FIPS compliance

Gives a guide to FIPS 140-2 level 1 compliance on the IBM® MQ Appliance.

Note: On AIX®, Linux®, and Windows, IBM MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST.

A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list. The FIPS 140-3 cryptographic module within IBM Semeru Runtime was approved by NIST in August 2024. IBM MQ 9.4.2 adds support for the handling of IBM MQ classes for JMS and IBM MQ classes for Java client connections using TLS for FIPS 140-3 in Java 8 and IBM Semeru Runtime 11+. The NIST certification associated with the FIPS 140-3 module can be viewed at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. The FIPS 140-2 provider is still the default profile. IBM MQ 9.4.2 does not change the default behavior, but it does allow you to configure connections with FIPS 140-3.

For IBM MQ in Containers, the IBM MQ Operator 3.2.0 and queue manager container image 9.4.0.0 onwards are based on UBI 9. FIPS 140-3 compliance for IBM MQ in Containers is currently pending.

Important: You cannot ensure that all encryption on the appliance is performed using FIPS compliant code paths.

While you can ensure that individual components of the IBM MQ Appliance use FIPS compliant libraries for cryptographic applications, as described in the following sections, there is currently no global way to ensure the system as a whole performs all encryption using only compliant code paths.

Administration interfaces

The appliance has various interfaces that can be used to administer the appliance: SSH, web UI, and REST API. Use the command crypto-mode-set fips-140-2-l1 to tell the appliance administrative process to perform the encryption on these interfaces using a cryptographic software module that is validated to FIPS 140-2 Level 1 (see crypto-mode-set).

For FIPS compliance and administration interfaces that use MQ Channels (for example, PCF or remote MQSC), see the following section, IBM MQ Channels.

IBM MQ channels

Appliance queue managers can be instructed to use a library that has been tested for FIPS 140-2 Level 1 compliance for cryptography on all MQ channels. The library is named IBM Crypto for C (ICC). The versions of the library embedded in the IBM MQ Appliance can be displayed using the command dspmqver -p 64 -v (see dspmqver (display version information)).

See Federal Information Processing Standards (FIPS) for UNIX, Linux, and Windows in the IBM MQ documentation for more information about IBM MQ channels and FIPS compliance.

IBM MQ clients

For client connections to the appliance, you must ensure that your client is configured for FIPS compliance; see Specifying that only FIPS-certified CipherSpecs are used at run time on the MQI client in the IBM MQ documentation.
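As an added illustration of checking the client side (example code, not from this page or from IBM), the following script parses the SSL stanza of an mqclient.ini file and reports whether the client will require FIPS-certified CipherSpecs. It assumes, from the IBM MQ client documentation rather than from this page, that the MQSSLFIPS environment variable overrides the SSLFipsRequired key in mqclient.ini; the sample configuration and its paths are constructed placeholders.

```python
"""Audit the effective FIPS setting of an IBM MQ client configuration."""
import os


def parse_mqclient_ini(text):
    """Parse mqclient.ini stanzas: a 'Name:' line followed by Key=Value lines.

    Returns {stanza_name: {key: value}}. Whole-line comments (';' or '#')
    and blank lines are ignored.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_fips_required(ini_text, env):
    """Return (required, source) for the client's FIPS setting.

    Assumed precedence (IBM MQ client docs, not this page): the MQSSLFIPS
    environment variable overrides SSLFipsRequired in the SSL stanza of
    mqclient.ini, and the default is NO. A FipsRequired value passed in
    MQSCO on MQCONNX would override both but is not visible to a file check.
    """
    env_value = env.get("MQSSLFIPS")
    if env_value is not None:
        return env_value.strip().upper() == "YES", "MQSSLFIPS environment variable"
    ini_value = parse_mqclient_ini(ini_text).get("SSL", {}).get("SSLFipsRequired")
    if ini_value is not None:
        return ini_value.upper() == "YES", "mqclient.ini SSL stanza"
    return False, "default"


# Constructed sample mqclient.ini; the repository path is a placeholder.
SAMPLE_INI = """\
# constructed example client configuration
SSL:
   SSLKeyRepository=/var/mqm/ssl/key
   SSLFipsRequired=YES
CHANNELS:
   ChannelDefinitionDirectory=/var/mqm
"""

if __name__ == "__main__":
    required, source = effective_fips_required(SAMPLE_INI, os.environ)
    print(f"FIPS required: {required} (set by {source})")
```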