Work with SSL/TLS on HP Integrity NonStop Server

Describes the IBM MQ client for HP Integrity NonStop Server OpenSSL security implementation, including security services, components, supported protocol versions, supported CipherSpecs, and unsupported security functionality.

IBM MQ TLS support provides the following security services for client channels:

  • Authentication of the server and, optionally, authentication of the client.
  • Encryption and decryption of the data that is flowing across a channel.
  • Integrity checks on the data that is flowing across a channel.

The TLS support supplied with the IBM MQ client for HP Integrity NonStop Server comprises the following components:

  • OpenSSL libraries and the openssl command.
  • IBM MQ password stash command, amqrsslc.

The following required components for TLS client channel operation are not provided with the IBM MQ client for HP Integrity NonStop Server:

  • An entropy daemon to provide a source of random data for OpenSSL cryptography.


Supported protocol versions

The IBM MQ client for HP Integrity NonStop Server supports the following protocol versions:

  • TLS 1.0
  • TLS 1.2


Supported CipherSpecs

The IBM MQ client for HP Integrity NonStop Server supports the following CipherSpecs:

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (deprecated)
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_NULL_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • ECDHE_ECDSA_AES_128_CBC_SHA256
  • ECDHE_ECDSA_AES_256_CBC_SHA384
  • ECDHE_RSA_AES_128_CBC_SHA256
  • ECDHE_RSA_AES_256_CBC_SHA384
  • ECDHE_ECDSA_AES_128_GCM_SHA256
  • ECDHE_ECDSA_AES_256_GCM_SHA384
  • ECDHE_RSA_AES_128_GCM_SHA256
  • ECDHE_RSA_AES_256_GCM_SHA384
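
The supported list mixes CipherSpecs with no encryption (NULL) or single DES alongside ECDHE/GCM ones, so channel definitions are worth auditing. The following is an added example, not part of the IBM documentation: it reads the SSLCIPH attribute from MQSC channel definitions and grades each CipherSpec from the components of its name. The sample MQSC text, channel names and the grading labels are constructed for illustration.

```python
import re
# CipherSpec names exactly as listed on this page.
SUPPORTED = set("""
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384 ECDHE_ECDSA_AES_128_GCM_SHA256 ECDHE_ECDSA_AES_256_GCM_SHA384
ECDHE_RSA_AES_128_GCM_SHA256 ECDHE_RSA_AES_256_GCM_SHA384""".split())

def grade(spec):
    """Return (level, reasons) for a CipherSpec, judged from its name components."""
    if not spec:
        return "reject", ["no CipherSpec set: channel is not protected by TLS"]
    if spec not in SUPPORTED:
        return "unsupported", ["not in this client's supported list"]
    parts = spec.split("_")
    if "NULL" in parts:
        return "reject", ["NULL cipher: integrity only, no encryption"]
    if "DES" in parts:
        return "reject", ["single DES: 56-bit key"]
    checks = [("3DES" in parts, "3DES: marked deprecated on this page"),
              ("ECDHE" not in parts, "static RSA key exchange: no forward secrecy"),
              ("CBC" in parts, "CBC mode rather than AEAD (GCM)")]
    reasons = [msg for hit, msg in checks if hit]
    level = "weak" if "3DES" in parts else "legacy" if reasons else "preferred"
    return level, reasons

def audit_mqsc(text):
    """Map channel name -> (CipherSpec, level, reasons) for each DEFINE CHANNEL."""
    text = re.sub(r"\+[ \t]*\n\s*", "", text)  # join MQSC '+' continuation lines
    report = {}
    for line in text.splitlines():
        chan = re.search(r"\bCHANNEL\(\s*'?([^')\s]+)'?\s*\)", line, re.I)
        ciph = re.search(r"\bSSLCIPH\(\s*'?([^')]*?)'?\s*\)", line, re.I)
        if chan:  # a missing or blank SSLCIPH means the channel does not use TLS
            spec = ciph.group(1).strip().upper() if ciph else ""
            report[chan.group(1)] = (spec, *grade(spec))
    return report

# Constructed sample input (hypothetical channel and host names).
SAMPLE = """\
DEFINE CHANNEL('APP1.CLNT') CHLTYPE(CLNTCONN) CONNAME('mq.example.test(1414)') +
       SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384)
DEFINE CHANNEL('LEGACY.CLNT') CHLTYPE(CLNTCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
DEFINE CHANNEL('PLAIN.CLNT') CHLTYPE(CLNTCONN) SSLCIPH(' ')
"""
if __name__ == "__main__":
    for name, (spec, level, why) in audit_mqsc(SAMPLE).items():
        print(f"{name:12} {level:11} {spec or '(none)'}  {'; '.join(why)}")
```
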


Unsupported security functionality

The IBM MQ client for HP Integrity NonStop Server does not currently support:

  • PKCS#11 Cryptographic hardware support
  • LDAP Certificate Revocation List checking
  • Online Certificate Status Protocol (OCSP) checking
  • FIPS 140-2 and NSA Suite B cipher suite controls

  • Certificate management
    Use a set of files to store digital certificate and certificate revocation information.

Last updated: 2020-10-04