SSLCIPHERSUITE object property

Set SSLCIPHERSUITE to enable TLS encryption on a ConnectionFactory object.

To enable TLS encryption on a ConnectionFactory object, use JMSAdmin to set the SSLCIPHERSUITE property to a CipherSuite supported by your JSSE provider. This must match the CipherSpec set on the target channel. However, CipherSuites are distinct from CipherSpecs and therefore have different names. TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS contains a table mapping the CipherSpecs supported by IBM MQ to their equivalent CipherSuites as known to JSSE. For more information about CipherSpecs and CipherSuites with IBM MQ, see Securing.

For example, to set up a ConnectionFactory object that can be used to create a connection over an TLS enabled MQI channel with a CipherSpec of TLS_RSA_WITH_AES_128_CBC_SHA, issue the following command to JMSAdmin:

ALTER CF(my.cf) SSLCIPHERSUITE(SSL_RSA_WITH_AES_128_CBC_SHA)

This can also be set from an application, using the setSSLCipherSuite() method on an MQConnectionFactory object.

For convenience, if a CipherSpec is specified on the SSLCIPHERSUITE property, JMSAdmin attempts to map the CipherSpec to an appropriate CipherSuite and issues a warning. This attempt to map is not made if the property is specified by an application.

Alterantively, use the Client Channel Definition Table (CCDT). For more information, see Use a client channel definition table with IBM MQ classes for JMS.

Parent topic: Use TLS with IBM MQ classes for JMS