Creating security policies in AMS
Security policies define the way in which a message is protected when the message is put, or how a message must have been protected when a message is received.
Before you begin
- The queue manager must be running.
- The name of a security policy must follow Rules for naming IBM® MQ objects.
- You must have the necessary authority to connect to the queue manager and create a security policy:
  - On z/OS®, grant the authorities documented in The message security policy utility (CSQ0UTIL).
  - On platforms other than z/OS, grant the necessary +connect, +inq and +chg authorities using the setmqaut command.
- On z/OS, ensure the required system objects have been defined according to the definitions in CSQ4INSM.
Example
Here is an example of creating a policy on the queue manager QMGR. The policy specifies that messages be signed using the SHA256 algorithm and encrypted using the AES256 algorithm for certificates with DN: CN=joe,O=IBM,C=US and DN: CN=jane,O=IBM,C=US. This policy is attached to MY.QUEUE:
setmqspl -m QMGR -p MY.QUEUE -s SHA256 -e AES256 -r CN=joe,O=IBM,C=US -r CN=jane,O=IBM,C=US
Here is an example of creating a policy on the queue manager QMGR. The policy specifies that messages be encrypted using the 3DES algorithm for certificates with DNs: CN=john,O=IBM,C=US and CN=jeff,O=IBM,C=US, and signed with the SHA256 algorithm for the certificate with DN: CN=phil,O=IBM,C=US:
setmqspl -m QMGR -p MY.OTHER.QUEUE -s SHA256 -e 3DES -r CN=john,O=IBM,C=US -r CN=jeff,O=IBM,C=US -a CN=phil,O=IBM,C=US
Note:
- The quality of protection being used for the message put and get must match. If the policy quality of protection that is defined for the message is weaker than that defined for a queue, the message is sent to the error handling queue. This policy is valid for both local and remote queues.
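Added example, not part of the IBM documentation: a POSIX shell helper that checks a policy request against an algorithm allowlist and the rule that encryption needs at least one recipient DN, then prints the setmqspl command line to run. The allowlists (which deliberately leave out 3DES and older hashes), the '|' separator for DN lists and the function name ams_policy_cmd are assumptions of this example, not part of setmqspl.

```shell
#!/bin/sh
# Added example, not IBM's code. Builds a setmqspl command line after checking
# the request, so a policy that can never be satisfied is caught before it is set.
# The allowlists below are an assumption for this example; adjust to local policy.
SIGN_ALGS="NONE SHA256 SHA384 SHA512"
ENC_ALGS="NONE AES128 AES256"

# in_list VALUE "WORD WORD ..." -> returns 0 if VALUE is one of the words
in_list() {
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# ams_policy_cmd QMGR QUEUE SIGN_ALG ENC_ALG "RECIPIENT_DNS" ["AUTHOR_DNS"]
# DN lists are '|'-separated because DNs themselves contain commas.
# Prints the setmqspl command on success; prints a reason and returns 1 otherwise.
ams_policy_cmd() {
    qm=$1; queue=$2; sign=$3; enc=$4; recips=$5; authors=$6
    in_list "$sign" "$SIGN_ALGS" || { echo "signing algorithm not allowed: $sign" >&2; return 1; }
    in_list "$enc" "$ENC_ALGS"   || { echo "encryption algorithm not allowed: $enc" >&2; return 1; }
    # An encrypted message is only readable by the listed recipient certificates,
    # so encryption with no -r DN would produce messages nobody can get.
    if [ "$enc" != "NONE" ] && [ -z "$recips" ]; then
        echo "encryption ($enc) requires at least one recipient DN (-r)" >&2
        return 1
    fi
    cmd="setmqspl -m $qm -p $queue -s $sign -e $enc"
    oldifs=$IFS; IFS='|'
    for dn in $recips; do cmd="$cmd -r $dn"; done   # recipients (may decrypt)
    for dn in $authors; do cmd="$cmd -a $dn"; done  # authorised signers
    IFS=$oldifs
    echo "$cmd"
}

# Reproduces the first policy from the examples above:
ams_policy_cmd QMGR MY.QUEUE SHA256 AES256 "CN=joe,O=IBM,C=US|CN=jane,O=IBM,C=US"
```

Run the printed line as a user holding +connect, +inq and +chg on the queue manager, or pipe it to sh once you are satisfied with the output.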