TIBCO ActiveMatrix BusinessWorksPlug-in for WebSphere MQ IBM cipher spec to Java suite mapping on different MQ client versions.

book

Article ID: KB0092496

calendar_today

Updated On:

Products	Versions
TIBCO ActiveMatrix BusinessWorks Plug-in for IBM MQ	-
Not Applicable	-

Description

Resolution:
MQClient Cipher Spec RC4_MD5_EXPORT TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA NULL_MD5 NULL_SHA RC4_MD5_US TLS_RSA_WITH_RC4_128_SHA256

Using (build pxa6470_27sr1fp1-20140708_01(SR1 IBM's JRE (so on MQClient Cipher Spec ECDHE_ECDSA_3DES_EDE_CBC_SHA256 ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_128_GCM_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384 ECDHE_ECDSA_AES_256_GCM_SHA384 ECDHE_ECDSA_NULL_SHA256 ECDHE_ECDSA_RC4_128_SHA256 ECDHE_RSA_3DES_EDE_CBC_SHA256 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_128_GCM_SHA256 ECDHE_RSA_AES_256_CBC_SHA384 ECDHE_RSA_AES_256_GCM_SHA384 ECDHE_RSA_NULL_SHA256 ECDHE_RSA_RC4_128_SHA256 RC4_MD5_EXPORT FIPS_WITH_3DES_EDE_CBC_SHA FIPS_WITH_DES_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_DES_CBC_SHA NULL_MD5 NULL_SHA TLS_RSA_WITH_NULL_SHA256 RC4_MD5_US TLS_RSA_WITH_RC4_128_SHA256 Using the JRE 1.7 installed as: Java SE Runtime MQClient Cipher Spec ECDHE_ECDSA_3DES_EDE_CBC_SHA256 ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_NULL_SHA256 ECDHE_ECDSA_RC4_128_SHA256 ECDHE_RSA_3DES_EDE_CBC_SHA256 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_NULL_SHA256 ECDHE_RSA_RC4_128_SHA256 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_RC4_128_SHA256
In order to access extended cipher suite modification is required:
for webspehere MQ.
Version in BW on the Oracle a modification to the Client only. TRA 5.10 (which comes with JRE 1.8) MQClient Cipher Spec RC4_MD5_EXPORT TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA NULL_MD5 NULL_SHA RC4_MD5_US TLS_RSA_WITH_RC4_128_SHA256 With the IBM extended ECDHE_ECDSA_3DES_EDE_CBC_SHA256 ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_128_GCM_SHA256 ECDHE_ECDSA_NULL_SHA256 ECDHE_ECDSA_RC4_128_SHA256 ECDHE_RSA_3DES_EDE_CBC_SHA256 ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_128_GCM_SHA256 ECDHE_RSA_NULL_SHA256 ECDHE_RSA_RC4_128_SHA256 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_RC4_128_SHA256
The following are client:

Client cipherspec arg is not MQClient Cipher Spec NULL_MD5 RC4_MD5_EXPORT RC4_SHA_US NULL_SHA DES_SHA_EXPORT RC4_MD5_US TRIPLE_DES_SHA_US Client 7.5 fixpack 4 cipherspec arg is not MQClient Cipher Spec NULL_MD5 RC4_MD5_EXPORT RC4_SHA_US NULL_SHA DES_SHA_EXPORT RC4_MD5_US TRIPLE_DES_SHA_US

With MQ client 8.0 fixpack 2, using JRE 1.7 installed with TRA 5.9, which identifies itself as Java SE Runtime Environment (build 1.7.0_55-b13) without the IBM specified argument for extended ciphers. Table of IBM's cipher specs to Java suites: JSSE CipherSuite Match Indication SSL_RSA_EXPORT_WITH_RC4_40_MD5 matched SSL_RSA_WITH_3DES_EDE_CBC_SHA matched SSL_RSA_WITH_DES_CBC_SHA matched SSL_RSA_WITH_NULL_MD5 matched SSL_RSA_WITH_NULL_SHA matched SSL_RSA_WITH_RC4_128_MD5 matched SSL_RSA_WITH_RC4_128_SHA matched the IBM JRE downloaded from IBM which identifies itself as Java SE Runtime Environment FP1). Note that this list of matches is available across all available versions of the MQ client using zLinux and AIX). Table of IBM's cipher specs to Java suites: JSSE CipherSuite Match Indication SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA matched SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 matched SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 matched SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 matched SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 matched SSL_ECDHE_ECDSA_WITH_NULL_SHA matched SSL_ECDHE_ECDSA_WITH_RC4_128_SHA matched SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA matched SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 matched SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 matched SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 matched SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 matched SSL_ECDHE_RSA_WITH_NULL_SHA matched SSL_ECDHE_RSA_WITH_RC4_128_SHA matched SSL_RSA_EXPORT_WITH_RC4_40_MD5 matched SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA matched SSL_RSA_FIPS_WITH_DES_CBC_SHA matched SSL_RSA_WITH_3DES_EDE_CBC_SHA matched SSL_RSA_WITH_AES_128_CBC_SHA matched SSL_RSA_WITH_AES_128_CBC_SHA256 matched SSL_RSA_WITH_AES_128_GCM_SHA256 matched SSL_RSA_WITH_AES_256_CBC_SHA matched SSL_RSA_WITH_AES_256_CBC_SHA256 matched SSL_RSA_WITH_AES_256_GCM_SHA384 matched SSL_RSA_WITH_DES_CBC_SHA matched SSL_RSA_WITH_NULL_MD5 matched SSL_RSA_WITH_NULL_SHA matched SSL_RSA_WITH_NULL_SHA256 matched SSL_RSA_WITH_RC4_128_MD5 matched SSL_RSA_WITH_RC4_128_SHA matched with TRA 5.9, which identifies itself Environment (build 1.7.0_55-b13) with the IBM specified argument for extended ciphers. Table of IBM's cipher specs to Java suites: JSSE CipherSuite Match Indication TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA matched TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 matched TLS_ECDHE_ECDSA_WITH_NULL_SHA matched TLS_ECDHE_ECDSA_WITH_RC4_128_SHA matched TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA matched TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 matched TLS_ECDHE_RSA_WITH_NULL_SHA matched TLS_ECDHE_RSA_WITH_RC4_128_SHA matched SSL_RSA_WITH_3DES_EDE_CBC_SHA matched TLS_RSA_WITH_AES_128_CBC_SHA matched TLS_RSA_WITH_AES_128_CBC_SHA256 matched SSL_RSA_WITH_DES_CBC_SHA matched TLS_RSA_WITH_NULL_SHA256 matched SSL_RSA_WITH_RC4_128_SHA matched these ciphers the IBM specified argument for selections must be specified in the tra. This workaround is described in APAR IV66840. See http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg1IV66840. To provide this parameter to Designer or to an engine the following TRA java.property.com.ibm.mq.cfg.useIBMCipherMappings=false At this time the fix is only available on the following fixpacks Maintenance Level v7.0 7.0.1.13 not yet published v7.1 7.1.0.7 not yet published v7.5 7.5.0.6 not yet published v8.0 8.0.0.2 To use that cipher JRE, you must use MQ client 8.0.0.2 and manage TRA themselves. These tables are valid for the stated versions of the JRE and was installed and the results of the same tests are: Without the IBM extended cipher support arg: Table of IBM's cipher specs to Java suites: JSSE CipherSuite Match Indication SSL_RSA_EXPORT_WITH_RC4_40_MD5 matched SSL_RSA_WITH_3DES_EDE_CBC_SHA matched SSL_RSA_WITH_DES_CBC_SHA matched SSL_RSA_WITH_NULL_MD5 matched SSL_RSA_WITH_NULL_SHA matched SSL_RSA_WITH_RC4_128_MD5 matched SSL_RSA_WITH_RC4_128_SHA matched cipher support arg: Table of IBM's cipher specs to Java suites: MQClient Cipher Spec JSSE CipherSuite Match Indication TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA matched TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 matched TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 matched TLS_ECDHE_ECDSA_WITH_NULL_SHA matched TLS_ECDHE_ECDSA_WITH_RC4_128_SHA matched TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA matched TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 matched TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 matched TLS_ECDHE_RSA_WITH_NULL_SHA matched TLS_ECDHE_RSA_WITH_RC4_128_SHA matched SSL_RSA_WITH_3DES_EDE_CBC_SHA matched TLS_RSA_WITH_AES_128_CBC_SHA matched TLS_RSA_WITH_AES_128_CBC_SHA256 matched TLS_RSA_WITH_AES_128_GCM_SHA256 matched SSL_RSA_WITH_DES_CBC_SHA matched TLS_RSA_WITH_NULL_SHA256 matched SSL_RSA_WITH_RC4_128_SHA matched tables for older versions of the WebSphere MQ 7.1 fixpack12 using the TRA 5.9 JRE. The IBM extended available: Table of IBM's cipher specs to Java suites: JSSE CipherSuite Match Indication SSL_RSA_WITH_NULL_MD5 matched SSL_RSA_EXPORT_WITH_RC4_40_MD5 matched SSL_RSA_WITH_RC4_128_SHA matched SSL_RSA_WITH_NULL_SHA matched SSL_RSA_WITH_DES_CBC_SHA matched SSL_RSA_WITH_RC4_128_MD5 matched SSL_RSA_WITH_3DES_EDE_CBC_SHA matched using the TRA 5.9 JRE. The IBM extended available: Table of IBM's cipher specs to Java suites: JSSE CipherSuite Match Indication SSL_RSA_WITH_NULL_MD5 matched SSL_RSA_EXPORT_WITH_RC4_40_MD5 matched SSL_RSA_WITH_RC4_128_SHA matched SSL_RSA_WITH_NULL_SHA matched SSL_RSA_WITH_DES_CBC_SHA matched SSL_RSA_WITH_RC4_128_MD5 matched SSL_RSA_WITH_3DES_EDE_CBC_SHA matched Issue/Introduction TIBCO ActiveMatrix BusinessWorksPlug-in for WebSphere MQ IBM cipher spec to Java suite mapping on different MQ client versions. Feedback thumb_up Yes thumb_down No Powered by

With MQ client 8.0 fixpack 2, using JRE 1.7 installed with TRA 5.9, which identifies itself as Java SE Runtime Environment (build 1.7.0_55-b13) without the IBM specified argument for extended ciphers.

Table of IBM's cipher specs to Java suites: JSSE CipherSuite                          Match Indication SSL_RSA_EXPORT_WITH_RC4_40_MD5            matched SSL_RSA_WITH_3DES_EDE_CBC_SHA             matched SSL_RSA_WITH_DES_CBC_SHA                  matched SSL_RSA_WITH_NULL_MD5                     matched SSL_RSA_WITH_NULL_SHA                     matched SSL_RSA_WITH_RC4_128_MD5                  matched SSL_RSA_WITH_RC4_128_SHA                  matched the IBM JRE downloaded from IBM which identifies itself as Java SE Runtime Environment FP1). Note that this list of matches is available across all available versions of the MQ client using zLinux and AIX).
Table of IBM's cipher specs to Java suites: JSSE CipherSuite                          Match Indication SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     matched SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   matched SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   matched SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   matched SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   matched SSL_ECDHE_ECDSA_WITH_NULL_SHA             matched SSL_ECDHE_ECDSA_WITH_RC4_128_SHA          matched SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       matched SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256     matched SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256     matched SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384     matched SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384     matched SSL_ECDHE_RSA_WITH_NULL_SHA               matched SSL_ECDHE_RSA_WITH_RC4_128_SHA            matched SSL_RSA_EXPORT_WITH_RC4_40_MD5            matched SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA        matched SSL_RSA_FIPS_WITH_DES_CBC_SHA             matched SSL_RSA_WITH_3DES_EDE_CBC_SHA             matched SSL_RSA_WITH_AES_128_CBC_SHA              matched SSL_RSA_WITH_AES_128_CBC_SHA256           matched SSL_RSA_WITH_AES_128_GCM_SHA256           matched SSL_RSA_WITH_AES_256_CBC_SHA              matched SSL_RSA_WITH_AES_256_CBC_SHA256           matched SSL_RSA_WITH_AES_256_GCM_SHA384           matched SSL_RSA_WITH_DES_CBC_SHA                  matched SSL_RSA_WITH_NULL_MD5                     matched SSL_RSA_WITH_NULL_SHA                     matched SSL_RSA_WITH_NULL_SHA256                  matched SSL_RSA_WITH_RC4_128_MD5                  matched SSL_RSA_WITH_RC4_128_SHA                  matched with TRA 5.9, which identifies itself Environment (build 1.7.0_55-b13) with the IBM specified argument for extended ciphers.
Table of IBM's cipher specs to Java suites: JSSE CipherSuite                          Match Indication TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     matched TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   matched TLS_ECDHE_ECDSA_WITH_NULL_SHA             matched TLS_ECDHE_ECDSA_WITH_RC4_128_SHA          matched TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       matched TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     matched TLS_ECDHE_RSA_WITH_NULL_SHA               matched TLS_ECDHE_RSA_WITH_RC4_128_SHA            matched SSL_RSA_WITH_3DES_EDE_CBC_SHA             matched TLS_RSA_WITH_AES_128_CBC_SHA              matched TLS_RSA_WITH_AES_128_CBC_SHA256           matched SSL_RSA_WITH_DES_CBC_SHA                  matched TLS_RSA_WITH_NULL_SHA256                  matched SSL_RSA_WITH_RC4_128_SHA                  matched
 these ciphers the IBM specified argument for selections must be specified in the tra. This workaround is described in APAR IV66840.  See http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg1IV66840. To provide this parameter to Designer or to an engine the following TRA 
java.property.com.ibm.mq.cfg.useIBMCipherMappings=false

At this time the fix is only available on the following fixpacks Maintenance Level
v7.0       7.0.1.13    not yet published
v7.1       7.1.0.7    not yet published
v7.5       7.5.0.6    not yet published
v8.0       8.0.0.2

To use that cipher JRE, you must use MQ client 8.0.0.2 and manage TRA themselves. 

These tables are valid for the stated versions of the JRE and was installed and the results of the same tests are:
Without the IBM extended cipher support arg:
Table of IBM's cipher specs to Java suites: JSSE CipherSuite                          Match Indication SSL_RSA_EXPORT_WITH_RC4_40_MD5            matched SSL_RSA_WITH_3DES_EDE_CBC_SHA             matched SSL_RSA_WITH_DES_CBC_SHA                  matched SSL_RSA_WITH_NULL_MD5                     matched SSL_RSA_WITH_NULL_SHA                     matched SSL_RSA_WITH_RC4_128_MD5                  matched SSL_RSA_WITH_RC4_128_SHA                  matched cipher support arg:
Table of IBM's cipher specs to Java suites:
MQClient Cipher Spec                      JSSE CipherSuite                          Match Indication TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     matched TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   matched TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   matched TLS_ECDHE_ECDSA_WITH_NULL_SHA             matched TLS_ECDHE_ECDSA_WITH_RC4_128_SHA          matched TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       matched TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     matched TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     matched TLS_ECDHE_RSA_WITH_NULL_SHA               matched TLS_ECDHE_RSA_WITH_RC4_128_SHA            matched SSL_RSA_WITH_3DES_EDE_CBC_SHA             matched TLS_RSA_WITH_AES_128_CBC_SHA              matched TLS_RSA_WITH_AES_128_CBC_SHA256           matched TLS_RSA_WITH_AES_128_GCM_SHA256           matched SSL_RSA_WITH_DES_CBC_SHA                  matched TLS_RSA_WITH_NULL_SHA256                  matched SSL_RSA_WITH_RC4_128_SHA                  matched tables for older versions of the WebSphere MQ 7.1 fixpack12 using the TRA 5.9 JRE.  The IBM extended available:
Table of IBM's cipher specs to Java suites: JSSE CipherSuite                          Match Indication SSL_RSA_WITH_NULL_MD5                     matched SSL_RSA_EXPORT_WITH_RC4_40_MD5            matched SSL_RSA_WITH_RC4_128_SHA                  matched SSL_RSA_WITH_NULL_SHA                     matched SSL_RSA_WITH_DES_CBC_SHA                  matched SSL_RSA_WITH_RC4_128_MD5                  matched SSL_RSA_WITH_3DES_EDE_CBC_SHA             matched using the TRA 5.9 JRE.  The IBM extended available:

Table of IBM's cipher specs to Java suites: JSSE CipherSuite                          Match Indication SSL_RSA_WITH_NULL_MD5                     matched SSL_RSA_EXPORT_WITH_RC4_40_MD5            matched SSL_RSA_WITH_RC4_128_SHA                  matched SSL_RSA_WITH_NULL_SHA                     matched SSL_RSA_WITH_DES_CBC_SHA                  matched SSL_RSA_WITH_RC4_128_MD5                  matched SSL_RSA_WITH_3DES_EDE_CBC_SHA             matched
                        
                    
                    
                    
                    
                    
                    
                        
                            
                                Issue/Introduction
                            
                            
                                TIBCO ActiveMatrix BusinessWorksPlug-in for WebSphere MQ IBM cipher spec to Java suite mapping on different MQ client versions.
                            
                        
                        
                    

                    
                    

                
                    Feedback
                    
                    
                    
                        
                            
                                thumb_up
                                Yes
                            
                            
                                thumb_down
                                No
                            
                        
                    
                
            
            
                Powered by

Welcome to "KB Articles"