An example task showing how to set up AMS MCA interception.
Before you begin
Attention: You must configure client authentication and encryption on the selected channels, for example by using SSL and SSLPEER or CHLAUTH TYPE(SSLPEERMAP), to ensure that only authorized clients can connect and use this capability.
If your enterprise uses IBM® i, and you
selected a commercial Certificate Authority (CA) to sign your certificate, the Digital Certificate
Manager creates a certificate request in PEM (Privacy-Enhanced Mail) format. You must forward the
request to your chosen CA.
About this task
This task takes you through the process of setting up your system to use MCA interception, then
verifying the setup.
Note: IBM MQ includes the AMS interceptors and dynamically enables them in the MQ client and server runtime environments.
Attention:
- Replace userID in the code with your user ID.
- The following procedure does not work as expected in IBM MQ unless the AMS interception is deactivated on the client.
Procedure
- Create the key database and certificates by using the following commands to create a shell script. Also, change INSTLOC and KEYSTORELOC, or run the required commands. Note that you might not need to create the certificate for bob.
INSTLOC=/opt/mqm
KEYSTORELOC=/home/userID/var/mqm
mkdir -p $KEYSTORELOC
chmod -R 777 $KEYSTORELOC
chown -R mqm:mqm $KEYSTORELOC
export PATH=$PATH:$INSTLOC/gskit8/bin
echo "PATH = $PATH"
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$INSTLOC/gskit8/lib64
runmqakm -keydb -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -stash
runmqakm -keydb -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -stash
runmqakm -cert -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd \
-label alice_cert -dn "cn=alice,O=IBM,c=IN" -default_cert yes
runmqakm -cert -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd \
-label bob_cert -dn "cn=bob,O=IBM,c=IN" -default_cert yes
- Share the certificates between the two key databases so that each user can successfully identify the other.
- Create keystore.conf with the following configuration:
Keystore.conf location: /home/userID/ssl/ams1/
cms.keystore = /home/userID/ssl/ams1/alicekey
cms.certificate.channel.SYSTEM.DEF.SVRCONN = alice_cert
Attention:
- The keystore must be on the system where the queue manager is.
- You must specify a specific channel for cms.certificate to enable MCA interception; the queue manager then performs AMS operations on applications connecting through that channel to queues with policies set.
- Create and start the queue manager AMSQMGR1.
- Define a TCP listener using an available port number under QMGR control. For example:
DEFINE LISTENER(MY.LISTENER) TRPTYPE(TCP) PORT(14567) CONTROL(QMGR)
- Start the listener and verify that it started correctly. For example:
START LISTENER(MY.LISTENER)
DISPLAY LSSTATUS(MY.LISTENER) PORT
- Stop the queue manager.
- Set the keystore:
export MQS_KEYSTORE_CONF=/home/userID/ssl/ams1/keystore.conf
- Start the queue manager in the same shell, so that the MQS_KEYSTORE_CONF environment variable is available to the queue manager.
- Set the security policy and verify:
setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" \
-r "CN=alice,O=IBM,C=IN"
dspmqspl -m AMSQMGR1
See setmqspl and dspmqspl for more information.
- Set the MQSERVER environment variable:
export MQSERVER='SYSTEM.DEF.SVRCONN/TCP/127.0.0.1(14567)'
- Remove the security policy and verify the result:
setmqspl -m AMSQMGR1 -p TESTQ -remove
dspmqspl -m AMSQMGR1
- Browse the queue from your IBM MQ 9.3 installation:
/opt/mq93/samp/bin/amqsbcg TESTQ AMSQMGR1
The browse output shows the messages in encrypted format.
- Set the security policy and verify the result:
setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" \
-r "CN=alice,O=IBM,C=IN"
dspmqspl -m AMSQMGR1
- Run amqsgetc from your IBM MQ 9.3 installation:
/opt/mqm/samp/bin/amqsgetc TESTQ AMSQMGR1
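The keystore.conf step above is the one that switches MCA interception on: a plain cms.certificate entry protects only the client that reads the file, whereas a cms.certificate.channel.CHANNEL entry tells the queue manager to sign and encrypt on behalf of applications arriving over that channel. The following POSIX shell script is an added example, not part of the IBM documentation: it writes a keystore.conf in the form shown above and checks it offline before you export MQS_KEYSTORE_CONF and restart the queue manager. The scratch directory, the empty stand-in alicekey.kdb and alicekey.sth files (standing in for what runmqakm -keydb -create ... -stash produces), and the function names are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not IBM's code): build and sanity-check an AMS keystore.conf
# for MCA interception without needing an IBM MQ installation.
set -u

# Hypothetical scratch location standing in for /home/userID/ssl/ams1/.
SCRATCH="${TMPDIR:-/tmp}/ams-mca-example.$$"
mkdir -p "$SCRATCH/ssl/ams1"

# Constructed stand-ins for the key database and stash file that
# "runmqakm -keydb -create -db alicekey.kdb ... -stash" would create.
: > "$SCRATCH/ssl/ams1/alicekey.kdb"
: > "$SCRATCH/ssl/ams1/alicekey.sth"

# write_keystore_conf FILE KEYSTORE_PATH_WITHOUT_EXT CHANNEL LABEL
# Emits the two lines the documentation shows for MCA interception.
write_keystore_conf() {
  cat > "$1" <<EOF
cms.keystore = $2
cms.certificate.channel.$3 = $4
EOF
}

# conf_get REGEX_KEY FILE: value of the first "key = value" line matching the key.
conf_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# check_keystore_conf FILE
# Returns 0 when the file describes a usable MCA-interception configuration:
#   - cms.keystore names a key database whose .kdb and .sth files exist
#     (the queue manager needs the stash file to open the database unattended)
#   - at least one cms.certificate.channel.<CHANNEL> entry names a label;
#     a bare cms.certificate entry alone leaves MCA interception off.
# Prints the channel-to-label mapping on success, the reason on failure.
check_keystore_conf() {
  conf="$1"
  ks=$(conf_get 'cms\.keystore' "$conf")
  [ -n "$ks" ] || { echo "missing cms.keystore"; return 1; }
  [ -f "$ks.kdb" ] || { echo "key database $ks.kdb not found"; return 1; }
  [ -f "$ks.sth" ] || { echo "stash file $ks.sth not found (create the kdb with -stash)"; return 1; }
  mapping=$(sed -n \
    's/^[[:space:]]*cms\.certificate\.channel\.\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2/p' \
    "$conf")
  [ -n "$mapping" ] || {
    echo "no cms.certificate.channel.<CHANNEL> entry; MCA interception stays off"
    return 1
  }
  echo "$mapping" | while read -r channel label; do
    echo "channel $channel -> certificate label $label"
  done
  return 0
}

# Remove the scratch directory once you are done with the example.
cleanup_example() {
  rm -rf "$SCRATCH"
}

# Usage: a good configuration (channel-specific entry) and a client-only one.
write_keystore_conf "$SCRATCH/keystore.conf" "$SCRATCH/ssl/ams1/alicekey" \
  SYSTEM.DEF.SVRCONN alice_cert
printf 'cms.keystore = %s\ncms.certificate = alice_cert\n' \
  "$SCRATCH/ssl/ams1/alicekey" > "$SCRATCH/client-only.conf"
check_keystore_conf "$SCRATCH/keystore.conf"
check_keystore_conf "$SCRATCH/client-only.conf" || echo "client-only.conf rejected as expected"
```

When the check passes, point MQS_KEYSTORE_CONF at the generated file in the shell from which you start the queue manager, exactly as the "Set the keystore" step does; the check deliberately rejects the client-only cms.certificate form so that a configuration copied from a client setup is not mistaken for an MCA-interception one.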