Appendix B: SSL Configuration for IBM WebSphere MQ

SSL configuration for IBM WebSphere MQ is similar to that of other providers, with some additional settings.

SSL Configuration on the MQ Queue Manager Side

Suppose a queue manager is secured with an SSL certificate. An SSL client sends a certificate only if it has one labeled in the correct WebSphere MQ format: for a queue manager on UNIX, i5/OS, or Windows, the label is ibmwebspheremq followed by the name of your queue manager changed to lower case. For example, for QM1 the label is ibmwebspheremqqm1. The channel also has an SSL CipherSpec defined, for example RC4_SHA_US.

In the JMS RA JMS Agent Solution Agent Object

In the Connection object for IBM WebSphere MQ using SSL, add a property called "IBM WMQ SSLCipherSuite" and set it to the CipherSuite that corresponds to the CipherSpec. For example, the value of the CipherSuite is SSL_RSA_WITH_RC4_128_SHA.

CipherSpecs Supported by IBM WebSphere MQ and Their Equivalent CipherSuites

CipherSpec                      Equivalent CipherSuite
NULL_MD5                        SSL_RSA_WITH_NULL_MD5
NULL_SHA                        SSL_RSA_WITH_NULL_SHA
RC4_MD5_EXPORT                  SSL_RSA_EXPORT_WITH_RC4_40_MD5
RC4_MD5_US                      SSL_RSA_WITH_RC4_128_MD5
RC4_SHA_US                      SSL_RSA_WITH_RC4_128_SHA
RC2_MD5_EXPORT                  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
DES_SHA_EXPORT                  SSL_RSA_WITH_DES_CBC_SHA
RC4_56_SHA_EXPORT1024           SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
DES_SHA_EXPORT1024              SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
TRIPLE_DES_SHA_US               SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA    SSL_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA    SSL_RSA_WITH_AES_256_CBC_SHA
AES_SHA_US2
TLS_RSA_WITH_DES_CBC_SHA        SSL_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA   SSL_RSA_WITH_3DES_EDE_CBC_SHA
FIPS_WITH_DES_CBC_SHA           SSL_RSA_FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA      SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

The Agent should be run with the following options where "Path" is the folder where the trustStore file is located.

-Djavax.net.ssl.trustStore=(Path)/truststore.jks -Djavax.net.ssl.trustStorePassword=<Password>
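
The following check is an added example, not part of the original appendix or of any IBM or vendor code. It compares a client's "IBM WMQ SSLCipherSuite" value with the channel's CipherSpec using the table above and derives the certificate label for a queue manager. The function names, the repo_labels input and the list of weak-cipher name tokens are assumptions made for this example.

```python
# Added example (not vendor code). Rows copied from the table above; AES_SHA_US has no CipherSuite there.
SPEC_TO_SUITE = {
    "NULL_MD5": "SSL_RSA_WITH_NULL_MD5",
    "NULL_SHA": "SSL_RSA_WITH_NULL_SHA",
    "RC4_MD5_EXPORT": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "RC4_MD5_US": "SSL_RSA_WITH_RC4_128_MD5",
    "RC4_SHA_US": "SSL_RSA_WITH_RC4_128_SHA",
    "RC2_MD5_EXPORT": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "DES_SHA_EXPORT": "SSL_RSA_WITH_DES_CBC_SHA",
    "RC4_56_SHA_EXPORT1024": "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "DES_SHA_EXPORT1024": "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TRIPLE_DES_SHA_US": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "SSL_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "SSL_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA": "SSL_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "FIPS_WITH_DES_CBC_SHA": "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    "FIPS_WITH_3DES_EDE_CBC_SHA": "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
}
# Assumption of this example: name tokens that mark a weak suite (not stated in the appendix).
WEAK_TOKENS = {
    "NULL": "no encryption", "EXPORT": "export-grade key",
    "RC4": "RC4 (prohibited by RFC 7465)", "RC2": "RC2 cipher",
    "DES": "single DES, 56-bit key", "MD5": "MD5-based MAC",
}

def cert_label(qmgr):
    # Label format from the text: fixed prefix + queue manager name in lower case.
    return "ibmwebspheremq" + qmgr.lower()

def weaknesses(suite):
    # Tokens are compared whole, so "3DES" is not mistaken for single "DES".
    found = []
    for token in suite.split("_"):
        key = "EXPORT" if token.startswith("EXPORT") else token
        if key in WEAK_TOKENS and WEAK_TOKENS[key] not in found:
            found.append(WEAK_TOKENS[key])
    return found

def check_client(qmgr, channel_spec, client_suite, repo_labels):
    findings = []
    expected = SPEC_TO_SUITE.get(channel_spec)
    if expected is None:
        findings.append(f"no CipherSuite listed for CipherSpec {channel_spec}")
    elif client_suite != expected:
        findings.append(f"CipherSuite should be {expected}, got {client_suite}")
    if cert_label(qmgr) not in repo_labels:  # labels read from the key repository
        findings.append(f"no certificate labelled {cert_label(qmgr)}")
    return findings + [f"weak: {w}" for w in weaknesses(client_suite)]
```

An empty list from check_client means the CipherSuite matches the channel, the expected label is present, and none of the listed weak tokens appear in the suite name.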