password-hash-algorithm
This command sets the hash algorithm to apply to passwords before they are stored.
Syntax
password-hash-algorithm { md5crypt | sha256crypt }
Parameters
md5crypt- Uses MD5 Crypt as the hash algorithm. This setting is the default value.
sha256crypt- Uses SHA-256 Crypt as the hash algorithm.
Guidelines
Notes:
- On AIX®, Linux®, and Windows, IBM® MQ provides FIPS 140-3 compliance through the GSKit 9 IBM Crypto for C (ICC) cryptographic module. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.
- FIPS support is currently not available for Linux s390x. Customers on this platform who require FIPS support should remain at a previous version of IBM MQ. Support for FIPS 140-3 will be enabled in a future FixPack once the IBM Crypto for C (ICC) cryptographic module has received its certification on this platform.
- The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 10.0.0 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.
- For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based
on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently
pending.
If FIPS is enabled, IBM MQ in Container control processes use a FIPS 140-3 Certified OpenSSL Module. Details of the NIST certification can be viewed at: https://access.redhat.com/compliance/fips. IBM MQ queue managers running in container images have the same FIPS certification level as the base image platform version of IBM MQ.
The password-hash-algorithm command specifies the hash algorithm that is applied to passwords for locally defined users before the passwords are stored.
- In FIPS 140-2 Level 1 mode, the appliance cannot check MD5 Crypt password entries because MD5 is
banned in this mode. If any existing account passwords use MD5 Crypt, the appliance refuses to enter
FIPS 140-2 Level 1 mode to avoid user lockout. To successfully enter FIPS 140-2 Level 1 mode, you
must select
sha256cryptand then change the password on any existing user accounts that used MD5 Crypt when last changed. - Firmware releases before 6.0.1 do not support SHA-256 Crypt passwords. If you need to downgrade
to a release before 6.0.1, you must select
md5cryptand then change the password on any existing user accounts that used SHA-256 Crypt when last changed. Only after such configuration is downgrading to the release before 6.0.1 allowed. This check is to avoid user lockout.
Example
Use the hash algorithm SHA-256 Crypt to apply to passwords before they are stored.
# password-hash-algorithm sha256crypt