password-hash-algorithm

This command sets the hash algorithm to apply to passwords before they are stored.

Syntax

password-hash-algorithm { md5crypt | sha256crypt }

Parameters

md5crypt
Uses MD5 Crypt as the hash algorithm. This setting is the default value.
sha256crypt
Uses SHA-256 Crypt as the hash algorithm.

Guidelines

Note: On AIX®, Linux®, and Windows, IBM® MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST.

A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list. The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 9.4.2 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. The FIPS 140-2 provider is still the default profile. IBM MQ 9.4.2 does not change the default behavior but does allow you to configure connections with FIPS 140-3.

For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending.

The password-hash-algorithm command specifies the hash algorithm that is applied to passwords for locally defined users before the passwords are stored.

  • In FIPS 140-2 Level 1 mode, the appliance cannot check MD5 Crypt password entries because MD5 is banned in this mode. If any existing account passwords use MD5 Crypt, the appliance refuses to enter FIPS 140-2 Level 1 mode to avoid user lockout. To successfully enter FIPS 140-2 Level 1 mode, you must select sha256crypt and then change the password on any existing user accounts that used MD5 Crypt when last changed.
  • Firmware releases before 6.0.1 do not support SHA-256 Crypt passwords. If you need to downgrade to a release before 6.0.1, you must select md5crypt and then change the password on any existing user accounts that used SHA-256 Crypt when last changed. Only after this is done is downgrading to a release before 6.0.1 allowed. This check is to avoid user lockout.
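Both checks above hinge on the same question: which accounts still carry a hash produced by the algorithm the target mode cannot use? The script below is an added example, not IBM MQ Appliance code, that answers it for an exported list of accounts. It assumes (the page does not say) that stored passwords are in the standard crypt(3) Modular Crypt Format, where the $1$ prefix identifies MD5 Crypt and $5$ identifies SHA-256 Crypt, and that an administrator has a user-to-hash mapping available offline; the sample accounts, salts and digests are constructed placeholders.

```python
"""Classify crypt(3)-style password hashes by algorithm and list the accounts
whose password must be changed before a mode switch.

Added example; not part of the IBM MQ Appliance firmware. Assumes hashes use
the Modular Crypt Format ($1$ = MD5 Crypt, $5$ = SHA-256 Crypt)."""

import re

# Modular Crypt Format identifiers for the two algorithms the command offers.
MCF_IDS = {"1": "md5crypt", "5": "sha256crypt"}

# $<id>$[rounds=<n>$]<salt>$<hash> ; rounds= only appears for sha256crypt.
_MCF_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)


def hash_algorithm(stored_hash: str) -> str:
    """Return 'md5crypt', 'sha256crypt' or 'unknown' for a stored hash."""
    m = _MCF_RE.match(stored_hash)
    if not m:
        return "unknown"
    return MCF_IDS.get(m.group("id"), "unknown")


def accounts_blocking_mode(accounts, required):
    """Return the sorted users whose current hash would block the mode change.

    `accounts` maps user name -> stored hash (an assumed export format).
    `required` is the algorithm the target mode demands:
      'sha256crypt' before entering FIPS 140-2 Level 1 (MD5 is banned there),
      'md5crypt'    before downgrading to firmware earlier than 6.0.1.
    An 'unknown' hash is reported too, since it cannot be verified either way.
    """
    return sorted(u for u, h in accounts.items() if hash_algorithm(h) != required)


# Constructed sample data: salts and digests are placeholders, not real hashes.
SAMPLE_ACCOUNTS = {
    "admin": "$5$rounds=5000$saltsalt$" + "A" * 43,
    "operator": "$1$saltsalt$" + "B" * 22,
    "auditor": "$5$saltsalt$" + "C" * 43,
}

if __name__ == "__main__":
    for user, h in SAMPLE_ACCOUNTS.items():
        print(f"{user:10s} {hash_algorithm(h)}")
    print("Change before FIPS 140-2 Level 1:",
          accounts_blocking_mode(SAMPLE_ACCOUNTS, "sha256crypt"))
    print("Change before downgrade to < 6.0.1:",
          accounts_blocking_mode(SAMPLE_ACCOUNTS, "md5crypt"))
```

Run it against the exported mapping before issuing password-hash-algorithm: every user it lists for the intended direction must set a new password after the algorithm is switched, because the appliance re-hashes a password only when it is changed, and the mode or firmware change will be refused while any such entry remains.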

Example

Select SHA-256 Crypt as the hash algorithm to apply to passwords before they are stored.
# password-hash-algorithm sha256crypt