Using IBM MQ Advanced Message Security with IBM MQ Managed File Transfer

IBM® MQ Advanced Message Security provides enhanced security for message traffic in IBM MQ Managed File Transfer, in particular for data at rest on queues.

About this task

In this topic, IBM MQ Advanced Message Security is referred to as WMQAMS and IBM MQ Managed File Transfer is referred to as WMQFTE. For more information about WMQAMS, see IBM MQ Advanced Message Security.

WMQAMS provides a number of facilities to intercept and apply security actions to message data. For WMQFTE, the WMQAMS Java Interceptor is used to encrypt the data before it leaves the source agent and to decrypt the data after it arrives in the destination agent. The messages in transit between the two agents are secured.

WMQAMS offers a range of security policies that can be applied to an IBM MQ network. The configuration supported by WebSphere® MQ File Transfer Edition 7.0.3 or later is the encryption of file data between two agents; the protection of control or status messages is not supported.

Install and configure WMQFTE first, and confirm that your installation is working correctly, before adding WMQAMS for additional protection.

Procedure

  1. Install the WMQAMS Java Interceptor on each system that hosts WMQFTE agents you want to secure.
    Follow the instructions in the WMQAMS product documentation to install the Java Interceptor component. You must also install the WMQAMS administration tools on at least one system and run the necessary MQSC scripts against each queue manager; both tasks are also described in the WMQAMS product documentation.
  2. Create the cryptographic keystores and policies used by WMQAMS.

    This configuration requires a policy of message encryption on the data queue of each agent involved (SYSTEM.FTE.DATA.agent_name). See IBM MQ Advanced Message Security for detailed information about this step.

  3. Enable the use of WMQAMS by WMQFTE.
    Perform the following steps for each agent that is to use WMQAMS:
    1. Stop the agent.
    2. Add the advancedSecurityPath property to the agent.properties file. The value of this property is the full file name of the WMQAMS Java Interceptor JAR file (com.ibm.mq.ese.jar) installed on that system.

      See The agent.properties file for more information about this file and property.

      Note: The instructions in the WMQAMS documentation that refer to this JAR file being loaded from the IBM MQ directory do not apply. WMQFTE contains its own IBM MQ libraries and does not require or use a separate IBM MQ installation for client connections.
    3. If running the agent in IBM MQ bindings mode, set the mqs.intercept.bindingsJava property to 1.

      IBM MQ bindings is the connection mode used when an agent connects directly to a queue manager on the same system without using a network protocol. If the agent.properties file contains an agentQMgr property but no agentQMgrHost property, the agent is using IBM MQ bindings mode.

      The WMQAMS Java Interceptor works only on bindings mode connections with the mqs.intercept.bindings property set to 1. To set the mqs.intercept.bindings property, run the following command before starting the agent:
      • On Unix platforms:
        export FTE_JVM_PROPERTIES="-Dmqs.intercept.bindings=1"
      • On Windows platforms:
        set FTE_JVM_PROPERTIES="-Dmqs.intercept.bindings=1"
    4. Start the agent.
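
The following pre-start check is an added example, not part of the IBM documentation: a POSIX shell function, for Unix systems, that verifies the step 3 settings of an agent before it is started. The function names and the sample values (AGENT1, QM1) are assumptions made for illustration; the bindings-mode test uses the property name from the command shown above.

```shell
#!/bin/sh
# Added example: pre-start check of the agent.properties settings described above.

# Print the last value assigned to key $2 in properties file $1.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# Return 0 if the agent is ready to use the interceptor, 1 if not, 2 if unreadable.
check_ams_agent() {
    props=$1; rc=0
    [ -r "$props" ] || { echo "ERROR: cannot read $props"; return 2; }

    # advancedSecurityPath must be the full file name of com.ibm.mq.ese.jar.
    jar=$(prop_value "$props" advancedSecurityPath)
    if [ -z "$jar" ]; then
        echo "FAIL: advancedSecurityPath is not set"; rc=1
    elif [ "${jar##*/}" != "com.ibm.mq.ese.jar" ] || [ ! -f "$jar" ]; then
        echo "FAIL: advancedSecurityPath is not an existing com.ibm.mq.ese.jar: $jar"; rc=1
    fi

    # Bindings mode: agentQMgr present, agentQMgrHost absent.
    qmgr=$(prop_value "$props" agentQMgr)
    host=$(prop_value "$props" agentQMgrHost)
    if [ -n "$qmgr" ] && [ -z "$host" ]; then
        case " ${FTE_JVM_PROPERTIES:-} " in
            *" -Dmqs.intercept.bindings=1 "*) ;;
            *) echo "FAIL: bindings mode without -Dmqs.intercept.bindings=1"; rc=1 ;;
        esac
    fi
    [ "$rc" -ne 0 ] || echo "OK: $props"
    return "$rc"
}

# Constructed sample (not a real installation): a bindings-mode agent.
demo() {
    d=$(mktemp -d) && : > "$d/com.ibm.mq.ese.jar"
    printf 'agentName=AGENT1\nagentQMgr=QM1\nadvancedSecurityPath=%s\n' \
        "$d/com.ibm.mq.ese.jar" > "$d/agent.properties"
    ( FTE_JVM_PROPERTIES="-Dmqs.intercept.bindings=1"; check_ams_agent "$d/agent.properties" )
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then check_ams_agent "$1"; else demo; fi
```

Run it with the path to an agent's agent.properties file in the same shell session that will start the agent, so that it sees the same FTE_JVM_PROPERTIES value.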

What to do next

When IBM MQ Advanced Message Security is used to protect agent data queues, the agents at both the source and destination of the transfer must be configured with identical queue protection policies. For more information, see Using IBM MQ AMS with IBM MQ Managed File Transfer.