Streaming queues and AMS
It is possible to stream duplicate Advanced Message Security (AMS) protected messages.
If a queue has an AMS policy defined that causes messages put to that queue to be signed and/or encrypted, you can also configure the STREAMQ attribute of the queue to put a copy of each protected message to a second queue. The duplicate, streamed message is signed and/or encrypted using the same policy that has been configured for the original queue.
In the following example you are configuring two queues, QUEUE1 and QUEUE2. QUEUE1 has its STREAMQ attribute configured to put streamed messages to QUEUE2:
DEFINE QLOCAL(QUEUE2)
DEFINE QLOCAL(QUEUE1) STREAMQ(QUEUE2)
AMS protected messages are being put to QUEUE1 by a user with the certificate CN=bob,O=IBM,C=GB. An application with certificate CN=alice,O=IBM,C=GB is going to consume the messages from QUEUE1. A separate application with certificate CN=fred,O=IBM,C=GB is going to consume the messages from QUEUE2.
QUEUE1 has the following AMS privacy policy applied to it:
SET POLICY(QUEUE1) SIGNALG(SHA256) SIGNER('CN=bob,O=IBM,C=GB') ENCALG(AES256) RECIP('CN=alice,O=IBM,C=GB') RECIP('CN=fred,O=IBM,C=GB') ACTION(ADD)
If an encryption algorithm has been configured in the policy for QUEUE1, the recipients listed in the policy must include both the recipients of the original messages from QUEUE1, and the recipients who are going to consume duplicate messages from QUEUE2.
When an application consumes messages from QUEUE2, the messages are integrity-checked and/or decrypted according to the policy that has been set on QUEUE2, even though they were protected using the policy of QUEUE1. If an application is to consume streamed messages from QUEUE2, you must therefore set a policy on QUEUE2 that matches the protection applied on QUEUE1, so that the messages can be checked for integrity and decrypted correctly.
For example, the following policy could be set on QUEUE2 to allow an application with the certificate distinguished name CN=fred,O=IBM,C=GB to read AMS-protected messages from it:
SET POLICY(QUEUE2) SIGNALG(SHA256) SIGNER('CN=bob,O=IBM,C=GB') ENCALG(AES256) RECIP('CN=fred,O=IBM,C=GB') ACTION(ADD)
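The two policies above only work together if they agree on algorithms and if every consumer of QUEUE2 is also named as a recipient on QUEUE1. The following added example (not IBM's code, and not part of this page) parses DEFINE QLOCAL and SET POLICY lines of the form shown here and checks those conditions for each STREAMQ pair; the MQSC samples it contains are constructed, the second one deliberately omitting fred from the QUEUE1 recipients. The rule that a SIGNER list on the stream queue must accept the signers permitted on the source queue is an assumption of the example, as is the parser's expectation that values contain no parentheses.

```python
"""Added example (not IBM's code): check that a STREAMQ pair carries
AMS policies that let the streamed copies be verified and decrypted."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed MQSC input, mirroring the page's QUEUE1/QUEUE2 configuration.
MQSC_OK = """
DEFINE QLOCAL(QUEUE2)
DEFINE QLOCAL(QUEUE1) STREAMQ(QUEUE2)
SET POLICY(QUEUE1) SIGNALG(SHA256) SIGNER('CN=bob,O=IBM,C=GB') ENCALG(AES256) RECIP('CN=alice,O=IBM,C=GB') RECIP('CN=fred,O=IBM,C=GB') ACTION(ADD)
SET POLICY(QUEUE2) SIGNALG(SHA256) SIGNER('CN=bob,O=IBM,C=GB') ENCALG(AES256) RECIP('CN=fred,O=IBM,C=GB') ACTION(ADD)
"""

# Constructed misconfiguration: QUEUE1's policy omits the QUEUE2 consumer,
# so the copies that fred reads from QUEUE2 cannot be decrypted.
MQSC_BAD = """
DEFINE QLOCAL(QUEUE2)
DEFINE QLOCAL(QUEUE1) STREAMQ(QUEUE2)
SET POLICY(QUEUE1) SIGNALG(SHA256) SIGNER('CN=bob,O=IBM,C=GB') ENCALG(AES256) RECIP('CN=alice,O=IBM,C=GB') ACTION(ADD)
SET POLICY(QUEUE2) SIGNALG(SHA256) SIGNER('CN=bob,O=IBM,C=GB') ENCALG(AES256) RECIP('CN=fred,O=IBM,C=GB') ACTION(ADD)
"""

# KEYWORD(value) pairs; assumes DN values are quoted and contain no parentheses.
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


@dataclass
class Policy:
    queue: str
    signalg: str = "NONE"
    encalg: str = "NONE"
    signers: Set[str] = field(default_factory=set)
    recips: Set[str] = field(default_factory=set)


def parse_mqsc(text: str):
    """Return (streamq map, policy map) built from DEFINE QLOCAL / SET POLICY lines."""
    streamq: Dict[str, str] = {}
    policies: Dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        attrs = [(k, v.strip("'")) for k, v in ATTR_RE.findall(line)]
        if line.startswith("DEFINE QLOCAL"):
            first = dict(attrs)
            if "STREAMQ" in first:
                streamq[first["QLOCAL"]] = first["STREAMQ"]
        elif line.startswith("SET POLICY"):
            pol = Policy(queue=dict(attrs)["POLICY"])
            for k, v in attrs:  # RECIP and SIGNER may repeat, so walk the list
                if k == "SIGNALG":
                    pol.signalg = v
                elif k == "ENCALG":
                    pol.encalg = v
                elif k == "SIGNER":
                    pol.signers.add(v)
                elif k == "RECIP":
                    pol.recips.add(v)
            policies[pol.queue] = pol
    return streamq, policies


def can_consume(policies: Dict[str, Policy], queue: str, dn: str) -> bool:
    """True if an application with certificate DN can decrypt messages got from queue."""
    pol = policies.get(queue)
    if pol is None or pol.encalg == "NONE":
        return True  # unprotected or integrity-only: no recipient check applies
    return dn in pol.recips


def check_stream_policies(streamq: Dict[str, str], policies: Dict[str, Policy]) -> List[str]:
    """Findings for each STREAMQ pair; an empty list means the pair is consistent."""
    findings: List[str] = []
    for src, dst in streamq.items():
        p_src, p_dst = policies.get(src), policies.get(dst)
        if p_src is None:
            continue  # source is unprotected, so its streamed copies are too
        if p_dst is None:
            findings.append(f"{dst}: no AMS policy, but it receives protected copies from {src}")
            continue
        # Copies are protected with src's policy, so dst must expect the same algorithms.
        if p_dst.signalg != p_src.signalg:
            findings.append(f"{dst}: SIGNALG {p_dst.signalg} differs from {src} SIGNALG {p_src.signalg}")
        if p_dst.encalg != p_src.encalg:
            findings.append(f"{dst}: ENCALG {p_dst.encalg} differs from {src} ENCALG {p_src.encalg}")
        # Encrypted copies can only be opened by recipients named on src.
        if p_src.encalg != "NONE":
            missing = p_dst.recips - p_src.recips
            if missing:
                findings.append(f"{src}: RECIP must also list the {dst} consumers {sorted(missing)}")
        # Assumption: a SIGNER list on dst must accept every signer permitted on src;
        # an empty SIGNER list accepts any trusted signer.
        if p_dst.signers and not (p_src.signers and p_src.signers <= p_dst.signers):
            findings.append(f"{dst}: SIGNER list does not accept the signers permitted on {src}")
    return findings


if __name__ == "__main__":
    for label, text in (("ok", MQSC_OK), ("bad", MQSC_BAD)):
        sq, pols = parse_mqsc(text)
        print(label, check_stream_policies(sq, pols) or "consistent")
```

Running the block reports the first sample as consistent and, for the second, that QUEUE1's RECIP list must also name the QUEUE2 consumer CN=fred,O=IBM,C=GB; the same checker can be pointed at a DISPLAY output captured from runmqsc once the relevant attributes are extracted into the same KEYWORD(value) form.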