Working with SSL/TLS on HP Integrity NonStop Server
Describes the IBM MQ client for HP Integrity NonStop Server OpenSSL security implementation, including security services, components, supported protocol versions, supported CipherSpecs, and unsupported security functionality.
IBM MQ TLS support provides the following security services for client channels:
- Authentication of the server and, optionally, authentication of the client.
- Encryption and decryption of the data that is flowing across a channel.
- Integrity checks on the data that is flowing across a channel.
The TLS support supplied with the IBM MQ client for HP Integrity NonStop Server comprises the following components:
The following required components for TLS client channel operation are not provided with the IBM MQ client for HP Integrity NonStop Server:
- OpenSSL libraries and the openssl command.
- IBM MQ password stash command, amqrsslc.
- An entropy daemon to provide a source of random data for OpenSSL cryptography.
Supported protocol versions
The IBM MQ client for HP Integrity NonStop Server supports the following protocol versions:
- TLS 1.0
- TLS 1.2
Supported CipherSpecs
The IBM MQ client for HP Integrity NonStop Server supports the following CipherSpecs:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (deprecated)
- TLS_RSA_WITH_DES_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_NULL_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_ECDSA_AES_128_CBC_SHA256
- ECDHE_ECDSA_AES_256_CBC_SHA384
- ECDHE_RSA_AES_128_CBC_SHA256
- ECDHE_RSA_AES_256_CBC_SHA384
- ECDHE_ECDSA_AES_128_GCM_SHA256
- ECDHE_ECDSA_AES_256_GCM_SHA384
- ECDHE_RSA_AES_128_GCM_SHA256
- ECDHE_RSA_AES_256_GCM_SHA384
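To review channel configurations against the list above, the following added example (not IBM's code) parses each supported CipherSpec name into key exchange, cipher and hash, reports the lowest protocol version it can run under, and flags weak choices. The findings policy and the channel names in the sample are assumptions made for illustration; names with SHA256 or SHA384 are treated as TLS 1.2 only because those suites are defined only for TLS 1.2.

```python
import re

# CipherSpec names exactly as listed on this page.
SUPPORTED = """
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384 ECDHE_ECDSA_AES_128_GCM_SHA256
ECDHE_ECDSA_AES_256_GCM_SHA384 ECDHE_RSA_AES_128_GCM_SHA256
ECDHE_RSA_AES_256_GCM_SHA384
""".split()

# Name layout: [TLS_]<key exchange>_[WITH_]<cipher>_<hash>
PATTERN = re.compile(
    r"^(?:TLS_)?(?P<kx>RSA|ECDHE_ECDSA|ECDHE_RSA)_(?:WITH_)?"
    r"(?P<enc>NULL|DES_CBC|3DES_EDE_CBC|AES_(?:128|256)_(?:CBC|GCM))_"
    r"(?P<mac>SHA|SHA256|SHA384)$")

def audit(name):
    """Return (minimum protocol, findings) for one CipherSpec name."""
    m = PATTERN.match(name) if name in SUPPORTED else None
    if m is None:
        return None, ["not in the page's supported list"]
    findings = []  # assumed review policy, not IBM guidance
    if m["enc"] == "NULL":
        findings.append("no encryption: integrity only")
    elif m["enc"] == "DES_CBC":
        findings.append("single DES: 56-bit key")
    elif m["enc"] == "3DES_EDE_CBC":
        findings.append("3DES: marked deprecated on the page")
    elif m["enc"].endswith("CBC"):
        findings.append("CBC mode: prefer a GCM CipherSpec")
    if m["kx"] == "RSA":
        findings.append("RSA key exchange: no forward secrecy")
    return ("TLS 1.0" if m["mac"] == "SHA" else "TLS 1.2"), findings

# Constructed sample: hypothetical channel names mapped to CipherSpecs.
SAMPLE_CHANNELS = {"APP1.SVRCONN": "ECDHE_RSA_AES_256_GCM_SHA384",
                   "APP2.SVRCONN": "TLS_RSA_WITH_NULL_SHA256",
                   "APP3.SVRCONN": "TLS_RSA_WITH_DES_CBC_SHA"}

def audit_channels(channels):
    return {ch: audit(spec) for ch, spec in channels.items()}

if __name__ == "__main__":
    for ch, (proto, findings) in audit_channels(SAMPLE_CHANNELS).items():
        print(ch, proto, "; ".join(findings) or "no findings")
```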
Unsupported security functionality
The IBM MQ client for HP Integrity NonStop Server does not currently support:
- PKCS#11 Cryptographic hardware support
- LDAP Certificate Revocation List checking
- OCSP Online Certificate Status Protocol checking
- FIPS 140-2, NSA SUITE B cipher suite controls