GSKit: Some FIPS 140-2 compliant channels do not start

From IBM® WebSphere® MQ 7.1, three CipherSpecs are no longer FIPS 140-2 compliant. If a client or queue manager is configured to require FIPS 140-2 compliance, channels that use the following CipherSpecs do not start after migration.
  • FIPS_WITH_DES_CBC_SHA
  • FIPS_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA

To restart a channel, alter the channel definition to use a FIPS 140-2 compliant CipherSpec. Alternatively, configure the queue manager, or the client in the case of an IBM MQ MQI client, not to enforce FIPS 140-2 compliance.

Earlier versions of IBM WebSphere MQ enforced an older version of the FIPS 140-2 standard. The following CipherSpecs were considered FIPS 140-2 compliant in earlier versions of IBM WebSphere MQ and are also compliant in this version:
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (deprecated)
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (only when AltGSKit version 8 is used with Fix Pack 7.0.1.4 or later)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (only when AltGSKit version 8 is used with Fix Pack 7.0.1.4 or later)

Use these CipherSpecs if you want IBM MQ to interoperate in a FIPS 140-2 compliant manner with earlier versions.

Previous IBM MQ releases enforced an older version of the FIPS 140-2 standard. The following CipherSpecs were considered FIPS 140-2 compliant by previous IBM MQ releases and are also considered compliant in this version of IBM MQ:
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (deprecated)
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Use these CipherSpecs if you need IBM MQ to interoperate in a FIPS 140-2 compliant manner with earlier IBM MQ releases.
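
A pre-migration check for the situation this page describes, as an added example that is not IBM code: it parses channel listings in the layout that the MQSC command `DISPLAY CHANNEL(*) SSLCIPH` prints under `runmqsc`, and flags channels whose CipherSpec is one of the three listed above as no longer compliant. The sample output is constructed, and the function names and status labels are illustrative assumptions.

```python
import re

# CipherSpecs this page says are no longer FIPS 140-2 compliant from 7.1.
NO_LONGER_FIPS = {"FIPS_WITH_DES_CBC_SHA", "FIPS_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_WITH_DES_CBC_SHA"}
# CipherSpecs this page lists as still FIPS 140-2 compliant.
STILL_FIPS = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # deprecated
              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
              "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256"}
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # KEYWORD(value) pairs in MQSC output

def parse_channels(text):
    """Return one attribute dict per AMQ8414 'Display Channel details' record."""
    records, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("AMQ"):  # new message; only AMQ8414 opens a channel record
            current = {} if s.startswith("AMQ8414") else None
            records.append(current)
        elif current is not None:
            current.update(ATTR.findall(s))
    return [r for r in records if r and "CHANNEL" in r]

def classify(spec):
    spec = spec.strip().upper()
    if not spec:
        return "no-cipherspec"      # SSLCIPH is blank on this channel
    if spec in NO_LONGER_FIPS:
        return "will-not-start"     # when FIPS 140-2 compliance is required
    if spec in STILL_FIPS:
        return "compliant"
    return "not-listed"             # not covered by this page; check separately

def audit(text):
    return {r["CHANNEL"]: classify(r.get("SSLCIPH", "")) for r in parse_channels(text)}
# Constructed sample, modelled on `DISPLAY CHANNEL(*) SSLCIPH` output from runmqsc.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_DES_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SENDER)              CHLTYPE(SDR)
   SSLCIPH( )
"""
if __name__ == "__main__":
    print("\n".join(f"{s:15} {n}" for n, s in sorted(audit(SAMPLE).items())))
```

Channels reported as `will-not-start` are the ones whose definition needs a compliant CipherSpec before FIPS 140-2 enforcement is enabled.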