CipherSpecs and CipherSuites
Cryptographic security protocols must agree on the algorithms used by a secure connection. CipherSpecs and CipherSuites define specific combinations of algorithms.
A CipherSpec identifies a combination of encryption algorithm and Message Authentication Code (MAC) algorithm. Both ends of a TLS connection must agree on the same CipherSpec to be able to communicate.
From IBM MQ Version 9.0.0, Fix Pack 3 and IBM MQ Version 9.0.5, IBM MQ supports the TLSv1.2 protocol. However, we can enable deprecated CipherSpecs, if you need to do so.
See Enabling CipherSpecs for information on:Important: When dealing with IBM MQ channels, we use a CipherSpec. When dealing with Java channels, JMS channels, or MQTT channels you specify a CipherSuite. A CipherSuite is a suite of cryptographic algorithms used by a TLS connection. A suite comprises three distinct algorithms:
- CipherSpecs supported by IBM MQ
- How you enable deprecated SSLv3 and TLSv1.0 CipherSpecs.
There are several options for each component of the suite, but only certain combinations are valid when specified for a TLS connection. The name of a valid CipherSuite defines the combination of algorithms used. For example, the CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA specifies:
- The key exchange and authentication algorithm, used during the handshake
- The encryption algorithm, used to encipher the data
- The MAC (Message Authentication Code) algorithm, used to generate the message digest
- The RSA key exchange and authentication algorithm
- The AES encryption algorithm, using a 128-bit key and cipher block chaining (CBC) mode
- The SHA-1 Message Authentication Code (MAC)