I have to connect to an MQ 9 QMGR, which does not allow the available Cipher Suites I can choose from in MQ Explorer that is part of my 7.0.1-14 installation (Linux x86_64).
Can I add the needed Cipher Suites without upgrading to a newer MQ Version?
An acceptable Cipher Suite would be "TLS_RSA_WITH_AES_256_CBC_SHA256" for example.
Best Answer
MQ Explorer is a Java-based application, so it does not rely on the GSKit version but instead on Java's underlying JSSE implementation.
In general, non-Java applications using MQ v7.0.1.14 could utilize TLS1.2 cipherspecs if they have installed GSKit 8 and have specified the AltGSKit=YES setting in the SSL stanza of the mqclient.ini; this does not apply, however, to Java applications like MQ Explorer.
Supporting this is the following info in APAR IT00326: WMQ V7.X EXPLORER IS NOT ABLE TO CONFIGURE A CIPHER SPECIFICATION SUPPORTED BY GSKIT V8 FOR A V7.0.1 QUEUE MANAGER, talking about using MQ Explorer to configure channels on a 7.0.1.4 or later queue manager that has the AltGSKit=YES setting in place in the SSL stanza of the qm.ini (bolded the key info below):
The IBM MQ Classes for Java does not support SHA2 cipherspecs until MQ v7.1.
I would recommend you download the standalone MQ v9.1 Explorer SupportPac, you can find it here: MS0T: IBM MQ Explorer.
The versions listed below are all End of Support at this time and v8 is going to be end of support on April 30th 2020: