FipsRequired (MQLONG)

IBM MQ can be configured with cryptographic hardware so that the cryptography modules used are those provided by the hardware product; these can be FIPS-certified to a particular level depending on the cryptographic hardware product in use. Use this field to specify that only FIPS-certified algorithms are used if the cryptography is provided in IBM MQ-provided software.

When IBM MQ is installed, an implementation of TLS cryptography is also installed, which provides some FIPS-certified modules.

The values can be:

    MQSSL_FIPS_NO
    This is the default value. When set to this value:

    • Any CipherSpec supported on a particular platform can be used.
    • If run without use of cryptographic hardware, the CipherSpecs run using FIPS 140-2 certified cryptography on the IBM MQ platforms.

      For a list of FIPS-certified CipherSpecs, see the table described in Enable CipherSpecs.

    MQSSL_FIPS_YES
    When set to this value, unless cryptographic hardware is used to perform the cryptography, the following applies:

    • Only FIPS-certified cryptographic algorithms can be used in the CipherSpec applying to this client connection.
    • Inbound and outbound TLS channel connections succeed only if certain CipherSpecs are used.

      See Enable CipherSpecs for more information.

Note: Where possible, if FIPS-only CipherSpecs are configured then the MQI client rejects connections which specify a non-FIPS CipherSpec with MQRC_SSL_INITIALIZATION_ERROR. IBM MQ does not guarantee to reject all such connections and it is your responsibility to determine whether the IBM MQ configuration is FIPS-compliant.
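
Because the note above leaves the compliance check to you, a client can refuse to connect unless its configured CipherSpec is on an allowlist you maintain from the Enable CipherSpecs table. The following C code is an added example, not IBM MQ code: the function names, the 32-character blank-padded field width and the sample allowlist entries are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: the CipherSpec is held in a 32-character, blank-padded field. */
#define CIPHERSPEC_LEN 32

/* Constructed sample allowlist, not an authoritative FIPS list: replace it with
   the FIPS-certified entries from the Enable CipherSpecs table for your version. */
static const char *const SAMPLE_ALLOWLIST[] = {
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
};
#define SAMPLE_ALLOWLIST_COUNT \
    (sizeof SAMPLE_ALLOWLIST / sizeof SAMPLE_ALLOWLIST[0])

/* Length of a fixed-width field, ignoring a NUL terminator and trailing blanks. */
static size_t field_len(const char *field, size_t width)
{
    size_t n = 0;
    while (n < width && field[n] != '\0')
        n++;
    while (n > 0 && field[n - 1] == ' ')
        n--;
    return n;
}

/* Returns 1 only if the field exactly matches one allowlist entry.
   An empty field (no CipherSpec configured) is always refused, and a
   prefix of an allowed name does not count as a match. */
int cipherspec_allowed(const char *field, size_t width,
                       const char *const *allow, size_t count)
{
    size_t len = field_len(field, width);
    if (len == 0)
        return 0;
    for (size_t i = 0; i < count; i++) {
        if (strlen(allow[i]) == len && memcmp(allow[i], field, len) == 0)
            return 1;
    }
    return 0;
}

/* Hypothetical preflight helper: check a field against the sample allowlist. */
int sample_preflight(const char *field)
{
    return cipherspec_allowed(field, CIPHERSPEC_LEN,
                              SAMPLE_ALLOWLIST, SAMPLE_ALLOWLIST_COUNT);
}
```

Run the check before connecting and treat a return value of 0 as a configuration error, so that a non-FIPS CipherSpec is caught even in cases where the client does not reject it.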