CipherSpecs and CipherSuites
Cryptographic security protocols must agree on the algorithms used by a secure connection. CipherSpecs and CipherSuites define specific combinations of algorithms.
A CipherSpec identifies a combination of encryption algorithm and Message Authentication Code (MAC) algorithm. Both ends of a TLS connection must agree on the same CipherSpec to be able to communicate.
IBM MQ supports the TLS 1.2 protocol. However, you can enable deprecated CipherSpecs, if we need to do so.
See Enable CipherSpecs for information on:
- CipherSpecs supported by IBM MQ
- How you enable deprecated SSL 3.0 and TLS 1.0 CipherSpecs
Important: When dealing with IBM MQ channels, we use a CipherSpec. When dealing with Java channels, JMS channels, or MQTT channels you specify a CipherSuite.
For more information about CipherSpecs, see Enable CipherSpecs.
A CipherSuite is a suite of cryptographic algorithms used by a TLS connection. A suite comprises three distinct algorithms:
- The key exchange and authentication algorithm, used during the handshake
- The encryption algorithm, used to encipher the data
- The MAC (Message Authentication Code) algorithm, used to generate the message digest
There are several options for each component of the suite, but only certain combinations are valid when specified for a TLS connection. The name of a valid CipherSuite defines the combination of algorithms used. For example, the CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA specifies:
- The RSA key exchange and authentication algorithm
- The AES encryption algorithm, using a 128-bit key and cipher block chaining (CBC) mode
- The SHA-1 Message Authentication Code (MAC)
Parent topic: Cryptographic security protocols: TLS