Configuring MCA interception

If you are using AMS to provide message-level security on a queue manager, you might want to configure MCA interception on particular server-connection channels.

MCA interception is used to implement a different message security policy for particular clients. Without MCA interception, certificates must be distributed to clients to enable them to encrypt or decrypt messages. With MCA interception configured for a channel, encryption and decryption are performed by the queue manager. Required certificates and keys must be held in the queue manager key repository (which is created automatically with the queue manager and managed with the certificate commands, see Queue manager security management commands). Messages in flight over the channel have no message-level encryption (but are usually protected by channel-level security, for example, TLS).

MCA interception is implemented for one of the following reasons:
  • To operate in a situation where it is undesirable or not possible to distribute certificates to IBM® MQ clients.
  • To ensure messages are encrypted while stored on the appliance (although note that such data is still vulnerable if a disk is stolen from the appliance, or there is a malicious administrator).
You must not use MCA interception on channels that you use message-level encryption on, because this causes double-encryption.
On the appliance, you specify MCA interception for a server-connection channel using the following command:
setamschl -m QMgrName -n Channel_Name -c Certificate_Label 
You can view the MCA intercept configuration of a queue manager, or specific server-connection channel, by using the following command:
dspamschl -m QMgrName [-n Channel_Name]

For more information about AMS and MCA interception, see Message Channel Agent (MCA) interception in the IBM MQ documentation.