite/CipherSpec combination that uses the TLS version specified in Table 1 is supported. Attempting to use the unsupported combinations of CipherSuites and CipherSpecs will fail with an appropriate exception. Installations using any of these CipherSuite/CipherSpec combinations should move to a supported combination.
The following table shows the CipherSuites to which this limitation applies.
CipherSuite | Supported TLS CipherSpec | Unsupported SSL CipherSpec |
---|---|---|
SSL_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA 1 | TRIPLE_DES_SHA_US |
SSL_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_DES_CBC_SHA | DES_SHA_EXPORT |
SSL_RSA_WITH_RC4_128_SHA | TLS_RSA_WITH_RC4_128_SHA256 | RC4_SHA_US |
This CipherSpec TLS_RSA_WITH_3DES_EDE_CBC_SHA is deprecated. However, it can still be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, you need to either avoid using triple DES, or enable secret key reset when using this CipherSpec.