SSLFIPSREQUIRED

This property determines whether a TLS connection must use a CipherSuite that is supported by the IBM® Java Java Secure Socket Extension (JSSE) FIPS provider (IBMJSSEFIPS).

Note: On AIX®, Linux® s390x, and Windows, IBM MQ provides FIPS 140-2 compliance through the GSKit 8 IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST.

[MQ 9.4.4 Oct 2025]From IBM MQ 9.4.4, on Linux for x86-64 and Linux on Power® Systems - Little Endian, IBM MQ provides FIPS 140-3 compliance through the GSKit 9 IBM Crypto for C (ICC) cryptographic module. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.

[MQ 9.4.2 Feb 2025]The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 9.4.2 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. The FIPS 140-2 provider is still the default profile. IBM MQ 9.4.2 does not change the default behavior but does allow you to configure connections with FIPS 140-3.

For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending.[MQ 9.4.4 Oct 2025]If FIPS is enabled, IBM MQ in Container control processes use a FIPS 140-3 Certified OpenSSL Module. Details of the NIST certification can be viewed at: https://access.redhat.com/compliance/fips. IBM MQ queue managers running in container images have the same FIPS certification level as the base image platform version of IBM MQ.

[MQ 9.4.2 Feb 2025]From IBM MQ 9.4.2, the connection factory property SSLFIPSREQUIRED is not supported in IBM Semeru Runtime. It does not cause an error if it is included by client applications. A new JMSException is thrown if the property has been set but the IBM Semeru Runtime FIPS properties have not been set. This avoids the scenario of existing client applications moving to Java 11+ and expecting a FIPS connection.
Note: This does not affect existing clients using IBM Java 8, it affects only clients using IBM Semeru Runtime Java.

Applicable Objects

ConnectionFactory, QueueConnectionFactory, TopicConnectionFactory, XAConnectionFactory, XAQueueConnectionFactory, XATopicConnectionFactory

JMS administration tool long name: SSLFIPSREQUIRED

JMS administration tool short name: SFIPS

Programmatic access

Setters/getters

  • MQConnectionFactory.setSSLFipsRequired()
  • MQConnectionFactory.getSSLFipsRequired()

Values

NO
A TLS connection can use any CipherSuite that is not supported by the IBM Java JSSE FIPS provider (IBMJSSEFIPS).
This is the default value. In programs, use false.
YES
A TLS connection must use a CipherSuite that is supported by IBMJSSEFIPS.
In programs, use true.