SSLFIPSRequired (MQLONG)

Notes:
  • [AIX, Linux, Windows][MQ 10.0.0 Jun 2026][MQ 10.0.0 Jun 2026]On AIX®, Linux®, and Windows, IBM® MQ provides FIPS 140-3 compliance through the GSKit 9 IBM Crypto for C (ICC) cryptographic module. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.
  • [MQ 10.0.0 Jun 2026][MQ 10.0.0 Jun 2026]FIPS support is currently not available for Linux s390x. Customers on this platform who require FIPS support should remain at a previous version of IBM MQ. Support for FIPS 140-3 will be enabled in a future FixPack once the IBM Crypto for C (ICC) cryptographic module has received its certification on this platform.
  • [MQ 10.0.0 Jun 2026]The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 10.0.0 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.
  • For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending.

    [MQ 10.0.0 Jun 2026]If FIPS is enabled, IBM MQ in Container control processes use a FIPS 140-3 Certified OpenSSL Module. Details of the NIST certification can be viewed at: https://access.redhat.com/compliance/fips. IBM MQ queue managers running in container images have the same FIPS certification level as the base image platform version of IBM MQ.

This lets you specify that only FIPS certified algorithms are to be used if the cryptography is executed in IBM MQ, rather than in cryptographic hardware. If cryptographic hardware is configured, the cryptography modules used are those modules provided by the hardware product; these modules might or might not be FIPS certified to a particular level depending on the hardware product in use.

The value is one of the following values:
MQSSL_FIPS_NO
Use any CipherSpec supported on the platform in use. This value is the default value.
MQSSL_FIPS_YES
[MQ 10.0.0 Jun 2026]Use a FIPS certified cryptographic library and algorithms for all cryptographic functionality including TLS, AMS, Password protection and JWT verification.
[Long Term Support]Use only FIPS certified cryptographic algorithms in the CipherSpecs allowed on all TLS connections from and to this queue manager.

This parameter is valid only on z/OS®, AIX, Linux, and Windows platforms.

To determine the value of this attribute, use the MQIA_SSL_FIPS_REQUIRED selector with the MQINQ call.