Enabling CipherSpecs

Enable a CipherSpec by using the SSLCIPH parameter in either the DEFINE CHANNEL MQSC command or the ALTER CHANNEL MQSC command.

Note: On UNIX, Linux®, and Windows, IBM® MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.

Some of the CipherSpecs that you can use with IBM MQ are FIPS compliant. Some of the FIPS compliant CipherSpecs are also Suite B compliant although others, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA (deprecated), are not.

All Suite B compliant CipherSpecs are also FIPS compliant. All Suite B compliant CipherSpecs fall into two groups: 128 bit (for example, ECDHE_ECDSA_AES_128_GCM_SHA256) and 192 bit (for example, ECDHE_ECDSA_AES_256_GCM_SHA384),

The following diagram illustrates the relationship between these subsets:

Diagram representing the relationship between FIPS compliant CipherSpecs and Suite B compliant CipherSpecs.

[V8.0.0.3 Jun 2015]From IBM MQ Version 8.0.0, Fix Pack 3 the number of supported CipherSpecs has been reduced. See CipherSpec values supported in IBM MQ for more information on the list of supported CipherSpecs and how you can enable deprecated CipherSpecs.

See Deprecated CipherSpecs for a list of CipherSpecs that you must re-enable to use with IBM MQ.

Cipher specifications that you can use with the IBM MQ queue manager automatically are listed in the following table. When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the SSL handshake is the size stored in the certificate unless it is determined by the CipherSpec, as noted in the table.

Platform support 1 CipherSpec name Protocol used MAC algorithm Encryption algorithm Encryption bits FIPS 2 Suite B

[Linux][Windows][z/OS][UNIX]

TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0 SHA-1 AES 128 Yes No

[Linux][Windows][z/OS][UNIX]

TLS_RSA_WITH_AES_256_CBC_SHA3 TLS 1.0 SHA-1 AES 256 Yes No
All ECDHE_ECDSA_AES_128_CBC_SHA256 TLS 1.2 SHA-256 AES 128 Yes No
All ECDHE_ECDSA_AES_256_CBC_SHA384 3 TLS 1.2 SHA-384 AES 256 Yes No

Distributed

ECDHE_ECDSA_AES_128_GCM_SHA256 4 TLS 1.2 AEAD AES-128 GCM AES 128 Yes 128 bit

Distributed

ECDHE_ECDSA_AES_256_GCM_SHA384 3 4 TLS 1.2 AEAD AES-128 GCM AES 256 Yes 192 bit
All ECDHE_RSA_AES_128_CBC_SHA256 TLS 1.2 SHA-256 AES 128 Yes No
All ECDHE_RSA_AES_256_CBC_SHA384 3 TLS 1.2 SHA-384 AES 256 Yes No

All

ECDHE_RSA_AES_128_GCM_SHA256 4 TLS 1.2 AEAD AES-128 GCM AES 128 Yes No

All

ECDHE_RSA_AES_256_GCM_SHA384 3 4 TLS 1.2 AEAD AES-128 GCM AES SHA384 Yes No

[IBMi]

5
ECDHE_ECDSA_RC4_128_SHA256 TLS 1.2 AEAD AES-128 GCM AES SHA256 Yes No

[IBMi]

ECDHE_ECDSA_3DES_EDE_CBC_SHA256 TLS 1.2 AEAD AES-128 GCM 3DES SHA256 Yes No

[IBMi]

ECDHE_RSA_3DES_EDE_CBC_SHA256 TLS 1.2 AEAD AES-128 GCM 3DES SHA256 Yes No

[IBMi]

ECDHE_RSA_RC4_128_SHA256 TLS 1.2 AEAD AES-128 GCM RSA SHA256 Yes No

[IBMi]

ECDHE_RSA_NULL_SHA256 TLS 1.2 AEAD AES-128 GCM RSA SHA256 Yes No

[IBMi]

ECDHE_ECDSA_NULL_SHA256 TLS 1.2 AEAD AES-128 GCM ECDSA SHA256 Yes No

[IBMi]

ECDHE_ECDSA_AES_256_GCM_SHA3843 4 TLS 1.2 AEAD AES-128 GCM AES SHA384 Yes No

[Linux][Windows][z/OS][UNIX]

TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2 SHA-256 AES 128 Yes No

[Linux][Windows][z/OS][UNIX]

TLS_RSA_WITH_AES_256_CBC_SHA256 3 TLS 1.2 SHA-256 AES 256 Yes No

Distributed

TLS_RSA_WITH_AES_128_GCM_SHA256 4 TLS 1.2 AEAD AES-128 GCM AES 128 Yes No

Distributed

TLS_RSA_WITH_AES_256_GCM_SHA3843 4 TLS 1.2 AEAD AES-128 GCM AES 256 Yes No
Notes:
  1. If no specific platform is noted, the CipherSpec is available on all platforms.
  2. Specifies whether the CipherSpec is FIPS-certified on a FIPS-certified platform. See Federal Information Processing Standards (FIPS) for an explanation of FIPS.
  3. This CipherSpec cannot be used to secure a connection from the MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.
  4. Following a recommendation by NIST, GCM CipherSpecs have a restriction which means that after 2ˆ32 TLS records are sent, using the same session key, the connection is terminated with message AMQ9288.
    To prevent this error from happening: avoid using GCM Ciphers, enable secret key reset, or start your IBM MQ queue manager with the environment variable GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE set.
    Important: The GCM restriction is active, regardless of the FIPS mode being used.
  5. The CipherSpecs listed as supported on IBM i apply to Versions 7.2 and 7.3 of IBM i.