Enabling CipherSpecs

Enable a CipherSpec by using the SSLCIPH parameter in either the DEFINE CHANNEL MQSC command or the ALTER CHANNEL MQSC command.

Note: On UNIX, Linux®, and Windows, IBM® MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.

Some of the CipherSpecs that you can use with IBM MQ are FIPS compliant. Some of the FIPS compliant CipherSpecs are also Suite B compliant although others, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA (deprecated), are not.

All Suite B compliant CipherSpecs are also FIPS compliant. All Suite B compliant CipherSpecs fall into two groups: 128 bit (for example, ECDHE_ECDSA_AES_128_GCM_SHA256) and 192 bit (for example, ECDHE_ECDSA_AES_256_GCM_SHA384),

The following diagram illustrates the relationship between these subsets:

Diagram representing the relationship between FIPS compliant CipherSpecs and Suite B compliant CipherSpecs.

[V8.0.0.3 Jun 2015] From IBM MQ Version 8.0.0, Fix Pack 3 the number of supported CipherSpecs has been reduced. See CipherSpec values supported in IBM MQ for more information on the list of supported CipherSpecs and how you can enable deprecated CipherSpecs.

See Deprecated CipherSpecs for a list of CipherSpecs that you must re-enable to use with IBM MQ.

Cipher specifications that you can use with the IBM MQ queue manager automatically are listed in the following table. When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the SSL handshake is the size stored in the certificate unless it is determined by the CipherSpec, as noted in the table.

Platform support¹	CipherSpec name	Protocol used	MAC algorithm	Encryption algorithm	Encryption bits	FIPS²	Suite B
	`TLS_RSA_WITH_AES_128_CBC_SHA`	TLS 1.0	SHA-1	AES	128	Yes	No
	`TLS_RSA_WITH_AES_256_CBC_SHA`³	TLS 1.0	SHA-1	AES	256	Yes	No
All	`ECDHE_ECDSA_AES_128_CBC_SHA256`	TLS 1.2	SHA-256	AES	128	Yes	No
All	`ECDHE_ECDSA_AES_256_CBC_SHA384` 3	TLS 1.2	SHA-384	AES	256	Yes	No
	`ECDHE_ECDSA_AES_128_GCM_SHA256` ⁴	TLS 1.2	AEAD AES-128 GCM	AES	128	Yes	128 bit
	`ECDHE_ECDSA_AES_256_GCM_SHA384` ^3 4	TLS 1.2	AEAD AES-128 GCM	AES	256	Yes	192 bit
All	`ECDHE_RSA_AES_128_CBC_SHA256`	TLS 1.2	SHA-256	AES	128	Yes	No
All	`ECDHE_RSA_AES_256_CBC_SHA384` 3	TLS 1.2	SHA-384	AES	256	Yes	No
All	`ECDHE_RSA_AES_128_GCM_SHA256` ⁴	TLS 1.2	AEAD AES-128 GCM	AES	128	Yes	No
All	`ECDHE_RSA_AES_256_GCM_SHA384` ^3 4	TLS 1.2	AEAD AES-128 GCM	AES	SHA384	Yes	No
⁵	`ECDHE_ECDSA_RC4_128_SHA256`	TLS 1.2	AEAD AES-128 GCM	AES	SHA256	Yes	No
	`ECDHE_ECDSA_3DES_EDE_CBC_SHA256`	TLS 1.2	AEAD AES-128 GCM	3DES	SHA256	Yes	No
	`ECDHE_RSA_3DES_EDE_CBC_SHA256`	TLS 1.2	AEAD AES-128 GCM	3DES	SHA256	Yes	No
	`ECDHE_RSA_RC4_128_SHA256`	TLS 1.2	AEAD AES-128 GCM	RSA	SHA256	Yes	No
	`ECDHE_RSA_NULL_SHA256`	TLS 1.2	AEAD AES-128 GCM	RSA	SHA256	Yes	No
	`ECDHE_ECDSA_NULL_SHA256`	TLS 1.2	AEAD AES-128 GCM	ECDSA	SHA256	Yes	No
	`ECDHE_ECDSA_AES_256_GCM_SHA384`3 ⁴	TLS 1.2	AEAD AES-128 GCM	AES	SHA384	Yes	No
	`TLS_RSA_WITH_AES_128_CBC_SHA256`	TLS 1.2	SHA-256	AES	128	Yes	No
	`TLS_RSA_WITH_AES_256_CBC_SHA256` 3	TLS 1.2	SHA-256	AES	256	Yes	No
	`TLS_RSA_WITH_AES_128_GCM_SHA256` ⁴	TLS 1.2	AEAD AES-128 GCM	AES	128	Yes	No
	`TLS_RSA_WITH_AES_256_GCM_SHA384`³ ⁴	TLS 1.2	AEAD AES-128 GCM	AES	256	Yes	No
Notes: If no specific platform is noted, the CipherSpec is available on all platforms. Specifies whether the CipherSpec is FIPS-certified on a FIPS-certified platform. See Federal Information Processing Standards (FIPS) for an explanation of FIPS. This CipherSpec cannot be used to secure a connection from the MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer. Following a recommendation by NIST, GCM CipherSpecs have a restriction which means that after 2ˆ32 TLS records are sent, using the same session key, the connection is terminated with message AMQ9288. To prevent this error from happening: avoid using GCM Ciphers, enable secret key reset, or start your IBM MQ queue manager with the environment variable GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE set. Important: The GCM restriction is active, regardless of the FIPS mode being used. The CipherSpecs listed as supported on IBM i apply to Versions 7.2 and 7.3 of IBM i.