Quantum Safe IBM MQ in Containers

Information about Quantum Safe support for IBM® MQ in containers and the IBM MQ Operator.

Overview

When you deploy IBM MQ in containers by using the IBM MQ Operator, several endpoints that use TLS communications can benefit from quantum safe protection. Use the information in this topic to configure quantum safe TLS for these container-specific endpoints.

For information about securing the queue manager itself and messages, see Quantum Safe IBM MQ.

Prerequisites

The following versions are required to use quantum safe features in containers:

  • IBM MQ 10.0.0.0 or later
  • IBM MQ Operator 4.0.0 or later

Quantum Safe endpoints in IBM MQ containers

The following endpoints in IBM MQ container deployments support quantum safe TLS:

  • The IBM MQ container metrics server
  • The IBM MQ Operator webhook

The following quantum safe key exchange algorithms are accepted:

  • X25519MLKEM768
  • SecP256r1MLKEM768
  • SecP384r1MLKEM1024

The following endpoints do not currently support quantum safe TLS:

  • IBM MQ web console
  • IBM Instana® agent connections

Configuring quantum safe TLS for the metrics server

The IBM MQ metrics server supports, but does not by default require, quantum safe TLS key exchange algorithms when it serves metrics over HTTPS. Quantum safe key exchanges are enabled by default, so clients can negotiate their use, but the metrics server still accepts connections from clients that do not support quantum safe algorithms unless it is explicitly configured otherwise.

Platform requirements

To use quantum safe TLS with the metrics server on Red Hat® OpenShift®, you must have Red Hat OpenShift Container Platform 4.21 or later. This version includes Prometheus 3.7.3, which supports quantum safe TLS.

Configuration

To use quantum safe TLS, you must serve metrics through HTTPS. For more information about configuring HTTPS for metrics, see Monitoring when using the IBM MQ Operator.

Require quantum safe TLS for metrics

When HTTPS is enabled, the metrics server supports quantum safe key exchanges but falls back to traditional key exchanges if the client does not support quantum safe algorithms. To enforce quantum safe TLS and reject connections that do not use quantum safe key exchanges, set the MQ_METRICS_REQUIRE_QUANTUM_SAFE environment variable to true.

Example: Configuring required quantum safe TLS for metrics

The following example shows how to configure a queue manager to require quantum safe TLS for the metrics server. Set the license.accept field to true only if you accept the license; the license identifier in this example is for IBM MQ Advanced:

apiVersion: mq.ibm.com/v1beta1
kind: QueueManager
metadata:
  name: qm-quantum-safe-metrics
spec:
  version: 10.0.0.0-r1
  license:
    accept: true
    license: L-CXDB-XTZ9J8
    use: Production
  queueManager:
    env:
    - name: MQ_METRICS_REQUIRE_QUANTUM_SAFE
      value: "true"

When MQ_METRICS_REQUIRE_QUANTUM_SAFE is set to true, the metrics server rejects any TLS connection that does not support quantum safe key exchanges.
Verifying quantum safe configuration

When you configure the metrics server to require quantum safe key exchanges, the following message is logged:

2026-05-20T11:38:57.644Z Metrics server configured to require quantum-safe key exchange

You can verify this message by examining the queue manager pod logs.

Configuring quantum safe TLS for the IBM MQ Operator webhook

The IBM MQ Operator webhook supports quantum safe TLS key exchange algorithms when it communicates with the Kubernetes API server. Quantum safe key exchanges are enabled by default for the operator webhook.

Platform requirements

On Red Hat OpenShift, the API server supports quantum safe TLS from OpenShift Container Platform 4.20 or later.

Configuration

No additional configuration is required to enable quantum safe support for the operator webhook. The webhook automatically negotiates quantum safe key exchanges with the API server when both support them.