Federal Information Processing Standards (FIPS) for UNIX, Linux, and Windows

When cryptography is required on an SSL/TLS channel on Windows, UNIX and Linux systems, IBM MQ uses a cryptography package called IBM Crypto for C (ICC). On the Windows, UNIX and Linux platforms, the ICC software has passed the Federal Information Processing Standards (FIPS) Cryptomodule Validation Program of the US National Institute of Standards and Technology, at level 140-2.

The FIPS 140-2 compliance of an IBM MQ TLS connection on Windows, UNIX and Linux systems is as follows:

  • For all IBM MQ message channels (except CLNTCONN channel types), the connection is FIPS-compliant if the following conditions are met:

    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • The queue manager's SSLFIPS attribute has been set to YES.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.

  • For all IBM MQ MQI client applications, the connection uses GSKit and is FIPS-compliant if the following conditions are met:

    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • We have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the MQI client.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.

  • For IBM MQ classes for Java applications using client mode, the connection uses the JRE's TLS implementations and is FIPS-compliant if the following conditions are met:

    • The Java Runtime Environment used to run the application is FIPS-compliant on the installed operating system version and hardware architecture.
    • We have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the Java client.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.

  • For IBM MQ classes for JMS applications using client mode, the connection uses the JRE's TLS implementations and is FIPS-compliant if the following conditions are met:

    • The Java Runtime Environment used to run the application is FIPS-compliant on the installed operating system version and hardware architecture.
    • We have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the JMS client.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.

  • For unmanaged .NET client applications, the connection uses GSKit and is FIPS-compliant if the following conditions are met:

    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • We have specified that only FIPS-certified cryptography is to be used, as described in the related topic for the .NET client.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.

  • For unmanaged XMS .NET client applications, the connection uses GSKit and is FIPS-compliant if the following conditions are met:

    • The installed GSKit ICC version has been certified FIPS 140-2 compliant on the installed operating system version and hardware architecture.
    • We have specified that only FIPS-certified cryptography is to be used, as described in the XMS .NET documentation.
    • All key repositories have been created and manipulated using only FIPS-compliant software, such as runmqakm with the -fips option.

All supported platforms are FIPS 140-2 certified except as noted in the readme file included with each fix pack or refresh pack.

For TLS connections using GSKit, the component which is FIPS 140-2 certified is named ICC. It is the version of this component which determines GSKit FIPS compliance on any given platform. To determine the ICC version currently installed, run the dspmqver -p 64 -v command.

Here is an example extract of the dspmqver -p 64 -v output relating to ICC:
ICC
============
@(#)CompanyName:   IBM Corporation
@(#)LegalTrademarks: IBM
@(#)FileDescription: IBM Crypto for C-language
@(#)FileVersion:   8.0.0.0
@(#)LegalCopyright:  Licensed Materials - Property of IBM
@(#)         ICC
@(#)         (C) Copyright IBM Corp. 2002, 2020
@(#)         All Rights Reserved. US Government Users
@(#)         Restricted Rights - Use, duplication or disclosure
@(#)         restricted by GSA ADP Schedule Contract with IBM Corp.
@(#)ProductName:   icc_8.0 (GoldCoast Build) 100415
@(#)ProductVersion:  8.0.0.0
@(#)ProductInfo:   10/04/15.03:32:19.10/04/15.18:41:51
@(#)CMVCInfo:

The NIST certification statement for GSKit ICC 8 (included in GSKit 8) can be found at the following address: https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#1994.

If cryptographic hardware is present, the cryptographic modules used by IBM MQ can be configured to be those provided by the hardware manufacturer. If this is done, the configuration is only FIPS-compliant if those cryptographic modules are FIPS-certified.


Triple DES restrictions enforced when operating in compliance with FIPS 140-2

When IBM MQ is configured to operate in compliance with FIPS 140-2, additional restrictions are enforced in relation to Triple DES (3DES) CipherSpecs. These restrictions enable compliance with the US NIST SP800-67 recommendation.
  1. All parts of the Triple DES key must be unique.
  2. No part of the Triple DES key can be a Weak, Semi-Weak, or Possibly-Weak key according to the definitions in NIST SP800-67.
  3. No more than 32 GB of data can be transmitted over the connection before a secret key reset must occur. By default, IBM MQ does not reset the secret session key so this reset must be configured. Failure to enable secret key reset when using a Triple DES CipherSpec and FIPS 140-2 compliance results in the connection closing with error AMQ9288 after the maximum byte count is exceeded. For information about how to configure secret key reset, see Resetting SSL and TLS secret keys.

IBM MQ generates Triple DES session keys which already comply with rules 1 and 2. However, to satisfy the third restriction we must enable secret key reset when using Triple DES CipherSpecs in a FIPS 140-2 configuration. Alternatively, we can avoid using Triple DES.
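The third restriction can be checked before a channel ever reaches the byte limit. The following Python sketch is an added example, not IBM code: it parses runmqsc DISPLAY output and lists the Triple DES channels on a queue manager that has SSLFIPS(YES) but no secret key reset. It assumes the MQSC attributes SSLRKEYC (queue manager key reset count) and SSLCIPH (channel CipherSpec), which this page does not name, and it recognises Triple DES CipherSpecs by a substring match; the sample output and all object names in it are constructed.

```python
import re

# Constructed sample of runmqsc output; queue manager and channel names
# are invented for illustration and do not come from the page.
SAMPLE_MQSC = """\
     1 : DISPLAY QMGR SSLFIPS SSLRKEYC
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             SSLFIPS(YES)
   SSLRKEYC(0)
     2 : DISPLAY CHANNEL(*) CHLTYPE SSLCIPH
AMQ8414I: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
AMQ8414I: Display Channel details.
   CHANNEL(QM1.TO.QM3)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_256_GCM_SHA384)
AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # NAME(value) pairs
ECHO = re.compile(r"\s*\d+ : ")             # runmqsc echo of the command typed

def parse_mqsc(text):
    """Return one attribute dict per AMQ response block."""
    records = []
    for line in text.splitlines():
        if line.startswith("AMQ"):
            records.append({})              # each response starts a new object
        elif records and not ECHO.match(line):
            records[-1].update((k, v.strip()) for k, v in ATTR.findall(line))
    return records

def audit_3des_key_reset(text):
    """List (channel, CipherSpec) pairs exposed to AMQ9288 under FIPS mode."""
    records = parse_mqsc(text)
    qmgr = next((r for r in records if "QMNAME" in r), {})
    key_reset_enabled = int(qmgr.get("SSLRKEYC") or 0) > 0
    if qmgr.get("SSLFIPS") != "YES" or key_reset_enabled:
        return []                           # restriction not enforced, or satisfied
    findings = []
    for r in records:
        cipher = r.get("SSLCIPH", "")
        # Assumption: Triple DES CipherSpec names contain one of these markers.
        if "CHANNEL" in r and ("3DES" in cipher or "TRIPLE_DES" in cipher):
            findings.append((r["CHANNEL"], cipher))
    return findings

if __name__ == "__main__":
    for channel, cipher in audit_3des_key_reset(SAMPLE_MQSC):
        print(f"{channel}: {cipher} with SSLFIPS(YES) and no secret key reset")
```

Each channel reported needs either secret key reset enabled or a CipherSpec that does not use Triple DES.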

