Security policies
IBM® MQ Advanced Message Security uses security policies to specify the cryptographic encryption and signature algorithms for encrypting and authenticating messages that flow through the queues.
Security policies overview
IBM MQ Advanced Message Security security policies are conceptual objects that describe the way a message is cryptographically encrypted and signed.
Managing security policies
A security policy is a conceptual object that describes the way a message is cryptographically encrypted and signed.
System queue protection
System queues enable communication between IBM MQ and its ancillary applications. Whenever a queue manager is created, a system queue is also created to store IBM MQ internal messages and data. You can protect system queues with IBM MQ Advanced Message Security so that only authorized users can access or decrypt them.
Granting OAM permissions
File permissions authorize all users to execute the setmqspl and dspmqspl commands. However, IBM MQ Advanced Message Security relies on the Object Authority Manager (OAM), so any attempt to run these commands by a user who does not belong to the mqm group (the IBM MQ administration group), or who has not been granted permission to read security policy settings, results in an error.
Granting security permissions
When using command resource security you must set up permissions to allow IBM MQ Advanced Message Security to function. This topic uses RACF® commands in the examples. If your enterprise uses a different external security manager (ESM) you must use the equivalent commands for that ESM.
IBM i: Setting up certificates and the keystore configuration file
Your first task when setting up IBM MQ Advanced Message Security protection is to create a certificate, and associate that with your environment. The association is configured through a file held in the integrated filesystem (IFS).
Command and configuration events
With IBM MQ Advanced Message Security, you can generate command and configuration event messages, which can be logged and serve as a record of policy changes for auditing.