SSLFIPSREQUIRED

This property determines whether a TLS connection must use a CipherSuite that is supported by the IBM® Java Java Secure Socket Extension (JSSE) FIPS provider (IBMJSSEFIPS).

Notes:
  • [AIX, Linux, Windows][MQ 10.0.0 Jun 2026][MQ 10.0.0 Jun 2026]On AIX®, Linux®, and Windows, IBM MQ provides FIPS 140-3 compliance through the GSKit 9 IBM Crypto for C (ICC) cryptographic module. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.
  • [MQ 10.0.0 Jun 2026][MQ 10.0.0 Jun 2026]FIPS support is currently not available for Linux s390x. Customers on this platform who require FIPS support should remain at a previous version of IBM MQ. Support for FIPS 140-3 will be enabled in a future FixPack once the IBM Crypto for C (ICC) cryptographic module has received its certification on this platform.
  • [MQ 10.0.0 Jun 2026]The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 10.0.0 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.
  • For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending.

    [MQ 10.0.0 Jun 2026]If FIPS is enabled, IBM MQ in Container control processes use a FIPS 140-3 Certified OpenSSL Module. Details of the NIST certification can be viewed at: https://access.redhat.com/compliance/fips. IBM MQ queue managers running in container images have the same FIPS certification level as the base image platform version of IBM MQ.

[MQ 10.0.0 Jun 2026]From IBM MQ 10.0.0, the connection factory property SSLFIPSREQUIRED is not supported in IBM Semeru Runtime. It does not cause an error if it is included by client applications. A new JMSException is thrown if the property has been set but the IBM Semeru Runtime FIPS properties have not been set. This avoids the scenario of existing client applications moving to Java 11+ and expecting a FIPS connection.
Note: This does not affect existing clients using IBM Java 8, it affects only clients using IBM Semeru Runtime Java.

Applicable Objects

ConnectionFactory, QueueConnectionFactory, TopicConnectionFactory, XAConnectionFactory, XAQueueConnectionFactory, XATopicConnectionFactory

JMS administration tool long name: SSLFIPSREQUIRED

JMS administration tool short name: SFIPS

Programmatic access

Setters/getters

  • MQConnectionFactory.setSSLFipsRequired()
  • MQConnectionFactory.getSSLFipsRequired()

Values

NO
A TLS connection can use any CipherSuite that is not supported by the IBM Java JSSE FIPS provider (IBMJSSEFIPS).
This is the default value. In programs, use false.
YES
A TLS connection must use a CipherSuite that is supported by IBMJSSEFIPS.
In programs, use true.