MCA interception example for AMS

An example task that shows how to set up AMS MCA interception and verify that it is working.

Before you begin

Attention: You must complete client authentication and encryption on the selected channels, for example, by using SSL and SSLPEER or CHLAUTH TYPE(SSLPEERMAP), to ensure that only authorized clients can connect and use this capability.

If your enterprise uses IBM® i, and you selected a commercial Certificate Authority (CA) to sign your certificate, the Digital Certificate Manager creates a certificate request in PEM (Privacy-Enhanced Mail) format. You must forward the request to your chosen CA.

About this task

This task takes you through the process of setting up your system to use MCA interception, then verifying the setup.

Note: Prior to IBM WebSphere® MQ 7.5, AMS was an add-on product that needed to be separately installed, and interceptors had to be configured to protect applications. From IBM WebSphere MQ 7.5, the interceptors are automatically included and dynamically enabled in the MQ client and server runtime environments. In this MCA interception example, the interceptors are provided at the server end of the channel, and an older client runtime is used (in Step 12) to put unprotected messages across the channel so that they can be seen to be protected by the MCA interceptors. If this example had used an IBM WebSphere MQ 7.5 or later client, the message would be protected twice, because the MQ client runtime interceptor and the MCA interceptor would both protect the message as it comes into MQ.
Attention: Replace userID in the code with your user ID.

Procedure

  1. Create the key databases and certificates. Put the following commands in a shell script and run it, or run the commands directly.
    Change INSTLOC and KEYSTORELOC to match your installation and the keystore location you want to use. Note that you might not need to create the certificate for bob.
    # Installation path and keystore directory: adjust both for your system
    INSTLOC=/opt/mq90
    KEYSTORELOC=/home/testusr/ssl/ams1
    mkdir -p $KEYSTORELOC
    chmod -R 777 $KEYSTORELOC
    chown -R mqm:mqm $KEYSTORELOC
    # Make the GSKit tools and libraries available in this shell
    export PATH=$PATH:$INSTLOC/gskit8/bin
    echo "PATH = $PATH"
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$INSTLOC/gskit8/lib64
    
    # Create one CMS key database per user, with a stash file for the password
    gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -stash
    gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -stash
    # Create a self-signed certificate in each database and make it the default
    gsk8capicmd_64 -cert -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd \
        -label alice_cert -dn "cn=alice,O=IBM,c=IN" -default_cert yes
    gsk8capicmd_64 -cert -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd \
        -label bob_cert -dn "cn=bob,O=IBM,c=IN" -default_cert yes
    
  2. Share the certificates between the two key databases so that each user can successfully identify the other.

    It is important that you use the method described in Task 5. Sharing Certificates in the Quick Start Guide (Windows or AIX® and Linux®).

  3. Create keystore.conf in /home/userID/ssl/ams1/ with the following configuration:
    cms.keystore = /home/userID/ssl/ams1/alicekey
    cms.certificate.channel.SYSTEM.DEF.SVRCONN = alice_cert
    
  4. Create and start the queue manager AMSQMGR1.
  5. Define a listener on port 14567 with CONTROL(QMGR).
  6. Disable channel authentication, or set channel authentication rules.
    See SET CHLAUTH for more information.
  7. Stop the queue manager.
  8. Set the keystore:
    export MQS_KEYSTORE_CONF=/home/userID/ssl/ams1/keystore.conf
    
  9. Start the queue manager on the same shell.
  10. Set the security policy and verify:
    setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" \
        -r "CN=alice,O=IBM,C=IN"
    dspmqspl -m AMSQMGR1
    
    See setmqspl and dspmqspl for more information.
  11. Set the channel configuration:
    export MQSERVER='SYSTEM.DEF.SVRCONN/TCP/127.0.0.1(14567)'
    
  12. Run amqsputc from an MQ client that does not automatically enable an MCA interceptor, for example, an IBM WebSphere MQ 7.1 or earlier client. Put two messages by using the following command:
    /opt/mqm/samp/bin/amqsputc TESTQ TESTQMGR
    
  13. Remove the security policy and verify the result:
    setmqspl -m AMSQMGR1 -p TESTQ -remove
    dspmqspl -m AMSQMGR1
    
  14. Browse the queue from your IBM MQ 9.0 installation:
    /opt/mq90/samp/bin/amqsbcg TESTQ AMSQMGR1
    
    The browse output shows the messages in encrypted format.
  15. Set the security policy and verify the result:
    setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" \
        -r "CN=alice,O=IBM,C=IN"
    dspmqspl -m AMSQMGR1
    
  16. Run amqsgetc from your IBM MQ 9.0 installation:
    /opt/mqm/samp/bin/amqsgetc TESTQ TESTQMGR
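The two places where this procedure most often goes wrong are steps 7 to 9 (the queue manager is started in a shell where MQS_KEYSTORE_CONF was never exported, so no keystore is loaded and nothing is intercepted) and step 10 (the policy is set with a different queue name or algorithm than expected). The following pre-flight script is an added example, not IBM's code and not part of the original task. It assumes that keystore.conf uses the "key = value" lines shown in step 3, that the -stash option leaves the stash file beside the key database as <name>.sth, and that "dspmqspl -m <qmgr> -export" prints one setmqspl command per policy; the sample policy text used to exercise it is constructed in that shape.

```shell
#!/bin/sh
# Added example, not IBM's code: pre-flight checks for the MCA interception
# setup described above. Source or run it in the shell that will start the
# queue manager, after step 8 (export MQS_KEYSTORE_CONF=...) and before step 9.
#
# Assumptions, not taken from the page: keystore.conf holds "key = value"
# lines as in step 3; "-stash" leaves the stash file beside the key database as
# <name>.sth; "dspmqspl -m <qmgr> -export" prints one setmqspl command per
# policy (any sample policy text used with policy_matches is constructed).

# Print the value of one key from a keystore.conf ("key = value" lines).
conf_value() {
    conf=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check that a keystore.conf is usable for the given channel:
#   cms.keystore names a key database whose .kdb and .sth files both exist, and
#   a cms.certificate.channel.<channel> entry names the certificate label.
# Returns 0 when all checks pass, 1 (with a reason) on the first failure.
check_keystore_conf() {
    conf=$1
    channel=$2
    [ -r "$conf" ] || { echo "FAIL: $conf is not readable"; return 1; }
    ks=$(conf_value "$conf" cms.keystore)
    [ -n "$ks" ] || { echo "FAIL: no cms.keystore entry in $conf"; return 1; }
    ks=${ks%.kdb}   # the page gives the path without the suffix; accept both
    [ -f "$ks.kdb" ] || { echo "FAIL: key database $ks.kdb not found"; return 1; }
    [ -f "$ks.sth" ] || { echo "FAIL: stash file $ks.sth not found (create the database with -stash)"; return 1; }
    label=$(conf_value "$conf" "cms.certificate.channel.$channel")
    [ -n "$label" ] || { echo "FAIL: no cms.certificate.channel.$channel entry in $conf"; return 1; }
    echo "OK: $conf -> $ks.kdb, channel $channel signs with label $label"
    return 0
}

# Check the current shell: the queue manager only picks up the keystore if
# MQS_KEYSTORE_CONF is exported in the shell that runs strmqm.
check_env() {
    if [ -z "$MQS_KEYSTORE_CONF" ]; then
        echo "FAIL: MQS_KEYSTORE_CONF is not set in this shell; strmqm here would start without the AMS keystore"
        return 1
    fi
    check_keystore_conf "$MQS_KEYSTORE_CONF" "${1:-SYSTEM.DEF.SVRCONN}"
}

# Check that an exported policy list contains the expected policy for a queue.
#   $1 = file holding "dspmqspl -m <qmgr> -export" output
#   $2 = queue name, $3 = signing algorithm, $4 = encryption algorithm
policy_matches() {
    line=$(grep -E "^setmqspl .* -p $2( |$)" "$1") || return 1
    printf '%s\n' "$line" | grep -Eq -- " -s $3( |$)" || return 1
    printf '%s\n' "$line" | grep -Eq -- " -e $4( |$)" || return 1
    return 0
}

# Usage in the real setup (assumed invocation, not on the page):
#   after step 8:  check_env SYSTEM.DEF.SVRCONN
#   after step 10: dspmqspl -m AMSQMGR1 -export > /tmp/ams-policies.txt &&
#                  policy_matches /tmp/ams-policies.txt TESTQ SHA256 AES256
if [ -n "$MQS_KEYSTORE_CONF" ]; then
    check_env SYSTEM.DEF.SVRCONN
fi
```

Run check_env in the same shell immediately before strmqm in step 9; if it reports that MQS_KEYSTORE_CONF is unset, the export from step 8 was done in a different shell and the queue manager would come up without the keystore. After step 10, export the policies and pass the file to policy_matches to confirm that TESTQ carries the SHA256/AES256 policy before putting any messages. Because the stash file holds the key database password, anything beyond this test setup should keep the keystore directory readable by the mqm user only rather than the mode 777 used for convenience in step 1.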