MQ

  • 1.  Enable TLS1.2 encryption on MQ Channel (MQ 7.1)

    Posted Fri June 09, 2023 10:53 AM

    I just received the request to enable TLS1.2 encryption on some MQ channels (to external partners).

    This environment is an MQ environment (MQ 7.1), running on an iSeries/IBMi with OS 7.3. I know this MQ 7.1 is out of support, and soon this MQ version 7.1 will be upgraded to MQ v9.2 or MQ v9.3, but my external partner would like to install the encryption setup (TLS1.2) now (still in MQ 7.1).

    Is this TLS1.2 setup feasible with MQ 7.1?

    And what's the best approach to handle this setup (any installation document available)?

    I would expect to receive a certificate from the external partner, have it imported into DCM, and afterwards start with some configuration changes within MQ.

    Kind regards,

    Jos

    Jos (Jozef) Thijs

    Kyndryl Belgium.



    ------------------------------
    Jozef Thijs
    ------------------------------


  • 2.  RE: Enable TLS1.2 encryption on MQ Channel (MQ 7.1)

    Posted Fri June 09, 2023 11:28 AM

    Hi Jozef,

    The 7.1 Documentation is no longer live but the MQ 7.5 doc shows a large number of TLS 1.2 ciphers available but they appear to only be available on UNIX, Windows and Linux per note 'b' https://www.ibm.com/docs/en/ibm-mq/7.5?topic=messages-specifying-cipherspecs

    It doesn't look likely but someone else may be able to confirm.

    However, what is the plan should TLS 1.2 not be available? If TLS 1.2 is not available then it may be possible to still connect the MQ 7.1 via TLS 1.0 or SSLv3, your customer would just have to enable the protocols/ciphers on the other queue managers. Although be aware, there is a statement of direction saying that in the future the SSLv3 and TLS 1.0 cipherspecs are going to be removed from MQ entirely.



    ------------------------------
    Rob Parker
    Security Architect, IBM MQ Distributed
    IBM UK Ltd
    ------------------------------



  • 3.  RE: Enable TLS1.2 encryption on MQ Channel (MQ 7.1)

    Posted Mon June 12, 2023 05:55 AM
    Edited by Mayur RAJA Mon June 12, 2023 06:05 AM

    Hi Guys, 
    The requirements for using TLS 1.2 with IBMi are documented in the .pdf version of the Installing IBM WebSphere MQ manual which can be accessed here: https://public.dhe.ibm.com/software/integration/wmq/docs/V7.1/PDFs/wmq71.installconfig.pdf#ZI00770_ . See page 255. 

    The CipherSpecs supported on IBMi in MQ V7.1 are listed here: https://public.dhe.ibm.com/software/integration/wmq/docs/V7.1/PDFs/wmq71.administer.pdf#SY12870_ . See page 774. CipherSpecs tagged with letters c and d apply to IBMi. Page 520 also has information on Protecting channels with SSL or TLS. I think this is a good manual to look at as it also includes some examples of security configuration and you should be able to find what you need in here. 

    The full list of MQ V7.1 manuals available in .pdf form is listed on page 8 here: https://public.dhe.ibm.com/software/integration/wmq/docs/V7.1/PDFs/wmq71.overview.pdf . However, I do not know for how long they will be available, so if your MQ V7.1 environment is likely to be around for some time, you may want to take a copy of each manual for your reference.

    Regards .. Mayur



    ------------------------------
    Mayur RAJA
    ------------------------------