Creating security policies in AMS
Security policies define the way in which a message is protected when the message is put, or how a message must have been protected when a message is received.
Before you begin
There are some entry conditions which must be met when creating security policies:
- The queue manager must be running.
- The name of a security policy must follow Rules for naming IBM MQ objects.
- You must have the necessary authority to connect to the queue manager and create a security policy:
For more information about configuring security see Set up security.
- On z/OS®, grant the authorities documented in The message security policy utility (CSQ0UTIL).
- On platforms other than z/OS, grant the necessary +connect, +inq and +chg authorities using the setmqaut command.
- On z/OS, ensure the required system objects have been defined according to the definitions in CSQ4INSM.
Example
Here is an example of creating a policy on queue manager QMGR. The policy specifies that messages be signed using the SHA256 algorithm and encrypted using the AES256 algorithm for certificates with DN: CN=joe,O=IBM,C=US and DN: CN=jane,O=IBM,C=US. This policy is attached to MY.QUEUE:

setmqspl -m QMGR -p MY.QUEUE -s SHA256 -e AES256 -r CN=joe,O=IBM,C=US -r CN=jane,O=IBM,C=US

Here is an example of creating a policy on the queue manager QMGR. The policy specifies that messages be encrypted using the 3DES algorithm for certificates with DNs: CN=john,O=IBM,C=US and CN=jeff,O=IBM,C=US, and signed with the SHA256 algorithm for the certificate with DN: CN=phil,O=IBM,C=US. This policy is attached to MY.OTHER.QUEUE:

setmqspl -m QMGR -p MY.OTHER.QUEUE -s SHA256 -e 3DES -r CN=john,O=IBM,C=US -r CN=jeff,O=IBM,C=US -a CN=phil,O=IBM,C=US

Note:
- The quality of protection being used for the message put and get must match. If the policy quality of protection that is defined for the message is weaker than that defined for a queue, the message is sent to the error handling queue. This policy is valid for both local and remote queues.
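The following script is an added example, not part of the IBM documentation: it builds the setmqspl command for a queue from a list of recipient DNs (one -r each) and optional signer DNs (one -a each), applies it to several queues, and reads each stored policy back with dspmqspl so the result can be compared with the intended quality of protection. It assumes setmqspl and dspmqspl are on PATH; the AMS_DRY_RUN variable and the sample DNs are constructed for this example.

```shell
#!/bin/sh
# Added example (not IBM's code): apply one AMS policy to several queues and
# verify it. Set AMS_DRY_RUN=1 to print the commands instead of running them,
# which lets the script run on a machine without IBM MQ installed.

QMGR="QMGR"
SIGN_ALG="SHA256"
ENC_ALG="AES256"
# Constructed sample DNs. Lists are space-separated, so a DN containing a
# space would need to be passed to setmqspl individually with quoting.
RECIPIENTS="CN=joe,O=IBM,C=US CN=jane,O=IBM,C=US"
SIGNERS="CN=phil,O=IBM,C=US"

# Print the setmqspl command line for one queue.
#   $1 queue name   $2 recipient DNs (-r each)   $3 signer DNs (-a each, may be empty)
build_setmqspl() {
    cmd="setmqspl -m $QMGR -p $1 -s $SIGN_ALG -e $ENC_ALG"
    for dn in $2; do cmd="$cmd -r $dn"; done
    for dn in $3; do cmd="$cmd -a $dn"; done
    printf '%s\n' "$cmd"
}

# Run a command line, or only print it when AMS_DRY_RUN=1.
run() {
    if [ "${AMS_DRY_RUN:-0}" = "1" ]; then
        printf 'DRY: %s\n' "$1"
    else
        $1
    fi
}

# Apply the same policy to every queue named as an argument, then display the
# policy the queue manager stored so it can be checked against the intent.
apply_policy() {
    for q in "$@"; do
        run "$(build_setmqspl "$q" "$RECIPIENTS" "$SIGNERS")" || return 1
        run "dspmqspl -m $QMGR -p $q" || return 1
    done
}

# Usage: AMS_DRY_RUN=1 ./ams_policy.sh MY.QUEUE MY.OTHER.QUEUE
if [ $# -gt 0 ]; then
    apply_policy "$@"
fi
```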