SSL CipherSpecs and CipherSuites

 

Table 1 lists the CipherSpecs supported by WebSphere MQ and their equivalent CipherSuites. The table also indicates whether a WebSphere MQ Java application can establish a connection to a queue manager if a CipherSpec is specified at the server end of the MQI channel and the equivalent CipherSuite is specified at the client end.

For each combination of CipherSpec and CipherSuite, whether a WebSphere MQ base Java application can connect to a queue manager depends on the value of the sslFipsRequired field in the MQEnvironment class, or on the value of the environment property MQC.SSL_FIPS_REQUIRED_PROPERTY. Similarly, whether a WebSphere MQ JMS application can connect to a queue manager depends on the value of the SSLFIPSREQUIRED property of the ConnectionFactory object.

At the server end of an MQI channel, the name of a CipherSpec can be specified as the value of the SSLCIPH parameter on a DEFINE CHANNEL CHLTYPE(SVRCONN) command. At the client end of an MQI channel, the name of a CipherSuite can be specified in the following ways:

Table 1. CipherSpecs supported by WebSphere MQ and their equivalent CipherSuites

| CipherSpec | Equivalent CipherSuite | Connection possible if SFIPS (note 1) is set to NO? | Connection possible if SFIPS (note 1) is set to YES? |
|---|---|---|---|
| NULL_MD5 | SSL_RSA_WITH_NULL_MD5 | Yes | No |
| NULL_SHA | SSL_RSA_WITH_NULL_SHA | Yes | No |
| RC4_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC4_40_MD5 | Yes | No |
| RC4_MD5_US | SSL_RSA_WITH_RC4_128_MD5 | Yes | No |
| RC4_SHA_US | SSL_RSA_WITH_RC4_128_SHA | Yes | No |
| RC2_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | Yes | No |
| DES_SHA_EXPORT | SSL_RSA_WITH_DES_CBC_SHA | Yes | No |
| RC4_56_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_RC4_56_SHA | No | No |
| DES_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA | No | No |
| TRIPLE_DES_SHA_US | SSL_RSA_WITH_3DES_EDE_CBC_SHA | Yes | No |
| TLS_RSA_WITH_AES_128_CBC_SHA | SSL_RSA_WITH_AES_128_CBC_SHA | No | Yes |
| TLS_RSA_WITH_AES_256_CBC_SHA | SSL_RSA_WITH_AES_256_CBC_SHA | No | Yes |
| AES_SHA_US (note 2) | | | |
| TLS_RSA_WITH_DES_CBC_SHA | SSL_RSA_WITH_DES_CBC_SHA | No | Yes |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | SSL_RSA_WITH_3DES_EDE_CBC_SHA | No | Yes |
| FIPS_WITH_DES_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA | Yes | No |
| FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | Yes | No |

Notes:

  1. When using the WebSphere MQ JMS administration tool, SFIPS is the short name of the ConnectionFactory property SSLFIPSREQUIRED. In a WebSphere MQ base Java application, setting the sslFipsRequired field in the MQEnvironment class to false is equivalent to setting SSLFIPSREQUIRED to NO, and setting the sslFipsRequired field to true is equivalent to setting SSLFIPSREQUIRED to YES. Alternatively, a WebSphere MQ base Java application can set the environment property MQC.SSL_FIPS_REQUIRED_PROPERTY.

  2. This CipherSpec has no equivalent CipherSuite.
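
In Table 1 the same CipherSuite name can pair with a different CipherSpec depending on the FIPS setting (for example SSL_RSA_WITH_3DES_EDE_CBC_SHA). The Python sketch below is an added example, not IBM code: it encodes Table 1 and checks SVRCONN definitions against a Java client's CipherSuite and FIPS setting. The function names and the sample channel names are hypothetical, and the blank AES_SHA_US cells are assumed to mean "cannot connect".

```python
import re

# Table 1 rows: (CipherSpec, CipherSuite, connects if SFIPS=NO, connects if SFIPS=YES).
TABLE_1 = [
    ("NULL_MD5", "SSL_RSA_WITH_NULL_MD5", True, False),
    ("NULL_SHA", "SSL_RSA_WITH_NULL_SHA", True, False),
    ("RC4_MD5_EXPORT", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", True, False),
    ("RC4_MD5_US", "SSL_RSA_WITH_RC4_128_MD5", True, False),
    ("RC4_SHA_US", "SSL_RSA_WITH_RC4_128_SHA", True, False),
    ("RC2_MD5_EXPORT", "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", True, False),
    ("DES_SHA_EXPORT", "SSL_RSA_WITH_DES_CBC_SHA", True, False),
    ("RC4_56_SHA_EXPORT1024", "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", False, False),
    ("DES_SHA_EXPORT1024", "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", False, False),
    ("TRIPLE_DES_SHA_US", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", True, False),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA", False, True),
    ("TLS_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_AES_256_CBC_SHA", False, True),
    ("AES_SHA_US", None, False, False),  # note 2; blank cells assumed "cannot connect"
    ("TLS_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA", False, True),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", False, True),
    ("FIPS_WITH_DES_CBC_SHA", "SSL_RSA_FIPS_WITH_DES_CBC_SHA", True, False),
    ("FIPS_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", True, False),
]

def specs_reachable(suite, fips_required):
    """CipherSpecs a Java client using `suite` can connect to under this FIPS setting."""
    col = 3 if fips_required else 2
    return [row[0] for row in TABLE_1 if row[1] == suite and row[col]]

def svrconn_cipherspecs(mqsc):
    """Map channel name -> SSLCIPH value for each DEFINE CHANNEL ... CHLTYPE(SVRCONN)."""
    found = {}
    for cmd in re.sub(r"\+\s*\n", " ", mqsc).splitlines():  # '+' continues a command
        m = re.search(r"DEFINE\s+CHANNEL\(([^)]+)\).*SSLCIPH\(([^)]*)\)", cmd, re.I)
        if m and re.search(r"CHLTYPE\(SVRCONN\)", cmd, re.I):
            found[m.group(1)] = m.group(2).strip("'")
    return found

def audit(mqsc, suite, fips_required):
    """Channel name -> True if the client settings can connect according to Table 1."""
    ok = specs_reachable(suite, fips_required)
    return {ch: spec in ok for ch, spec in svrconn_cipherspecs(mqsc).items()}

# Constructed sample MQSC (channel names are made up for this example).
SAMPLE_MQSC = """\
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) +
       SSLCIPH(TRIPLE_DES_SHA_US)
DEFINE CHANNEL(APP2.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
DEFINE CHANNEL(APP3.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(AES_SHA_US)
"""
```

Calling `audit(SAMPLE_MQSC, "SSL_RSA_WITH_3DES_EDE_CBC_SHA", False)` marks only APP1.SVRCONN as reachable; with `True` as the last argument, only APP2.SVRCONN is.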

