Details of WebSphere MQ SHA-2 Support

Technote (FAQ)


Question

I want to use SHA-2 with WebSphere MQ, what versions and fixpack levels do I need?

Answer

WebSphere MQ Distributed Platforms Support (AIX, HP-UX, Linux, Solaris, Windows)
SHA-2 CipherSpecs are supported in WebSphere MQ 7.0.1.4 and later releases. To use SHA-2 support in 7.0.1.x use the alternate GSKit capability.
The WebSphere MQ Information Center link for using SHA-2 in MQ 7.0.1 is:
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/topic/com.ibm.mq.csqzas.doc/sy13850_.htm

    From WebSphere MQ 7.1 onwards, SHA-2 became a standard part of the GSKit-based queue manager and client features, because the product moved up to using GSKit version 8 which has SHA-2 as standard. No special action is required for SHA-2 support in the MQ 7.1 and MQ 7.5 releases: simply configure your channel to use one of the SHA-2 CipherSpecs described in the "Specifying CipherSpecs" topic:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/sy12870_.htm
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.sec.doc/q014260_.htm

    WebSphere MQ z/OS Support
    SHA-2 CipherSpecs are supported on z/OS when running WebSphere MQ 7.1 on z/OS V1R13 with MQ APAR PM77341 and System SSL APAR OA39422.
    The requirements for z/OS are described here:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/sy12870_.htm

    WebSphere MQ IBM i Support
    WebSphere MQ SHA-2 Support is available from IBM i 7.1 and from WebSphere MQ 7.1.0.3 .
    The pre-req for IBM i SHA-2 for WebSphere MQ 7.1.0.3 server and C client is IBM® i 7.1 Technology Refresh 6 (TR6) and PTF SI48659.

    Here is a link to using TLSv1.2 with SSL on IBMi: http://www.ibm.com/developerworks/ibmi/library/i-system-ssl-ibmi/
    The hardware and software requirements for IBM i are described in the WebSphere MQ Information Center here:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/zi00770_.htm

    WebSphere MQ Client for HP Integrity NonStop Server Support:
    SHA-2 is supported in the MQ Client for HP Integrity NonStop Server from V7.1.0.0.

    This Infocentre topic describes how OpenSSL is used and should be enabled:
    MQ7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/q113360_.htm
    MQ 7.5
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.sec.doc/q113360_.htm

    This MQ Information Center topic describes how to set up Certificates and CipherSpecs:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/q114070_.htm
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.sec.doc/q114070_.htm


    WebSphere MQ Components:

    Java/JMS Support:
    SHA-2 is supported in the Java/JMS component for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ 7.5.0.2.

    For full support, including FIPS-compatibility, a user application needs to run on a suitable IBM JRE - Java 6 SR13 FP2 or Java 7 SR4 FP2, and later JRE's will contain appropriate support.

    WebSphere MQ support for SSL and TLS overall is summarised here:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/sy10920_.htm
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.sec.doc/q010080_.htm

    Specifying CipherSpecs on Queue Manager channels, including details of FIPS-1402 and Suite B compliance, is discussed here:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/sy12870_.htm
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.sec.doc/q014260_.htm

    The relationship of Queue Manager CipherSpecs and Java CipherSuites, together with details of how to configure CipherSuites in WebSphere MQ Classes for Java is discussed here:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/ja34740_.htm
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.dev.doc/q031290_.htm

    The relationship of Queue Manager CipherSpecs and Java CipherSuites, together with details of how to configure CipherSuites in WebSphere MQ Classes for JMS is discussed here:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/jm34740_.htm
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.dev.doc/q032470_.htm

    Application Server Support
    SHA-2 functionality is available within supported Java EE application servers on condition that:
    - The Java Runtime Environment executing the application server supports the SHA-2 Cipher Specs, as described in the list in the Java/JMS section
    - The version of WebSphere MQ Resource Adapter deployed into the application server is one of the versions listed in the Java/JMS section

    This Technote displays which version of WebSphere MQ is shipped with WebSphere Application Server: http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg21248089

    Users of WebSphere Application Server may need to manually install a version of the WebSphere MQ Resource Adapter that provides SHA-2 support. This process is documented in the WebSphere Application Server Information Center:
    http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-express-dist&topic=tmj_mqwra_updating

    MQ Explorer Support:
    SHA-2 is supported in the MQ Explorer (GUI) component for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ V7.5.0.2 and the MS0T SupportPac.

    The instructions for 'Installing into Eclipse environments' are described here:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.explorer.doc/e_install_in_eclipse.htm
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.explorer.doc/e_install_in_eclipse.htm

    The instructions for 'Showing a remote queue manager' are described here:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.explorer.doc/e_qmanager_showremote.htm
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.explorer.doc/e_qmanager_showremote.htm

    MQXR Support:
    SHA-2 is supported in the MQXR Service and MQTT Clients for all Distributed platforms from WebSphere MQ 7.1.0.3 and WebSphere MQ 7.5.0.2.

    System requirements for using SHA-2 cipher suites with MQTT channels and clients are described here:
    MQ7.1
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/q039371_.htm
    MQ7.5
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.tro.doc/q039371_.htm

    AMS Support:
    AMS on Distributed platforms support SHA-2 algorithms from AMS 7.0.1.1 and later releases, as described in this Fixpack description:
    http://www-01.ibm.com/support/docview.wss?uid=swg24029612
    AMS on z/OS supports SHA-2 algorithms with PTF PM55963, as described in this APAR description: http://www-01.ibm.com/support/docview.wss?uid=isg1PM55963

    Managed File Transfer (FTE/MFT) Support:
    SHA-2 is supported in the MFT component for all Distributed platforms from WebSphere MQ 7.5.0.2.
    SHA-2 is supported in the FTE component for IBM i and z/OS via FTE 7.0.4.3 with APAR IC93851 applied.

    If you are using Managed File Transfer, the CipherSpecs and CipherSuites supported for connecting to a WebSphere MQ queue manager are identical to those supported by the WebSphere MQ Java classes for Java. Refer to the following link for more information about this support:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.dev.doc/q031290_.htm

    IBM Message Service Client
    SHA-2 is supported from WebSphere MQ 7.1 (XMS V2.1) in unmanaged mode only.
    The list of supported CipherSpecs is listed in the WebSphere MQ Information Center here:
    MQ 7.1:
    http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.msc.doc/prx_wmq_ssl_cipher_spec.html
    MQ 7.5:
    http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.msc.doc/prx_wmq_ssl_cipher_spec.html

    Product Alias/Synonym

    WMQ MQ

    Rate this page:

    (0 users)Average rating

    Add comments

    Document information


    More support for:

    WebSphere MQ
    Security

    Software version:

    7.0.1, 7.0.4, 7.1, 7.5

    Operating system(s):

    AIX, HP Itanium, HP NonStop, HP-UX, IBM i, Linux, Linux Red Hat - i/p Series, Linux Red Hat - xSeries, Linux Red Hat - zSeries, Linux SUSE - xSeries, Linux SUSE - zSeries, Linux SuSE - i/p Series, Linux iSeries, Linux on Power, Linux zSeries, OS/400, Solaris, Tandem NSK, UNIX, Windows, i5/OS, iSeries, z/OS

    Reference #:

    1639606

    Modified date:

    2013-08-09

    Translate my page

    Machine Translation

    Content navigation