Skip to main content

SSL - Specifying CipherSpecs - IBM Websphere MQ - Middleware News

Specifying CipherSpecs

Specify a CipherSpec by using the SSLCIPH parameter in either the DEFINE CHANNEL MQSC command or the ALTER CHANNEL MQSC command.
Some of the CipherSpecs that you can use with WebSphere® MQ are FIPS compliant. Others, such as NULL_MD5, are not. Similarly, some of the FIPS compliant CipherSpecs are also Suite B compliant although others, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, are not. All Suite B compliant CipherSpecs are also FIPS compliant. All Suite B compliant CipherSpecs fall into two groups: 128 bit (for example, ECDHE_ECDSA_AES_128_GCM_SHA256) and 192 bit (for example, ECDHE_ECDSA_AES_256_GCM_SHA384),
The following diagram illustrates the relationship between these subsets:
Cipher specifications that you can use with WebSphere MQ SSL and TLS support are listed in the following table. When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the SSL handshake is the size stored in the certificate unless it is determined by the CipherSpec, as noted in the table.

A table describing the CipherSpecs you can use with WebSphere MQ SSL and TLS support.

CipherSpec name Protocol used Data integrity Encryption algorithm Encryption bits FIPS1 Suite B 128 bit Suite B 192 bit
NULL_MD5 a SSL 3.0 MD5 None 0 No No No
NULL_SHA a SSL 3.0 SHA-1 None 0 No No No
RC4_MD5_EXPORT 2 a SSL 3.0 MD5 RC4 40 No No No
RC4_MD5_US a SSL 3.0 MD5 RC4 128 No No No
RC4_SHA_US a SSL 3.0 SHA-1 RC4 128 No No No
RC2_MD5_EXPORT 2 a SSL 3.0 MD5 RC2 40 No No No
DES_SHA_EXPORT 2 a SSL 3.0 SHA-1 DES 56 No No No
RC4_56_SHA_EXPORT1024 3 b SSL 3.0 SHA-1 RC4 56 No No No
DES_SHA_EXPORT1024 3 b SSL 3.0 SHA-1 DES 56 No No No
TRIPLE_DES_SHA_US a SSL 3.0 SHA-1 3DES 168 No No No
TLS_RSA_WITH_AES_128_CBC_SHA a TLS 1.0 SHA-1 AES 128 Yes No No
TLS_RSA_WITH_AES_256_CBC_SHA 4 a TLS 1.0 SHA-1 AES 256 Yes No No
TLS_RSA_WITH_DES_CBC_SHA a TLS 1.0 SHA-1 DES 56 No5 No No
TLS_RSA_WITH_3DES_EDE_CBC_SHA a 8 TLS 1.0 SHA-1 3DES 168 Yes No No
FIPS_WITH_DES_CBC_SHA b SSL 3.0 SHA-1 DES 56 No6 No No
FIPS_WITH_3DES_EDE_CBC_SHA b SSL 3.0 SHA-1 3DES 168 No7 No No
TLS_RSA_WITH_AES_128_GCM_SHA256 b TLS 1.2 AEAD AES-128 GCM AES 128 Yes No No
TLS_RSA_WITH_AES_256_GCM_SHA384 b TLS 1.2 AEAD AES-256 GCM AES 256 Yes No No
TLS_RSA_WITH_AES_128_CBC_SHA256 b TLS 1.2 SHA-256 AES 128 Yes No No
TLS_RSA_WITH_AES_256_CBC_SHA256 b TLS 1.2 SHA-256 AES 256 Yes No No
ECDHE_ECDSA_RC4_128_SHA256 b TLS 1.2 SHA-1 RC4 128 No No No
ECDHE_ECDSA_3DES_EDE_CBC_SHA256 b 8 TLS 1.2 SHA-1 3DES 168 Yes No No
ECDHE_RSA_RC4_128_SHA256 b TLS 1.2 SHA_1 RC4 128 No No No
ECDHE_RSA_3DES_EDE_CBC_SHA256 b 8 TLS 1.2 SHA-1 3DES 168 Yes No No
ECDHE_ECDSA_AES_128_CBC_SHA256 b TLS 1.2 SHA-256 AES 128 Yes No No
ECDHE_ECDSA_AES_256_CBC_SHA384 b TLS 1.2 SHA-384 AES 256 Yes No No
ECDHE_RSA_AES_128_CBC_SHA256 b TLS 1.2 SHA-256 AES 128 Yes No No
ECDHE_RSA_AES_256_CBC_SHA384 b TLS 1.2 SHA-384 AES 256 Yes No No
ECDHE_ECDSA_AES_128_GCM_SHA256 b TLS 1.2 AEAD AES-128 GCM AES 128 Yes Yes No
ECDHE_ECDSA_AES_256_GCM_SHA384 b TLS 1.2 AEAD AES-256 GCM AES 256 Yes No Yes
ECDHE_RSA_AES_128_GCM_SHA256 b TLS 1.2 AEAD AES-128 GCM AES 128 Yes No No
ECDHE_RSA_AES_256_GCM_SHA384 b TLS 1.2 AEAD AES-256 GCM AES 256 Yes No No
TLS_RSA_WITH_NULL_SHA256 b TLS 1.2 SHA-256 None 0 No No No
ECDHE_RSA_NULL_SHA256 b TLS 1.2 SHA-1 None 0 No No No
ECDHE_ECDSA_NULL_SHA256 b TLS 1.2 SHA-1 None 0 No No No
TLS_RSA_WITH_NULL_NULL b TLS 1.2 None None 0 No No No
TLS_RSA_WITH_RC4_128_SHA256 b TLS 1.2 SHA-1 RC4 128 No No No
Notes:
  1. Specifies whether the CipherSpec is FIPS-certified on a FIPS-certified platform. See Federal Information Processing Standards (FIPS) for an explanation of FIPS.
  2. The maximum handshake key size is 512 bits. If either of the certificates exchanged during the SSL handshake has a key size greater than 512 bits, a temporary 512-bit key is generated for use during the handshake.
  3. The handshake key size is 1024 bits.
  4. This CipherSpec cannot be used to secure a connection from the WebSphere MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.
  5. This CipherSpec was FIPS 140-2 certified before 19 May 2007.
  6. This CipherSpec was FIPS 140-2 certified before 19 May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
  7. The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. The use of this CipherSpec is deprecated.
  8. When WebSphere MQ is configured for FIPS 140-2 compliant operation, this CipherSpec can be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, either avoid using triple DES, or enable secret key reset when using this CipherSpec in a FIPS 140-2 configuration.
Platform support:

a  Available on all supported platforms.
b  Available only on UNIX, Linux, and Windows platforms.
  Available only on IBM® i platforms.

Labels:

Comments

  1. rohitDecember 24, 2018 at 1:51 AM

    You are totally right. This post actually made my day. You can not imagine just how much time I
    had spent for this info! Thanks!
    KissAnime alternatives

    ReplyDelete

Post a Comment

adsrerrapop

Popular posts from this blog

IBM Websphere MQ interview Questions Part 5

MQ Series: - It is an IBM web sphere product which is evolved in 1990’s. MQ series does transportation from one point to other. It is an EAI tool (Middle ware) VERSIONS:-5.0, 5.1, 5.3, 6.0, 7.0(new version). The currently using version is 6.2 Note: – MQ series supports more than 35+ operating systems. It is platform Independent. For every OS we have different MQ series software’s. But the functionality of MQ series Default path for installing MQ series is:- C: programfiles\BM\clipse\SDK30 C: programfiles\IBM\WebsphereMQ After installation it will create a group and user. Some middleware technologies are Tibco, SAP XI. MQ series deals with two things, they are OBJECTS, SERVICES. In OBJECTS we have • QUEUES • CHANNELS • PROCESS • AUTHENTICATION • QUERY MANAGER. In SERVICES we have LISTENERS. Objects: – objects are used to handle the transactions with the help of services. QUEUE MANAGER maintains all the objects and services. QUEUE: – it is a database structure
136 comments
Read more

IBM Websphere MQ Reason code list / mq reason codes / websphere mq error codes / mq error messages

Reason code list ================= The following is a list of reason codes, in numeric order, providing detailed information to help you understand them, including: * An explanation of the circumstances that have caused the code to be raised * The associated completion code * Suggested programmer actions in response to the code * 0 (0000) (RC0): MQRC_NONE * 900 (0384) (RC900): MQRC_APPL_FIRST * 999 (03E7) (RC999): MQRC_APPL_LAST * 2001 (07D1) (RC2001): MQRC_ALIAS_BASE_Q_TYPE_ERROR * 2002 (07D2) (RC2002): MQRC_ALREADY_CONNECTED * 2003 (07D3) (RC2003): MQRC_BACKED_OUT * 2004 (07D4) (RC2004): MQRC_BUFFER_ERROR * 2005 (07D5) (RC2005): MQRC_BUFFER_LENGTH_ERROR * 2006 (07D6) (RC2006): MQRC_CHAR_ATTR_LENGTH_ERROR * 2007 (07D7) (RC2007): MQRC_CHAR_ATTRS_ERROR * 2008 (07D8) (RC2008): MQRC_CHAR_ATTRS_TOO_SHORT * 2009 (07D9) (RC2009): MQRC_CONNECTION_BROKEN * 2010 (07DA) (RC2010): MQRC_DATA_LENGTH_ERROR * 2011 (07DB) (RC2011): MQRC_DYNAMIC_Q_NAME_ERROR * 2012 (07DC) (RC201
2 comments
Read more

IBM WebSphere MQ – Common install/uninstall issues for MQ Version on Windows - Middleware News

Creating a log file when you install or uninstall WebSphere MQ WebSphere MQ for Windows is installed using the Microsoft Installer (MSI). If you install the MQ server or client through launchpad , MQPARMS or setup.exe , then a log file is automatically generated in %temp% during installation. Alternatively you can supply parameters on the installation MSI command msiexec to generate a log file, or enable MSI logging system-wide (which generates MSI logs for all install and uninstall operations). If you uninstall through the Windows Add/Remove programs option, no log file is generated. You should either uninstall from the MSI command line and supply parameters to generate a log file, or enable MSI logging system-wide (which generates MSI logs for all install and uninstall operations). For details on how to enable MSI logging, see the following article in the WebSphere MQ product documentation: Advanced installation using msiexec For details on how to enable system-w
Post a Comment
Read more