Quick Start Guide for AMS with Java clients
Use this guide to quickly configure Advanced Message Security (AMS) to protect messages for Java applications that connect using client bindings. By the time you complete it, you will have created keystores and certificates that identify the users, and defined a signing and encryption policy for a queue on your queue manager.
Before you begin
1. Creating a queue manager and a queue
About this task
This scenario uses a queue manager, QM_VERIFY_AMS, and a local queue, TEST.Q, for passing messages between applications. Advanced Message Security uses interceptors to sign and encrypt messages at the point they enter the IBM® MQ infrastructure through the standard IBM MQ interface. The basic setup is done in IBM MQ and is configured in the following steps.
Procedure
Results
Verify that the queue TEST.Q exists by running the following MQSC command against the queue manager:
DISPLAY Q(TEST.Q)
2. Creating and authorizing users
About this task
This scenario uses two users: alice, the sender, and bob, the receiver. To use the application queue, these users must be granted the authority they need on it (putting messages for the sender, getting messages for the receiver). To successfully use the protection policies defined in this scenario, they must also be granted access to some system queues. For more information about the setmqaut command, see setmqaut.
Procedure
Results
What to do next
You can check that the users have the authorities they need by running the JmsProducer and JmsConsumer samples, as described in section 7, Testing the setup.
3. Creating key database and certificates
About this task
In this step you create keystores and self-signed certificates for alice and bob, and share the user certificates between them.
Note: In this guide, we use sample applications written in Java connecting using client bindings. If you plan to use Java applications using local bindings, or C applications, you must instead create a CMS keystore and certificates using the runmqakm command. For more information, see Quick Start Guide for AMS on Windows platforms and Quick Start Guide for AMS on AIX and Linux.
Procedure
Results
alice and bob each now have a self-signed certificate.
4. Creating keystore.conf
About this task
In this step you create a keystore configuration file, keystore.conf, for each of alice and bob. The file tells the AMS interceptor which keystore to open, which certificate alias identifies the user, and how to unlock the keystore.
Example
For this scenario, the contents of the keystore.conf for alice are as follows:
JKS.keystore = keystore-dir/keystore
JKS.certificate = Alice_Java_Cert
JKS.encrypted = no
JKS.keystore_pass = passw0rd
JKS.key_pass = passw0rd
JKS.provider = IBMJCE
For this scenario, the contents of the keystore.conf for bob are as follows:
JKS.keystore = keystore-dir/keystore
JKS.certificate = Bob_Java_Cert
JKS.encrypted = no
JKS.keystore_pass = passw0rd
JKS.key_pass = passw0rd
JKS.provider = IBMJCE
Note:
- The path to the keystore file must be provided with no file extension.
- With JKS.encrypted = no, the keystore and key passwords are held in clear text, so restrict read access to keystore.conf to its owner (for example, chmod 600 on AIX and Linux).
- If you already have a keystore.conf file because you have followed the instructions in the Quick Start Guide (Windows or AIX and Linux), you can edit the existing file to add these lines.
- For more information, see Structure of the keystore configuration file (keystore.conf) for AMS.
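The mistakes that most often stop a Java client from picking up its AMS configuration are a keystore path given with its .jks extension, a missing certificate alias, and a world-readable file holding clear-text passwords. The following script is an added example for this guide, not IBM code: it reads a keystore.conf, reports each of those problems, and runs itself against a constructed copy of alice's file above in which the extension was left on. The default location $HOME/.mqs/keystore.conf, the MQS_KEYSTORE_CONF override, and the runamscred command that newer IBM MQ releases use to store the passwords encrypted (JKS.encrypted = yes) are assumed from AMS documentation rather than from this page.

```shell
#!/bin/sh
# Check an AMS keystore.conf before starting the Java client.
# Added example for this guide, not IBM code. The default location
# $HOME/.mqs/keystore.conf and the MQS_KEYSTORE_CONF override are assumed from
# AMS documentation, not from this page.
set -u

# conf_value KEY FILE: value of KEY in a "key = value" file, blanks trimmed ('' if absent).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_keystore_conf FILE: print one line per problem, nothing for a clean file.
check_keystore_conf() {
    f=$1
    ks=$(conf_value JKS.keystore "$f")
    case "$ks" in
        '')                echo 'JKS.keystore is missing' ;;
        *.jks|*.p12|*.kdb) echo "JKS.keystore must be given without its file extension: $ks" ;;
    esac
    [ -n "$(conf_value JKS.certificate "$f")" ] || echo 'JKS.certificate (alias of the own certificate) is missing'
    if [ "$(conf_value JKS.encrypted "$f")" != yes ] && [ -n "$(conf_value JKS.keystore_pass "$f")" ]; then
        echo 'keystore password is stored in clear text (JKS.encrypted = no)'
    fi
    # A file holding keystore passwords should be readable by its owner only.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "file mode $mode is too permissive, run: chmod 600 $f" ;;
    esac
}

# write_alice_conf FILE: alice's keystore.conf from this guide, but with the .jks
# extension mistakenly kept, to show the check firing (constructed input).
write_alice_conf() {
    cat >"$1" <<'EOF'
JKS.keystore = keystore-dir/keystore.jks
JKS.certificate = Alice_Java_Cert
JKS.encrypted = no
JKS.keystore_pass = passw0rd
JKS.key_pass = passw0rd
JKS.provider = IBMJCE
EOF
}

# Demo: a world-readable copy of the constructed file reports three findings.
demo=$(mktemp)
write_alice_conf "$demo"
chmod 644 "$demo"
check_keystore_conf "$demo"
rm -f "$demo"
```

Run it as each user against that user's own file, for example `check_keystore_conf "${MQS_KEYSTORE_CONF:-$HOME/.mqs/keystore.conf}"`, after creating the file and again after any edit; an empty result means the file is ready for the client.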
5. Sharing certificates
About this task
Important: The terms extract and export are used differently by different certificate management commands.
- The IBM Global Security Kit (GSKit) runmqakm command uses the term extract to refer to the process of copying only the public part of a certificate from a keystore, and the term export to refer to the process of copying certificates and their associated public and private keys from one keystore to another.
- The Java keytool command, and the IBM MQ runmqktool command, use the term export to refer to the process of copying only the public part of a certificate from a keystore.
Procedure
Results
alice and bob are now able to identify each other, having created and shared self-signed certificates.
What to do next
Check that each user's keystore now contains the other user's certificate:
keytool -list -keystore bob-keystore-dir/keystore.jks -storepass passw0rd -alias Alice_Java_Cert
keytool -list -keystore alice-keystore-dir/keystore.jks -storepass passw0rd -alias Bob_Java_Cert
Note that keytool takes the full file name, including the .jks extension, whereas keystore.conf omits it. Passing -storepass on the command line leaves the password in the shell history and visible to other users in the process list; omit the option to be prompted for it instead.
6. Defining queue policy
About this task
Define a protection policy on the queue manager QM_VERIFY_AMS using the setmqspl command. Refer to setmqspl for more information on this command. Each policy name must be the same as the name of the queue it is to be applied to.
Example
The following command defines a policy for the TEST.Q queue: messages must be signed by the user alice using the SHA1 digest algorithm, and are encrypted using the 256-bit AES algorithm for the user bob:
setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB"
Here -p names the policy (and therefore the queue), -s the signing digest, -a the distinguished name of the only signer whose messages are accepted, -e the encryption algorithm, and -r the distinguished name of the recipient who can decrypt them. This guide uses SHA1 for illustration; setmqspl also accepts SHA256, SHA384 and SHA512 as the -s digest, and one of those should be used for any policy kept beyond this exercise.
Note: The DNs given to -a and -r must match exactly the subject DNs in the respective users' certificates in the key database.
What to do next
To verify the policy you have just defined, display the policies of the queue manager:
dspmqspl -m QM_VERIFY_AMS
To print the policy details as a set of setmqspl commands, use the -export flag. This lets you store already defined policies so they can be restored later:
dspmqspl -m QM_VERIFY_AMS -export >restore_my_policies.bat
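Because the -export output is one setmqspl command per policy, it is also a convenient input for reviewing the policies a queue manager enforces. The following script is an added example for this guide, not IBM code: it reads such an export, flags the settings a reviewer would question (MD5 or SHA1 as the signing digest, no encryption or a pre-AES cipher, and a policy with no -a signer so that a message signed by any certificate in the receiver's keystore is accepted), and emits a hardened replacement for the TEST.Q policy above pinned to SHA256 and AES256. The export it runs on is constructed here, with two extra queues, AUDIT.Q and ORDERS.Q, that are not part of this guide; the set of digest and cipher names comes from the values setmqspl accepts for -s and -e.

```shell
#!/bin/sh
# Audit AMS policies exported with `dspmqspl -m <qmgr> -export`.
# Added example for this guide, not IBM code. SAMPLE_EXPORT is a constructed
# export in the form the page describes (one setmqspl command per policy);
# AUDIT.Q and ORDERS.Q are made up for the demonstration.
set -u

SAMPLE_EXPORT='setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB"
setmqspl -m QM_VERIFY_AMS -p AUDIT.Q -s SHA256 -a "CN=alice,O=IBM,C=GB" -e NONE
setmqspl -m QM_VERIFY_AMS -p ORDERS.Q -s SHA512 -e AES256 -r "CN=bob,O=IBM,C=GB"'

# policy_field FLAG LINE: value of the single-letter option -FLAG on one setmqspl line ('' if absent).
policy_field() {
    printf '%s\n' "$2" | sed -n "s/.* -$1 \([^ ]*\).*/\1/p"
}

# audit_policies: reads setmqspl lines on stdin and prints one finding per weak setting.
# MD5/SHA1 and RC2/DES/3DES are values setmqspl still accepts but that should not be
# used for new policies; without -a, a message signed by any certificate present in
# the receiver's keystore passes the signature check.
audit_policies() {
    while IFS= read -r line; do
        case "$line" in setmqspl*) ;; *) continue ;; esac
        q=$(policy_field p "$line")
        case "$(policy_field s "$line")" in
            MD5|SHA1) printf '%s: weak signing digest (use SHA256 or stronger)\n' "$q" ;;
        esac
        case "$(policy_field e "$line")" in
            ''|NONE)      printf '%s: no encryption, payload is readable on the queue\n' "$q" ;;
            RC2|DES|3DES) printf '%s: weak cipher (use AES128 or AES256)\n' "$q" ;;
        esac
        case "$line" in
            *' -a '*) ;;
            *) printf '%s: no -a signer DN, messages from any signer are accepted\n' "$q" ;;
        esac
    done
}

# privacy_policy QMGR QUEUE SIGNER_DN RECIPIENT_DN: emit a sign-and-encrypt policy
# pinned to SHA256/AES256; audit_policies reports nothing for its output.
privacy_policy() {
    printf 'setmqspl -m %s -p %s -s SHA256 -a "%s" -e AES256 -r "%s"\n' "$1" "$2" "$3" "$4"
}

# Demo: three findings for the constructed export, then the hardened TEST.Q policy.
printf '%s\n' "$SAMPLE_EXPORT" | audit_policies
privacy_policy QM_VERIFY_AMS TEST.Q "CN=alice,O=IBM,C=GB" "CN=bob,O=IBM,C=GB"
```

On a live system, replace the constructed sample with `dspmqspl -m QM_VERIFY_AMS -export | audit_policies`; the DNs passed to privacy_policy must still match the certificates exactly, as the note above requires.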
7. Testing the setup
Before you begin
Note: The version of Java supplied in the IBM MQ installation already includes the Java cryptography policy files needed for this scenario. It can be found in MQ_INSTALLATION_PATH/java/bin.
About this task
Procedure
Results
alice's message is displayed when bob runs the getting application.