Administering Advanced Message Security security policies
Advanced Message Security uses security policies to specify the cryptographic encryption and signature algorithms for encrypting and authenticating messages that flow through the queues.
Security policies overview for AMS
Advanced Message Security security policies are conceptual objects that describe the way a message is cryptographically encrypted and signed.
Managing security policies
A security policy is a conceptual object that describes the way a message is cryptographically encrypted and signed.
System queue protection in AMS
System queues enable communication between IBM MQ and its ancillary applications. Whenever a queue manager is created, a system queue is also created to store IBM MQ internal messages and data. You can protect system queues with Advanced Message Security so that only authorized users can access or decrypt them.
Granting OAM permissions
File permissions authorize all users to execute the setmqspl and dspmqspl commands. However, Advanced Message Security relies on the Object Authority Manager (OAM): any attempt to execute these commands by a user who does not belong to the mqm group, which is the IBM MQ administration group, or who has not been granted permission to read the security policy settings, results in an error.
Granting security permissions
When using command resource security you must set up permissions to allow Advanced Message Security to function. This topic uses RACF® commands in the examples. If your enterprise uses a different external security manager (ESM) you must use the equivalent commands for that ESM.
Setting up certificates and the keystore configuration file on IBM i
Your first task when setting up Advanced Message Security protection is to create a certificate, and associate that with your environment. The association is configured through a file held in the integrated filesystem (IFS).
Command and configuration events
With Advanced Message Security, you can generate command and configuration event messages, which can be logged and serve as a record of policy changes for auditing.