Configuring IBM MQ for Suite B
IBM® MQ can be configured to operate in compliance with the NSA Suite B standard on AIX®, Linux®, and Windows platforms.
Suite B restricts the set of enabled cryptographic algorithms in order to provide an assured level of security. IBM MQ can be configured to operate in compliance with Suite B to provide an enhanced level of security. For further information on Suite B, see National Security Agency (NSA) Suite B Cryptography. For more information about Suite B configuration and its effect on TLS channels, see NSA Suite B Cryptography in IBM MQ.
Queue manager
For a queue manager, use the command ALTER QMGR with the parameter SUITEB to set the values appropriate for your required level of security. For more information, see ALTER QMGR.
You can also use the PCF MQCMD_CHANGE_Q_MGR command with the MQIA_SUITE_B_STRENGTH parameter to configure the queue manager for Suite B compliant operation.
MQI client
- By setting the EncryptionPolicySuiteB field in the MQSCO structure on an MQCONNX call to one or more of the following values:
- MQ_SUITE_B_NONE
- MQ_SUITE_B_128_BIT
- MQ_SUITE_B_192_BIT
Using MQ_SUITE_B_NONE with any other value is invalid. For more information about the MQSCO structure, see MQSCO - SSL configuration options.
- By setting the MQSUITEB environment variable to one or more of the following values:
- NONE
- 128_BIT
- 192_BIT
You can specify multiple values using a comma separated list. Using the value NONE with any other value is invalid.
- By setting the EncryptionPolicySuiteB attribute in the SSL stanza of the client configuration file to one or more of the following values:
- NONE
- 128_BIT
- 192_BIT
You can specify multiple values using a comma separated list. Using NONE with any other value is invalid.
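The value rules above for the MQSUITEB environment variable and the EncryptionPolicySuiteB attribute can be checked before a client is started. The following script is an added example, not IBM code: the function names check_suiteb and ini_suiteb are hypothetical, the stanza layout and comment characters of the client configuration file are assumptions, and whitespace inside the list is rejected as a deliberately strict choice.

```shell
#!/bin/sh
# Added example: pre-flight check of a client Suite B policy value.
# Rules from the page: tokens are NONE, 128_BIT, 192_BIT; several may be
# given as a comma separated list; NONE with any other value is invalid.

# check_suiteb VALUE -> exit status 0 if valid, 1 if not (hypothetical helper).
check_suiteb() {
    value=$1 count=0 has_none=0 bad=
    case $value in
        ''|,*|*,|*,,*) echo "Suite B value '$value': empty item" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,; set -f          # split on commas, no globbing
    for token in $value; do
        count=$((count + 1))
        case $token in
            NONE) has_none=1 ;;
            128_BIT|192_BIT) ;;
            *) bad=$token ;;             # includes tokens with stray spaces
        esac
    done
    IFS=$old_ifs; set +f
    if [ -n "$bad" ]; then
        echo "Suite B value '$value': unknown token '$bad'" >&2; return 1
    fi
    if [ "$has_none" -eq 1 ] && [ "$count" -gt 1 ]; then
        echo "Suite B value '$value': NONE cannot be combined" >&2; return 1
    fi
    return 0
}

# ini_suiteb FILE -> prints EncryptionPolicySuiteB from the SSL stanza only.
# Assumed layout: "SSL:" header, Attribute=value lines, next "Name:" header
# ends the stanza; lines starting with # or ; are treated as comments.
ini_suiteb() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[A-Za-z]+:[ \t]*$/ { in_ssl = ($0 ~ /^SSL:/); next }
        in_ssl && /^[ \t]*EncryptionPolicySuiteB[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit
        }' "$1"
}

# Constructed sample input: a small client configuration file.
sample=$(mktemp)
printf 'TCP:\n   KeepAlive=Yes\nSSL:\n   EncryptionPolicySuiteB=128_BIT,192_BIT\n' > "$sample"
check_suiteb "$(ini_suiteb "$sample")" && echo "configuration file value accepted"
check_suiteb "NONE,128_BIT" 2>/dev/null || echo "NONE,128_BIT rejected"
rm -f "$sample"
```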
.NET
For .NET unmanaged clients, the property MQC.ENCRYPTION_POLICY_SUITE_B indicates the type of Suite B security required.
For information about using Suite B in IBM MQ classes for .NET, see MQEnvironment .NET class.
AMQP
The Suite B attribute settings for a queue manager apply to AMQP channels on that queue manager. If you modify the queue manager Suite B settings, you must restart the AMQP service for the changes to take effect.