I want to use SHA-2 with WebSphere MQ, what versions and fixpack levels do I need?
WebSphere MQ Distributed Platforms Support (AIX, HP-UX, Linux, Solaris, Windows)
SHA-2 CipherSpecs are supported in WebSphere MQ 18.104.22.168 and later releases. To use SHA-2 support in 7.0.1.x use the alternate GSKit capability.
The WebSphere MQ Information Center link for using SHA-2 in MQ 7.0.1 is:
WebSphere MQ z/OS Support
SHA-2 CipherSpecs are supported on z/OS when running WebSphere MQ 7.1 on z/OS V1R13 with MQ APAR PM77341 and System SSL APAR OA39422.
The requirements for z/OS are described here:
WebSphere MQ IBM i Support
WebSphere MQ SHA-2 Support is available from IBM i 7.1 and from WebSphere MQ 22.214.171.124 .
The pre-req for IBM i SHA-2 for WebSphere MQ 126.96.36.199 server and C client is IBM® i 7.1 Technology Refresh 6 (TR6) and PTF SI48659.
Here is a link to using TLSv1.2 with SSL on IBMi: http://www.ibm.com/developerworks/ibmi/library/i-system-ssl-ibmi/
The hardware and software requirements for IBM i are described in the WebSphere MQ Information Center here:
WebSphere MQ Client for HP Integrity NonStop Server Support:
SHA-2 is supported in the MQ Client for HP Integrity NonStop Server from V188.8.131.52.
This Infocentre topic describes how OpenSSL is used and should be enabled:
This MQ Information Center topic describes how to set up Certificates and CipherSpecs:
WebSphere MQ Components:
SHA-2 is supported in the Java/JMS component for all Distributed platforms from WebSphere MQ 184.108.40.206 and WebSphere MQ 220.127.116.11.
For full support, including FIPS-compatibility, a user application needs to run on a suitable IBM JRE - Java 6 SR13 FP2 or Java 7 SR4 FP2, and later JRE's will contain appropriate support.
WebSphere MQ support for SSL and TLS overall is summarised here:
Specifying CipherSpecs on Queue Manager channels, including details of FIPS-1402 and Suite B compliance, is discussed here:
The relationship of Queue Manager CipherSpecs and Java CipherSuites, together with details of how to configure CipherSuites in WebSphere MQ Classes for Java is discussed here:
The relationship of Queue Manager CipherSpecs and Java CipherSuites, together with details of how to configure CipherSuites in WebSphere MQ Classes for JMS is discussed here:
Application Server Support
SHA-2 functionality is available within supported Java EE application servers on condition that:
- The Java Runtime Environment executing the application server supports the SHA-2 Cipher Specs, as described in the list in the Java/JMS section
- The version of WebSphere MQ Resource Adapter deployed into the application server is one of the versions listed in the Java/JMS section
This Technote displays which version of WebSphere MQ is shipped with WebSphere Application Server: http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg21248089
Users of WebSphere Application Server may need to manually install a version of the WebSphere MQ Resource Adapter that provides SHA-2 support. This process is documented in the WebSphere Application Server Information Center:
MQ Explorer Support:
SHA-2 is supported in the MQ Explorer (GUI) component for all Distributed platforms from WebSphere MQ 18.104.22.168 and WebSphere MQ V22.214.171.124 and the MS0T SupportPac.
The instructions for 'Installing into Eclipse environments' are described here:
The instructions for 'Showing a remote queue manager' are described here:
SHA-2 is supported in the MQXR Service and MQTT Clients for all Distributed platforms from WebSphere MQ 126.96.36.199 and WebSphere MQ 188.8.131.52.
System requirements for using SHA-2 cipher suites with MQTT channels and clients are described here:
AMS on Distributed platforms support SHA-2 algorithms from AMS 184.108.40.206 and later releases, as described in this Fixpack description:
AMS on z/OS supports SHA-2 algorithms with PTF PM55963, as described in this APAR description: http://www-01.ibm.com/support/docview.wss?uid=isg1PM55963
Managed File Transfer (FTE/MFT) Support:
SHA-2 is supported in the MFT component for all Distributed platforms from WebSphere MQ 220.127.116.11.
SHA-2 is supported in the FTE component for IBM i and z/OS via FTE 18.104.22.168 with APAR IC93851 applied.
If you are using Managed File Transfer, the CipherSpecs and CipherSuites supported for connecting to a WebSphere MQ queue manager are identical to those supported by the WebSphere MQ Java classes for Java. Refer to the following link for more information about this support:
IBM Message Service Client
SHA-2 is supported from WebSphere MQ 7.1 (XMS V2.1) in unmanaged mode only.
The list of supported CipherSpecs is listed in the WebSphere MQ Information Center here: