+

Search Tips | Advanced Search

Alternatives for specifying CipherSpecs

For those platforms where the operating system provides the TLS support, the system might support new CipherSpecs that are not included in Enable CipherSpecs.

We can specify a new CipherSpec with the SSLCIPH parameter, but the value you supply depends on the platform. In all cases the specification must correspond to an TLS CipherSpec that is both valid and supported by the version of TLS the system is running. Note: This section does not apply to UNIX, Linux or Windows systems, because the CipherSpecs are provided with the IBM MQ product, so new CipherSpecs do not become available after shipment.

    IBM i
    A two-character string representing a hexadecimal value.

    For more information about the permitted values, see point three in the Usage Notes section of Set character information for a secure session.

    Attention: We should not specify hexadecimal cipher values in SSLCIPH, because it is unclear from the value which cipher will be used, and the choice of which protocol to be used is indeterminate. Using hexadecimal cipher values can lead to CipherSpec mismatch errors. We can use either the CHGMQMCHL or the CRTMQMCHL command to specify the value, for example: 
    CRTMQMCHL CHLNAME(' channel name ') SSLCIPH(' hexadecimal value ')
    We can also use the ALTER QMGR MQSC command to set the SSLCIPH parameter.

    z/OS
    A four-character string representing a hexadecimal value. The hexadecimal codes correspond to the values defined in the TLS protocol.

    For more information, refer to Cipher Suite Definitions in z/OS Cryptographic Services System SSL Programming where there is a list of all the supported TLS 1.0, TLS 1.2, and TLS 1.3 cipher specifications in the form of 4-digit hexadecimal codes.


Considerations for IBM MQ clusters

With IBM MQ clusters it is safest to use the CipherSpec names in Enable CipherSpecs. If we use an alternative specification, be aware that the specification might not be valid on other platforms. For more information, refer to SSL/TLS and clusters.

Parent topic: Enable CipherSpecs

Last updated: 2020-10-04