Creating a policy

Before creating a policy, you need to create a queue to hold protected messages.

Procedure

  1. At a CL command prompt, enter:
    
    CRTMQMQ QNAME(PROTECTED) QTYPE(*LCL) MQMNAME(<mqmname>)
    
    where <mqmname> is the name of your queue manager.

    Use the DSPMQM command to check that the queue manager is capable of using security policies: the Security Policy Capability field must show *YES.

    The simplest policy you can define is an integrity policy, which is achieved by creating a policy with a digital signature algorithm but no encryption algorithm.

    Messages are signed but not encrypted. If messages are to be encrypted, you must specify an encryption algorithm, and one or more intended message recipients.

    A certificate in the public keystore for an intended message recipient is identified through a distinguished name.

  2. Display the distinguished name of a recipient's certificate from the public keystore (here, mycert.pem in $HOME) by using the following command in QShell:
    
    /QOpenSys/usr/bin/openssl x509 -in $HOME/mycert.pem -noout -subject -nameopt RFC2253
    

    Enter that distinguished name as an intended recipient (the RECIP value); the policy name must match the name of the queue to be protected.

  3. At a CL command prompt, enter, for example:
    
    SETMQMSPL POLICY(PROTECTED) MQMNAME(<mqmname>) SIGNALG(*SHA256) ENCALG(*AES256) RECIP('CN=.., O=.., C=..')
    
    where <mqmname> is the name of your queue manager.

    Once the policy is created, any message put to, browsed on, or destructively got from a queue of that name is subject to the IBM MQ AMS policy.
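The three steps above can be scripted from QShell, which is where the openssl command is already run. The following script is an added example and is not part of the IBM MQ documentation: it builds the SETMQMSPL command after checking the rules stated above (policy name equals queue name, a signature algorithm is always present, an encryption algorithm needs at least one recipient) and runs the CL commands through the IBM i `system` utility. The queue manager name QM1, the queue name PROTECTED, the certificate path and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation: drives the CRTMQMQ and
# SETMQMSPL steps from QShell on IBM i through the "system" utility, after
# checking the policy rules stated on the page. The queue manager name QM1,
# the queue name PROTECTED and the certificate path are assumptions.

# Turn the single line printed by
#   openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
# (e.g. "subject=CN=app1,O=Example,C=GB") into the bare DN that SETMQMSPL
# takes as a RECIP value. Older OpenSSL prints "subject= CN=..."; both forms work.
rfc2253_dn() {
    printf '%s' "$1" | sed -e 's/^subject= *//' -e 's/[[:space:]]*$//'
}

# Print the SETMQMSPL command for a queue. Rules enforced here:
#  - the policy name is always the queue name (AMS matches them by name);
#  - a signature algorithm is mandatory (the minimum is an integrity policy);
#  - an encryption algorithm needs at least one recipient DN.
# Arguments: qmgr queue signalg encalg [recipient_dn ...]
# Pass an empty string or *NONE as encalg for an integrity-only policy.
build_setmqmspl() {
    if [ $# -lt 4 ]; then
        echo "usage: build_setmqmspl qmgr queue signalg encalg [dn ...]" >&2
        return 1
    fi
    qmgr=$1; queue=$2; signalg=$3; encalg=$4
    shift 4
    if [ -z "$qmgr" ] || [ -z "$queue" ]; then
        echo "build_setmqmspl: queue manager and queue are required" >&2
        return 1
    fi
    if [ -z "$signalg" ] || [ "$signalg" = '*NONE' ]; then
        echo "build_setmqmspl: a signature algorithm is required" >&2
        return 1
    fi
    cmd="SETMQMSPL POLICY($queue) MQMNAME($qmgr) SIGNALG($signalg)"
    if [ -n "$encalg" ] && [ "$encalg" != '*NONE' ]; then
        if [ $# -lt 1 ]; then
            echo "build_setmqmspl: ENCALG($encalg) needs at least one RECIP" >&2
            return 1
        fi
        recips=''
        for dn in "$@"; do
            recips="$recips '$dn'"   # CL list syntax: RECIP('dn1' 'dn2')
        done
        cmd="$cmd ENCALG($encalg) RECIP(${recips# })"
    fi
    printf '%s\n' "$cmd"
}

# Run a CL command from QShell; with DRY_RUN set, only show what would run.
run_cl() {
    if [ -n "$DRY_RUN" ]; then
        printf 'DRY RUN: %s\n' "$1"
    else
        system "$1"
    fi
}

# The whole procedure: create the queue, read the recipient DN from the
# certificate, then set a signed-and-encrypted policy on the queue.
# Usage: protect_queue QM1 PROTECTED /home/me/mycert.pem
protect_queue() {
    qmgr=$1; queue=$2; pem=$3
    run_cl "CRTMQMQ QNAME($queue) QTYPE(*LCL) MQMNAME($qmgr)" || return 1
    subj=$(/QOpenSys/usr/bin/openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 1
    dn=$(rfc2253_dn "$subj")
    cmd=$(build_setmqmspl "$qmgr" "$queue" '*SHA256' '*AES256' "$dn") || return 1
    run_cl "$cmd"
}

if [ $# -eq 3 ]; then
    protect_queue "$@"
fi
```

Run it as `DRY_RUN=1 sh protect.sh QM1 PROTECTED $HOME/mycert.pem` first to see the exact CL commands before they are executed; the build function refuses an ENCALG without a RECIP, which is the mistake that otherwise surfaces only when the first put fails.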