FIPS support in MFT

Managed File Transfer supports the use of FIPS-compliant cryptography modules in client connections from agents, commands, and the IBM® MQ Explorer to queue managers. All SSL connections to the queue manager use the TLS protocol only. Support is provided for JKS and PKCS#12 keystore types.

Note: On AIX®, Linux®, and Windows, IBM MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.
Specify whether you want to enable FIPS support for an agent, a coordination queue manager, or a command queue manager as follows:
  • If you want to enable FIPS for a specific agent, set the appropriate agentSsl properties in the agent.properties file for that agent. For more information, see SSL/TLS properties for MFT.
  • If you want to enable FIPS for a specific coordination queue manager, set the appropriate coordinationSsl properties in the coordination.properties file for that coordination queue manager. For more information, see SSL/TLS properties for MFT.
  • If you want to enable FIPS for a specific command queue manager, set the appropriate connectionSsl properties in the command.properties file for that command queue manager. For more information, see SSL/TLS properties for MFT.

[IBM i]FIPS is not supported on Managed File Transfer for [IBM i] IBM i.

FIPS is not supported on connections to or from a protocol bridge or a Connect:Direct® bridge.

For more information about IBM MQ and FIPS and the configuration steps required, see Federal Information Processing Standards (FIPS).

If you want to use FIPS, the CipherSuite must be FIPS-compliant or the connection fails. For more information about the CipherSpecs supported by IBM MQ, see SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java and SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS.