Enable deprecated protocols and CipherSuites
By default, secure sockets protocols and cipher suites that are considered insecure are disabled in the Java runtime environment (JRE) supplied with MQIPT. These deprecated protocols and cipher suites must be enabled before they can be used.
About this task
If we are aware of the potential hazards, but still need to use one of the protocols or cipher suites that are considered insecure in MQIPT, follow this procedure to enable the protocol or cipher suite that we need to use.
Note: Deprecated protocols and cipher suites cannot be used with the TLS command port.
Procedure
- Edit the java.security file, found in the mqipt_path/java/jre/lib/security directory, where mqipt_path is the location where MQIPT is installed.
- Add support to the JRE for a protocol or algorithm by removing the corresponding entry from the list of disabled algorithms in the jdk.tls.disabledAlgorithms property.
  - To add support for a protocol, remove the protocol from the list of disabled algorithms. For example, to add support for TLS 1.0, remove TLSv1 from the list.
  - To add support for a cipher suite, remove the corresponding algorithms from the list of disabled algorithms. For example, to add support for the SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA cipher suite, remove 3DES_EDE_CBC and DESede from the list.
- To enable SSL 3.0 in the JRE, you also need to set the system property com.ibm.jsse2.disableSSLv3=false. We can set the property by using the environment variable MQIPT_JVM_OPTIONS. For example:
    set MQIPT_JVM_OPTIONS=-Dcom.ibm.jsse2.disableSSLv3=false
- To enable SSL 3.0, TLS 1.0, or TLS 1.1 on an MQIPT route, add the corresponding protocol to the SSLServerProtocols or SSLClientProtocols route property.
- Restart MQIPT for the changes to the JRE properties to come into effect.
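An added example, not part of the IBM documentation: a Python check that reads the contents of java.security and reports which of the protocols and algorithms named in this procedure are no longer listed in jdk.tls.disabledAlgorithms, and whether MQIPT_JVM_OPTIONS sets com.ibm.jsse2.disableSSLv3=false. The watched list, the function names and the sample file contents are assumptions constructed for illustration, not the defaults shipped with MQIPT.

```python
import re

# Entries this page discusses removing (assumed watch list, not IBM's shipped default).
WATCHED = ("SSLv3", "TLSv1", "TLSv1.1", "3DES_EDE_CBC", "DESede")
PROP = "jdk.tls.disabledAlgorithms"

def logical_lines(text):
    """Yield logical property lines: skip comments, join backslash continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes means the line continues.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:  # file ended in the middle of a continuation
        yield buf

def disabled_algorithms(text):
    """Return the entries of jdk.tls.disabledAlgorithms (last definition wins)."""
    entries = []
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROP:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def reenabled(text, jvm_options=""):
    """List watched protocols and algorithms that are no longer disabled."""
    disabled = set(disabled_algorithms(text))
    findings = [name for name in WATCHED if name not in disabled]
    # SSL 3.0 additionally needs this system property set to false.
    if re.search(r"-Dcom\.ibm\.jsse2\.disableSSLv3=false\b", jvm_options):
        findings.append("disableSSLv3=false")
    return findings

# Constructed sample: TLSv1, 3DES_EDE_CBC and DESede have been removed from the list.
SAMPLE = ("# constructed java.security excerpt\n"
          "jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, \\\n"
          "    MD5withRSA, DH keySize < 1024\n")

if __name__ == "__main__":
    for item in reenabled(SAMPLE, "-Dcom.ibm.jsse2.disableSSLv3=false"):
        print("re-enabled:", item)
```

Run against the real file by passing the text of mqipt_path/java/jre/lib/security/java.security and the value of MQIPT_JVM_OPTIONS; an empty result means none of the watched entries has been re-enabled in the JRE.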