The objective of this technical document is to describe in detail how to install MQ Advanced Message Security (AMS) and configure it for first use on a queue manager at version 9.0 on Linux.
The queue manager will have 2 queues; one queue is not protected by AMS, and the other queue is protected by AMS.
This document also shows how to perform a basic test with the amqsput and amqsget samples (which use local bindings mode), run by 3 users: one authorized to put, another authorized to get, and another that is not authorized.
MQ provides transport-level security through TLS over channels. However, by default, MQ does not provide a method to encrypt and secure access to messages while they are at rest on queues. With AMS in an MQ environment, it becomes possible to implement full end-to-end security.
The chapters in this techdoc are:
Chapter 1: Installing the AMS code
Chapter 2: Creating a queue manager and a queue
Chapter 3: Creating and authorizing users
Chapter 4: Creating a key database and certificates
Chapter 5: Creating keystore.conf
Chapter 6: Sharing Certificates
Chapter 7: Defining queue policy
Chapter 8: Basic testing of the setup
Chapter 9: Testing encryption
Chapter 10: Advanced testing
Scenario A: not authorized by AMS to view messages
Scenario B: User alice is not authorized by AMS to read messages signed by bob
Scenario C: User bob is not authorized by AMS to read messages signed by bob
Chapter 11: Testing performance improvement of new feature in MQ 9.0
Chapter 12: Basic troubleshooting information
+ Update on 08-Jul-2020:
a) New diagram of topology to clarify that the scenarios are using 2 users that connect via local bindings in the same server as the queue manager.
b) Reference to new tutorial in which the 2 users connect from remote servers and use server-connection channels:
Configuration and basic test of remote clients for MQ 9.1 Advanced Message Security (AMS) in Linux
c) New Chapter 12 about troubleshooting
+ Update from 16-Aug-2018
Additional information on the performance improvements.
| Queue Name | Protected by AMS | KeyReuse | Time to put 10k messages (s) | Time to get 10k messages (s) |
|---|---|---|---|---|
| Q1 | No | not applicable | 0.097445 | 0.112199 |
| Q.AMS | Yes | 0 (default) | 7.542336 | 12.026407 |
| Q.AMS | Yes | 50 | 0.189219 | 0.290232 |
Notice that the 1st row is the baseline (no AMS) and the time in column 4 shows that it took around 0.1 second to put 10,000 messages.
The 2nd row is the pre-9.0 function of AMS (KeyReuse at its default of 0), and it took around 7.5 seconds to do the same task. Notice that the difference from the baseline is very large.
The 3rd row uses the new option in 9.0 (KeyReuse set to 50) and it took 0.19 seconds, almost double the baseline time in the 1st row but far less than the time in the 2nd row.
08 July 2020