FIPS compliance for IBM MQ in containers

At startup, IBM® MQ in containers detects whether the operating system on which the container is starting is FIPS compliant, and (if so) configures FIPS support automatically. Requirements and limitations are noted here.

Federal Information Processing Standards

The US government produces technical advice on IT systems and security, including data encryption. The National Institute for Standards and Technology (NIST) is a government body concerned with IT systems and security. NIST produces recommendations and standards, including the Federal Information Processing Standards (FIPS).

A significant FIPS standard is FIPS 140-2, which requires the use of strong cryptographic algorithms. FIPS 140-2 also specifies requirements for hashing algorithms to be used to protect packets against modification in transit.

IBM MQ provides FIPS 140-2 support if it has been configured to do so.

Note: On AIX®, Linux® s390x, and Windows, IBM MQ provides FIPS 140-2 compliance through the GSKit 8 IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST.

[MQ 9.4.4 Oct 2025] From IBM MQ 9.4.4, on Linux for x86-64 and Linux on Power® Systems - Little Endian, IBM MQ provides FIPS 140-3 compliance through the GSKit 9 IBM Crypto for C (ICC) cryptographic module. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.

[MQ 9.4.2 Feb 2025] The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 9.4.2 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. The FIPS 140-2 provider is still the default profile. IBM MQ 9.4.2 does not change the default behavior but does allow you to configure connections with FIPS 140-3.

For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending. [MQ 9.4.4 Oct 2025] If FIPS is enabled, IBM MQ in Containers control processes use a FIPS 140-3 certified OpenSSL module. Details of the NIST certification can be viewed at https://access.redhat.com/compliance/fips. IBM MQ queue managers running in container images have the same FIPS certification level as the base image platform version of IBM MQ.

Requirements

For requirements related to cluster setup and other considerations, see FIPS Wall: Current IBM approach to FIPS compliance.

IBM MQ in containers can run in FIPS 140-2 compliance mode. During startup, IBM MQ in containers detects whether the host operating system on which the container is starting is FIPS compliant. If the host operating system is FIPS compliant, and private keys and certificates have been supplied, the IBM MQ container configures the queue manager, the IBM MQ web server, and data transfer between the nodes in a Native High Availability deployment, to run in FIPS compliance mode.

When using IBM MQ Operator to deploy queue managers on the Red Hat® OpenShift® Container Platform, the operator creates a route with a termination type of Passthrough. This means that the traffic is sent straight to the destination without the router providing TLS termination. The IBM MQ queue manager and IBM MQ web server are the destinations in this case, and they already provide FIPS compliant secure communication.

To ensure FIPS compliance for deployments of the IBM MQ Operator in containers on other platforms, you must configure your own network ingress with the relevant termination type.
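The following is an added example of the passthrough termination described above, written here as an illustration rather than taken from the IBM MQ documentation or from the manifests the IBM MQ Operator generates. It assumes a queue manager named qm1 in namespace mq, exposed by a Service called qm1-ibm-mq on port 1414 (queue manager listener) and 9443 (web server); the hostnames are placeholders.

```yaml
# Added example (not from the IBM MQ documentation page or the operator's
# own generated manifests). Assumes a queue manager named qm1 in namespace mq,
# exposed by a Service called qm1-ibm-mq with port 1414 (queue manager
# listener) and 9443 (web server); hostnames are placeholders.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: qm1-ibm-mq-qm
  namespace: mq
spec:
  host: qm1-mq.apps.example.com      # placeholder hostname
  to:
    kind: Service
    name: qm1-ibm-mq
  port:
    targetPort: 1414
  tls:
    # passthrough: the router forwards the TLS bytes untouched, so the
    # session terminates inside the FIPS-configured queue manager.
    # "edge" or "reencrypt" would instead terminate TLS in the router,
    # whose cryptographic module is outside the queue manager's FIPS scope.
    termination: passthrough
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: qm1-ibm-mq-web
  namespace: mq
spec:
  host: qm1-web.apps.example.com     # placeholder hostname
  to:
    kind: Service
    name: qm1-ibm-mq
  port:
    targetPort: 9443
  tls:
    termination: passthrough
```

A passthrough route selects the backend by the TLS SNI hostname, so clients must present the route host as SNI; on other platforms the equivalent is an ingress configured for TLS passthrough rather than one that terminates TLS itself.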

Key requirements:

  1. A private key and certificates, provided in a secret to the queue manager and web server, that allow external clients to connect securely to the queue manager and web server.

  2. A private key and certificates for data transfer between different nodes in a Native High Availability configuration.

Limitations

For a FIPS compliant deployment of IBM MQ in containers, consider the following:

  • IBM MQ in containers provides an endpoint for collection of metrics. Prior to IBM MQ 9.4.2.0-r1, this endpoint was HTTP only. IBM MQ queue managers from 9.4.2.0-r1 can be configured by the IBM MQ Operator to serve metrics through HTTPS.
    To be FIPS compliant, you can choose from the following options:
    • You can serve metrics through HTTPS. For more information, see Monitoring when using the IBM MQ Operator.
    • You can turn off the metrics endpoint to make the rest of IBM MQ compliant if you are using a version prior to IBM MQ 9.4.2.0-r1, or do not want to use HTTPS for metrics.
  • IBM MQ in containers allows custom image overrides. That is, you can build custom images using the IBM MQ container image as the base image. FIPS compliance might not apply for such customized images.
  • For message tracking using IBM Instana®, the communication between IBM MQ and IBM Instana is HTTP or HTTPS, with no FIPS compliance.
  • IBM MQ Operator access to IBM identity and access management (IAM)/Zen services is not FIPS compliant.