Skip to Main Content

This is an IBM Automation portal for Integration products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (

Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.

Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal ( - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal ( - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM. - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Delivered
Created by Guest
Created on Apr 9, 2014

PCI-DSS compliance concerning cipher spec configuration for MQ Server

Concering our external audit for PCI-DSS we got an open issue because the https scan on the MQ Server port shows that the MQ Server is accepting all ciphers (including null cipher).

However, we know that only explicit configured channel configurations are working and only the given specs are used in this context. Nevertheless this situation is not okay for PCI-DSS.

What we need would be an option to configure the supported ciphers individually per MQ Server (on/off switch per cipher). The result should be that a scan on the ip/port of the MQ server is not replying not supported ciphers (on/off switch) as supported.

Idea priority Urgent
RFE ID 48773
RFE Product IBM MQ
  • Guest
    Dec 15, 2023
    The AllowedCipherSpecs attribute enables this
  • Guest
    Dec 15, 2015

    We are looking at ways in which both the accepted protocol and ciphers can be fine tuned for a queue manager,

  • Guest
    Oct 15, 2015

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - WebSphere
    Product family - Integration
    Product - IBM MQ

    For recording keeping, the previous attributes were:
    Brand - WebSphere
    Product family - Connectivity and Integration
    Product - IBM MQ

  • Guest
    Jul 4, 2015

    With the existing implementation, MQ sends the list of supported ciphers but will only accept the one specified in the channel. The result is that an attacker isn't provided detail of the MQ configuration and must attempt to connect with different ciphers until finding the correct one. The result is evidence in the log of serial failed connection attempts that provide forensic analysis data for a breach investigation.

    The RFE requests that MQ be modified to provide the attacker with the exact cipher specified in the channel, or the supported subset, thus eliminating or reducing the amount of forensic data available to the breach investigator.

    The justification for this is that the PCI assessor doesn't understand that MQ is not HTTPS and therefore has a different security model which accounts for the "unexpected" behavior when using tools designed for HTTPS.

    Do I have that about right? Has anyone asked the PCI assessor to justify the application of HTTPS standards to the completely different security model used by MQ?