Quick Start Guide for AMS on Windows platforms
Use this guide to quickly configure Advanced Message Security (AMS) to provide message security on Windows platforms. By the time you complete it, you will have created a key database to verify user identities, and defined signing/encryption policies for your queue manager.
Before you begin
- Server
- Development Toolkit (for the Sample programs)
- Advanced Message Security (AMS)
For information about using the setmqenv command to initialize the current environment so that the appropriate IBM MQ commands can be located and executed by the operating system, see setmqenv (set IBM MQ environment).
1. Creating a queue manager and a queue
About this task
Create the queue manager QM_VERIFY_AMS and a local queue called TEST.Q for passing messages between applications. Advanced Message Security uses interceptors to sign and encrypt messages at the point they enter the IBM MQ infrastructure through the standard IBM MQ interface. The basic setup is done in IBM MQ and is configured in the following steps. You can use IBM MQ Explorer to create the queue manager QM_VERIFY_AMS and its local queue TEST.Q by using all the default wizard settings, or you can use the commands found in C:\Program Files\IBM\MQ\bin. Remember that you must be a member of the mqm user group to run the following administrative commands.
Procedure
Results
Confirm that the queue TEST.Q exists by running the MQSC command:
DISPLAY Q(TEST.Q)
2. Creating and authorizing users
About this task
Create two users: alice, the sender, and bob, the receiver. To use the application queue, these users need to be granted authority to use it. Also, to successfully use the protection policies that we will define, these users must be granted access to some system queues. For more information about the setmqaut command, refer to setmqaut.
Procedure
Results
What to do next
You can now verify the setup with the amqsput and amqsget samples as described in section 7, Testing the setup.
3. Creating key database and certificates
About this task
Create a key database and certificate for each of alice and bob, and share the user certificates between them.
Procedure
Results
alice and bob each now have a self-signed certificate.
4. Creating keystore.conf
About this task
Create a keystore.conf file for each of alice and bob. The file points Advanced Message Security to the user's keystore and certificate, and has the following form:
cms.keystore = dir/keystore_file
cms.certificate = certificate_label
Example
cms.keystore = C:/Documents and Settings/alice/AMS/alicekey
cms.certificate = Alice_Cert
- The path to the keystore file must be provided with no file extension.
- The certificate label can include spaces, so "Alice_Cert" and "Alice_Cert " (with a space on the end), for example, are recognized as labels of two different certificates. However, to avoid confusion, it is better not to use spaces in label names.
- The following keystore formats are supported: CMS (Cryptographic Message Syntax), JKS (Java Keystore) and JCEKS (Java Cryptographic Extension Keystore). For more information, refer to Structure of the keystore configuration file (keystore.conf) for AMS.
- %HOMEDRIVE%\%HOMEPATH%\.mqs\keystore.conf (for example, C:\Documents and Settings\alice\.mqs\keystore.conf) is the default location where Advanced Message Security searches for the keystore.conf file. For information about how to use a non-default location for keystore.conf, see Using keystores and certificates with AMS.
- To create the .mqs directory, you must use the command prompt.
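The notes above are easy to get wrong by hand (a .kdb extension left on the path, a stray trailing space in the label), so here is an added example, not part of the IBM guide, that checks a keystore.conf against those rules and computes the default search path from the HOMEDRIVE and HOMEPATH variables. The sample file contents and the environment values are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample keystore.conf contents (not taken from any real user's file).
SAMPLE_GOOD = ("cms.keystore = C:/Documents and Settings/alice/AMS/alicekey\n"
               "cms.certificate = Alice_Cert\n")
SAMPLE_BAD = ("cms.keystore = C:/Documents and Settings/alice/AMS/alicekey.kdb\n"
              "cms.certificate = Alice_Cert \n")   # .kdb extension, trailing space

KEYSTORE_FORMATS = {"cms", "jks", "jceks"}   # the formats listed in the notes above


def parse_keystore_conf(text):
    """Parse 'key = value' lines into a dict, keeping trailing spaces in values."""
    conf = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        key, sep, value = raw.partition("=")
        if sep:
            conf[key.strip()] = value.lstrip()   # rstrip is deliberately NOT applied
    return conf


def check_keystore_conf(text):
    """Return a list of problems found; an empty list means the file looks correct."""
    conf = parse_keystore_conf(text)
    problems = []
    formats = {k.split(".")[0] for k in conf if k.endswith(".keystore")}
    if not formats:
        problems.append("no <format>.keystore entry found")
    for fmt in sorted(formats):
        if fmt not in KEYSTORE_FORMATS:
            problems.append(f"unknown keystore format '{fmt}'")
        path = conf[f"{fmt}.keystore"].rstrip()
        if PureWindowsPath(path).suffix:      # e.g. '.kdb' left on the end of the path
            problems.append(f"{fmt}.keystore must be given without a file extension: {path}")
        label = conf.get(f"{fmt}.certificate")
        if label is None:
            problems.append(f"{fmt}.certificate entry missing")
        elif label != label.strip():
            problems.append(f"{fmt}.certificate label has surrounding whitespace: {label!r}")
    return problems


def default_keystore_conf_path(env):
    """Default search location on Windows: %HOMEDRIVE%\\%HOMEPATH%\\.mqs\\keystore.conf."""
    home = env["HOMEDRIVE"] + env["HOMEPATH"]
    return str(PureWindowsPath(home) / ".mqs" / "keystore.conf")


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_keystore_conf(text) or "OK")
```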
5. Sharing Certificates
About this task
Procedure
Results
alice and bob are now able to successfully identify each other, having created and shared self-signed certificates.
What to do next
Check that each user's key database now contains the other user's certificate:
runmqakm -cert -details -db "C:\Documents and Settings\bob\AMS\bobkey.kdb" -pw passw0rd -label Alice_Cert
runmqakm -cert -details -db "C:\Documents and Settings\alice\AMS\alicekey.kdb" -pw passw0rd -label Bob_Cert
6. Defining queue policy
About this task
Define a security policy for the queue on QM_VERIFY_AMS using the setmqspl command. Refer to setmqspl for more information on this command. Each policy name must be the same as the queue name it is to be applied to.
Example
The following command defines a policy for the TEST.Q queue. In the example, messages are signed with the SHA1 algorithm and encrypted with the AES256 algorithm. alice is the only valid sender and bob is the only receiver of the messages on this queue:
setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB"
What to do next
To display the policies defined for the queue manager, use the dspmqspl command:
dspmqspl -m QM_VERIFY_AMS
To print the policy details as a set of setmqspl commands, use the -export flag. This allows you to store the already defined policies:
dspmqspl -m QM_VERIFY_AMS -export >restore_my_policies.bat
7. Testing the setup
About this task
Procedure
Results
alice's message is displayed when bob runs the getting application.
8. Testing encryption
About this task
Create an alias queue that resolves to TEST.Q. This alias queue will have no security policy, so no user will have the information to decrypt the message, and therefore the encrypted data will be shown.
Procedure
Results
The amqsbcg application shows the encrypted data that is on the queue, proving that the message has been encrypted.