FIPS support in MFT

Managed File Transfer supports the use of FIPS-compliant cryptography modules in client connections to queue managers from agents, from commands, and for coordination. All SSL connections to the queue manager use the TLS protocol only.

To enable FIPS support for an agent, a coordination queue manager, a command queue manager, or a logger, set the corresponding SslFipsRequired property to true:
  • To enable FIPS support for an agent, set agentSslFipsRequired to TRUE in the agent.properties file for that agent. For more information, see The MFT agent.properties file.
  • To enable FIPS support for a coordination queue manager, set coordinationSslFipsRequired to TRUE in the coordination.properties file for that coordination queue manager. For more information, see The MFT coordination.properties file.
  • To enable FIPS support for a command queue manager, set connectionSslFipsRequired to TRUE in the command.properties file for that command queue manager. For more information, see The MFT command.properties file.
  • To enable FIPS support at the level of the logger, set wmqfte.Ssl.FipsRequired to TRUE in the logger.properties file for that logger. For more information, see The MFT logger.properties file.

Based on the setting of the SslFipsRequired properties, MFT dynamically identifies the FIPS provider and initializes it during an SSL connection.

[MQ 9.4.4 Oct 2025] From IBM® MQ 9.4.4, MFT uses FIPS 140-3. When you use this version of Federal Information Processing Standards, MFT sets the following Java system properties when initializing TLS connections to a queue manager from agents and loggers:
-Dsemeru.fips=true
-Dsemeru.customprofile=OpenJCEPlusFIPS
[MQ 9.4.4 Oct 2025] For MFT commands that need to connect to a queue manager that uses FIPS 140-3, ensure that the Java system properties -Dsemeru.fips=true and -Dsemeru.customprofile=OpenJCEPlusFIPS are set in the BFG_JVM_PROPERTIES environment variable, in addition to other specified properties, before you run the command. For example, to set the properties on Linux® or AIX®, define the variable as follows:
export BFG_JVM_PROPERTIES="-Dsemeru.fips=true -Dsemeru.customprofile=OpenJCEPlusFIPS"
For more information about setting BFG_JVM_PROPERTIES, see Java system properties for MFT.
Note:
  • [IBM i] FIPS is not supported on Managed File Transfer for IBM i.
  • FIPS is not supported on connections to or from a protocol bridge or a Connect:Direct® bridge.
  • [MQ 9.4.4 Oct 2025] From IBM MQ 9.4.4, FIPS is not supported for MFT agents, loggers, and commands running on Linux s390.
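
A configuration check for the settings listed above, as an added example that is not IBM's or the product's own code: it reads each of the four properties files named on this page, reports whether the matching SslFipsRequired property is true, and verifies that both semeru properties appear in BFG_JVM_PROPERTIES. The function names are hypothetical, the file paths are supplied by the caller, and comparing the value case-insensitively is an assumption.

```shell
#!/bin/sh
# Added example (not IBM code): audit MFT properties files for the FIPS settings.

# Map a properties file name to the FIPS property the page names for it.
fips_key_for() {
    case "$(basename "$1")" in
        agent.properties)        echo agentSslFipsRequired ;;
        coordination.properties) echo coordinationSslFipsRequired ;;
        command.properties)      echo connectionSslFipsRequired ;;
        logger.properties)       echo wmqfte.Ssl.FipsRequired ;;
        *) return 1 ;;
    esac
}

# Print ENABLED, DISABLED, MISSING or UNKNOWN_FILE; exit status 0 only for ENABLED.
check_fips_file() {
    key=$(fips_key_for "$1") || { echo UNKNOWN_FILE; return 2; }
    # Skip comment lines; the last definition wins, as in java.util.Properties.
    # Assumption: the value is compared case-insensitively (page shows true and TRUE).
    value=$(awk -v k="$key" '
        /^[ \t]*[#!]/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          if (index(line, k) != 1) next
          rest = substr(line, length(k) + 1)
          if (rest !~ /^[ \t]*[=:]/) next       # longer key that shares the prefix
          sub(/^[ \t]*[=:][ \t]*/, "", rest); sub(/[ \t\r]+$/, "", rest)
          v = tolower(rest) }
        END { print v }' "$1")
    case "$value" in
        true) echo ENABLED ;;
        "")   echo MISSING; return 1 ;;
        *)    echo DISABLED; return 1 ;;
    esac
}

# Check that both FIPS 140-3 JVM properties are present as whole tokens.
check_jvm_props() {
    props=${1-$BFG_JVM_PROPERTIES}
    for want in -Dsemeru.fips=true -Dsemeru.customprofile=OpenJCEPlusFIPS; do
        case " $props " in
            *" $want "*) ;;
            *) echo "missing $want"; return 1 ;;
        esac
    done
    echo OK
}

# Report on every properties file passed on the command line.
for f in "$@"; do printf '%s: %s\n' "$f" "$(check_fips_file "$f")"; done
```

Run check_jvm_props with no argument in the shell that will launch the MFT command to check the exported BFG_JVM_PROPERTIES value.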

For more information about IBM MQ and FIPS and the configuration steps required, see Configuring SSL or TLS encryption for MFT.

For more information, see SSL/TLS properties for MFT.

If you want to use FIPS, the CipherSuite must be FIPS-compliant or the connection fails. For more information about the CipherSpecs supported by IBM MQ, see Enabling CipherSpecs.