Specifying CipherSpecs

You specify the CipherSpec in the SSLCIPH parameter using either the DEFINE CHANNEL MQSC command or the ALTER CHANNEL MQSC command.

You can choose from the CipherSpecs listed in Table 1:

Table 1. CipherSpecs that can be used with WebSphere MQ SSL support

CipherSpec name                        Hash algorithm   Encryption algorithm   Encryption bits
NULL_MD5 (1)                           MD5              None                   0
NULL_SHA (1)                           SHA              None                   0
RC4_MD5_EXPORT (1)                     MD5              RC4                    40
RC4_MD5_US (2)                         MD5              RC4                    128
RC4_SHA_US (2)                         SHA              RC4                    128
RC2_MD5_EXPORT (1)                     MD5              RC2                    40
DES_SHA_EXPORT (1)                     SHA              DES                    56
RC4_56_SHA_EXPORT1024 (3, 4, 5)        SHA              RC4                    56
DES_SHA_EXPORT1024 (3, 4, 5, 6)        SHA              DES                    56
TRIPLE_DES_SHA_US (4)                  SHA              3DES                   168
TLS_RSA_WITH_AES_128_CBC_SHA (7)       SHA              AES                    128
TLS_RSA_WITH_AES_256_CBC_SHA (7)       SHA              AES                    256
AES_SHA_US (8)                         SHA              AES                    128

The number in parentheses after a CipherSpec name refers to the notes that follow.

Notes:

  1. On OS/400, available when either AC2 or AC3 is installed

  2. On OS/400, available only when AC3 is installed

  3. Not available for z/OS

  4. Not available for OS/400

  5. Specifies a 1024-bit handshake key size

  6. Not available for Windows

  7. Available for AIX, HP-UX, and Linux for Intel platforms only

  8. Available for OS/400, AC3 only

When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the SSL handshake can depend on the size stored in the certificate and on the CipherSpec:

  • On UNIX systems and z/OS, when a CipherSpec name includes _EXPORT, the maximum handshake key size is 512 bits. If either of the certificates exchanged during the SSL handshake has a key size greater than 512 bits, a temporary 512-bit key is generated for use during the handshake.

  • On UNIX systems, when a CipherSpec name includes _EXPORT1024, the handshake key size is 1024 bits. Refer to note 5 in Table 1.

  • Otherwise the handshake key size is the size stored in the certificate.
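The following Python routine is an added example, not IBM's code: it transcribes Table 1 and applies the three handshake key-size rules above, then reports what a channel reviewer would flag (NULL encryption, export-grade key lengths, MD5, a handshake key shorter than the certificate key). The platform labels "unix", "zos", "windows" and "os400" are an assumption of the example.

```python
# Table 1, transcribed: CipherSpec name -> (hash algorithm, encryption algorithm, encryption bits)
CIPHERSPECS = {
    "NULL_MD5": ("MD5", None, 0),
    "NULL_SHA": ("SHA", None, 0),
    "RC4_MD5_EXPORT": ("MD5", "RC4", 40),
    "RC4_MD5_US": ("MD5", "RC4", 128),
    "RC4_SHA_US": ("SHA", "RC4", 128),
    "RC2_MD5_EXPORT": ("MD5", "RC2", 40),
    "DES_SHA_EXPORT": ("SHA", "DES", 56),
    "RC4_56_SHA_EXPORT1024": ("SHA", "RC4", 56),
    "DES_SHA_EXPORT1024": ("SHA", "DES", 56),
    "TRIPLE_DES_SHA_US": ("SHA", "3DES", 168),
    "TLS_RSA_WITH_AES_128_CBC_SHA": ("SHA", "AES", 128),
    "TLS_RSA_WITH_AES_256_CBC_SHA": ("SHA", "AES", 256),
    "AES_SHA_US": ("SHA", "AES", 128),
}


def handshake_key_bits(cipherspec, cert_key_bits, platform):
    """Effective handshake key size for a certificate of cert_key_bits.
    platform is one of "unix", "zos", "windows", "os400" (assumed labels)."""
    if cipherspec not in CIPHERSPECS:
        raise ValueError(f"not a Table 1 CipherSpec: {cipherspec}")
    # _EXPORT1024 names also contain _EXPORT, so test the longer suffix first.
    if "_EXPORT1024" in cipherspec:
        return 1024 if platform == "unix" else cert_key_bits
    if "_EXPORT" in cipherspec and platform in ("unix", "zos"):
        return min(cert_key_bits, 512)  # temporary 512-bit key if the certificate key is larger
    return cert_key_bits


def audit_channel(cipherspec, cert_key_bits, platform):
    """Return the findings a reviewer would raise for a channel's SSLCIPH choice."""
    hash_alg, enc_alg, enc_bits = CIPHERSPECS[cipherspec]
    findings = []
    if enc_alg is None:
        findings.append("no encryption: channel data is sent in clear")
    elif enc_bits < 128:
        findings.append(f"export-grade {enc_alg} with only {enc_bits} bits")
    if hash_alg == "MD5":
        findings.append("MD5 hash algorithm")
    hs_bits = handshake_key_bits(cipherspec, cert_key_bits, platform)
    if hs_bits < cert_key_bits:
        findings.append(f"handshake key reduced from {cert_key_bits} to {hs_bits} bits")
    return findings
```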

 

Obtaining information about CipherSpecs using WebSphere MQ Explorer

When you are working on a Windows system, use the following procedure to obtain information about the CipherSpecs in Table 1:

  1. Open WebSphere MQ Explorer and expand the Queue Managers folder.

  2. Ensure that you have started the queue manager.

  3. Select the queue manager you want to work with and click Advanced -> Channels.

  4. Right-click the channel you want to work with and select Properties.

  5. Select the SSL property page.

  6. Select from the list the CipherSpec you want to work with. A description appears in the window below the list.

 

Alternatives for specifying CipherSpecs

Note:
This section does not apply to UNIX systems, because the CipherSpecs are provided with the WebSphere MQ product, so new CipherSpecs do not become available after shipment.

For those platforms where the operating system provides the SSL support, the system might support new CipherSpecs that are not included in Table 1. You can specify a new CipherSpec with the SSLCIPH parameter, but the value you supply depends on the platform. In all cases the specification must correspond to an SSL CipherSpec that is both valid and supported by the version of SSL the system is running.

OS/400
A two-character string representing a hexadecimal value.

For more information about the permitted values, refer to the iSeries Information Center at http://publib.boulder.ibm.com/html/as400/infocenter.html

You can use either the CHGMQMCHL or the CRTMQMCHL command to specify the value, for example:

CRTMQMCHL CHLNAME('channel name') SSLCIPH('hexadecimal value')

You can also use the ALTER QMGR MQSC command to set the SSLCIPH parameter.

Windows
A string of three values, separated by commas, in this order:

  1. A character string representing a hexadecimal value that defines the encryption algorithm

  2. A number that specifies the strength of the encryption algorithm

  3. A character string representing a hexadecimal value that defines the hash function

For example, 0x6801,128,0x8004 would specify the RC4_SHA_US CipherSpec.

You can derive the numeric values for the encryption algorithm and the hash function from the ALG_ID data types provided by Microsoft. These data types represent algorithm identifiers and are described in the Microsoft "Platform SDK: Security" documentation.
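As an added example (not IBM's code), the following Python function validates a Windows-format SSLCIPH string and names its parts. The page itself gives only 0x6801 (RC4) and 0x8004 (SHA); the other ALG_ID values are the CALG_* constants from Microsoft's wincrypt.h, and whether a given triple is accepted by a particular Windows SSL version is not checked here.

```python
import re

# ALG_ID values (CALG_* constants from wincrypt.h); 0x6801 and 0x8004 are the two the page uses.
ENCRYPTION_ALG_IDS = {
    0x6801: "RC4",
    0x6602: "RC2",
    0x6601: "DES",
    0x6603: "3DES",
    0x660E: "AES",   # CALG_AES_128
    0x6610: "AES",   # CALG_AES_256
}
HASH_ALG_IDS = {0x8003: "MD5", 0x8004: "SHA"}

# Exactly three comma-separated fields: hex encryption id, decimal strength, hex hash id.
TRIPLE = re.compile(r"^(0x[0-9A-Fa-f]{1,8}),(\d+),(0x[0-9A-Fa-f]{1,8})$")


def parse_windows_sslciph(value):
    """Split an 'encryption,strength,hash' SSLCIPH value into named parts.
    Raises ValueError for a malformed string or an unrecognised ALG_ID."""
    match = TRIPLE.match(value.strip())
    if not match:
        raise ValueError(f"expected '0xENC,strength,0xHASH', got {value!r}")
    enc_id, bits, hash_id = int(match[1], 16), int(match[2]), int(match[3], 16)
    if enc_id not in ENCRYPTION_ALG_IDS:
        raise ValueError(f"unknown encryption ALG_ID 0x{enc_id:04x}")
    if hash_id not in HASH_ALG_IDS:
        raise ValueError(f"unknown hash ALG_ID 0x{hash_id:04x}")
    return {"encryption": ENCRYPTION_ALG_IDS[enc_id], "bits": bits, "hash": HASH_ALG_IDS[hash_id]}


def meets_minimum_strength(value, min_bits=128):
    """True when the SSLCIPH value parses and its stated strength is at least min_bits."""
    parsed = parse_windows_sslciph(value)
    return parsed["bits"] >= min_bits and parsed["hash"] != "MD5"
```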

z/OS
A two-character string representing a hexadecimal value. The hexadecimal codes correspond to the SSL protocol values defined at http://home.netscape.com/eng/ssl3/ssl-toc.html

For more information, refer to the z/OS System SSL Programming, SC24-5901 book.

 

Considerations for WebSphere MQ clusters

With WebSphere MQ clusters, try to use the CipherSpec names in Table 1. If you use an alternative specification, be aware that the specification might not be valid on other platforms. For more information, refer to the WebSphere MQ Queue Manager Clusters book.

 

Specifying a CipherSpec for a WebSphere MQ client

You have three options for specifying a CipherSpec for a WebSphere MQ client:

  • Using a channel definition table

  • Using the SSL configuration options structure, MQSCO, on an MQCONNX call

  • Using the Active Directory (on Windows systems with Active Directory support)

For more information, refer to the WebSphere MQ Clients book and the WebSphere MQ Application Programming Reference.

 

Specifying a CipherSuite with the Java client and JMS

Refer to WebSphere MQ Using Java for information about specifying a CipherSuite with the Java client and JMS.

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.