Quick Start Guide for IBM MQ AMS on UNIX platforms
Use this guide to quickly configure IBM® MQ Advanced Message Security to provide message security on UNIX platforms. By the time you complete it, you will have created a key database to verify user identities, and defined signing/encryption policies for your queue manager.
Before you begin
Ensure that the following IBM MQ components are installed:
- Runtime
- Server
- Sample programs
- IBM Global Security Kit (GSKit)
- MQ Advanced Message Security
1. Creating a queue manager and a queue
About this task
In this scenario you create a queue manager called QM_VERIFY_AMS and a local queue called TEST.Q for passing messages between applications. IBM MQ Advanced Message Security uses interceptors to sign and encrypt messages at the point they enter the IBM MQ infrastructure through the standard IBM MQ interface. The basic setup is done in IBM MQ and is configured in the following steps.
You can use IBM MQ Explorer to create the queue manager QM_VERIFY_AMS and its local queue TEST.Q by using all the default wizard settings, or you can use the commands found in <MQ_INSTALL_PATH>/bin. Remember that you must be a member of the mqm user group to run the following administrative commands.
Procedure
Results
The queue manager QM_VERIFY_AMS now exists with a local queue called TEST.Q. You can confirm that the queue is defined by entering the following MQSC command in runmqsc:
DISPLAY Q(TEST.Q)
2. Creating and authorizing users
About this task
This scenario uses two users: alice, the sender, and bob, the receiver. To use the application queue, these users must be granted authority to use it. Also, to successfully use the protection policies that we will define, these users must be granted access to some system queues. For more information about the setmqaut command, refer to setmqaut.
Procedure
Results
What to do next
You can now check that the users are able to put and get messages by running the amqsput and amqsget samples as described in section 8. Testing encryption.
3. Creating key database and certificates
About this task
To encrypt the message, the interceptor requires the private key of the sending user and the public key(s) of the recipient(s). Thus, a key database of user identities mapped to public and private keys must be created. In a real system, where users and applications are dispersed over several computers, each user would have their own private keystore. Similarly, in this guide, we create key databases for alice and bob and share the user certificates between them.
Procedure
Results
alice and bob each now have a self-signed certificate.
4. Creating keystore.conf
About this task
Create a keystore.conf file for each of alice and bob that tells IBM MQ Advanced Message Security where their key database and certificate are located. The file has the following format:
cms.keystore = <dir>/keystore_file
cms.certificate = certificate_label
Example
cms.keystore = /home/alice/.mqs/alicekey
cms.certificate = Alice_Cert
- The path to the keystore file must be provided with no file extension.
- The following keystore formats are supported: CMS (Cryptographic Message Syntax), JKS (Java Keystore) and JCEKS (Java Cryptographic Extension Keystore). For more information, refer to Structure of the keystore configuration file (keystore.conf) for AMS.
- $HOME/.mqs/keystore.conf is the default location where IBM MQ Advanced Message Security searches for the keystore.conf file. For information about how to use a non-default location for the keystore.conf, see Using keystores and certificates.
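The following script is an added example, not part of the IBM guide: it renders a keystore.conf in the two-line format shown above, parses one back, and checks the rules the guide states (the keystore path carries no file extension, the key prefix names one of the CMS, JKS or JCEKS keystore types, and the default file location is $HOME/.mqs/keystore.conf). The function names and the 0600 file mode used when writing the file are this example's own choices.

```python
"""Render, parse and validate an AMS keystore.conf for one user (added example)."""
import os
import re
from pathlib import Path

# Keystore types named in the guide; the key prefix in keystore.conf selects the type.
KEYSTORE_TYPES = {"cms", "jks", "jceks"}
# Matches lines of the form "prefix.field = value".
LINE_RE = re.compile(r"^\s*(?P<prefix>\w+)\.(?P<field>\w+)\s*=\s*(?P<value>.*?)\s*$")


def render_keystore_conf(keystore_type: str, keystore_path: str, cert_label: str) -> str:
    """Build the file content, e.g. the alice example from the guide."""
    if keystore_type not in KEYSTORE_TYPES:
        raise ValueError(f"unsupported keystore type: {keystore_type}")
    return f"{keystore_type}.keystore = {keystore_path}\n{keystore_type}.certificate = {cert_label}\n"


def parse_keystore_conf(text: str) -> dict:
    """Parse 'prefix.field = value' lines into {'cms': {'keystore': ..., 'certificate': ...}}."""
    parsed: dict = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no settings
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: not a 'prefix.field = value' entry: {raw!r}")
        parsed.setdefault(m["prefix"], {})[m["field"]] = m["value"]
    return parsed


def validate_keystore_conf(text: str) -> list:
    """Return a list of problems; an empty list means every check passed."""
    try:
        conf = parse_keystore_conf(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not conf:
        problems.append("no keystore entries found")
    for prefix, fields in conf.items():
        if prefix not in KEYSTORE_TYPES:
            problems.append(f"{prefix}: unknown keystore type (expected one of {sorted(KEYSTORE_TYPES)})")
            continue
        path = fields.get("keystore", "")
        label = fields.get("certificate", "")
        if not path:
            problems.append(f"{prefix}.keystore: missing")
        elif Path(path).suffix:
            # The guide requires the path without its extension, e.g. .../alicekey rather than .../alicekey.kdb
            problems.append(f"{prefix}.keystore: path must have no file extension (got {path!r})")
        if not label:
            problems.append(f"{prefix}.certificate: missing")
    return problems


def default_keystore_conf_path(home: str) -> str:
    """Where AMS looks for the file by default: $HOME/.mqs/keystore.conf."""
    return os.path.join(home, ".mqs", "keystore.conf")


def write_keystore_conf(home: str, keystore_type: str, keystore_path: str, cert_label: str) -> str:
    """Validate, then write the file to the default location, readable by its owner only."""
    text = render_keystore_conf(keystore_type, keystore_path, cert_label)
    problems = validate_keystore_conf(text)
    if problems:
        raise ValueError("; ".join(problems))
    target = default_keystore_conf_path(home)
    os.makedirs(os.path.dirname(target), mode=0o700, exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(target, 0o600)  # example's own choice: keep the file private to the user
    return target


if __name__ == "__main__":
    sample = render_keystore_conf("cms", "/home/alice/.mqs/alicekey", "Alice_Cert")
    print(sample, validate_keystore_conf(sample))
```

Run it against a candidate file before starting the interceptor: a path ending in .kdb is the most common mistake, and the validator reports it instead of letting AMS fail to open the keystore at run time.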
5. Sharing Certificates
About this task
Procedure
Results
alice and bob are now able to successfully identify each other, having created and shared self-signed certificates.
What to do next
To verify that each user's certificate is present in the other user's key database, run the following commands:
runmqakm -cert -details -db /home/bob/.mqs/bobkey.kdb -pw passw0rd -label Alice_Cert
runmqakm -cert -details -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label Bob_Cert
6. Defining queue policy
About this task
Now define the security policies for the queues on QM_VERIFY_AMS using the setmqspl command. Refer to setmqspl for more information on this command. Each policy name must be the same as the queue name it is to be applied to.
Example
The following command defines the policy for the TEST.Q queue. In this example, messages are signed by the user alice using the SHA1 algorithm, and encrypted using the 256-bit AES algorithm. alice is the only valid sender and bob is the only receiver of the messages on this queue:
setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB"
What to do next
To display the policies defined for the queue manager, run:
dspmqspl -m QM_VERIFY_AMS
To print the policy details as a set of setmqspl commands, use the -export flag. This allows storing already defined policies:
dspmqspl -m QM_VERIFY_AMS -export >restore_my_policies.bat
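The following script is an added example, not from the IBM guide: it parses the setmqspl command lines that dspmqspl -export prints, and audits them against the list of queues defined on the queue manager, so that a queue with no policy (and therefore no signing or encryption) or a policy whose name does not match any queue is reported. The weak-algorithm lists are this example's own choice rather than an IBM statement; the sample export text is constructed from the guide's own setmqspl line, and the function names are assumptions.

```python
"""Audit AMS policies exported with 'dspmqspl -m <QMGR> -export' (added example)."""
import shlex

# Algorithm lists are this example's own policy, not IBM's; the guide's example uses SHA1.
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}
WEAK_CIPHERS = {"NONE", "RC2", "DES", "3DES"}

# Constructed sample: the export of the single policy defined in the guide.
SAMPLE_EXPORT = (
    'setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" '
    '-e AES256 -r "CN=bob,O=IBM,C=GB"\n'
)


def parse_setmqspl(line: str) -> dict:
    """Turn one 'setmqspl -m QM -p Q -s DIGEST -a DN -e CIPHER -r DN' line into a dict.
    -a and -r may repeat (several authorised senders or recipients); flags this parser
    does not know are kept under 'other' rather than rejected."""
    argv = shlex.split(line)
    if not argv or argv[0] != "setmqspl":
        raise ValueError(f"not a setmqspl command: {line!r}")
    policy = {"qmgr": None, "policy": None, "digest": None, "cipher": None,
              "senders": [], "recipients": [], "other": {}}
    scalar_flags = {"-m": "qmgr", "-p": "policy", "-s": "digest", "-e": "cipher"}
    list_flags = {"-a": "senders", "-r": "recipients"}
    i = 1
    while i < len(argv):
        flag = argv[i]
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        value = argv[i + 1] if has_value else None
        if flag in scalar_flags or flag in list_flags:
            if value is None:
                raise ValueError(f"flag {flag} has no value in {line!r}")
            if flag in scalar_flags:
                policy[scalar_flags[flag]] = value
            else:
                policy[list_flags[flag]].append(value)
        else:
            policy["other"][flag] = value if has_value else True
        i += 2 if has_value else 1
    return policy


def audit_policy(policy: dict) -> list:
    """Findings for one policy; an empty list means nothing to report."""
    findings = []
    digest = (policy["digest"] or "NONE").upper()
    cipher = (policy["cipher"] or "NONE").upper()
    if digest in WEAK_DIGESTS:
        findings.append(f"digest {digest} is in the weak list; prefer SHA256 or stronger")
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher} is in the weak list; prefer AES128 or AES256")
    if cipher != "NONE" and not policy["recipients"]:
        findings.append("encryption is set but no -r recipient DN is listed")
    if digest != "NONE" and not policy["senders"]:
        findings.append("signing is set but no -a sender DN is listed, so senders are not restricted to named DNs")
    return findings


def audit_export(export_text: str, defined_queues) -> dict:
    """Audit a whole export against the queues on the queue manager.
    Returns {name: [findings]} with one entry per policy and one per unprotected queue."""
    report = {}
    seen = set()
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line.startswith("setmqspl"):
            continue  # blank lines or anything else the export may contain
        policy = parse_setmqspl(line)
        name = policy["policy"]
        findings = audit_policy(policy)
        if name not in defined_queues:
            findings.append(f"no queue named {name!r} is defined; policy names must equal the queue name")
        seen.add(name)
        report[name] = findings
    for queue in sorted(set(defined_queues) - seen):
        report[queue] = ["no policy defined: messages on this queue are neither signed nor encrypted"]
    return report


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT, {"TEST.Q", "OTHER.Q"}).items():
        print(name, findings or "ok")
```

In practice, feed it the file written by dspmqspl -export and the queue names from a DISPLAY QUEUE(*) listing; the report then doubles as an inventory of which queues on the queue manager carry no AMS protection at all.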
7. Testing the setup
About this task
Procedure
Results
alice's message is displayed when bob runs the getting application.
8. Testing encryption
About this task
To verify that messages on the queue are stored encrypted, define an alias queue that resolves to TEST.Q. This alias queue will have no security policy, so no user will have the information to decrypt the message and therefore the encrypted data will be shown.
Procedure
Results
The amqsbcg application shows the encrypted data that is on the queue, proving that the message has been encrypted.