FIPS support

IBM® MQ Managed File Transfer supports the use of FIPS-compliant cryptography modules in client connections from agents, commands, and the IBM MQ Explorer to queue managers. All SSL connections to the queue manager use the TLS protocol only. Support is provided for JKS and PKCS#12 keystore types.

Note: On UNIX, Linux®, and Windows, IBM MQ provides FIPS 140-2 compliance through the IBM Crypto for C cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.

Specify whether you want to enable FIPS support for an agent, a coordination queue manager, or a command queue manager as follows:
  • If you want to enable FIPS for a specific agent, set the appropriate agentSsl properties in the agent.properties file for that agent. For more information, see SSL properties.
  • If you want to enable FIPS for a specific coordination queue manager, set the appropriate coordinationSsl properties in the coordination.properties file for that coordination queue manager. For more information, see SSL properties.
  • If you want to enable FIPS for a specific command queue manager, set the appropriate connectionSsl properties in the command.properties file for that command queue manager. For more information, see SSL properties.

FIPS is not supported on IBM MQ Managed File Transfer for IBM i.

FIPS is not supported on connections to or from a protocol bridge or a Connect:Direct® bridge.

For more information about IBM MQ and FIPS and the configuration steps required, see Federal Information Processing Standards (FIPS).

If you want to use FIPS, the CipherSuite must be FIPS-compliant or the connection fails. For more information about the CipherSpecs supported by IBM MQ, see SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java and SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS.
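
The following added example (not IBM code) audits one of the three properties files named above for the settings this page depends on: the FIPS switch, a configured cipher, and a JKS or PKCS#12 store type. The property suffixes (FipsRequired, CipherSpec, CipherSuite, KeyStoreType, TrustStoreType) and the defaults of false and jks are assumptions taken from the SSL properties reference rather than from this page, and the sample file contents are constructed.

```python
# Added example: audit an MFT properties file for its FIPS-related SSL settings.
# Assumed (not on this page): the property suffixes and the jks / false defaults.
PREFIX_BY_FILE = {
    "agent.properties": "agentSsl",
    "coordination.properties": "coordinationSsl",
    "command.properties": "connectionSsl",
}
SUPPORTED_STORE_TYPES = {"jks", "pkcs12"}  # the page: JKS and PKCS#12 only

def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def audit_fips(file_name, text):
    """Return findings; an empty list means the FIPS settings are consistent."""
    prefix = PREFIX_BY_FILE[file_name]
    props = parse_properties(text)
    findings = []
    if props.get(prefix + "FipsRequired", "false").lower() != "true":
        findings.append(prefix + "FipsRequired is not true")
    # Only presence is checked; whether the cipher is FIPS-compliant is not.
    if not (props.get(prefix + "CipherSpec") or props.get(prefix + "CipherSuite")):
        findings.append("no " + prefix + "CipherSpec or CipherSuite is set")
    for store in ("KeyStoreType", "TrustStoreType"):
        value = props.get(prefix + store, "jks").lower()
        if value not in SUPPORTED_STORE_TYPES:
            findings.append(prefix + store + "=" + value + " is not jks or pkcs12")
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE_WEAK = """
# agent.properties (constructed)
agentSslCipherSpec=TLS_RSA_WITH_AES_128_CBC_SHA256
agentSslTrustStore=/var/mqm/mft/trust.jceks
agentSslTrustStoreType=jceks
"""
SAMPLE_FIPS = SAMPLE_WEAK.replace("jceks", "jks") + "agentSslFipsRequired=true\n"
if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("fips", SAMPLE_FIPS)):
        print(label, audit_fips("agent.properties", text))
```

The check confirms only that a cipher is configured; compare the configured value against the FIPS-compliant CipherSpecs listed in the IBM MQ references cited above.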