MCA interception example for AMS

An example task on how you set up an AMS MCA interception.

Before you begin

Attention: You must complete client authentication and encryption on the selected channels, for example, by using SSL and SSLPEER or CHLAUTH TYPE(SSLPEERMAP), to ensure that only authorized clients can connect and use this capability.

If your enterprise uses IBM® i, and you selected a commercial Certificate Authority (CA) to sign your certificate, the Digital Certificate Manager creates a certificate request in PEM (Privacy-Enhanced Mail) format. You must forward the request to your chosen CA.

About this task

This task takes you through the process of setting up your system to use MCA interception, then verifying the setup.

Note: IBM MQ, includes the AMS interceptors and dynamically enables them in the MQ client and server runtime environments.
Attention:
  • Replace userID in the code with your user ID.
  • The following procedure does not work as expected in IBM MQ unless the AMS interception is deactivated on the client.

Procedure

  1. Create the key database and certificates by using the following commands to create a shell script.
    Also, change the INSTLOC and KEYSTORELOC or run the required commands. Note that you might not need to create the certificate for bob.
    INSTLOC=/opt/mqm
    KEYSTORELOC=/home/userID/var/mqm
    mkdir -p $KEYSTORELOC
    chmod -R 777 $KEYSTORELOC
    chown -R mqm:mqm $KEYSTORELOC
    export PATH=$PATH:$INSTLOC/gskit8/bin
    echo "PATH = $PATH"
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$INSTLOC/gskit8/lib64
    
    runmqakm -keydb -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -stash
    runmqakm -keydb -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -stash
    runmqakm -cert -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd \
    -label alice_cert -dn "cn=alice,O=IBM,c=IN" -default_cert yes
    runmqakm -cert -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd \
    -label bob_cert  -dn "cn=bob,O=IBM,c=IN"  -default_cert yes
    
  2. Share the certificates between the two key databases so that each user can successfully identify the other.
    It is important that you use the method described for sharing certificates in the Quick Start Guide, for the platform your enterprise uses:
    Windows
    Task 5 Sharing certificates
    AIX® and Linux®
    Task 5 Sharing certificates
    Java clients
    Task 5 Sharing certificates
  3. Create keystore.conf with the following configuration: Keystore.conf location: /home/userID/ssl/ams1/
    cms.keystore = /home/userID/ssl/ams1/alicekey
    cms.certificate.channel.SYSTEM.DEF.SVRCONN = alice_cert
    
    Attention:
    1. The keystore must be on the system where the queue manager is.
    2. You must specify a specific channel for cms.certificate to enable MCA intervention, and then the queue manager performs AMS operations on applications connecting through that channel to queues with policies set.
  4. Create and start queue manager AMSQMGR1
  5. Define a TCP listener using an available port number under QMGR control.
    For example:
    DEFINE LISTENER(MY.LISTENER) TRPTYPE(TCP) PORT(14567) CONTROL(QMGR)
  6. Start the listener and verify that it started correctly.
    For example:
    START  LISTENER(MY.LISTENER)
    DISPLAY LSSTATUS(MY.LISTENER) PORT
    
  7. Stop the queue manager.
  8. Set the keystore with the MQS_KEYSTORE_CONF environment variable:
    export MQS_KEYSTORE_CONF=/home/userID/ssl/ams1/keystore.conf
    
  9. Start the queue manager on the same shell, so that the MQS_KEYSTORE_CONF environment variable is available to the queue manager.
  10. Set the security policy and verify:
    setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" \
    -r "CN=alice,O=IBM,C=IN"
    dspmqspl -m AMSQMGR1
    
    See setmqspl and dspmqspl for more information.
  11. Set the MQSERVER environment variable:
    export MQSERVER='SYSTEM.DEF.SVRCONN/TCP/127.0.0.1(14567)'
    
  12. Remove the security policy and verify the result:
    setmqspl -m AMSQMGR1 -p TESTQ -remove
    dspmqspl -m AMSQMGR1
    
  13. Browse the queue from your IBM MQ 9.4 installation:
    /opt/mq94/samp/bin/amqsbcg TESTQ AMSQMGR1
    
    The browse output shows the messages in encrypted format.
  14. Set the security policy and verify the result:
    setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN"
    -r "CN=alice,O=IBM,C=IN"
    dspmqspl -m AMSQMGR1
    
  15. Run amqsgetc from your IBM MQ 9.4 installation:
    /opt/mqm/samp/bin/amqsgetc TESTQ TESTQMGR