WebSphere MQ – Adding Missing SSL Cipher Suites

Tags: cipher, ibm-mq, ssl

I have to connect to a MQ 9 QMGR, which does not allow the available Cipher Suites I can choose from in MQ Explorer that is part of my 7.0.1-14 installation (Linux x86_64).

Can I add the needed Cipher Suites without upgrading to a newer MQ Version?

An acceptable Cipher Suite would be "TLS_RSA_WITH_AES_256_CBC_SHA256" for example.

Best Answer

MQ Explorer is a Java-based application, so it does not rely on the GSKit version but instead on Java's underlying JSSE implementation.

In general, non-Java applications using MQ v7.0.1.14 could utilize TLS 1.2 cipherspecs if they have installed GSKit 8 and have specified the AltGSKit=YES setting in the SSL stanza of the mqclient.ini; this does not apply, however, to Java applications like MQ Explorer.

Supporting this is the following info in APAR IT00326: "WMQ V7.X EXPLORER IS NOT ABLE TO CONFIGURE A CIPHER SPECIFICATION SUPPORTED BY GSKIT V8 FOR A V7.0.1 QUEUE MANAGER", which talks about using MQ Explorer to configure channels on a 7.0.1.4 or later queue manager that has the AltGSKit=YES setting in place in the SSL stanza of the qm.ini (bolded the key info below):

The WebSphere MQ Explorer has been updated to allow the configuration of the following CipherSpecs on a channel definition when connected to a version 7.0.1 queue manager:

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256

These CipherSpecs require GSKit 8 to be configured on the queue manager. Attempting to set these CipherSpecs for a channel definition on a version 7.0.1 queue manager which is using GSKit 7 will cause MQ Explorer to display an AMQ4126 error.

It should be noted that WebSphere MQ Explorer version 7.0.1 does not support the use of these three CipherSpecs for its communications with the queue manager over a ServerConnection channel.

The IBM MQ Classes for Java do not support SHA2 cipherspecs until MQ v7.1.

I would recommend you download the standalone MQ v9.1 Explorer SupportPac; you can find it here: MS0T: IBM MQ Explorer.

The versions listed below are all End of Support at this time, and v8 is going to be end of support on April 30th 2020:

V7.0 EOS: September 30 2015
V7.1 EOS: April     30 2017
V7.5 EOS: April     30 2018
V8.0 EOS: April     30 2020