TLS protects IBM MQ channel traffic from interception and tampering on untrusted networks—but only if both ends agree on a strong, supported cipher suite. SSLCIPH on DEFINE CHANNEL and ALTER CHANNEL names that suite for the connection. A data center upgrade that disables TLS 1.0 can break channels overnight if SSLCIPH still names an obsolete cipher string. Security architects mandate AES-GCM and TLS 1.2 minimum; legacy partners may still request older RSA ciphers until migrated. This tutorial explains SSLCIPH for beginners, pairing rules on SDR and RCVR, SVRCONN client configuration, relationship to SSLCAUTH and certificate stores, and systematic troubleshooting when BINDING fails with handshake errors.
During the TLS handshake, client and server negotiate a cipher suite. The IBM MQ channel definition constrains which CipherSpec the queue manager accepts for that channel. SSLCIPH may name a single CipherSpec or one of the cipher spec strings supported on your release; consult the IBM documentation for your version rather than copying decade-old examples from blog posts. The selected suite determines the key exchange, bulk encryption, and MAC algorithm. Weak suites (NULL encryption, EXPORT grade, SSLv3) have no place in a production standard.
| Attribute | Role |
|---|---|
| SSLCIPH | Which cipher spec to use for encryption |
| SSLCAUTH | Whether client certificate is required |
| SSLKEYR / certs | Key repository and certificate labels |
| CHLAUTH SSLPEERMAP | Map cert DN to MCAUSER after handshake |
```
* Use cipher specs valid for YOUR IBM MQ release - examples illustrative
* On QM1: the sending end of the pair
DEFINE CHANNEL('QM1.TO.QM2') CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('qm2.corp(1414)') XMITQ('XMIT.QM2') +
       SSLCIPH('TLS_RSA_WITH_AES_128_GCM_SHA256')
* On QM2: the receiving end. SSLCAUTH is set on the side that receives
* the connection, and the SSLCIPH string must match the SDR exactly
DEFINE CHANNEL('QM1.TO.QM2') CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH('TLS_RSA_WITH_AES_128_GCM_SHA256') SSLCAUTH(REQUIRED)
* Client-facing channel: the client's TLS configuration must enable the same suite
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCIPH('TLS_RSA_WITH_AES_256_GCM_SHA384')
* Verify what is actually defined before testing the connection
DISPLAY CHANNEL('QM1.TO.QM2') SSLCIPH SSLCAUTH
```
SDR and RCVR must list compatible SSLCIPH values. Mismatched strings are a top cause of RETRY after TLS projects. Java and .NET clients need matching TLS protocol and cipher enablement in their SSL configuration when connecting to SVRCONN. Container platforms often inject cipher policy via environment variables separate from MQSC—keep both in sync.
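As an added example (not part of this tutorial), the following Python parses the DISPLAY CHANNEL output captured from each end of a pair and flags the conditions described above: SSLCIPH strings that differ, CipherSpec names from the weak families the page rules out, and a receiver that does not demand a client certificate. The runmqsc output and the WEAK_MARKERS list are constructed for illustration.

```python
import re

# Constructed sample of runmqsc DISPLAY CHANNEL output for both ends (not captured
# from a real system); CONNAME shows the nested parentheses the parser must handle.
QM1_OUTPUT = """\
AMQ8414I: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   CONNAME(qm2.corp(1414))                 XMITQ(XMIT.QM2)
   SSLCIPH(TLS_RSA_WITH_AES_128_GCM_SHA256)
"""
QM2_OUTPUT = """\
AMQ8414I: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(RCVR)
   SSLCAUTH(REQUIRED)                      SSLCIPH(TLS_RSA_WITH_AES_256_GCM_SHA384)
"""
# Substrings found in obsolete CipherSpec names (NULL encryption, EXPORT grade, RC4, DES, MD5)
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5")

def parse_display_channel(text):
    """Return {ATTRIBUTE: value} from runmqsc output, honouring nested parentheses."""
    attrs = {}
    for line in text.splitlines():
        i = 0
        while i < len(line):
            m = re.match(r"\s*([A-Z0-9]+)\(", line[i:])
            if not m:          # message prefix or trailing text, not an attribute
                break
            name, depth, j = m.group(1), 1, i + m.end()
            start = j
            while j < len(line) and depth:   # walk to the matching ')'
                depth += {"(": 1, ")": -1}.get(line[j], 0)
                j += 1
            attrs[name] = line[start:j - 1]  # strip the closing parenthesis
            i = j
    return attrs

def audit_pair(sdr, rcvr):
    """Findings for one SDR/RCVR pair; an empty list means the TLS settings are consistent."""
    findings = []
    s, r = sdr.get("SSLCIPH", ""), rcvr.get("SSLCIPH", "")
    if s != r:   # both ends must name the same CipherSpec or the handshake fails
        findings.append(f"SSLCIPH mismatch: SDR={s or '<none>'} RCVR={r or '<none>'}")
    for side, spec in (("SDR", s), ("RCVR", r)):
        if any(marker in spec for marker in WEAK_MARKERS):
            findings.append(f"{side} uses weak CipherSpec {spec}")
    if r and rcvr.get("SSLCAUTH", "").upper() != "REQUIRED":
        findings.append("RCVR does not require a client certificate (SSLCAUTH)")
    return findings
```

Feed it the output of DISPLAY CHANNEL(name) ALL from each queue manager; the mismatch finding is the one to check first whenever a pair sits in RETRY after a TLS change.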
SSLCIPH is like two friends agreeing to speak the same secret code language (the cipher) on the phone. If one speaks an old code the other has deleted, the call never really starts even though both picked up (TCP connected).
z/OS, Linux, and Windows MQ support different cipher lists and TLS implementations. A cipher valid on distributed MQ may need a different spec name on z/OS. Java clients use JSSE cipher names internally—mapping to MQ channel SSLCIPH must be validated with a test MQCONNX, not assumed from documentation tables alone.
AES-GCM ciphers on modern CPUs often outperform older CBC suites, using less CPU per megabyte on high-throughput SDR links. On encrypted WAN routes, cipher choice can affect CPU more than BATCHSZ tuning does. Profile before and after cipher migrations on busy channels using CHSTATUS BYTS and system metrics.
SSLCIPH is picking which secret scramble recipe both computers use so nobody else can read the messages on the wire.
Write a checklist to migrate one SDR/RCVR pair from an old cipher to TLS 1.2 AES-GCM.
A channel stuck in BINDING fails after a partner MQ upgrade: list six SSL-related DISPLAY commands to run.
Explain why SSLCIPH must match but channel names already matched.
1. SSLCIPH specifies:
2. Partners must have:
3. SSLCIPH vs SSLCAUTH—SSLCAUTH is:
4. Cipher mismatch shows during: