Specifying CipherSpecs
You specify the CipherSpec in the SSLCIPH parameter using either the DEFINE CHANNEL MQSC command or the ALTER CHANNEL MQSC command.
We can choose from the CipherSpecs listed in Table 1:
CipherSpecs that can be used with WebSphere MQ SSL and TLS support CipherSpec name Protocol used Hash algorithm Encryption algorithm Encryption bits FIPS on Windows and UNIX platforms 1 NULL_MD5 Available on all platforms
SSL MD5 None 0 No NULL_SHA Available on all platforms
SSL SHA-1 None 0 No RC4_MD5_EXPORT Available on all platforms
SSL MD5 RC4 40 No RC4_MD5_US Available on all platforms
SSL MD5 RC4 128 No RC4_SHA_US Available on all platforms
SSL SHA-1 RC4 128 No RC2_MD5_EXPORT Available on all platforms
SSL MD5 RC2 40 No DES_SHA_EXPORT Available on all platforms
SSL SHA-1 DES 56 No RC4_56_SHA_EXPORT1024
- Not available for z/OS or i5/OS
- Specifies a 1024–bit handshake key size
SSL SHA-1 RC4 56 No DES_SHA_EXPORT1024
- Not available for z/OS or i5/OS
- Specifies a 1024–bit handshake key size
SSL SHA-1 DES 56 No TRIPLE_DES_SHA_US Not available for i5/OS
SSL SHA-1 3DES 168 No TLS_RSA_WITH_AES_128_CBC_SHA Not available for i5/OS
TLS SHA-1 AES 128 Yes TLS_RSA_WITH_AES_256_CBC_SHA Not available for i5/OS
TLS SHA-1 AES 256 Yes AES_SHA_US Available on i5/OS only
SSL SHA-1 AES 128 No TLS_RSA_WITH_DES_CBC_SHA Not available for z/OS or i5/OS
TLS SHA-1 DES 56 Yes TLS_RSA_WITH_3DES_EDE_CBC_SHA Not available for z/OS or i5/OS
TLS SHA-1 3DES 168 Yes FIPS_WITH_DES_CBC_SHA Available only on Windows and UNIX platforms
SSL SHA-1 DES 56 Yes FIPS_WITH_3DES_EDE_CBC_SHA Available only on Windows and UNIX platforms
SSL SHA-1 3DES 168 Yes TLS_RSA_WITH_NULL_MD5 Available on i5/OS only
TLS MD5 None 0 No TLS_RSA_WITH_NULL_SHA Available on i5/OS only
TLS SHA-1 None 0 No TLS_RSA_EXPORT_WITH_RC4_40_MD5 Available on i5/OS only
TLS MD5 RC4 40 No TLS_RSA_WITH_RC4_128_MD5 Available on i5/OS only
TLS MD5 RC4 128 No TLS_RSA_WITH_RC4_40_MD5 Available on i5/OS only
TLS MD5 RC4 40 No
- Is the CipherSpec FIPS-certified on a FIPS-certified platform? See Federal Information Processing Standards (FIPS) for an explanation of FIPS.
On i5/OS, installation of AC3 is a prerequisite of the use of SSL.
When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the SSL handshake can depend on the size stored in the certificate and on the CipherSpec:
- On UNIX systems, Windows systems, and z/OS, when a CipherSpec name includes _EXPORT, the maximum handshake key size is 512 bits. If either of the certificates exchanged during the SSL handshake has a key size greater than 512 bits, a temporary 512-bit key is generated for use during the handshake.
- On UNIX and Windows systems, when a CipherSpec name includes _EXPORT1024, the handshake key size is 1024 bits.
- Otherwise the handshake key size is the size stored in the certificate.
- Obtaining information about CipherSpecs using WebSphere MQ Explorer
- Alternatives for specifying CipherSpecs
- Specifying a CipherSpec for a WebSphere MQ client
- Specifying a CipherSuite with the Java client and JMS
Parent topic:
Working with CipherSpecs
sy12870_