Confidentiality of messages
To maintain confidentiality, encrypt your messages. There are various methods of encrypting messages in IBM® MQ depending on your needs.
Your choice of CipherSpec determines what level of confidentiality you have.
If you need application-level, end-to-end data protection for your point to point messaging infrastructure, you can use Advanced Message Security to encrypt the messages, or write your own API exit or API-crossing exit.
If you need to encrypt messages only while they are being transported through a channel, because you have adequate security on your queue managers, you can use TLS, or you can write your own security exit, message exit, or send and receive exit programs.
![[z/OS]](ngzos.gif)
![[V9.1.4 Dec 2019]](ng914.gif)
If you need to encrypt messages at rest on a queue manager, you
can use z/OS® data set encryption on that queue
manager.
For more information about Advanced Message Security, see Planning for Advanced Message Security. The use of TLS with IBM MQ is described at TLS security protocols in IBM MQ. The use of exit programs in message encryption is described at Implementing confidentiality in user exit programs.
See the section, confidentiality for data at rest on IBM MQ for z/OS with data set encryption. for more information about z/OS data set encryption.