Specifying that only FIPS-certified cryptography will be used

To specify that an SSL channel must only use FIPS-certified cryptography, either set the environment variable MQSSLFIPS to YES or set the FipsRequired field in the MQSCO structure to MQSSL_FIPS_YES (the default values are NO and MQSSL_FIPS_NO respectively). These values have the same meanings as they do on ALTER QMGR SSLFIPS (see WebSphere MQ Script (MQSC) Command Reference). The setting is process-wide: if the client process currently has no active SSL connections and a FipsRequired value is validly specified on an SSL MQCONNX, all subsequent SSL connections made by this process must use only the CipherSpecs associated with that value. This applies until this and all other SSL connections in the process have stopped, at which point a subsequent MQCONNX can provide a new value for FipsRequired.

If cryptographic hardware is configured, the cryptographic modules used are those provided by the hardware product, which may or may not be FIPS-certified to a particular level, depending on the hardware product in use.

If the MQSSLFIPS environment variable and the FipsRequired field are both set but with inconsistent values, the FipsRequired value takes precedence.

If FIPS-only cryptography is specified in this way but the platform is not a FIPS-certified platform, all SSL connections fail with MQRC_SSL_INITIALIZATION_ERROR.

If FIPS-only cryptography is specified in this way and a non-FIPS CipherSpec is specified for a connection, the connection fails with MQRC_SSL_INITIALIZATION_ERROR.
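As an added example (not code from the original page or from IBM's own documentation), the following client uses the WebSphere MQ classes for Java, which expose the FipsRequired setting as MQEnvironment.sslFipsRequired, to require FIPS-only cryptography on connect and to distinguish the MQRC_SSL_INITIALIZATION_ERROR failure described above from other connection errors. The queue manager name, host, port, channel name and CipherSuite are assumptions; whether the chosen CipherSuite maps to a FIPS-certified CipherSpec must be checked against the CipherSpec table for the MQ version in use.

```java
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.CMQC;

/**
 * Connect to a queue manager over an SSL/TLS client channel with FIPS-only
 * cryptography required, and report the documented failure reason if the
 * platform or the CipherSpec is not FIPS-certified.
 */
public class FipsOnlyClient {

    // Assumed connection details; substitute your own.
    private static final String QMGR_NAME = "QM1";
    private static final String HOST      = "mq.example.com";
    private static final int    PORT      = 1414;
    private static final String CHANNEL   = "TLS.SVRCONN";
    // Assumed CipherSuite; the CipherSpec it maps to must be FIPS-certified
    // for the MQ version in use (check the CipherSpec table).
    private static final String CIPHER_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA256";

    public static void main(String[] args) {
        MQEnvironment.hostname = HOST;
        MQEnvironment.port = PORT;
        MQEnvironment.channel = CHANNEL;
        MQEnvironment.sslCipherSuite = CIPHER_SUITE;

        // Java counterpart of FipsRequired = MQSSL_FIPS_YES in the MQSCO
        // passed to MQCONNX: only FIPS-certified cryptography may be used
        // for this process's SSL/TLS connections.
        MQEnvironment.sslFipsRequired = true;

        MQQueueManager qmgr = null;
        try {
            qmgr = new MQQueueManager(QMGR_NAME);
            System.out.println("Connected to " + QMGR_NAME + " using FIPS-only cryptography");
        } catch (MQException e) {
            if (e.reasonCode == CMQC.MQRC_SSL_INITIALIZATION_ERROR) {
                // Returned when FIPS-only is required but either the platform
                // is not FIPS-certified or the CipherSpec is not FIPS-certified.
                System.err.println("SSL/TLS initialization failed (MQRC_SSL_INITIALIZATION_ERROR, "
                        + e.reasonCode + "): check that the platform is FIPS-certified "
                        + "and that " + CIPHER_SUITE + " is a FIPS-certified CipherSpec");
            } else {
                System.err.println("Connection failed: completion code " + e.completionCode
                        + ", reason code " + e.reasonCode);
            }
        } finally {
            if (qmgr != null) {
                try {
                    qmgr.disconnect();
                } catch (MQException ignored) {
                    // Nothing useful to do on disconnect failure here.
                }
            }
        }
    }
}
```

Because the FIPS setting is process-wide, set MQEnvironment.sslFipsRequired before the first SSL/TLS connection is made; changing it while other SSL connections in the same process are still active has no effect until they have all stopped.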

For full details of MQSSLFIPS, see MQSSLFIPS.
