Federal Information Processing Standards (FIPS) for AIX, Linux, and Windows
When cryptography is required on an SSL/TLS channel on AIX®, Linux®, and Windows systems, IBM® MQ uses a cryptography package called IBM Crypto for C (ICC). On the AIX, Linux, and Windows platforms, the ICC software has passed the Federal Information Processing Standards (FIPS) Cryptomodule Validation Program of the US National Institute of Standards and Technology, at level 140-2.
- For all IBM MQ message channels (except CLNTCONN
channel types), the connection is FIPS-compliant if the following conditions are met:
- The installed IBM Global Security Kit (GSKit) ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
- The queue manager's SSLFIPS attribute has been set to YES.
- All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
- For all IBM MQ MQI client applications , the
connection uses GSKit and is FIPS-compliant if the following conditions are met:
- The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
- You have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the MQI client.
- All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
- For IBM MQ classes for Java applications using client mode, the
connection uses the JRE's TLS implementations and is FIPS-compliant if the following conditions are met:
- The Java Runtime Environment used to run the application is FIPS-compliant on the installed operating system version and hardware architecture.
- You have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the Java client.
- All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
- For IBM MQ classes for JMS applications using client mode, the
connection uses the JRE's TLS implementations and is FIPS-compliant if the following conditions are met:
- The Java Runtime Environment used to run the application is FIPS-compliant on the installed operating system version and hardware architecture.
- You have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the JMS client.
- All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
- For unmanaged .NET client applications, the
connection uses GSKit and is FIPS-compliant if the following conditions are met:
- The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
- You have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the .NET client.
- All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
- For unmanaged XMS .NET client applications, the
connection uses GSKit and is FIPS-compliant if the following conditions are met:
- The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
- You have specified that only FIPS-certified cryptography is to be used, as described in the XMS .NET documentation.
- All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.
For TLS connections using GSKit, the component which is FIPS 140-2 certified is named ICC. It is the version of this component which determines GSKit FIPS compliance on any given platform. To determine the ICC version currently installed, run the dspmqver -p 64 -v command.
ICC ============ @(#)CompanyName: IBM Corporation @(#)LegalTrademarks: IBM @(#)FileDescription: IBM Crypto for C-language @(#)FileVersion: 8.0.0.0 @(#)LegalCopyright: Licensed Materials - Property of IBM @(#) ICC @(#) (C) Copyright IBM Corp. 2002, 2024. @(#) All Rights Reserved. US Government Users @(#) Restricted Rights - Use, duplication or disclosure @(#) restricted by GSA ADP Schedule Contract with IBM Corp. @(#)ProductName: icc_8.0 (GoldCoast Build) 100415 @(#)ProductVersion: 8.0.0.0 @(#)ProductInfo: 10/04/15.03:32:19.10/04/15.18:41:51 @(#)CMVCInfo:
The NIST certification statement for GSKit ICC 8 (included in GSKit 8) can be found at the following address: Cryptographic Module Validation Program.
If cryptographic hardware is present, the cryptographic modules used by IBM MQ can be configured to be those provided by the hardware manufacturer. If this is done, the configuration is only FIPS-compliant if those cryptographic modules are FIPS-certified.
Triple DES restrictions enforced when operating in compliance with FIPS 140-2
- All parts of the Triple DES key must be unique.
- No part of the Triple DES key can be a Weak, Semi-Weak, or Possibly-Weak key according to the definitions in NIST SP800-67.
- No more than 32 GB of data can be transmitted over the connection before a secret key reset must occur. By default, IBM MQ does not reset the secret session key so this reset must be configured. Failure to enable secret key reset when using a Triple DES CipherSpec and FIPS 140-2 compliance results in the connection closing with error AMQ9288 after the maximum byte count is exceeded. For information about how to configure secret key reset, see Resetting SSL and TLS secret keys.