Quick Start Guide for IBM MQ AMS with Java clients
Use this guide to quickly configure IBM® MQ Advanced Message Security to provide message security for Java applications connecting using client bindings. By the time you complete it, you will have created a keystore to verify user identities, and defined signing/encryption policies for your queue manager.
Before you begin
1. Creating a queue manager and a queue
About this task
In this scenario, the queue manager QM_VERIFY_AMS and the queue TEST.Q are created for passing messages between applications. IBM MQ Advanced Message Security uses interceptors to sign and encrypt messages at the point they enter the IBM MQ infrastructure through the standard IBM MQ interface. The basic setup is done in IBM MQ and is configured in the following steps.
Procedure
Results
Verify that the queue TEST.Q exists by issuing the following MQSC command:
DISPLAY Q(TEST.Q)
2. Creating and authorizing users
About this task
Two users appear in this scenario: alice, the sender, and bob, the receiver. To use the application queue, these users need to be granted authority to use it. Also, to successfully use the protection policies defined in this scenario, these users must be granted access to some system queues. For more information about the setmqaut command, refer to setmqaut.
Procedure
Results
What to do next
You can verify the users and their authorities by running the JmsProducer and JmsConsumer samples as described in section 7. Testing the setup.
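The grants that section 2 describes, written out as a script. This is an added example and not the procedure from the IBM documentation; it assumes the queue manager QM_VERIFY_AMS, the queue TEST.Q and the users alice and bob from this guide, and it applies least privilege on the application queue (put for the sender, get for the receiver). The two SYSTEM.PROTECTION.* queues are the system queues AMS uses for policy lookup and for messages that fail a policy check; check the setmqaut documentation for AMS for the exact authorities your release requires. Setting DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# ams-grant.sh: grant the IBM MQ authorities the AMS quick start needs for a
# sending user and a receiving user. Added example, not the IBM procedure.
#
# Usage:   sh ams-grant.sh QM_VERIFY_AMS TEST.Q alice bob
# Preview: DRY_RUN=1 sh ams-grant.sh QM_VERIFY_AMS TEST.Q alice bob

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# grant_ams_authorities QMGR QUEUE SENDER RECEIVER
grant_ams_authorities() {
  qmgr=$1; queue=$2; sender=$3; receiver=$4

  # Both users connect to the queue manager and inquire on it.
  run setmqaut -m "$qmgr" -t qmgr -p "$sender" -p "$receiver" +connect +inq

  # Least privilege on the application queue: the sender can only put,
  # the receiver can only get.
  run setmqaut -m "$qmgr" -t queue -n "$queue" -p "$sender" +put
  run setmqaut -m "$qmgr" -t queue -n "$queue" -p "$receiver" +get

  # The AMS interceptor, running under the user's identity, reads policies
  # from the policy queue and puts messages that fail a policy check on the
  # error queue, so both users need these two grants.
  run setmqaut -m "$qmgr" -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p "$sender" -p "$receiver" +browse
  run setmqaut -m "$qmgr" -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p "$sender" -p "$receiver" +put
}

# show_ams_authorities QMGR QUEUE USER: display what USER now holds on the
# queue manager and on the application queue, for review.
show_ams_authorities() {
  run dspmqaut -m "$1" -t qmgr -p "$3"
  run dspmqaut -m "$1" -t queue -n "$2" -p "$3"
}

if [ "$#" -eq 4 ]; then
  grant_ams_authorities "$@"
  show_ams_authorities "$1" "$2" "$3"
  show_ams_authorities "$1" "$2" "$4"
fi
```

Review the dspmqaut output before testing: alice should hold put but not get on TEST.Q, and bob the reverse.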
3. Creating key database and certificates
About this task
In this scenario, you create a keystore and a self-signed certificate for each of the users alice and bob and share the user certificates between them.
Note: In this guide, we use sample applications written in Java connecting using client bindings. If you plan to use Java applications using local bindings or C applications, you must create a CMS keystore and certificates using the runmqakm command. This is shown in the Quick Start Guide (Windows or UNIX).
Procedure
Results
alice and bob each now have a self-signed certificate.
4. Creating keystore.conf
About this task
A keystore.conf file, which tells the AMS Java interceptor which keystore and certificate to use, is created for each of alice and bob.
Example
For this scenario, the contents of the keystore.conf for alice are as follows:
JKS.keystore = keystore-dir/keystore
JKS.certificate = Alice_Java_Cert
JKS.encrypted = no
JKS.keystore_pass = passw0rd
JKS.key_pass = passw0rd
JKS.provider = IBMJCE
For this scenario, the contents of the keystore.conf for bob
are as follows:
JKS.keystore = keystore-dir/keystore
JKS.certificate = Bob_Java_Cert
JKS.encrypted = no
JKS.keystore_pass = passw0rd
JKS.key_pass = passw0rd
JKS.provider = IBMJCE
Note:
- The path to the keystore file must be provided with no file extension.
- If you already have a keystore.conf file because you have followed the instructions in the Quick Start Guide (Windows or UNIX), you can edit the existing file to add these lines.
- With JKS.encrypted = no, the keystore and key passwords are stored in clear text, so restrict read access to keystore.conf to the user who runs the application.
- For more information, see Structure of the keystore configuration file (keystore.conf) for AMS.
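A check for the keystore.conf file before using it, added here as an example rather than taken from the IBM documentation. It enforces the rule above that JKS.keystore carries no extension, confirms that the .jks file the path refers to exists (the guide configures keystore-dir/keystore and lists keystore-dir/keystore.jks with keytool), confirms the keys shown above are present, and, because JKS.encrypted = no leaves the passwords in clear text, refuses a file that other users can read. The script and function names are this example's own.

```sh
#!/bin/sh
# check-keystore-conf.sh: sanity-check an AMS keystore.conf for a Java client.
# Added example, not from the IBM MQ documentation. File and function names
# are this example's own.
#
# Usage: sh check-keystore-conf.sh alice-keystore-dir/keystore.conf

# conf_value FILE KEY: print the value of the "KEY = value" line (first match).
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_keystore_conf FILE: print one line per finding; return 0 only when
# the file passes every check.
check_keystore_conf() {
  conf=$1
  rc=0

  if [ ! -f "$conf" ]; then
    echo "no such file: $conf"
    return 1
  fi

  # Every key the guide's keystore.conf uses must be present.
  for key in JKS.keystore JKS.certificate JKS.encrypted JKS.keystore_pass JKS.key_pass JKS.provider; do
    if [ -z "$(conf_value "$conf" "$key")" ]; then
      echo "missing key: $key"
      rc=1
    fi
  done

  ks=$(conf_value "$conf" JKS.keystore)

  # The guide requires the path without an extension ...
  case "${ks##*/}" in
    *.*) echo "JKS.keystore must not carry a file extension: $ks"; rc=1 ;;
  esac

  # ... because the file on disk is found as <path>.jks (the guide configures
  # keystore-dir/keystore and lists keystore-dir/keystore.jks with keytool).
  if [ -n "$ks" ] && [ ! -f "$ks.jks" ]; then
    echo "keystore file not found: $ks.jks"
    rc=1
  fi

  # With JKS.encrypted = no the passwords are in clear text: only the owner
  # may read the file. GNU stat first, BSD stat as fallback.
  if [ "$(conf_value "$conf" JKS.encrypted)" != "yes" ]; then
    perms=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$perms" in
      *00) ;;
      *) echo "clear-text passwords but mode is $perms; run: chmod 600 $conf"; rc=1 ;;
    esac
  fi

  [ "$rc" -eq 0 ] && echo "ok: $conf"
  return "$rc"
}

if [ "$#" -eq 1 ]; then
  check_keystore_conf "$1"
fi
```

Run it from the directory the application starts in, because a relative JKS.keystore path such as keystore-dir/keystore is resolved from there.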
5. Sharing certificates
About this task
Note: The terms extract and export are used differently by different certificate tools. For example, the IBM Global Security Kit (GSKit) strmqikm command (ikeyman) tool makes a distinction that you extract certificates (public keys) and you export private keys. This distinction is extremely important for tools that offer both options, since using export by mistake would completely compromise your application by passing on its private key. Because the distinction is so important, the IBM MQ documentation strives to use these terms consistently. However, the Java keytool provides a command line option called exportcert that extracts only the public key. For these reasons, the following procedure refers to extracting certificates by using the exportcert option.
Procedure
Results
alice and bob are now able to successfully identify each other, having created and shared self-signed certificates.
What to do next
To confirm that each user's keystore now holds the other user's certificate, list the imported entries:
keytool -list -keystore bob-keystore-dir/keystore.jks -storepass passw0rd -alias Alice_Java_Cert
keytool -list -keystore alice-keystore-dir/keystore.jks -storepass passw0rd -alias Bob_Java_Cert
6. Defining queue policy
About this task
Define the protection policies on the queue manager QM_VERIFY_AMS using the setmqspl command. Refer to setmqspl for more information on this command. Each policy name must be the same as the queue name it is to be applied to.
Example
The following command defines a policy for the TEST.Q queue under which messages are signed by the user alice using the SHA1 algorithm and encrypted using the 256-bit AES algorithm for the user bob:
setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB"
SHA1 is retained here to match the rest of this scenario; for any setup beyond a test, specify a SHA-2 digest such as SHA256 where your IBM MQ version supports it.
Note: The DNs match exactly those specified in the respective user's certificate from the key database.
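The sharing step from section 5 and the DN requirement in the note above, as an added example that is not the IBM procedure. share_cert exports only the certificate from one user's keystore with keytool -exportcert and imports it into the other user's keystore; check_policy_dn reads keytool -list -v output and compares the certificate's subject with the DN given to setmqspl. keytool prints the subject as CN=alice, O=IBM, C=GB while the policy in this guide is written CN=alice,O=IBM,C=GB; the check treats that whitespace difference as equal and reports anything else as a mismatch. Keystore paths, aliases and the password are the guide's; the .arm file name, the STOREPASS variable and the function names are assumptions of this example.

```sh
#!/bin/sh
# ams-certs.sh: share a user's certificate and verify the policy DN.
# Added example, not from the IBM MQ documentation.
#
# Usage:
#   sh ams-certs.sh share alice-keystore-dir/keystore.jks Alice_Java_Cert bob-keystore-dir/keystore.jks
#   keytool -list -v -keystore bob-keystore-dir/keystore.jks -storepass passw0rd \
#       -alias Alice_Java_Cert | sh ams-certs.sh check "CN=alice,O=IBM,C=GB"

# Keystore password from the guide; override with the STOREPASS variable.
STOREPASS=${STOREPASS:-passw0rd}

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# share_cert SRC_KEYSTORE ALIAS DST_KEYSTORE
# -exportcert writes only the certificate (public key); the private key never
# leaves SRC_KEYSTORE. -importcert -noprompt trusts it in DST_KEYSTORE under
# the same alias. The .arm file name is this example's own convention.
share_cert() {
  src=$1; cert_alias=$2; dst=$3
  armfile="$cert_alias.arm"
  run keytool -exportcert -keystore "$src" -storepass "$STOREPASS" -alias "$cert_alias" -file "$armfile"
  run keytool -importcert -noprompt -keystore "$dst" -storepass "$STOREPASS" -alias "$cert_alias" -file "$armfile"
}

# normalize_dn DN: keytool prints RDNs as "CN=alice, O=IBM, C=GB" while
# setmqspl takes "CN=alice,O=IBM,C=GB"; strip the space after each comma and
# any surrounding whitespace so the two forms compare equal. Nothing else
# (order, case) is changed.
normalize_dn() {
  printf '%s' "$1" | sed 's/,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# cert_subject_dn: read "keytool -list -v" output on stdin and print the
# Owner (subject) DN of the first certificate in it.
cert_subject_dn() { sed -n 's/^Owner: //p' | head -n 1; }

# check_policy_dn POLICY_DN: compare POLICY_DN (the -a or -r value given to
# setmqspl) with the certificate listing on stdin. Returns 0 on a match.
check_policy_dn() {
  want=$(normalize_dn "$1")
  have=$(normalize_dn "$(cert_subject_dn)")
  if [ -z "$have" ]; then
    echo "no certificate found in input"; return 1
  elif [ "$want" = "$have" ]; then
    echo "ok: $want"; return 0
  else
    echo "mismatch: policy names '$want' but certificate subject is '$have'"; return 1
  fi
}

case "${1:-}" in
  share) shift; share_cert "$@" ;;
  check) shift; check_policy_dn "$@" ;;
esac
```

Run the check once for the signer (alice's certificate in bob's keystore against the -a value) and once for the recipient (bob's certificate in alice's keystore against the -r value). Passing -storepass on the command line exposes the password to other users through the process list; outside a test setup, omit it and let keytool prompt.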
What to do next
To display the policies defined on the queue manager, run:
dspmqspl -m QM_VERIFY_AMS
To print the policy details as a set of setmqspl commands, use the -export flag. This allows you to store already defined policies so that they can be re-created later:
dspmqspl -m QM_VERIFY_AMS -export >restore_my_policies.bat
7. Testing the setup
Before you begin
Note: The version of Java supplied in the IBM MQ installation already has these policy files. It can be found in MQ_INSTALLATION_PATH/java/bin.
About this task
Procedure
Results
alice's message is displayed when bob runs the getting application.