Versions Compared

Old Version 8

changes.mady.by.user Admin

Saved on

compared with

New Version 9

changes.mady.by.user Admin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Navigate to the 'Queue Managers' tab and enter the required Cipher Suite into the Cipher input box. Note the Cipher Suite used needs to match the Cipher Spec on the MQ channel.

Compatible Cipher Suites

SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java

Info

Depending on your MQ versions, the additional Java option below may be required to use other Cipher Suites.

-Dcom.ibm.mq.cfg.useIBMCipherMappings=false

To Import a Trust Certificate

...

NOTE: The default password for the truststore.jks file is 'changeit'

MQ Java TLS CipherSpecs and CipherSuites for Oracle Java 8 Usage

Download the JCE 8

The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files need to be downloaded and installed in order for the Oracle JRE to support the required CipherSuites in the table below. 

After downloading the JCE, extract and copy the JCE jurisdiction policy JAR files below to the target locations.

local_policy.jar (Unlimited strength local policy file)
US_export_policy.jar (Unlimited strength US export policy file)

Target locations

<java-home>/lib/security [Unix]
<java-home>\lib\security [Windows]

Recommended CipherSpecs and Equivalent CipherSuites 

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm 

MQ CipherSpec
Equivalent CipherSuite (IBM JRE)
Equivalent CipherSuite (Oracle JRE)
Protocol
TLS_RSA_WITH_AES_128_CBC_SHASSL_RSA_WITH_AES_128_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHATLS v1
TLS_RSA_WITH_AES_128_CBC_SHA256SSL_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHA256TLS v1.2
TLS_RSA_WITH_AES_256_CBC_SHASSL_RSA_WITH_AES_256_CBC_SHATLS_RSA_WITH_AES_256_CBC_SHATLS v1
TLS_RSA_WITH_AES_256_CBC_SHA256SSL_RSA_WITH_AES_256_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256TLS v1.2

Required JRE Startup Option for Oracle JRE

Once the Cryptography Extension Jars have been installed, the Java option below needs to be added to the JRE startup . This option enables the use of the equivalent Oracle JRE CipherSuites shown in the table above. 

-Dcom.ibm.mq.cfg.useIBMCipherMappings=false