Details of WebSphere MQ SHA-2 Support

Technote (FAQ)


Question

I want to use SHA-2 CipherSpecs with WebSphere MQ. What versions and Fix Pack levels do I need?

Answer


WebSphere MQ Distributed Platforms Support (AIX, HP-UX, Linux, Solaris, Windows)
SHA-2 CipherSpecs are supported in WebSphere MQ 7.0.1.4 and later releases. To use SHA-2 support in 7.0.1.x, use the alternate GSKit capability.
The IBM Knowledge Center link for using SHA-2 in WebSphere MQ 7.0.1 is:
http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzas.doc/sy13850_.htm

    From WebSphere MQ 7.1 onwards, SHA-2 became a standard part of the GSKit-based queue manager and client features, because the product moved up to GSKit version 8, which has SHA-2 as standard. No special action is required for SHA-2 support in these releases: simply configure your channel to use one of the SHA-2 CipherSpecs described in the "Specifying CipherSpecs" topic:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy12870_.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q014260_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm

    On Windows platforms, the WebSphere MQ programs and libraries are digitally signed to verify their authenticity. In WebSphere MQ releases up to MQ 7.5.x they are signed using SHA-1 with RSA; in MQ 8.0 they are signed using SHA-256 with RSA. The new signature algorithm is supported by all Windows versions where MQ 8.0 is supported.

    WebSphere MQ z/OS Support
    SHA-2 CipherSpecs are supported on z/OS when running WebSphere MQ 8.0.
    SHA-2 CipherSpecs are also supported on z/OS when running WebSphere MQ 7.1 on z/OS V1R13 with MQ APAR PM77341 and System SSL APAR OA39422 applied.
    The requirements for z/OS are described in the "Specifying CipherSpecs" topic:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy12870_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm

    WebSphere MQ IBM i Support
    SHA-2 CipherSpecs are supported on IBM i from WebSphere MQ 7.1.0.3 and later product releases and maintenance levels. The CipherSpecs supported on IBM i are listed in the "Specifying CipherSpecs" topics as shown in the z/OS section above.

    WebSphere MQ Client for HP Integrity NonStop Server Support:
    SHA-2 is supported in the MQ Client for HP Integrity NonStop Server from V7.1.0.0.

    This IBM Knowledge Center topic describes how OpenSSL is used and should be enabled:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/q113360_.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q113360_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q113360_.htm

    This IBM Knowledge Center topic describes how to set up Certificates and CipherSpecs:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/q114070_.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q114070_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q114070_.htm


    WebSphere MQ Components:

    Java/JMS Support:
    SHA-2 is supported in the Java/JMS component for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ 7.5.0.2.

    For full support, including FIPS compatibility, a user application needs to run on a suitable IBM JRE: Java 6 SR13 FP2 or Java 7 SR4 FP2. Later JREs will also contain appropriate support.

    In MQ 8.0, changes have been made to CipherSuite/CipherSpec support. See the following IBM Knowledge Center MQ 8.0 topics:
    Changes to WebSphere MQ classes for Java:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.pro.doc/q115900_.htm
    Changes to WebSphere MQ classes for JMS:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.pro.doc/q115970_.htm

    WebSphere MQ support for SSL and TLS overall is summarized here:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10920_.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q010080_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q010070_.htm

    Specifying CipherSpecs on Queue Manager channels, including details of FIPS 140-2 and Suite B compliance, is discussed here:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy12870_.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q014260_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_.htm

    The relationship of Queue Manager CipherSpecs and Java CipherSuites, together with details of how to configure CipherSuites in WebSphere MQ Classes for Java is discussed here:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/ja34740_.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q031290_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm

    The relationship of Queue Manager CipherSpecs and Java CipherSuites, together with details of how to configure CipherSuites in WebSphere MQ Classes for JMS is discussed here:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/jm34740_.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q032470_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm

    In addition, users may need to apply unrestricted SDK policy files to their IBM JRE if not using the JRE supplied with MQ. This is documented in the Java Knowledge Center here:
    http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/sdkpolicyfiles.html?lang=en

    Application Server Support
    SHA-2 functionality is available within supported Java EE application servers on condition that:
    - The Java Runtime Environment executing the application server supports the SHA-2 Cipher Specs, as described in the list in the Java/JMS section
    - The version of WebSphere MQ Resource Adapter deployed into the application server is one of the versions listed in the Java/JMS section

    This Technote displays which version of WebSphere MQ is shipped with WebSphere Application Server: http://www.ibm.com/support/docview.wss?rs=171&uid=swg21248089

    Users of WebSphere Application Server may need to manually install a version of the WebSphere MQ Resource Adapter that provides SHA-2 support. This process is documented in the WebSphere Application Server Knowledge Center:
    http://www.ibm.com/support/knowledgecenter/SS7JFU_8.0.0/com.ibm.websphere.express.doc/info/exp/ae/tmj_wmqra_updating.html?lang=en

    MQ Explorer Support:
    SHA-2 is supported in the MQ Explorer (GUI) component for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ V7.5.0.2 and the MS0T SupportPac.

    The instructions for 'Installing into Eclipse environments' are described here:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.explorer.doc/e_install_in_eclipse.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.explorer.doc/e_install_in_eclipse.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.explorer.doc/e_install_in_eclipse.htm
    In addition, users may need to apply unrestricted SDK policy files to their IBM JRE if not using the JRE supplied with MQ. This is documented in the Java Knowledge Center here:
    http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/sdkpolicyfiles.html?lang=en

    The instructions for creating a security-enabled connection are described on this page:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.explorer.doc/e_qmanager_showremote.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.explorer.doc/e_qmanager_showremote.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.explorer.doc/e_qmanager_showremote.htm

    MQXR Support:
    SHA-2 is supported in the MQXR Service and MQTT Clients for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ 7.5.0.2 and later releases.

    System requirements for using SHA-2 cipher suites with MQTT channels and clients are described here:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/q039371_.htm
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q039371_.htm
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.tro.doc/q039371_.htm

    AMS Support:
    AMS on Distributed platforms supports SHA-2 algorithms from AMS 7.0.1.1 and later releases, as described in this Fix Pack description:
    http://www.ibm.com/support/docview.wss?uid=swg24029612
    AMS on z/OS supports SHA-2 algorithms with PTF PM55963, as described in this APAR description: http://www.ibm.com/support/docview.wss?uid=isg1PM55963

    Managed File Transfer (FTE/MFT) Support:
    For all of the following SHA-2-enabled communication options for MFT agents, the MFT component must use the IBM JRE at Java 6.0 SR13 FP2, Java 7.0 SR4 FP2, or later.

    Use of SHA-2 cipher specifications and cipher suites on connections between agents and WebSphere MQ queue managers:

    Supported on all platforms from WebSphere MQ 8.0. For more information about cipher specifications and cipher suites that are available at this release level, see MQ 8.0 SSL CipherSpecs and CipherSuites.

    WebSphere MQ 7.5.0.2 or later supports SHA-2-enabled communication for agents on distributed platforms. For more information about cipher specifications and cipher suites that are available at this release level, see MQ 7.5 topic SSL CipherSpecs and CipherSuites.

    Support is also present in WebSphere MQ File Transfer Edition V7.0.4.4 for agents on IBM i or z/OS platforms. For more information about cipher specifications and cipher suites that are available at this release level, see MQ 7.1 topic SSL CipherSpecs and CipherSuites.

    Use of SHA-2 cipher specifications and cipher suites on connections between agents and protocol servers:

    To comply with SP 800-131A for communications between MFT or FTE agents and protocol servers, you must satisfy the following requirements:

    - You must use FTPS, which you have configured appropriately; SFTP is not supported.

    - The remote server must send SP 800-131A-compliant cipher suites only.

    For a list of valid cipher suite values for communications between MFT or FTE agents and FTPS protocol servers, see Cipher suites in the IBM SDK and Runtime Environment Java™ Technology Edition Version 7 Information Center.

    Use of SHA-2 cipher specifications and cipher suites to connect to an FTPS server using the protocol bridge in FTPS mode is supported on all platforms in WebSphere MQ 8.0. For more information about configuring cipher suites, see MQ 8.0 topics FTPS server support by the protocol bridge and Protocol bridge properties file format.

    Support is also present in WebSphere MQ File Transfer Edition V7.0.4.4 for protocol bridge agents on z/OS and IBM i platforms. For more information about configuring cipher suites in this release, see FTE 7.0.4 topics FTPS server support by the protocol bridge and Protocol bridge properties file format.


    IBM Message Service Client
    SHA-2 is supported from WebSphere MQ 7.1 (XMS V2.1) in unmanaged mode only.
    The supported CipherSpecs are listed in the WebSphere MQ Information Center here:
    MQ 7.1:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.msc.doc/prx_wmq_ssl_cipher_spec.html
    MQ 7.5:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.msc.doc/prx_wmq_ssl_cipher_spec.html
    MQ 8.0:
    http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.msc.doc/prx_wmq_ssl_cipher_spec.htm

    Product Alias/Synonym

    WMQ MQ

    Document information


    More support for:

    WebSphere MQ
    Security

    Software version:

    7.0.1, 7.0.4, 7.1, 7.5, 8.0

    Operating system(s):

    AIX, HP Itanium, HP NonStop, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

    Reference #:

    1639606

    Modified date:

    2014-08-04