An example task on how you set up an AMS MCA interception.
Before you begin
Attention: You must complete client authentication and encryption on the
selected channels, for example, by using SSL and SSLPEER or CHLAUTH TYPE(SSLPEERMAP), to ensure that
only authorized clients can connect and use this capability.
If your enterprise uses IBM® i, and you
selected a commercial Certificate Authority (CA) to sign your certificate, the Digital Certificate
Manager creates a certificate request in PEM (Privacy-Enhanced Mail) format. You must forward the
request to your chosen CA.
About this task
This task takes you through the process of setting up your system to use MCA interception, then
verifying the setup.
Note: Prior to IBM WebSphere® MQ 7.5, AMS was an add-on product that needed to be separately
installed and interceptors configured to protect applications. From IBM WebSphere MQ 7.5, the interceptors are automatically included and
dynamically enabled in the MQ client and server runtime environments. In this MCA interception
example, the interceptors are provided at the server end of the channel, and an older client runtime
is used (in Step 12) to put an unprotected messages across the channel so that it can be seen to be
protected by the MCA interceptors. If this example had used an IBM WebSphere MQ 7.5 or later client, it would cause the message to be
protected twice, because the MQ client runtime interceptor and the MCA interceptor would both protect the
message as it comes into MQ.
Attention: Replace userID
in the code with your user ID.
Procedure
-
Create the key database and certificates by using the following commands to create a shell script.
Also, change the
INSTLOC and
KEYSTORELOC or run the
required commands. Note that you might not need to create the certificate for
bob
.
INSTLOC=/opt/mq90
KEYSTORELOC=/home/testusr/ssl/ams1
mkdir -p $KEYSTORELOC
chmod -R 777 $KEYSTORELOC
chown -R mqm:mqm $KEYSTORELOC
export PATH=$PATH:$INSTLOC/gskit8/bin
echo "PATH = $PATH"
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$INSTLOC/gskit8/lib64
gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -stash
gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -stash
gsk8capicmd_64 -cert -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd
-label alice_cert -dn "cn=alice,O=IBM,c=IN" -default_cert yes
gsk8capicmd_64 -cert -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd
-label bob_cert -dn "cn=bob,O=IBM,c=IN" -default_cert yes
-
Share the certificates between the two key databases so that each user can successfully
identify the other.
It is important that you use the method described in Task 5. Sharing Certificates in the
Quick Start Guide (Windows or AIX® and Linux®).
-
Create keystore.conf with the following configuration:
Keystore.conf location: /home/userID/ssl/ams1/
cms.keystore = /home/userID/ssl/ams1/alicekey
cms.certificate.channel.SYSTEM.DEF.SVRCONN = alice_cert
-
Create and start queue manager
AMSQMGR1
-
Define a listener with port 14567 and control
QMGR
-
Disable channel authority or set the rules for channel authority.
-
Stop the queue manager.
-
Set the keystore:
export MQS_KEYSTORE_CONF=/home/userID/ssl/ams1/keystore.conf
-
Start the queue manager on the same shell.
-
Set the security policy and verify:
setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN"
-r "CN=alice,O=IBM,C=IN"
dspmqspl -m AMSQMGR1
See
setmqspl and
dspmqspl for more information.
-
Set the channel configuration:
export MQSERVER='SYSTEM.DEF.SVRCONN/TCP/127.0.0.1(14567)'
-
Run amqsputc from an MQ client that does not automatically enable an MCA
interceptor; for example an IBM WebSphere MQ 7.1 or earlier
client. Put the following two messages:
/opt/mqm/samp/bin/amqsputc TESTQ TESTQMGR
-
Remove the security policy and verify the result:
setmqspl -m AMSQMGR1 -p TESTQ -remove
dspmqspl -m AMSQMGR1
-
Browse the queue from your IBM MQ 9.0
installation:
/opt/mq90/samp/bin/amqsbcg TESTQ AMSQMGR1
The
browse output shows the messages in encrypted format.
-
Set the security policy and verify the result:
setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN"
-r "CN=alice,O=IBM,C=IN"
dspmqspl -m AMSQMGR1
-
Run amqsgetc from your IBM MQ 9.0
installation:
/opt/mqm/samp/bin/amqsgetc TESTQ TESTQMGR