Quick Start Guide for AMS on AIX and Linux
Use this guide to quickly configure Advanced Message Security to provide message security on AIX® and Linux®. By the time you complete it, you will have created a key database to verify user identities, and defined signing/encryption policies for your queue manager.
Before you begin
Make sure the following IBM MQ components are installed:
- Runtime
- Server
- Sample programs
- IBM® Global Security Kit (GSKit)
- Advanced Message Security
1. Creating a queue manager and a queue
About this task
This step creates a queue manager and a queue, TEST.Q, for passing messages between applications. Advanced Message Security uses interceptors to sign and encrypt messages at the point they enter the IBM MQ infrastructure through the standard IBM MQ interface.
The basic setup is done in IBM MQ and is configured in the following steps. You can use IBM MQ Explorer to create the queue manager QM_VERIFY_AMS and its local queue TEST.Q by using all the default wizard settings, or you can use the commands found in MQ_INSTALLATION_PATH/bin. Remember that you must be a member of the mqm user group to run the following administrative commands.
Procedure
Results
The queue manager QM_VERIFY_AMS and its queue TEST.Q now exist. To confirm the queue was created, display it with the following MQSC command:
DISPLAY Q(TEST.Q)
2. Creating and authorizing users
About this task
This step creates two users: alice, the sender, and bob, the receiver. To use the application queue, these users need to be granted authority to use it. To use the protection policies defined later, these users must also be granted access to some system queues. For more information about the setmqaut command, refer to setmqaut.
Procedure
Results
What to do next
These users run the amqsput and amqsget samples, as described in section 8, Testing encryption.
3. Creating key database and certificates
About this task
To encrypt the message, the interceptor requires the private key of the sending user and the public key(s) of the recipient(s). Thus, a key database of user identities mapped to public and private keys must be created. In a real system, where users and applications are dispersed over several computers, each user would have its own private keystore. Similarly, in this guide, we create key databases for alice and bob and share the user certificates between them.
Procedure
Results
alice and bob each now have a self-signed certificate.
4. Creating keystore.conf
About this task
A keystore.conf file is created for each of alice and bob. It has the following format:
cms.keystore = dir/keystore_file
cms.certificate = certificate_label
Example
cms.keystore = /home/alice/.mqs/alicekey
cms.certificate = Alice_Cert
- The path to the keystore file must be provided with no file extension.
- The following keystore formats are supported: CMS (Cryptographic Message Syntax), JKS (Java Keystore) and JCEKS (Java Cryptographic Extension Keystore). For more information, refer to Structure of the keystore configuration file (keystore.conf) for AMS.
- $HOME/.mqs/keystore.conf is the default location where Advanced Message Security searches for the keystore.conf file. For information about how to use a non-default location for keystore.conf, see Using keystores and certificates with AMS.
5. Sharing Certificates
About this task
Procedure
Results
Having created and shared self-signed certificates, alice and bob are now able to identify each other.
What to do next
To verify that each user's keystore now holds the other user's certificate, display the imported certificates:
runmqakm -cert -details -db /home/bob/.mqs/bobkey.kdb -pw passw0rd -label Alice_Cert
runmqakm -cert -details -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label Bob_Cert
6. Defining queue policy
About this task
This step defines a queue policy on QM_VERIFY_AMS using the setmqspl command. Refer to setmqspl for more information on this command. Each policy name must be the same as the name of the queue it is to be applied to.
Example
The following command defines a policy for the TEST.Q queue. In this example, messages are signed by the user alice using the SHA1 algorithm, and encrypted using the 256-bit AES algorithm. alice is the only valid sender and bob is the only receiver of the messages on this queue:
setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB"
What to do next
To display the policies defined on the queue manager, run:
dspmqspl -m QM_VERIFY_AMS
To print the policy details as a set of setmqspl commands, use the -export flag. This allows already defined policies to be stored and restored later:
dspmqspl -m QM_VERIFY_AMS -export >restore_my_policies.bat
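Because `dspmqspl -export` prints one setmqspl command per policy, that output is a convenient input for a periodic policy review. The following script is an added example, not part of this guide or of IBM MQ: it parses such an export (a constructed sample, whose first line mirrors the TEST.Q policy above) and flags policies that use a deprecated signing algorithm, leave messages unencrypted, or encrypt without naming a recipient.

```python
import shlex

# Constructed sample of what `dspmqspl -m QM_VERIFY_AMS -export` prints: one
# setmqspl command per policy. The first line mirrors the guide's TEST.Q policy;
# AUDIT.Q and BAD.Q are made up to exercise the checks.
SAMPLE_EXPORT = '''\
setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB"
setmqspl -m QM_VERIFY_AMS -p AUDIT.Q -s SHA256 -a "CN=alice,O=IBM,C=GB" -e NONE
setmqspl -m QM_VERIFY_AMS -p BAD.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES128
'''

REPEATABLE = {"-a", "-r"}        # author and recipient DNs may be given more than once
WEAK_SIGNING = {"MD5", "SHA1"}   # digest algorithms no longer considered collision-resistant

def parse_setmqspl(line):
    """Turn one exported setmqspl command into a dict keyed by flag name."""
    tokens = shlex.split(line)   # shlex keeps the quoted DNs as single values
    if not tokens or tokens[0] != "setmqspl":
        raise ValueError("not a setmqspl command: %r" % line)
    policy = {"-a": [], "-r": []}
    for i in range(1, len(tokens), 2):
        if i + 1 >= len(tokens):
            raise ValueError("flag %s has no value in: %r" % (tokens[i], line))
        flag, value = tokens[i], tokens[i + 1]
        if flag in REPEATABLE:
            policy[flag].append(value)
        else:
            policy[flag] = value
    return policy

def audit_policy(policy):
    """Return review findings for one policy; an empty list means nothing to flag."""
    findings = []
    name = policy.get("-p", "?")
    signing = policy.get("-s", "NONE").upper()
    if signing in WEAK_SIGNING:
        findings.append("%s: signing algorithm %s is deprecated; prefer SHA256 or stronger" % (name, signing))
    enc = policy.get("-e", "NONE").upper()
    if enc == "NONE":
        findings.append("%s: messages are signed but not encrypted" % name)
    elif not policy["-r"]:
        # Encryption needs the recipient's public key; with no -r nobody could decrypt.
        findings.append("%s: encryption %s set but no -r recipient given" % (name, enc))
    if not policy["-a"]:
        findings.append("%s: no -a author restriction; any signer is accepted" % name)
    return findings

def audit_export(text):
    """Audit every setmqspl line of a dspmqspl -export dump; returns {policy name: findings}."""
    policies = (parse_setmqspl(l) for l in text.splitlines() if l.strip())
    return {p["-p"]: audit_policy(p) for p in policies}
```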
7. Testing the setup
About this task
Procedure
Results
alice's message is displayed when bob runs the getting application.
8. Testing encryption
About this task
This step creates an alias queue for TEST.Q. This alias queue will have no security policy, so no user will have the information needed to decrypt the message, and the encrypted data will be shown.
Procedure
Results
The amqsbcg application shows the encrypted data that is on the queue, proving that the message has been encrypted.