Alternatives for specifying CipherSpecs
For those platforms where the operating system provides the TLS support, your system might support new CipherSpecs that are not included in Enabling CipherSpecs. You can specify a new CipherSpec with the SSLCIPH parameter, but the value you supply depends on your platform. In all cases the specification must correspond to a TLS CipherSpec that is both valid and supported by the version of TLS your system is running.
Note: This section does not apply to UNIX, Linux or Windows systems, because the CipherSpecs are provided with the IBM MQ product, so new CipherSpecs do not become available after shipment.
- IBM i
- A two-character string representing a hexadecimal value.
For more information about the permitted values, see point three in the Usage Notes section of Set character information for a secure session.
Attention: You should not specify hexadecimal cipher values in SSLCIPH, because it is unclear from the value which cipher will be used, and the choice of which protocol is used is indeterminate. Using hexadecimal cipher values can lead to CipherSpec mismatch errors.
You can use either the CHGMQMCHL or the CRTMQMCHL command to specify the value, for example:
CRTMQMCHL CHLNAME(' channel name ') SSLCIPH(' hexadecimal value ')
You can also use the ALTER QMGR MQSC command to set the SSLCIPH parameter.
- z/OS®
- A four-character string representing a hexadecimal value. The hexadecimal codes correspond to the values defined in the TLS protocol.
For more information, refer to the Cipher Suite Definitions in z/OS Cryptographic Services System SSL Programming where there is a list of all the supported TLS V1.0 and TLS V1.2 cipher specifications in the form of 4-digit hexadecimal codes.
Considerations for IBM MQ clusters
With IBM MQ clusters it is safest to use the CipherSpec names in Enabling CipherSpecs. If you use an alternative specification, be aware that the specification might not be valid on other platforms. For more information, refer to SSL/TLS and clusters.
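An added example (not IBM's code and not part of the original page): a Python check that scans channel definitions for the hexadecimal SSLCIPH forms that the Attention note and the cluster guidance above advise against. The MQSC output layout, the channel names and the SSLCIPH values in the sample are constructed assumptions.

```python
import re

# Constructed sample of MQSC "DISPLAY CHANNEL(*) SSLCIPH" output (assumed layout).
SAMPLE_MQSC = """\
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414I: Display Channel details.
   CHANNEL(TO.IBMI1)                       CHLTYPE(SDR)
   SSLCIPH(35)
AMQ8414I: Display Channel details.
   CHANNEL(TO.ZOS1)                        CHLTYPE(CLUSSDR)
   SSLCIPH(009D)
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SSLCIPH( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # KEYWORD(value) pairs
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")        # two-character form (IBM i)
HEX4 = re.compile(r"[0-9A-Fa-f]{4}")        # four-character form (z/OS)

def classify(value):
    """Classify one SSLCIPH value by the forms the page describes."""
    v = value.strip()
    if not v:
        return "none"
    if HEX2.fullmatch(v):
        return "hex-2 (IBM i form)"
    if HEX4.fullmatch(v):
        return "hex-4 (z/OS form)"
    return "named"

def audit(mqsc_text):
    """Return {channel: classification} for every channel in the output."""
    results, current = {}, None
    for key, val in ATTR.findall(mqsc_text):
        if key == "CHANNEL":
            current = val.strip()
            results[current] = "none"
        elif key == "SSLCIPH" and current is not None:
            results[current] = classify(val)
    return results

def hex_channels(mqsc_text):
    """Channels whose CipherSpec is a hexadecimal code and should be reviewed."""
    return sorted(c for c, kind in audit(mqsc_text).items() if kind.startswith("hex"))

if __name__ == "__main__":
    for chl, kind in audit(SAMPLE_MQSC).items():
        print(f"{chl:24} {kind}")
```

Channels returned by hex_channels are the ones to convert to a named CipherSpec, in particular cluster channels, where the same definition must be valid on every platform in the cluster.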