SSLFIPSRequired (MQLONG)
![[AIX, Linux, Windows]](../common/../refdev/ngalw.gif)
On AIX®, Linux® s390x, and Windows,
IBM® MQ provides FIPS 140-2 compliance through the GSKit 8
IBM Crypto for C (ICC) cryptographic module. The certificate for
this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC)
certificate and be aware of any advice provided by NIST. ![[MQ 9.4.4 Oct 2025]](../common/../refdev/ng944.gif)
![[Linux]](../common/../refdev/nglinux.gif)
From
IBM MQ 9.4.4, on Linux for x86-64 and Linux on Power® Systems - Little Endian, IBM MQ
provides FIPS 140-3 compliance through the GSKit 9
IBM Crypto for C (ICC) cryptographic module. The NIST certification
associated with the FIPS 140-3 module can be viewed at
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.![[MQ 9.4.5 Feb 2026]](../common/../refdev/ng945.gif)
![[AIX]](../common/../refdev/ngaix.gif)
From IBM MQ 9.4.5 on AIX,
GSKit has been updated to version 9. GSKit 9 increases the standard for FIPS compliance from FIPS 140-2 to FIPS 140-3. IBM MQ
provides FIPS 140-3 compliance through the IBM Crypto for C (ICC) cryptographic module (64 bit only). Note: Other platforms such as Windows and Linux s390x remain at GSKit 8 and FIPS 140-2 level.![[MQ 9.4.2 Feb 2025]](../common/../refdev/ng942.gif)
The FIPS 140-3 cryptographic
module within IBM Semeru Runtime was approved by NIST in
August 2024. IBM MQ 9.4.2 adds support for the handling of
IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the
FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. The FIPS 140-2
provider is still the default profile. IBM MQ 9.4.2 does not
change the default behavior but does allow you to configure connections with FIPS 140-3.- For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based
on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently
pending.If FIPS is enabled, IBM MQ in Container control processes use a FIPS 140-3 Certified OpenSSL Module. Details of the NIST
certification can be viewed at: https://access.redhat.com/compliance/fips. IBM MQ queue managers running in container images have the same FIPS certification level as the base image platform
version of IBM MQ.
This lets you specify that only FIPS certified algorithms are to be used if the cryptography is executed in IBM MQ, rather than in cryptographic hardware. If cryptographic hardware is configured, the cryptography modules used are those modules provided by the hardware product; these modules might or might not be FIPS certified to a particular level depending on the hardware product in use.
- MQSSL_FIPS_NO
- Use any CipherSpec supported on the platform in use. This value is the default value.
- MQSSL_FIPS_YES
![[MQ 9.4.4 Oct 2025]](ng944.gif)
Use
a FIPS certified cryptographic library and algorithms for all cryptographic functionality including
TLS, AMS, Password protection and JWT verification.![[Long Term Support]](nglts.gif)
Use only FIPS certified
cryptographic algorithms in the CipherSpecs allowed on all TLS connections from and to this queue
manager.
This parameter is valid only on z/OS®, AIX, Linux, and Windows platforms.
To determine the value of this attribute, use the MQIA_SSL_FIPS_REQUIRED selector with the MQINQ call.