CryptoModeSet

Trigger this action to set the appliance-wide cryptographic mode for the next firmware reload.

Note: On AIX®, Linux®, and Windows, IBM® MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST.

A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list. The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 9.4.2 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. The FIPS 140-2 provider is still the default profile. IBM MQ 9.4.2 does not change the default behavior but does allow you to configure connections with FIPS 140-3.

For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending.

Use the HTTP POST method with the resource /mgmt/actionqueue/default, specifying a request payload with the following format:
{
  "CryptoModeSet": {
    "Mode": "crypto-mode"
  }
}
Mode
String
Indicates which cryptographic mode to enable. The following keywords are available to indicate the modes to enable:
  • permissive - Runs the firmware in permissive mode.
  • fips-140-2-l1 - Runs the firmware in FIPS 140-2 Level 1 mode.

Example

To set the appliance cryptographic mode to the FIPS 140-2 Level 1 mode, post the following payload to https://yourhost:5554/mgmt/actionqueue/default:

{
  "CryptoModeSet": {
    "Mode": "fips-140-2-l1"
  }
}
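
The request described above, built from a script, as an added example that is not IBM's code: it rejects any Mode other than the two keywords listed on this page and keeps TLS certificate verification enabled when sending. HTTP Basic authentication, the function names, the ca_file parameter and the placeholder credentials are assumptions; the page does not describe authentication.

```python
import base64
import json
import ssl
import urllib.request

# Mode keywords listed on this page.
ALLOWED_MODES = ("permissive", "fips-140-2-l1")
ACTION_PATH = "/mgmt/actionqueue/default"


def build_crypto_mode_request(host, mode, user, password, port=5554):
    """Build (but do not send) the CryptoModeSet POST request."""
    if mode not in ALLOWED_MODES:
        raise ValueError(
            f"unsupported crypto mode {mode!r}; expected one of {ALLOWED_MODES}")
    body = json.dumps({"CryptoModeSet": {"Mode": mode}}).encode("utf-8")
    # Assumption: HTTP Basic authentication; the page does not describe auth.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        f"https://{host}:{port}{ACTION_PATH}",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )


def send(request, ca_file):
    """Send the request, verifying the appliance certificate against ca_file."""
    # create_default_context() keeps certificate and hostname checks enabled,
    # so the credentials are only sent to a host that presents a trusted cert.
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed values: host name from the page's example, placeholder credentials.
    req = build_crypto_mode_request("yourhost", "fips-140-2-l1", "admin", "PLACEHOLDER")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

The mode set this way applies at the next firmware reload, so a successful response does not mean the appliance is already running in the requested mode.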