FIPS compliance for IBM MQ in containers

At startup, IBM® MQ in containers detects whether the operating system on which the container is starting is FIPS compliant and, if so, configures FIPS support automatically. Requirements and limitations are noted here.

Federal Information Processing Standards

The US government produces technical advice on IT systems and security, including data encryption. The National Institute of Standards and Technology (NIST) is the US government body responsible for this area; it produces recommendations and standards, including the Federal Information Processing Standards (FIPS).

A significant FIPS standard is FIPS 140-2, which requires the use of strong cryptographic algorithms. FIPS 140-2 also specifies requirements for hashing algorithms to be used to protect packets against modification in transit.

IBM MQ provides FIPS 140-2 support if it has been configured to do so.

Note: On AIX®, Linux®, and Windows, IBM MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.

Requirements

For requirements related to cluster setup and other considerations, see FIPS Wall: Current IBM approach to FIPS compliance.

IBM MQ in containers can run in FIPS 140-2 compliance mode. During startup, IBM MQ in containers (9.3.1.0 and above) detects whether the host operating system on which the container is starting is FIPS compliant. If the host operating system is FIPS compliant and private keys and certificates have been supplied, the IBM MQ container configures the queue manager, the IBM MQ web server, and the data transfer between nodes in a Native High Availability deployment to run in FIPS compliance mode.

When using IBM MQ Operator to deploy queue managers, the operator creates a route with a termination type of Passthrough. This means that the traffic is sent straight to the destination without the router providing TLS termination. The IBM MQ queue manager and IBM MQ web server are the destinations in this case, and they already provide FIPS compliant secure communication.

Key requirements:

  1. A private key and certificates, provided in a secret to the queue manager and web server, that allow external clients to connect securely to the queue manager and web server.

  2. A private key and certificates for data transfer between different nodes in a Native High Availability configuration.

Limitations

For a FIPS compliant deployment of IBM MQ in containers, consider the following:

  • IBM MQ in containers provides an endpoint for collection of metrics. Currently, this endpoint is HTTP only. You can turn off the metrics endpoint so that the rest of IBM MQ is FIPS compliant.
  • IBM MQ in containers allows custom image overrides. That is, you can build custom images using the IBM MQ container image as the base image. FIPS compliance might not apply for such customized images.
  • For message tracking using IBM Instana, the communication between IBM MQ and IBM Instana is HTTP or HTTPS, with no FIPS compliance.
  • IBM MQ Operator access to IBM identity and access management (IAM)/Zen services is not FIPS compliant.
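The following pre-flight check is an added example and is not IBM's code or the container's own detection logic. It reports, from a node, whether an IBM MQ container started there would run in FIPS compliance mode, using the two conditions stated under Requirements (host operating system in FIPS mode, private key and certificates supplied) together with the metrics-endpoint limitation above. It assumes that the Linux kernel reports FIPS mode as the value 1 in /proc/sys/crypto/fips_enabled, that the secret is mounted as the files tls.key and tls.crt (the layout of a Kubernetes TLS secret), and that the metrics endpoint is controlled by an on/off setting whose value you pass in as a string; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not IBM's code): report whether an IBM MQ container on this node
# would start in FIPS compliance mode. Assumptions: the kernel exposes FIPS mode as
# "1" in /proc/sys/crypto/fips_enabled; the secret is mounted as tls.key and tls.crt;
# the metrics endpoint setting is passed in as a string such as "true" or "false".

# host_fips_enabled [FILE]: "yes" if FILE (default: the real /proc path) reads 1
host_fips_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  if [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]; then
    echo yes
  else
    echo no
  fi
}

# keys_supplied DIR: "yes" if the mounted secret holds a non-empty key and certificate
keys_supplied() {
  if [ -s "$1/tls.key" ] && [ -s "$1/tls.crt" ]; then echo yes; else echo no; fi
}

# expected_mode FIPSFILE SECRETDIR: "fips" only when both startup conditions hold;
# a FIPS-mode host with no key material still starts, but not in FIPS mode.
expected_mode() {
  if [ "$(host_fips_enabled "$1")" = yes ] && [ "$(keys_supplied "$2")" = yes ]; then
    echo fips
  else
    echo non-fips
  fi
}

# metrics_endpoint_off VALUE: "yes" if the metrics setting is false/0/off/no. The
# metrics endpoint is HTTP only, so it must be off for the rest of IBM MQ to count.
metrics_endpoint_off() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    false|0|off|no) echo yes ;;
    *) echo no ;;
  esac
}

# fips_report FIPSFILE SECRETDIR METRICS_VALUE: a one-line verdict for the operator
fips_report() {
  mode="$(expected_mode "$1" "$2")"
  if [ "$mode" = fips ] && [ "$(metrics_endpoint_off "$3")" = yes ]; then
    echo "FIPS: queue manager, web server and Native HA traffic in FIPS mode; metrics endpoint off"
  elif [ "$mode" = fips ]; then
    echo "PARTIAL: FIPS mode, but the HTTP-only metrics endpoint is still enabled"
  else
    echo "NON-FIPS: host not in FIPS mode or key/certificate secret not supplied"
  fi
}

# Constructed sample run so the script works offline: a fake fips_enabled file
# and a fake secret mount with placeholder (not real) key material.
demo() {
  tmp="$(mktemp -d)"
  printf '1\n' > "$tmp/fips_enabled"
  mkdir "$tmp/secret"
  printf -- '-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n' > "$tmp/secret/tls.key"
  printf -- '-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n' > "$tmp/secret/tls.crt"
  fips_report "$tmp/fips_enabled" "$tmp/secret" "false"
  rm -rf "$tmp"
}

# Real check on a node: pass "" to use the live /proc path, the directory where the
# secret is mounted, and the value of your image's metrics setting, for example:
# fips_report "" /path/to/mounted/secret "false"
```

Run `demo` to see the verdict for the constructed inputs; on a real node, call `fips_report` with the live /proc path (empty first argument), the secret mount directory, and the metrics setting your deployment uses. The check deliberately separates the three conditions so that a PARTIAL verdict tells you the only remaining gap is the HTTP-only metrics endpoint.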