Specifying that only FIPS-certified CipherSpecs are used at run time on the MQI client
Create your key repositories using FIPS-compliant software, then specify that the channel must use FIPS-certified CipherSpecs.
In order to be FIPS-compliant at run time, the key repositories must have been created and managed using only FIPS-compliant software such as runmqakm with the -fips option.
We can specify that a TLS channel must use only FIPS-certified CipherSpecs in three ways, listed in order of precedence:
- Set the FipsRequired field in the MQSCO structure to MQSSL_FIPS_YES.
- Set the environment variable MQSSLFIPS to YES.
- Set the SSLFipsRequired attribute in the client configuration file to YES.
These values have the same meanings as the equivalent parameter values on ALTER QMGR SSLFIPS (see ALTER QMGR). If the client process currently has no active TLS connections, and a FipsRequired value is validly specified on an MQCONNX call that establishes a TLS connection, all subsequent TLS connections associated with this process must use only the CipherSpecs associated with this value. This applies until this and all other TLS connections have stopped, at which point a subsequent MQCONNX can provide a new value for FipsRequired.
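An added example, not from the IBM MQ documentation, for the third option above: a shell helper that sets SSLFipsRequired=YES in the SSL stanza of an mqclient.ini (replacing any existing value, or creating the stanza if the file has none) and reads back the value the client will find there. It assumes the usual mqclient.ini layout of a "Stanza:" header followed by indented Key=Value lines, and takes the file path as $1.

```shell
#!/bin/sh
# Prerequisite from the page, run separately with a FIPS-compliant tool:
#   runmqakm -keydb -create -db key.kdb -pw <password> -type cms -stash -fips
# (<password> is a placeholder; the key repository itself is not created here.)

# Upsert "SSLFipsRequired=YES" into the SSL: stanza of the given mqclient.ini.
set_fips_required() {
  ini="$1"
  [ -f "$ini" ] || : > "$ini"
  tmp="$ini.tmp.$$"
  awk '
    BEGIN { in_ssl = 0; seen_stanza = 0; written = 0 }
    /^[A-Za-z0-9]+:[ \t]*$/ {            # a stanza header such as "SSL:" or "CHANNELS:"
      if (in_ssl && !written) { print "   SSLFipsRequired=YES"; written = 1 }
      in_ssl = ($0 ~ /^SSL:/)
      if (in_ssl) seen_stanza = 1
      print; next
    }
    in_ssl && tolower($0) ~ /^[ \t]*sslfipsrequired[ \t]*=/ {
      if (!written) { print "   SSLFipsRequired=YES"; written = 1 }
      next                               # drop the old (for example NO) or duplicate line
    }
    { print }
    END {
      if (in_ssl && !written) print "   SSLFipsRequired=YES"
      if (!seen_stanza) { print "SSL:"; print "   SSLFipsRequired=YES" }
    }
  ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# Print the SSLFipsRequired value in the SSL: stanza (empty if none is set).
file_fips_value() {
  awk '
    /^[A-Za-z0-9]+:[ \t]*$/ { in_ssl = ($0 ~ /^SSL:/) }
    in_ssl && tolower($0) ~ /^[ \t]*sslfipsrequired[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit
    }
  ' "$1"
}
```

The environment variable route from the list above is simply `export MQSSLFIPS=YES` in the client's environment; this helper only touches the configuration file.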
If cryptographic hardware is present, the cryptographic modules used by IBM MQ can be configured to be those modules provided by the hardware product, and these might be FIPS-certified to a particular level. The configurable modules and whether they are FIPS-certified depends on the hardware product in use.
Where possible, if FIPS-only CipherSpecs are configured, the MQI client rejects connections that specify a non-FIPS CipherSpec with MQRC_SSL_INITIALIZATION_ERROR. IBM MQ does not guarantee to reject all such connections, and it is your responsibility to determine whether your IBM MQ configuration is FIPS-compliant.