Federal Information Processing Standards (FIPS) for z/OS
When cryptography is required on an SSL/TLS channel on z/OS®, IBM® MQ uses a service called System SSL. The objective of System SSL is to provide the capability to execute securely in a mode designed to adhere to the Federal Information Processing Standards (FIPS) Cryptomodule Validation Program of the US National Institute of Standards and Technology, at level 140-2.
To enable IBM MQ message channels for FIPS compliance, ensure the following conditions are met:
- System SSL Security Level 3 FMID is installed and configured (see Planning to install IBM MQ).
- System SSL modules are validated.
- The queue manager's SSLFIPS attribute has been set to YES.
When executing in FIPS mode, System SSL exploits CP Assist for Cryptographic Function (CPACF) when available. Cryptographic functions performed by ICSF-supported hardware when running in non-FIPS mode continue to be exploited when executing in FIPS mode, with the exception of RSA signature generation, which must be performed in software.
Algorithm | Non-FIPS key sizes | Non-FIPS hardware | FIPS key sizes | FIPS hardware |
---|---|---|---|---|
RC2 | 40 and 128 | | | |
RC4 | 40 and 128 | | | |
DES | 56 | x | | |
TDES | 168 | x | 168 | x |
AES | 128 and 256 | x | 128 and 256 | x |
MD5 | 48 | | | |
SHA-1 | 160 | x | 160 | x |
SHA-2 | 224, 256, 384 and 512 | x | 224, 256, 384 and 512 | x |
RSA | 512-4096 | x | 1024-4096 | x |
DSA | 512-1024 | | 1024 | |
DH | 512-2048 | | 2048 | |
For IBM MQ classes applications using client mode within WebSphere® Application Server, refer to Federal Information Processing Standard support.
For information on System SSL module configuration, see System SSL Module Verification Setup.