Federal Information Processing Standards (FIPS) for UNIX, Linux, and Windows

When cryptography is required on an SSL or TLS channel on Windows, UNIX and Linux® systems, WebSphere® MQ uses a cryptography package called IBM® Crypto for C (ICC). On the Windows, UNIX and Linux platforms, the ICC software has passed the Federal Information Processing Standards (FIPS) Cryptomodule Validation Program of the US National Institute of Standards and Technology, at level 140-2.

The FIPS 140-2 compliance of a WebSphere MQ SSL or TLS connection on Windows, UNIX and Linux systems is as follows:
  • For all IBM WebSphere MQ message channels (except CLNTCONN channel types), the connection is FIPS-compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • The queue manager's SSLFIPS attribute has been set to YES.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
  • For all IBM WebSphere MQ MQI client applications, the connection uses GSKit and is FIPS-compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the MQI client.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
  • For IBM WebSphere MQ classes for Java applications using client mode, the connection uses the JRE's SSL and TLS implementations and is FIPS-compliant if the following conditions are met:
    • The Java Runtime Environment used to run the application is FIPS-compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the Java client.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
  • For IBM WebSphere MQ classes for JMS applications using client mode, the connection uses the JRE's SSL and TLS implementations and is FIPS-compliant if the following conditions are met:
    • The Java Runtime Environment used to run the application is FIPS-compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the JMS client.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
  • For unmanaged .NET client applications, the connection uses GSKit and is FIPS-compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the .NET client.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
  • For unmanaged XMS .NET client applications, the connection uses GSKit and is FIPS-compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS-certified cryptography is to be used, as described in the XMS .NET documentation.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
All supported AIX®, Linux, HP-UX, Solaris, Windows, and z/OS® platforms are FIPS 140-2 certified except as noted in the readme file included with each fix pack or refresh pack.

For SSL and TLS connections using GSKit, the component which is FIPS 140-2 certified is named ICC. It is the version of this component which determines GSKit FIPS compliance on any given platform. To determine the ICC version currently installed, run the dspmqver -p 64 -v command.

Here is an example extract of the dspmqver -p 64 -v output relating to ICC:
  ICC
 ============
@(#)CompanyName:      IBM Corporation
@(#)LegalTrademarks:  IBM
@(#)FileDescription:  IBM Crypto for C-language
@(#)FileVersion:      8.0.0.0
@(#)LegalCopyright:   Licensed Materials - Property of IBM
@(#)                  ICC
@(#)                  (C) Copyright IBM Corp. 2002, 2024.
@(#)                  All Rights Reserved. US Government Users
@(#)                  Restricted Rights - Use, duplication or disclosure
@(#)                  restricted by GSA ADP Schedule Contract with IBM Corp.
@(#)ProductName:      icc_8.0 (GoldCoast Build) 100415
@(#)ProductVersion:   8.0.0.0
@(#)ProductInfo:      10/04/15.03:32:19.10/04/15.18:41:51
@(#)CMVCInfo:         

The NIST certification statement for GSKit ICC 8 (included in GSKit 8) can be found at the following address: Cryptographic Module Validation Program.
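The following Python sketch is an added example, not IBM code. It pulls the ICC fields out of saved dspmqver -p 64 -v output and compares FileVersion with a version you supply from the certification statement or fix pack readme. The function names, the "OtherComponent" section and the "0.0.0.0" value are constructed placeholders.

```python
import re

RULE = re.compile(r"^\s*=+\s*$")               # the ===== line under a heading
FIELD = re.compile(r"^@\(#\)(\w+):\s*(.*)$")   # @(#)Key:   value
CONT = re.compile(r"^@\(#\)\s+(\S.*)$")        # @(#)      continuation text

def icc_fields(text):
    """Return the @(#) fields of the ICC section of `dspmqver -p 64 -v` output."""
    lines = text.splitlines()
    fields, section, last = {}, None, None
    for i, line in enumerate(lines):
        following = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and not RULE.match(line) and RULE.match(following):
            section, last = line.strip(), None   # a new component heading
            continue
        if section != "ICC":
            continue                             # ignore other components
        if m := FIELD.match(line):
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and (c := CONT.match(line)):   # wrapped value, e.g. copyright
            fields[last] = (fields[last] + " " + c.group(1).strip()).strip()
    return fields

def icc_version_matches(text, validated_version):
    """True only if the installed ICC FileVersion equals the validated one."""
    installed = icc_fields(text).get("FileVersion")
    return installed is not None and installed == validated_version

# Constructed sample: the ICC lines follow the extract on this page; the
# "OtherComponent" section is invented to show that its fields are ignored.
SAMPLE = """\
  OtherComponent
 ============
@(#)FileVersion:      1.2.3.4
  ICC
 ============
@(#)CompanyName:      IBM Corporation
@(#)FileVersion:      8.0.0.0
@(#)LegalCopyright:   Licensed Materials - Property of IBM
@(#)                  ICC
@(#)ProductName:      icc_8.0 (GoldCoast Build) 100415
@(#)CMVCInfo:
"""

if __name__ == "__main__":
    print(icc_fields(SAMPLE))
    # "0.0.0.0" is a placeholder; take the real value from the NIST certificate.
    print(icc_version_matches(SAMPLE, "0.0.0.0"))
```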

If cryptographic hardware is present, the cryptographic modules used by IBM WebSphere MQ can be configured to be those provided by the hardware manufacturer. If this is done, the configuration is only FIPS-compliant if those cryptographic modules are FIPS-certified.

Note: 32-bit Solaris x86 SSL and TLS clients configured for FIPS 140-2 compliant operation fail when running on Intel systems. This failure occurs because the FIPS 140-2 compliant GSKit-Crypto Solaris x86 32-bit library file does not load on the Intel chipset. On affected systems, error AMQ9655 is reported in the client error log. To resolve this issue, disable FIPS 140-2 compliance or recompile the client application as a 64-bit application, because 64-bit code is not affected.

Triple DES restrictions enforced when operating in compliance with FIPS 140-2

When WebSphere MQ is configured to operate in compliance with FIPS 140-2, additional restrictions are enforced in relation to Triple DES (3DES) CipherSpecs. These restrictions enable compliance with the US NIST SP800-67 recommendation.
  1. All parts of the Triple DES key must be unique.
  2. No part of the Triple DES key can be a Weak, Semi-Weak, or Possibly-Weak key according to the definitions in NIST SP800-67.
  3. No more than 32 GB of data can be transmitted over the connection before a secret key reset must occur. By default, WebSphere MQ does not reset the secret session key so this reset must be configured. Failure to enable secret key reset when using a Triple DES CipherSpec and FIPS 140-2 compliance results in the connection closing with error AMQ9288 after the maximum byte count is exceeded. For information about how to configure secret key reset, see Resetting SSL and TLS secret keys.
WebSphere MQ generates Triple DES session keys which already comply with rules 1 and 2. However, to satisfy the third restriction you must enable secret key reset when using Triple DES CipherSpecs in a FIPS 140-2 configuration. Alternatively, you can avoid using Triple DES.
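The third restriction can be audited from saved runmqsc DISPLAY output. The following Python sketch is an added example, not IBM code. It lists channels that use a Triple DES CipherSpec on a queue manager with SSLFIPS(YES) and no secret key reset. The SSLRKEYC (key reset count) and SSLCIPH attribute names are not given on this page, and the sample output and the name-matching heuristic are constructed assumptions.

```python
import re

ATTR = re.compile(r"([A-Z]+)\(([^()]*)\)")   # KEYWORD(value) pairs in MQSC output

def parse_mqsc(text):
    """One attribute dict per AMQ response block of runmqsc DISPLAY output."""
    blocks = []
    for line in text.splitlines():
        if line.startswith("AMQ"):            # each response starts with a message ID
            blocks.append({})
        elif blocks:
            blocks[-1].update(ATTR.findall(line))
    return blocks

def is_triple_des(cipherspec):
    # Assumption: Triple DES CipherSpec names contain "3DES" or "TRIPLE_DES".
    name = cipherspec.upper()
    return "3DES" in name or "TRIPLE_DES" in name

def channels_needing_key_reset(text):
    """Channels at risk of AMQ9288: FIPS on, Triple DES, key reset disabled."""
    blocks = parse_mqsc(text)
    qmgr = next((b for b in blocks if "QMNAME" in b), {})
    fips_on = qmgr.get("SSLFIPS") == "YES"
    reset_bytes = int(qmgr.get("SSLRKEYC") or 0)   # 0 means the key is never reset
    if not fips_on or reset_bytes > 0:
        return []
    return [b["CHANNEL"] for b in blocks
            if "CHANNEL" in b and is_triple_des(b.get("SSLCIPH", ""))]

# Constructed sample of DISPLAY QMGR and DISPLAY CHANNEL output.
SAMPLE = """\
AMQ8408: Display Queue Manager details.
   QMNAME(QM1)                             SSLFIPS(YES)
   SSLRKEYC(0)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM3)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
"""

if __name__ == "__main__":
    for name in channels_needing_key_reset(SAMPLE):
        print(f"{name}: Triple DES with SSLFIPS(YES) and no secret key reset")
```

This check covers queue manager channels only; key reset for client connections is configured on the client side.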