Supported protocols and ciphers


The upgraded J.P. Morgan Managed File Transfer Services (MFTS) infrastructure provides enhanced security features to protect your data.
 

It is recommended that you maintain all applications in your file transmission infrastructure at their most current revision levels to take advantage of these security features and to avoid incompatibility issues.
 

Please be aware of the following requirements related to the upgraded platform:
 

  • All Secure Sockets Layer (SSL) connections to the platform must use Transport Layer Security version 1.2 (TLSv1.2) or later for communication session encryption. The less secure SSLv3, TLSv1.0 and TLSv1.1 are not supported.
  • Java-based applications must use Java™ Virtual Machine version 1.8 (JVM 1.8) or higher to provide the appropriate level of support for encryption.
  • The following types of ciphers are no longer supported:

    • Blowfish
    • ARCFOUR (ARC4)
    • Cipher Block Chaining (CBC) below 256
    • 3DES
    • TLS_RSA
  • Effective September 1, 2019, the diffie-hellman-group14-sha1 key exchange (KEX) algorithm will no longer be supported.

If your application does not support at least one of the applicable ciphers listed below, it will not be able to connect to the MFTS platform.

 

SSL-Based Protocols
 

MFTS Supported TLS Ciphers

The following ciphers are supported for internet-based connections via applications that use:

  • Applicability Statement 2 (AS2)
  • Hypertext Transfer Protocol Secure (HTTPS)
  • File Transfer Protocol Secure (FTPS)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

 

NDM
 

If you send or receive files by NDM via IBM® Sterling Connect:Direct® with Secure+, please be sure that your application meets the minimum security standards for encryption. For your information, TLSv1.2 support was introduced into Secure+ for the following versions:

 

  • Connect:Direct for z/OS version 5.2
  • Connect:Direct for Microsoft Windows version 4.7
  • Connect:Direct for UNIX version 4.2
  • Connect:Direct for i5/OS version 3.8
     

MFTS Supported TLS Ciphers for Secure+


The following ciphers are supported for connections that use Secure+:
 

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

 

SFTP
 

If you use SSH File Transfer Protocol (SFTP), please be sure your application supports the following:
 

  • Ciphers

    • AES128-CTR
    • AES192-CTR
    • AES256-CTR
       
  • Key Exchange Algorithms

    • diffie-hellman-group-exchange-sha256
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
       
  • HMAC

    • hmac-sha1-96
    • hmac-sha256
    • hmac-sha256@ssh.com
    • hmac-sha2-256
    • hmac-sha2-512
    • hmac-sha2-256-etm@openssh.com
    • hmac-sha2-512-etm@openssh.com
       
  • SSH Public Keys

    • ssh-rsa
    • ssh-dss
    • X509v3-sign-rsa
    • X509v3-sign-rsa-sha1
       
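As an added example (not J.P. Morgan code), the check below applies the SSH negotiation rule of RFC 4253 section 7.1 to the SFTP lists above: for each category the algorithm actually used is the first name in the client's list that the server also supports, and an empty intersection in any category fails the handshake. The SSH wire names used for the withdrawn families (blowfish-cbc, arcfour*, 3des-cbc) and the sample legacy client are assumptions introduced here.

```python
"""Pre-flight check of an SFTP client's algorithm lists against the MFTS SFTP
allow-lists from this page, using the RFC 4253 s7.1 rule: per category, the
chosen algorithm is the first client-preferred name the server also supports."""

# Server-side lists copied from the SFTP section of this page.
MFTS_SFTP = {
    "kex": [
        "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
        "diffie-hellman-group14-sha256",
    ],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac": [
        "hmac-sha1-96", "hmac-sha256", "hmac-sha256@ssh.com", "hmac-sha2-256",
        "hmac-sha2-512", "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512-etm@openssh.com",
    ],
    "hostkey": ["ssh-rsa", "ssh-dss", "x509v3-sign-rsa", "x509v3-sign-rsa-sha1"],
}

# SSH wire names (assumed mapping) for the families the page says are withdrawn.
WITHDRAWN = {"diffie-hellman-group14-sha1", "blowfish-cbc", "arcfour",
             "arcfour128", "arcfour256", "3des-cbc"}


def negotiate(client: dict, server: dict = MFTS_SFTP) -> dict:
    """Return {category: chosen name or None}; None means the handshake fails."""
    result = {}
    for cat, server_list in server.items():
        server_set = {n.lower() for n in server_list}
        offered = [n.lower() for n in client.get(cat, [])]
        result[cat] = next((n for n in offered if n in server_set), None)
    return result


def withdrawn_offered(client: dict) -> list:
    """Names the client still offers that the page lists as no longer supported."""
    return sorted({n.lower() for names in client.values() for n in names} & WITHDRAWN)


def is_compatible(client: dict) -> bool:
    """True only if every category negotiates to some algorithm."""
    return all(v is not None for v in negotiate(client).values())


# Constructed sample: a legacy client still preferring group14-sha1 and CBC ciphers.
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-sha2-256"],
    "hostkey": ["ssh-rsa"],
}
```

Against the sample client, key exchange and MAC negotiate successfully but no cipher is shared, so the connection would fail until the client is reconfigured to offer an AES CTR cipher.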

Application Compatibility
 

If your application does not support the available ciphers, or otherwise does not have the required encryption capabilities, then it may be necessary to change its configuration, upgrade it to the current version, replace it, or switch to another protocol.

You are strongly encouraged to test your file transfer applications in the MFTS client acceptance testing environment, which is currently configured with the upgraded infrastructure. Please refer to the Testing Instructions page for additional information and testing details.