Migrating Advanced Message Security on z/OS

Advanced Message Security for z/OSĀ® (AMS) is a separately licensed enabling product that extends IBM MQ to provide a high level of protection for sensitive data flowing through the IBM MQ network using a public key cryptography model.

In IBM MQ for z/OS releases prior to Version 8.0, AMS was provided as a separate product. This topic describes the tasks required to migrate the AMS configuration on z/OS from that used in Version 7.0 and earlier, to that used in Version 8.0. These steps supplement those required to migrate a single IBM MQ for z/OS queue manager where AMS is not configured. AMS must be migrated at the same time as the queue manager, it is not supported to use Advanced Message Security Version 7.0.1 with IBM MQ for z/OS Version 8.0.

To enable AMS on a newly created IBM MQ for z/OS queue manager, or on a queue manager that has already been migrated to Version 8.0, see Install Advanced Message Security on z/OS.

For information about licensing for Advanced Message Security for z/OS, see IBM MQ license information and IBM MQ for z/OS product identifiers.


Preparing to migrate Advanced Message Security on z/OS

To prepare to migrate an IBM MQ queue manager on z/OS using AMS Version 7.0.1 or earlier, you must perform the steps in this section in addition to those listed in Preparing to migrate a single IBM MQ for z/OS queue manager.

  1. Install the Advanced Message Security for z/OS enabling product and make the target libraries available to all MVS systems that are running queue managers that will use AMS. You must carry out the following procedure for each MVS system:
    1. Copy the AMS target libraries to the system.
    2. APF authorize the thlqual.SDRQAUTH target library and grant access to this data set using your external security system, see Task 2: APF authorize the IBM MQ load libraries.
    3. Ensure the LPA contains the AMS module CSQ0DRTM, see Task 3: Update the z/OS link list and LPA.
    4. Ensure the program properties table (PPT) contains an entry for CSQ0DSRV, see Task 4: Update the z/OS program properties table.
  2. For each queue manager, set up the started task user for the AMS address space. In AMS Version 7.0.1 two address spaces are used, one for the main task and another for the data services task. In Version 8.0 these are combined in to a single address space called qmgrAMSM. Either set up a new user for the Version 8.0 AMS address space, or grant additional authorities to one of the existing AMS started task users. See Task 25: Set up the started task user Advanced Message Security for information on how to set up the started task user. If we do not use the existing data services address space user you will need to replicate the drq.ams.keyring key ring for the user ID associated with the Version 8.0 qmgrAMSM address space. See Use certificates on z/OS for information on how to set up the AMS key ring.


Migrating Advanced Message Security on z/OS

To migrate an IBM MQ queue manager on z/OS using AMS Version 7.0.1 or earlier, before restarting the queue manager you must perform the steps in this section in addition to those listed in Migrating a single IBM MQ z/OS queue manager to the next version of the product.
  1. Take a copy of the qmgrAMSM task for Advanced Message Security (AMS) Version 7.0.1, in case you need to revert to your previous system.

    See Backward migration of Advanced Message Security on z/OS for more information.

  2. Configure the queue manager to use AMS by updating the system parameter module to set SPLCAP(YES) using CSQ6SYSP, see Task 17: Tailor your system parameter module and Use CSQ6SYSP.
  3. Create or update the started task procedure for the qmgrAMSM address space, see Task 24: Create procedures for Advanced Message Security.


Post migration tasks for Advanced Message Security on z/OS

After we have migrated an IBM MQ queue manager on z/OS that uses AMS you must perform the following tasks.
  1. In Version 8.0 and later, the AMS address space is started and stopped automatically by the queue manager. If we have automation to manage the main task and data services task for AMS Version 7.0.1 or earlier, this should be removed. You must also review any automated console commands for AMS, because some have changed since Version 8.0.
  2. Delete the started task procedures for the Version 7.0.1 data services task and the Version 7.0 main task if these were not called qmgrAMSM.


Backward migration of Advanced Message Security on z/OS

If you are an AMS user, and you backward migrate your queue manager from Version 8.0 to a version 7 release, additional actions are required to revert AMS to version 7.

Considerations when migrating

You should ensure that your previous setup is in place and that tasks Updating the z/OS LPA to Updating your system DIAG member have been carried out.

Ensure that the user ID associated with the version 7 data-services address spaces has access to drq.ams.keyring, and that drq.ams.keyring has the same connected certificates as the Version 8.0 qmgrAMSM user ID.

Performing the migration

When we have completed the previous tasks, we can migrate your queue manager backwards in the normal way.

Manually start, or reintroduce automation for starting, the AMS main and data services address spaces.

See Starting Advanced Message Security for further information.