
 

FipsRequired (MQLONG)

This field specifies that only FIPS-certified algorithms are to be used when the cryptography is carried out in WebSphere MQ-provided software. If WebSphere MQ is configured with cryptographic hardware, the cryptographic modules used are those provided by the hardware product, and these might or might not be FIPS-certified to a particular level, depending on the cryptographic hardware product in use.

When WebSphere MQ is installed, an implementation of SSL cryptography is also installed, which provides some FIPS-certified modules. The values can be:

MQSSL_FIPS_NO

This is the default value. When set to this value:

  • Any CipherSpec supported on a particular platform can be used.

  • When running without cryptographic hardware, the following CipherSpecs run using FIPS 140-2 certified cryptography on the WebSphere MQ V6.0 platforms:

    • TLS_RSA_WITH_DES_CBC_SHA

    • TLS_RSA_WITH_3DES_EDE_CBC_SHA

    • FIPS_WITH_DES_CBC_SHA

    • FIPS_WITH_3DES_EDE_CBC_SHA

    • TLS_RSA_WITH_AES_128_CBC_SHA

    • TLS_RSA_WITH_AES_256_CBC_SHA

MQSSL_FIPS_YES

When set to this value, unless you are using cryptographic hardware to perform the cryptography, the following is guaranteed:

  • Only FIPS-certified cryptographic algorithms can be used in the CipherSpecs allowed on all SSL connections from, and to, this queue manager.

  • Inbound and outbound SSL channel connections only succeed if one of the following CipherSpecs is used:

    • TLS_RSA_WITH_DES_CBC_SHA

    • TLS_RSA_WITH_3DES_EDE_CBC_SHA

    • FIPS_WITH_DES_CBC_SHA

    • FIPS_WITH_3DES_EDE_CBC_SHA

    • TLS_RSA_WITH_AES_128_CBC_SHA

    • TLS_RSA_WITH_AES_256_CBC_SHA
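
A pre-change check for the restriction above, as an added example that is not IBM's code: it reads channel definitions in the layout printed by runmqsc `DISPLAY CHANNEL(*) SSLCIPH` and reports which SSL channels would stop connecting under MQSSL_FIPS_YES. It assumes cryptography is done in MQ-provided software; the sample output, channel names, and verdict labels are constructed for illustration.

```python
import re

# CipherSpecs the page lists as the only ones that succeed under MQSSL_FIPS_YES.
FIPS_CIPHERSPECS = {
    "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "FIPS_WITH_DES_CBC_SHA", "FIPS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
}
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # MQSC prints attributes as NAME(VALUE)

# Constructed sample in the layout of runmqsc "DISPLAY CHANNEL(*) SSLCIPH" output.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM3)                         CHLTYPE(SDR)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(FIPS_WITH_DES_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   SSLCIPH( )
"""

def classify(cipherspec):
    """Verdict for one SSLCIPH value if FipsRequired were MQSSL_FIPS_YES."""
    if not cipherspec:
        return "no-ssl"        # not an SSL channel, so the restriction does not apply
    if cipherspec not in FIPS_CIPHERSPECS:
        return "blocked"       # SSL connection would no longer succeed
    if "_DES_CBC_" in cipherspec:
        return "fips-ok-weak"  # added note: single DES (56-bit key) is on the list
    return "fips-ok"

def audit_channels(mqsc_output):
    """Map each channel name in the MQSC output to its verdict."""
    verdicts, channel = {}, None
    for line in mqsc_output.splitlines():
        for name, value in ATTR.findall(line):
            if name == "CHANNEL":
                channel = value.strip()
                verdicts[channel] = classify("")  # until an SSLCIPH line is seen
            elif name == "SSLCIPH" and channel is not None:
                verdicts[channel] = classify(value.strip())
    return verdicts

if __name__ == "__main__":
    for channel, verdict in audit_channels(SAMPLE).items():
        print(f"{channel:20} {verdict}")
```

Channels reported as `blocked` need a CipherSpec from the list on both ends before the setting is changed.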



 
