[AIX, Linux, Windows]

Federal Information Processing Standards (FIPS) for AIX, Linux, and Windows

When cryptography is required on an SSL/TLS channel on AIX®, Linux®, and Windows systems, IBM® MQ uses a cryptography package called IBM Crypto for C (ICC). On the AIX, Linux, and Windows platforms, the ICC software has been validated under the Cryptographic Module Validation Program (CMVP) that the US National Institute of Standards and Technology (NIST) runs for the Federal Information Processing Standards (FIPS) 140 series.

Notes:
  • [AIX, Linux, Windows]On AIX, Linux s390x, and Windows, IBM MQ provides FIPS 140-2 compliance through the GSKit 8 IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST.
  • [MQ 9.4.4 Oct 2025][Linux]From IBM MQ 9.4.4, on Linux for x86-64 and Linux on Power® Systems - Little Endian, IBM MQ provides FIPS 140-3 compliance through the GSKit 9 IBM Crypto for C (ICC) cryptographic module. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.
  • [MQ 9.4.5 Feb 2026][AIX]From IBM MQ 9.4.5 on AIX, GSKit has been updated to version 9. GSKit 9 increases the standard for FIPS compliance from FIPS 140-2 to FIPS 140-3. IBM MQ provides FIPS 140-3 compliance through the IBM Crypto for C (ICC) cryptographic module (64 bit only).
    Note: Other platforms such as Windows and Linux s390x remain at GSKit 8 and FIPS 140-2 level.
  • [MQ 9.4.2 Feb 2025]The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 9.4.2 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. The FIPS 140-2 provider is still the default profile. IBM MQ 9.4.2 does not change the default behavior but does allow you to configure connections with FIPS 140-3.
  • For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending.

    [MQ 9.4.4 Oct 2025]If FIPS is enabled, IBM MQ in Container control processes use a FIPS 140-3 Certified OpenSSL Module. Details of the NIST certification can be viewed at: https://access.redhat.com/compliance/fips. IBM MQ queue managers running in container images have the same FIPS certification level as the base image platform version of IBM MQ.

[MQ 9.4.4 Oct 2025]The FIPS compliance of an IBM MQ TLS connection on AIX, Linux, and Windows systems is as follows:
  • For all IBM MQ TLS enabled message channels (except CLNTCONN channel types), LDAP Secure communications, JWT validation, JWKS communication and AMS MCA channels, the cryptographic operations are FIPS compliant if the following conditions are met:
    • The installed IBM Global Security Kit (GSKit) ICC version has been certified FIPS 140-2 compliant (or FIPS 140-3 compliant, for the GSKit 9 ICC module described in the notes earlier in this topic) on the installed operating system version and hardware architecture.
    • The queue manager's SSLFIPS attribute has been set to YES.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file or, if the password was supplied through the queue manager's KEYRPWD attribute, the SSLFIPS attribute was already set to YES at the time that password was supplied.
  • For all IBM MQ MQI client applications and HTTPS CCDT, the connection uses GSKit and is FIPS compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the related topic for the MQI client.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file or, if the key repository password is stored encrypted, it was encrypted with the -sm flag.
  • For IBM MQ classes for Java applications using client mode, the connection uses the JRE TLS implementations and is FIPS compliant for FIPS 140-2 [MQ 9.4.2 Feb 2025] or FIPS 140-3 if the following conditions are met:
    • The Java Runtime Environment used to run the application is FIPS compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the related topic for the Java client.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
  • For IBM MQ classes for JMS applications using client mode, the connection uses the JRE TLS implementations and is FIPS compliant for FIPS 140-2 [MQ 9.4.2 Feb 2025] or FIPS 140-3 if the following conditions are met:
    • The Java Runtime Environment used to run the application is FIPS compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the related topic for the JMS client.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
  • For unmanaged .NET client applications, the connection uses GSKit and is FIPS compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the related topic for the .NET client.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file or, if the key repository password is stored encrypted, it was encrypted with the -sm flag.
  • For unmanaged XMS .NET client applications, the connection uses GSKit and is FIPS compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the XMS .NET documentation.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file or, if the key repository password is stored encrypted, it was encrypted with the -sm flag.
  • For IBM MQ Advanced Message Security (AMS) applications, the connection uses a FIPS compliant cryptographic library and algorithms if the following conditions are met:
    • The installed cryptographic library version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file or, if the key repository password is stored encrypted, it was encrypted with the -sm flag.
    • The .fips option is set to yes for the relevant AMS configuration prefix.
[Long Term Support]The FIPS compliance of an IBM MQ TLS connection on AIX, Linux, and Windows systems is as follows:
  • For all IBM MQ message channels (except CLNTCONN channel types), the connection is FIPS compliant if the following conditions are met:
    • The installed IBM Global Security Kit (GSKit) ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • The queue manager's SSLFIPS attribute has been set to YES.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file and not the queue manager's KEYRPWD attribute.
  • For all IBM MQ MQI client applications, the connection uses GSKit and is FIPS compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the related topic for the MQI client.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file and not the key repository password mechanism.
  • For IBM MQ classes for Java applications using client mode, the connection uses the JRE TLS implementations and is FIPS compliant for FIPS 140-2 [MQ 9.4.2 Feb 2025] or FIPS 140-3 if the following conditions are met:
    • The Java Runtime Environment used to run the application is FIPS compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the related topic for the Java client.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
  • For IBM MQ classes for JMS applications using client mode, the connection uses the JRE TLS implementations and is FIPS compliant for FIPS 140-2 [MQ 9.4.2 Feb 2025] or FIPS 140-3 if the following conditions are met:
    • The Java Runtime Environment used to run the application is FIPS compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the related topic for the JMS client.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
  • For unmanaged .NET client applications, the connection uses GSKit and is FIPS compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the related topic for the .NET client.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file and not the key repository password mechanism.
  • For unmanaged XMS .NET client applications, the connection uses GSKit and is FIPS compliant if the following conditions are met:
    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • You have specified that only FIPS certified cryptography is to be used, as described in the XMS .NET documentation.
    • All key repositories have been created and manipulated using only FIPS compliant software, such as runmqakm with the -fips option.
    • Access to all key repositories is provided using a stash file and not the key repository password mechanism.
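
The queue manager conditions above (the same four appear in both the Continuous Delivery and the Long Term Support lists) gathered into one script: a FIPS-mode key repository created with runmqakm -fips and a stash file, SSLFIPS(YES) on the queue manager, and two checks that read dspmqver and DISPLAY QMGR output. This is an added example and not IBM code. It assumes a queue manager named QM1, a key repository under that queue manager's ssl directory, and that runmqakm, runmqsc and dspmqver are on the PATH; the constructed dspmqver sample inside it is copied from the extract shown later in this topic so the version check can be exercised without an installation.

```sh
#!/bin/sh
# Added example (not IBM code): prepare and check a FIPS-mode queue manager on
# AIX or Linux, following the queue manager conditions listed on this page.
# Assumed names: queue manager QM1 and a key repository under its ssl directory.

QMGR="${QMGR:-QM1}"
KEYDIR="${KEYDIR:-/var/mqm/qmgrs/$QMGR/ssl}"

# Condition: key repositories created and manipulated only with FIPS-compliant
# software. runmqakm -fips does that; -stash writes key.sth so the queue manager
# needs neither KEYRPWD nor an interactive password.
create_fips_keydb() {
    runmqakm -keydb -create -db "$KEYDIR/key.kdb" -pw "$1" -type cms -stash -fips
    # Self-signed certificate for a test system; the label follows the default
    # ibmwebspheremq<queue manager name in lower case> convention.
    runmqakm -cert -create -db "$KEYDIR/key.kdb" -stashed -fips \
        -label "ibmwebspheremq$(printf '%s' "$QMGR" | tr 'A-Z' 'a-z')" \
        -dn "CN=$QMGR,O=Example" -size 2048 -sig_alg SHA256WithRSA
}

# Condition: SSLFIPS(YES) on the queue manager. SSLKEYR names the repository
# without its .kdb suffix; REFRESH SECURITY makes the change effective.
enable_qmgr_fips() {
    printf 'ALTER QMGR SSLFIPS(YES) SSLKEYR(%s)\nREFRESH SECURITY TYPE(SSL)\n' \
        "$KEYDIR/key" | runmqsc "$QMGR"
}

# Condition: the installed ICC is a certified version. Reads 'dspmqver -p 64 -v'
# output on stdin and maps the ICC FileVersion to the FIPS standard this page
# associates with it: ICC 8 (GSKit 8) -> FIPS 140-2, ICC 9 (GSKit 9) -> FIPS 140-3.
icc_fips_level() {
    ver=$(awk '/^ICC *$/ { in_icc = 1 }
               in_icc && /FileVersion:/ { print $2; exit }')
    case "$ver" in
        8.*) echo "FIPS 140-2 (ICC $ver)" ;;
        9.*) echo "FIPS 140-3 (ICC $ver)" ;;
        *)   echo "unrecognised ICC version '$ver'" >&2; return 1 ;;
    esac
}

# Conditions: SSLFIPS(YES) and stash-file access. Reads 'DISPLAY QMGR SSLFIPS
# SSLKEYR' output from runmqsc on stdin and checks that the stash file exists
# beside the repository. (The KEYRPWD alternative from this page cannot be
# checked here because DISPLAY QMGR does not reveal the stored password.)
check_qmgr_fips() {
    out=$(cat)
    case "$out" in
        *"SSLFIPS(YES)"*) ;;
        *) echo "SSLFIPS is not YES" >&2; return 1 ;;
    esac
    keyr=$(printf '%s\n' "$out" | sed -n 's/.*SSLKEYR(\([^)]*\)).*/\1/p' | head -n 1)
    [ -n "$keyr" ] || { echo "SSLKEYR is not set" >&2; return 1; }
    [ -f "$keyr.kdb" ] || { echo "no key database $keyr.kdb" >&2; return 1; }
    [ -f "$keyr.sth" ] || { echo "no stash file $keyr.sth" >&2; return 1; }
    echo "ok: $keyr"
}

# Constructed sample, copied from the dspmqver extract on this page, so the
# version check can be exercised without an MQ installation.
SAMPLE_DSPMQVER='ICC
============
@(#)CompanyName:   IBM Corporation
@(#)FileDescription: IBM Crypto for C-language
@(#)FileVersion:   8.0.0.0
@(#)ProductName:   icc_8.0 (GoldCoast Build) 100415'

# "sh fips-qmgr.sh setup <password>" creates the repository and enables FIPS;
# "sh fips-qmgr.sh check" runs the two checks against the live installation.
case "${1:-}" in
    setup) create_fips_keydb "$2"; enable_qmgr_fips ;;
    check) dspmqver -p 64 -v | icc_fips_level
           printf 'DISPLAY QMGR SSLFIPS SSLKEYR\n' | runmqsc "$QMGR" | check_qmgr_fips ;;
esac
```

The version mapping only tells you which standard the module generation targets; whether the certificate for that exact ICC build is Active or Historical still has to be read from the NIST CMVP entry, as the notes at the top of this topic say.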

All supported platforms are FIPS 140-2 [MQ 9.4.2 Feb 2025] or FIPS 140-3 certified except as noted in the readme file included with each fix pack or refresh pack.

For TLS connections using GSKit, the component that holds the FIPS 140-2 (or, for GSKit 9, FIPS 140-3) certificate is named ICC. It is the version of this component that determines GSKit FIPS compliance on any given platform. To determine the ICC version currently installed, run the dspmqver -p 64 -v command.

Here is an example extract of the dspmqver -p 64 -v output relating to ICC:
ICC
============
@(#)CompanyName:   IBM Corporation
@(#)LegalTrademarks: IBM
@(#)FileDescription: IBM Crypto for C-language
@(#)FileVersion:   8.0.0.0
@(#)LegalCopyright:  Licensed Materials - Property of IBM
@(#)         ICC
@(#)         (C) Copyright IBM Corp. 2002, 2026.
@(#)         All Rights Reserved. US Government Users
@(#)         Restricted Rights - Use, duplication or disclosure
@(#)         restricted by GSA ADP Schedule Contract with IBM Corp.
@(#)ProductName:   icc_8.0 (GoldCoast Build) 100415
@(#)ProductVersion:  8.0.0.0
@(#)ProductInfo:   10/04/15.03:32:19.10/04/15.18:41:51
@(#)CMVCInfo:

The NIST certification statement for GSKit ICC 8 (included in GSKit 8) can be found at the following address: Cryptographic Module Validation Program.

If cryptographic hardware is present, the cryptographic modules used by IBM MQ can be configured to be those provided by the hardware manufacturer. If this is done, the configuration is only FIPS compliant if those cryptographic modules are FIPS certified.

Triple DES restrictions enforced when operating in compliance with FIPS 140-2 or FIPS 140-3

When IBM MQ is configured to operate in compliance with FIPS 140-2 [MQ 9.4.2 Feb 2025] or FIPS 140-3, additional restrictions are enforced in relation to Triple DES (3DES) CipherSpecs. These restrictions enable compliance with the US NIST SP800-67 recommendation.
  1. All parts of the Triple DES key must be unique.
  2. No part of the Triple DES key can be a Weak, Semi-Weak, or Possibly-Weak key according to the definitions in NIST SP800-67.
  3. No more than 32 GB of data can be transmitted over the connection before a secret key reset must occur. By default, IBM MQ does not reset the secret session key so this reset must be configured. Failure to enable secret key reset when using a Triple DES CipherSpec and FIPS 140-2 [MQ 9.4.2 Feb 2025] or FIPS 140-3 compliance results in the connection closing with error AMQ9288 after the maximum byte count is exceeded. For information about how to configure secret key reset, see Resetting SSL and TLS secret keys.
IBM MQ generates Triple DES session keys which already comply with rules 1 and 2. However, to satisfy the third restriction you must enable secret key reset when using Triple DES CipherSpecs in a FIPS 140-2 [MQ 9.4.2 Feb 2025] or FIPS 140-3 configuration. Alternatively, you can avoid using Triple DES.
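
An added example, not IBM code, that covers the client side of the conditions listed earlier in this topic (FIPS-only cryptography and a FIPS-created key repository for an MQI client) together with the secret key reset this section requires for Triple DES CipherSpecs, on both the queue manager and the client. The mqclient.ini path, the client key repository path /var/mqm/ssl/client, and the 999 999 999 upper bound on the reset count are assumptions; the 32 GB figure is the one given above.

```sh
#!/bin/sh
# Added example (not IBM code): client-side FIPS settings plus the secret key
# reset that a Triple DES CipherSpec needs under FIPS 140-2 or FIPS 140-3.
# Assumed: the mqclient.ini path passed in, a client key repository at
# /var/mqm/ssl/client (created with runmqakm -fips and stashed), and a product
# limit of 999 999 999 on the reset count.

# SP 800-67 bound quoted on this page: 32 GB per connection before a reset.
SP800_67_LIMIT=34359738368
# Largest value accepted by SSLRKEYC / SSLKeyResetCount (assumed product limit).
MAX_RESET_COUNT=999999999

# A usable reset count is a positive integer within the product limit. 0 means
# "never reset", which is the IBM MQ default and is what closes a Triple DES
# channel with AMQ9288 once 32 GB have passed.
reset_count_ok() {
    case "$1" in
        ''|*[!0-9]*) echo "not a number: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -eq 0 ]; then echo "0 disables secret key reset" >&2; return 1; fi
    if [ "$1" -gt "$MAX_RESET_COUNT" ]; then echo "$1 exceeds $MAX_RESET_COUNT" >&2; return 1; fi
    # Every accepted value is far below the 32 GB ceiling, so one reset interval
    # can never reach the SP 800-67 limit.
    [ "$1" -lt "$SP800_67_LIMIT" ] || return 1
    echo "reset every $1 bytes"
}

# Writes the SSL stanza of an mqclient.ini: FIPS-only cryptography
# (SSLFipsRequired=YES), the FIPS-created key repository (path without .kdb,
# stash file beside it) and the reset count. Refuses a bad count before
# touching the file.
write_client_ini() {
    ini="$1"; reset="$2"; keyr="${3:-/var/mqm/ssl/client}"
    reset_count_ok "$reset" >/dev/null || return 1
    cat > "$ini" <<EOF
SSL:
   SSLFipsRequired=YES
   SSLKeyRepository=$keyr
   SSLKeyResetCount=$reset
EOF
}

# Queue manager side: SSLRKEYC applies to the channels the queue manager
# initiates, where it is the TLS client side of the conversation.
set_qmgr_reset() {
    reset_count_ok "$2" >/dev/null || return 1
    printf 'ALTER QMGR SSLRKEYC(%s)\n' "$2" | runmqsc "$1"
}

# Equivalent environment variables for an MQI client without an mqclient.ini.
client_env_for() {
    reset_count_ok "$1" >/dev/null || return 1
    printf 'export MQSSLFIPS=YES\nexport MQSSLKEYR=%s\nexport MQSSLRESET=%s\n' \
        "${2:-/var/mqm/ssl/client}" "$1"
}

# "sh fips-client.sh QM1 /var/mqm/mqclient.ini 104857600" applies both sides;
# with no arguments the script only defines the functions.
if [ $# -eq 3 ]; then
    set_qmgr_reset "$1" "$3"
    write_client_ini "$2" "$3"
    client_env_for "$3"
fi
```

Use a reset count well below the product limit rather than the limit itself: the reset is a TLS renegotiation, so a very small value costs a handshake every few kilobytes, while anything accepted by reset_count_ok already keeps a Triple DES connection inside the SP 800-67 bound.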