XMSC_WMQ_SSL_CIPHER_SPEC

Data type: String
Property of: ConnectionFactory

[V7.5.0.2 Jul 2013] The name of the CipherSpec to be used on a secure connection to a queue manager.

Cipher specifications that you can use with IBM® WebSphere® MQ SSL and TLS support are listed in the following table. When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the SSL handshake is the size stored in the certificate unless it is determined by the CipherSpec, as noted in the table. By default, this property is not set.

| CipherSpec name | Protocol used | Hash algorithm | Encryption algorithm | Encryption bits | FIPS [1] | Suite B 128 bit | Suite B 192 bit |
|---|---|---|---|---|---|---|---|
| NULL_MD5 | SSL 3.0 [8] | MD5 | None | 0 | No | No | No |
| NULL_SHA | SSL 3.0 [8] | SHA-1 | None | 0 | No | No | No |
| RC4_MD5_EXPORT [2] | SSL 3.0 [8] | MD5 | RC4 | 40 | No | No | No |
| RC4_MD5_US | SSL 3.0 [8] | MD5 | RC4 | 128 | No | No | No |
| RC4_SHA_US | SSL 3.0 [8] | SHA-1 | RC4 | 128 | No | No | No |
| RC2_MD5_EXPORT [2] | SSL 3.0 [8] | MD5 | RC2 | 40 | No | No | No |
| DES_SHA_EXPORT [2] | SSL 3.0 [8] | SHA-1 | DES | 56 | No | No | No |
| RC4_56_SHA_EXPORT1024 [3] | SSL 3.0 [8] | SHA-1 | RC4 | 56 | No | No | No |
| DES_SHA_EXPORT1024 [3] | SSL 3.0 [8] | SHA-1 | DES | 56 | No | No | No |
| TRIPLE_DES_SHA_US | SSL 3.0 [8] | SHA-1 | 3DES | 168 | No | No | No |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS 1.0 | SHA-1 | AES | 128 | Yes | No | No |
| TLS_RSA_WITH_AES_256_CBC_SHA [4] | TLS 1.0 | SHA-1 | AES | 256 | Yes | No | No |
| TLS_RSA_WITH_DES_CBC_SHA | TLS 1.0 | SHA-1 | DES | 56 | No [5] | No | No |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA [8] | TLS 1.0 | SHA-1 | 3DES | 168 | Yes | No | No |
| FIPS_WITH_DES_CBC_SHA | SSL 3.0 | SHA-1 | DES | 56 | No [6] | No | No |
| FIPS_WITH_3DES_EDE_CBC_SHA | SSL 3.0 | SHA-1 | 3DES | 168 | No [7] | No | No |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 | SHA-256 | AES | 128 | Yes | No | No |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 | SHA-384 | AES | 256 | Yes | No | No |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 | SHA-256 | AES | 128 | Yes | No | No |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 | SHA-256 | AES | 256 | Yes | No | No |
| ECDHE_ECDSA_RC4_128_SHA256 | TLS 1.2 | SHA-256 | RC4 | 128 | No | No | No |
| ECDHE_ECDSA_3DES_EDE_CBC_SHA256 | TLS 1.2 | SHA-256 | 3DES | 168 | Yes | No | No |
| ECDHE_RSA_RC4_128_SHA256 | TLS 1.2 | SHA-256 | RC4 | 128 | No | No | No |
| ECDHE_RSA_3DES_EDE_CBC_SHA256 | TLS 1.2 | SHA-256 | 3DES | 168 | Yes | No | No |
| ECDHE_ECDSA_AES_128_CBC_SHA256 | TLS 1.2 | SHA-256 | AES | 128 | Yes | No | No |
| ECDHE_ECDSA_AES_256_CBC_SHA384 | TLS 1.2 | SHA-384 | AES | 256 | Yes | No | No |
| ECDHE_RSA_AES_128_CBC_SHA256 | TLS 1.2 | SHA-256 | AES | 128 | Yes | No | No |
| ECDHE_RSA_AES_256_CBC_SHA384 | TLS 1.2 | SHA-384 | AES | 256 | Yes | No | No |
| ECDHE_ECDSA_AES_128_GCM_SHA256 | TLS 1.2 | SHA-256 | AES | 128 | Yes | Yes | No |
| ECDHE_ECDSA_AES_256_GCM_SHA384 | TLS 1.2 | SHA-384 | AES | 256 | Yes | No | Yes |
| ECDHE_RSA_AES_128_GCM_SHA256 | TLS 1.2 | SHA-256 | AES | 128 | Yes | No | No |
| ECDHE_RSA_AES_256_GCM_SHA384 | TLS 1.2 | SHA-384 | AES | 256 | Yes | No | No |
| TLS_RSA_WITH_NULL_SHA256 | TLS 1.2 | SHA-256 | None | 0 | No | No | No |
| ECDHE_RSA_NULL_SHA256 | TLS 1.2 | SHA-256 | None | 0 | No | No | No |
| ECDHE_ECDSA_NULL_SHA256 | TLS 1.2 | SHA-256 | None | 0 | No | No | No |
| TLS_RSA_WITH_NULL_NULL | TLS 1.2 | None | None | 0 | No | No | No |
| TLS_RSA_WITH_RC4_128_SHA256 | TLS 1.2 | SHA-256 | RC4 | 128 | No | No | No |

Notes:
  1. Specifies whether the CipherSpec complies with Federal Information Processing Standards (FIPS) 140-2. For an explanation of FIPS and information about how to configure WebSphere MQ for FIPS 140-2 compliant operation, see Federal Information Processing Standards (FIPS) in the online IBM WebSphere MQ product documentation.
  2. The maximum handshake key size is 512 bits. If either of the certificates exchanged during the SSL handshake has a key size greater than 512 bits, a temporary 512-bit key is generated for use during the handshake.
  3. The handshake key size is 1024 bits.
  4. This CipherSpec cannot be used to secure a connection from the WebSphere MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.
  5. This CipherSpec was FIPS 140-2 certified before 19 May 2007.
  6. This CipherSpec was FIPS 140-2 certified before 19 May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated.
  7. The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. The use of this CipherSpec is deprecated.
  8. When WebSphere MQ is configured for FIPS 140-2 compliant operation, this CipherSpec can be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, either avoid using triple DES (which is deprecated), or enable secret key reset when using this CipherSpec in a FIPS 140-2 configuration.
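
One way to vet a CipherSpec name against the table above before it is assigned to XMSC_WMQ_SSL_CIPHER_SPEC. This is an added example, not IBM's code: the function name, the subset of rows it embeds and the policy defaults (TLS 1.2 minimum, 128 encryption bits, FIPS required) are assumptions.

```python
# Added example. Rows copied from the table on this page as
# name: (protocol, hash, cipher, bits, FIPS, handshake key size from notes 2-3).
CIPHERSPECS = {
    "NULL_SHA": ("SSL 3.0", "SHA-1", "None", 0, False, None),
    "RC4_MD5_EXPORT": ("SSL 3.0", "MD5", "RC4", 40, False, 512),
    "DES_SHA_EXPORT1024": ("SSL 3.0", "SHA-1", "DES", 56, False, 1024),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": ("TLS 1.0", "SHA-1", "3DES", 168, True, None),
    "TLS_RSA_WITH_AES_128_CBC_SHA256": ("TLS 1.2", "SHA-256", "AES", 128, True, None),
    "ECDHE_RSA_RC4_128_SHA256": ("TLS 1.2", "SHA-256", "RC4", 128, False, None),
    "ECDHE_ECDSA_AES_256_GCM_SHA384": ("TLS 1.2", "SHA-384", "AES", 256, True, None),
    "TLS_RSA_WITH_NULL_NULL": ("TLS 1.2", "None", "None", 0, False, None),
}
PROTOCOL_ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.2"]  # oldest to newest


def audit_cipherspec(name, min_protocol="TLS 1.2", min_bits=128, require_fips=True):
    """Return the reasons a CipherSpec fails the policy; [] means it passes.

    The policy defaults are assumptions of this example, not IBM guidance.
    """
    if not name:
        return ["property is not set (the default)"]
    row = CIPHERSPECS.get(name)
    if row is None:
        return [f"{name} is not in the embedded table subset"]
    protocol, digest, cipher, bits, fips, handshake_bits = row
    reasons = []
    if PROTOCOL_ORDER.index(protocol) < PROTOCOL_ORDER.index(min_protocol):
        reasons.append(f"protocol {protocol} is older than {min_protocol}")
    if cipher == "None":
        reasons.append("no encryption")
    elif bits < min_bits:
        reasons.append(f"{bits}-bit {cipher} is below {min_bits} bits")
    if digest == "None":
        reasons.append("no hash algorithm")
    if require_fips and not fips:
        reasons.append("not FIPS 140-2 compliant per the table")
    if handshake_bits:
        reasons.append(f"CipherSpec sets the handshake key size to at most {handshake_bits} bits")
    return reasons


if __name__ == "__main__":
    for spec in ("ECDHE_ECDSA_AES_256_GCM_SHA384", "RC4_MD5_EXPORT", ""):
        print(spec or "<unset>", "->", audit_cipherspec(spec) or "OK")
```
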