CipherSuite and CipherSpec name mappings for connections to an IBM WebSphere MQ queue manager

The InitialContext translates between the JMSAdmin Connection Factory property SSLCIPHERSUITE and the XMS near-equivalent XMSC_WMQ_SSL_CIPHER_SPEC. A similar translation is necessary if you specify a value for XMSC_WMQ_SSL_CIPHER_SUITE but omit a value for XMSC_WMQ_SSL_CIPHER_SPEC.

Table 1 lists the available CipherSpecs and their JSSE CipherSuite equivalents.

Table 1. Available CipherSpecs and their JSSE CipherSuite equivalents

| CipherSpec | Equivalent JSSE CipherSuite |
| --- | --- |
| DES_SHA_EXPORT | SSL_RSA_WITH_DES_CBC_SHA |
| DES_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA |
| FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA |
| FIPS_WITH_DES_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA |
| NULL_MD5 | SSL_RSA_WITH_NULL_MD5 |
| NULL_SHA | SSL_RSA_WITH_NULL_SHA |
| RC2_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 |
| RC4_56_SHA_EXPORT1024 | SSL_RSA_EXPORT1024_WITH_RC4_56_SHA |
| RC4_MD5_EXPORT | SSL_RSA_EXPORT_WITH_RC4_40_MD5 |
| RC4_MD5_US | SSL_RSA_WITH_RC4_128_MD5 |
| RC4_SHA_US | SSL_RSA_WITH_RC4_128_SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | SSL_RSA_WITH_3DES_EDE_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA | SSL_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | SSL_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_DES_CBC_SHA | SSL_RSA_WITH_DES_CBC_SHA |
| TRIPLE_DES_SHA_US | SSL_RSA_WITH_3DES_EDE_CBC_SHA |

Note: A one-to-one mapping for the CipherSuite name SSL_RSA_WITH_3DES_EDE_CBC_SHA or SSL_RSA_WITH_DES_CBC_SHA must account for the setting of the property XMSC_WMQ_SSL_FIPSREQUIRED and apply a heuristic.

If you specify SSL_RSA_WITH_3DES_EDE_CBC_SHA or SSL_RSA_WITH_DES_CBC_SHA for the property XMSC_WMQ_SSL_CIPHER_SUITE, and there is no value for XMSC_WMQ_SSL_CIPHER_SPEC, a value for XMSC_WMQ_SSL_CIPHER_SPEC is chosen according to the following tables.

The values used for XMSC_WMQ_SSL_CIPHER_SPEC when you specify SSL_RSA_WITH_3DES_EDE_CBC_SHA for the XMSC_WMQ_SSL_CIPHER_SUITE property are shown in the following table:

Table 2. Values used for XMSC_WMQ_SSL_CIPHER_SPEC when you specify SSL_RSA_WITH_3DES_EDE_CBC_SHA for the XMSC_WMQ_SSL_CIPHER_SUITE property

| Input: XMSC_WMQ_SSL_FIPSREQUIRED value | Output: XMSC_WMQ_SSL_CIPHER_SPEC chosen |
| --- | --- |
| false (that is, MQSSL_FIPS_NO) | TRIPLE_DES_SHA_US |
| true (that is, MQSSL_FIPS_YES) | TLS_RSA_WITH_3DES_EDE_CBC_SHA |

Note:
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA is deprecated. However, it can still be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, you need to either avoid using triple DES, or enable secret key reset when using this CipherSpec.

The values used for XMSC_WMQ_SSL_CIPHER_SPEC when you specify SSL_RSA_WITH_DES_CBC_SHA for the XMSC_WMQ_SSL_CIPHER_SUITE property are shown in the following table:

Table 3. Values used for XMSC_WMQ_SSL_CIPHER_SPEC when you specify SSL_RSA_WITH_DES_CBC_SHA for the XMSC_WMQ_SSL_CIPHER_SUITE property

| Input: XMSC_WMQ_SSL_FIPSREQUIRED value | Output: XMSC_WMQ_SSL_CIPHER_SPEC chosen |
| --- | --- |
| false (that is, MQSSL_FIPS_NO) | DES_SHA_EXPORT |
| true (that is, MQSSL_FIPS_YES) | TLS_RSA_WITH_DES_CBC_SHA |
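
The following Python sketch is an added example, not IBM product code: it inverts Table 1, shows that only the two CipherSuite names in the note map to more than one CipherSpec, and resolves them with the XMSC_WMQ_SSL_FIPSREQUIRED rule from Tables 2 and 3. The function names are hypothetical, and returning an explicitly set CipherSpec unchanged is an assumption.

```python
# Added illustration (not IBM code): Table 1 inverted, with the Table 2/3 tie-break.
from collections import defaultdict
# (CipherSpec, JSSE CipherSuite) pairs copied from Table 1.
TABLE_1 = [
    ("DES_SHA_EXPORT", "SSL_RSA_WITH_DES_CBC_SHA"),
    ("DES_SHA_EXPORT1024", "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA"),
    ("FIPS_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"),
    ("FIPS_WITH_DES_CBC_SHA", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"),
    ("NULL_MD5", "SSL_RSA_WITH_NULL_MD5"),
    ("NULL_SHA", "SSL_RSA_WITH_NULL_SHA"),
    ("RC2_MD5_EXPORT", "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"),
    ("RC4_56_SHA_EXPORT1024", "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA"),
    ("RC4_MD5_EXPORT", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"),
    ("RC4_MD5_US", "SSL_RSA_WITH_RC4_128_MD5"),
    ("RC4_SHA_US", "SSL_RSA_WITH_RC4_128_SHA"),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA"),
    ("TLS_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_AES_256_CBC_SHA"),
    ("TLS_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA"),
    ("TRIPLE_DES_SHA_US", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"),
]
# Tables 2 and 3: CipherSuite -> (spec if FIPS not required, spec if FIPS required).
FIPS_TIE_BREAK = {
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": ("TRIPLE_DES_SHA_US", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    "SSL_RSA_WITH_DES_CBC_SHA": ("DES_SHA_EXPORT", "TLS_RSA_WITH_DES_CBC_SHA"),
}

def specs_by_suite():
    """Invert Table 1: CipherSuite name -> list of candidate CipherSpecs."""
    inverse = defaultdict(list)
    for spec, suite in TABLE_1:
        inverse[suite].append(spec)
    return dict(inverse)

def ambiguous_suites():
    """CipherSuite names that Table 1 lists against more than one CipherSpec."""
    return sorted(s for s, specs in specs_by_suite().items() if len(specs) > 1)

def resolve_cipher_spec(cipher_suite, fips_required=False, cipher_spec=None):
    """Choose the CipherSpec the way the page describes for an omitted spec."""
    if cipher_spec:  # assumption: an explicit CipherSpec is used as given
        return cipher_spec
    candidates = specs_by_suite().get(cipher_suite)
    if candidates is None:
        raise ValueError(f"CipherSuite not in Table 1: {cipher_suite}")
    if len(candidates) == 1:
        return candidates[0]
    no_fips, fips = FIPS_TIE_BREAK[cipher_suite]
    return fips if fips_required else no_fips
```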