Configure IBM MQ for Suite B

IBM MQ can be configured to operate in compliance with the NSA Suite B standard on Windows, UNIX and Linux platforms.

Suite B restricts the set of enabled cryptographic algorithms in order to provide an assured level of security. IBM MQ can be configured to operate in compliance with Suite B to provide an enhanced level of security. For further information on Suite B, see National Security Agency (NSA) Suite B Cryptography. For more information about Suite B configuration and its effect on TLS channels, see NSA Suite B Cryptography in IBM MQ.


Queue manager

For a queue manager, use the command ALTER QMGR with the parameter SUITEB to set the values appropriate for the required level of security. For further information see ALTER QMGR.

We can also use the PCF MQCMD_CHANGE_Q_MGR command with the MQIA_SUITE_B_STRENGTH parameter to configure the queue manager for Suite B compliant operation.

Note: If we alter a queue manager's Suite B settings, we must restart the MQXR service for those settings to take effect.


MQI client

By default, MQI clients do not enforce Suite B compliance. We can enable the MQI client for Suite B compliance by using one of the following options:
  1. By setting the EncryptionPolicySuiteB field in the MQSCO structure on an MQCONNX call to one or more of the following values:

    • MQ_SUITE_B_NONE
    • MQ_SUITE_B_128_BIT
    • MQ_SUITE_B_192_BIT

    Using MQ_SUITE_B_NONE with any other value is invalid.

  2. By setting the MQSUITEB environment variable to one or more of the following values:

    • NONE
    • 128_BIT
    • 192_BIT

    We can specify multiple values using a comma separated list. Using the value NONE with any other value is invalid.

  3. By setting the EncryptionPolicySuiteB attribute in the SSL stanza of the MQI client configuration file to one or more of the following values:

    • NONE
    • 128_BIT
    • 192_BIT

    We can specify multiple values using a comma separated list. Using NONE with any other value is invalid.

Note: The MQI client settings are listed in order of priority. The MQSCO structure on the MQCONNX call overrides the setting on the MQSUITEB environment variable, which overrides the attribute in the SSL stanza.
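
As an added example (not IBM's code), the Python sketch below validates a Suite B value string against the rules above and resolves which of the three client settings takes effect. It models the MQSCO field as the same comma-separated names used by MQSUITEB, treats the client configuration file format in a simplified way, and all function names are hypothetical.

```python
VALID = {"NONE", "128_BIT", "192_BIT"}

def parse_suite_b(value):
    """Validate a comma-separated Suite B setting and return its levels."""
    # Assumption: whitespace around items is ignored; names are matched exactly.
    levels = [item.strip() for item in value.split(",")]
    unknown = [lv for lv in levels if lv not in VALID]
    if unknown:
        raise ValueError(f"unknown Suite B value(s): {unknown}")
    if "NONE" in levels and len(set(levels)) > 1:
        raise ValueError("NONE cannot be combined with any other value")
    return frozenset(levels)

def stanza_value(ini_text, stanza="SSL", attr="EncryptionPolicySuiteB"):
    """Return attr from the named stanza of client-configuration text, or None."""
    current = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment (assumed syntax)
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1]              # stanza header such as "SSL:"
        elif current == stanza and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == attr:
                return val.strip()
    return None

def effective_policy(mqsco=None, env=None, ini_text=""):
    """Resolve the setting in priority order: MQSCO, MQSUITEB, then SSL stanza."""
    sources = (("MQSCO", mqsco), ("MQSUITEB", env),
               ("SSL stanza", stanza_value(ini_text)))
    for name, value in sources:
        if value is not None:
            return name, parse_suite_b(value)
    return "default", frozenset({"NONE"})    # clients do not enforce Suite B by default

# Constructed sample client configuration text (not taken from a real system).
SAMPLE_INI = """\
# constructed example
CHANNELS:
   DefRecon=YES
SSL:
   EncryptionPolicySuiteB=128_BIT,192_BIT
"""

if __name__ == "__main__":
    print(effective_policy(ini_text=SAMPLE_INI))
    # A higher-priority NONE overrides the stricter stanza setting.
    print(effective_policy(env="NONE", ini_text=SAMPLE_INI))
```

The second call shows the case worth auditing: an MQSUITEB value of NONE in a process environment takes priority over a stricter SSL stanza, so the client would not enforce Suite B.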

For full details of the MQSCO structure, see MQSCO - SSL configuration options.

For more information about the use of Suite B in the client configuration file, see SSL stanza of the client configuration file.

For further information on the use of the MQSUITEB environment variable, see Environment Variables.


.NET

For .NET unmanaged clients, the property MQC.ENCRYPTION_POLICY_SUITE_B indicates the type of Suite B security required.

For information about using Suite B in IBM MQ classes for .NET, see MQEnvironment .NET class.


AMQP

The Suite B attribute settings for a queue manager apply to AMQP channels on that queue manager. If we modify the queue manager Suite B settings, we must restart the AMQP service for the changes to take effect.
