Configuring MCA interception
If you are using AMS to provide message-level security on a queue manager, you might want to configure MCA interception on particular server-connection channels.
MCA interception is used to implement a different message security policy for particular clients. Without MCA interception, certificates must be distributed to clients to enable them to encrypt or decrypt messages. With MCA interception configured for a channel, encryption and decryption are performed by the queue manager. Required certificates and keys must be held in the queue manager key repository (which is created automatically with the queue manager and managed with the certificate commands, see Queue manager security management commands). Messages in flight over the channel have no message-level encryption (but are usually protected by channel-level security, for example, TLS).
- To operate in a situation where it is undesirable or not possible to distribute certificates to IBM® MQ clients.
- To ensure messages are encrypted while stored on the appliance (although note that such data is still vulnerable if a disk is stolen from the appliance, or there is a malicious administrator).
setamschl -m QMgrName -n Channel_Name -c Certificate_Label dspamschl -m QMgrName [-n Channel_Name]For more information about AMS and MCA interception, see Message Channel Agent (MCA) interception in the IBM MQ documentation.