System queue protection in AMS

System queues enable communication between IBM MQ and its ancillary applications. Whenever a queue manager is created, a set of system queues is also created to store IBM MQ internal messages and data. You can protect system queues with Advanced Message Security (AMS) so that only authorized users can read, or decrypt, the messages on them.

System queue protection follows the same pattern as the protection of regular queues; see Creating security policies in AMS. To use system queue protection on Windows, copy the keystore.conf file to the following location:
c:\Documents and Settings\Default User\.mqs\keystore.conf

On z/OS®, to protect SYSTEM.ADMIN.COMMAND.QUEUE, the command server must have access to both the keystore and the keystore.conf file, which together hold the keys, certificates and configuration that the command server needs. Any change to the security policy of SYSTEM.ADMIN.COMMAND.QUEUE requires a restart of the command server before it takes effect.

All messages sent to and received from the command queue are signed, or signed and encrypted, depending on the policy settings. If an administrator defines authorized signers, command messages that fail the signer Distinguished Name (DN) check are not executed by the command server, and they are not routed to the Advanced Message Security error handling queue either, so a rejected command leaves no message on that queue. Messages sent as replies to IBM MQ Explorer temporary dynamic queues are not protected by AMS.
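The following is an added example, not IBM MQ or AMS code, that models the two checks described above: it validates the keystore.conf that AMS reads (the cms.keystore and cms.certificate keys of a CMS-format keystore.conf; the path and certificate label are made up), and it applies an authorized-signer DN check to a constructed batch of command messages, dropping the rejected ones without forwarding them anywhere, as the command server does. The DN normalization is an assumption about how an allow-list ought to compare DNs, not a description of AMS's own matching rules.

```python
"""Illustrative model of two checks this page describes: validating the
keystore.conf that AMS reads, and the authorized-signer DN check applied to
commands on SYSTEM.ADMIN.COMMAND.QUEUE. This is an added example, not IBM
MQ or AMS code; the DN normalization and the sample data are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed keystore.conf (cms.keystore / cms.certificate are the keys a
# CMS-format AMS keystore.conf uses; the path and label here are made up).
KEYSTORE_CONF = """\
# AMS keystore configuration for the command server (constructed sample)
cms.keystore = /var/mqm/.mqs/cmdserver
cms.certificate = CMDSERVER_CERT
"""

REQUIRED_KEYS = ("cms.keystore", "cms.certificate")


def parse_keystore_conf(text: str) -> Dict[str, str]:
    """Parse key = value lines, ignoring blanks and comments, and fail early
    if a key AMS needs in order to locate the key pair is absent."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed keystore.conf line: {raw!r}")
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in conf]
    if missing:
        raise ValueError(f"keystore.conf is missing {missing}")
    return conf


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for allow-list comparison: split on unescaped
    commas, drop surrounding whitespace, upper-case attribute types, keep
    attribute values as written. Assumption: a sensible comparison for an
    allow-list, not a statement of how AMS itself matches DNs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, _, value = part.partition("=")
        rdns.append(f"{attr_type.strip().upper()}={value.strip()}")
    return ",".join(rdns)


class CommandQueuePolicy:
    """Authorized-signer part of a policy on SYSTEM.ADMIN.COMMAND.QUEUE."""

    def __init__(self, authorized_signers: List[str]) -> None:
        self.signers = {normalize_dn(d) for d in authorized_signers}

    def is_executed(self, signer_dn: Optional[str]) -> bool:
        # Signature verification is assumed to have passed already; an
        # unsigned command has no signer DN and is rejected outright.
        if not signer_dn:
            return False
        return normalize_dn(signer_dn) in self.signers


def triage(policy: CommandQueuePolicy,
           commands: List[Dict[str, Optional[str]]]) -> Tuple[List[str], List[str]]:
    """Split commands into those the command server would run and those it
    drops. Dropped commands are not forwarded to the AMS error handling
    queue, so the 'rejected' list is the only record of them here."""
    executed: List[str] = []
    rejected: List[str] = []
    for cmd in commands:
        target = executed if policy.is_executed(cmd["signer"]) else rejected
        target.append(cmd["id"] or "")
    return executed, rejected


# Constructed command messages: an id plus the DN of the signing certificate.
SAMPLE_COMMANDS: List[Dict[str, Optional[str]]] = [
    {"id": "cmd-1", "signer": "CN=mqadmin,OU=MQ,O=Example"},
    {"id": "cmd-2", "signer": "cn=mqadmin, ou=MQ, o=Example"},  # same DN, loose formatting
    {"id": "cmd-3", "signer": "CN=intruder,OU=MQ,O=Example"},
    {"id": "cmd-4", "signer": None},                             # unsigned command
]

POLICY = CommandQueuePolicy(["CN=mqadmin,OU=MQ,O=Example"])

if __name__ == "__main__":
    conf = parse_keystore_conf(KEYSTORE_CONF)
    print("command server keystore:", conf["cms.keystore"], "label:", conf["cms.certificate"])
    ran, dropped = triage(POLICY, SAMPLE_COMMANDS)
    print("executed:", ran)
    print("dropped (not sent to the AMS error queue):", dropped)
```

The practical caveat this models is that a signer-DN mismatch is silent: because rejected commands never reach the error handling queue, a policy whose authorized-signer DN differs from the DN in the administrator's certificate (a different attribute order, a stray space, a different value case) simply makes every command disappear. After changing the policy, confirm it with dspmqspl, restart the command server on z/OS as noted above, and then send a harmless command and check that a reply actually comes back.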

Security policies have no effect on the following SYSTEM queues (SYSTEM.ADMIN.COMMAND.QUEUE appears in this list; the z/OS command server protection described above is the exception to it):

  • SYSTEM.ADMIN.ACCOUNTING.QUEUE
  • SYSTEM.ADMIN.ACTIVITY.QUEUE
  • SYSTEM.ADMIN.CHANNEL.EVENT
  • SYSTEM.ADMIN.COMMAND.EVENT
  • SYSTEM.ADMIN.COMMAND.QUEUE
  • SYSTEM.ADMIN.CONFIG.EVENT
  • SYSTEM.ADMIN.LOGGER.EVENT
  • SYSTEM.ADMIN.PERFM.EVENT
  • SYSTEM.ADMIN.PUBSUB.EVENT
  • SYSTEM.ADMIN.QMGR.EVENT
  • SYSTEM.ADMIN.STATISTICS.QUEUE
  • SYSTEM.ADMIN.TRACE.ROUTE.QUEUE
  • SYSTEM.AUTH.DATA.QUEUE
  • SYSTEM.BROKER.ADMIN.STREAM
  • SYSTEM.BROKER.CLIENTS.DATA
  • SYSTEM.BROKER.CONTROL.QUEUE
  • SYSTEM.BROKER.DEFAULT.STREAM
  • SYSTEM.BROKER.INTER.BROKER.COMMUNICATIONS
  • SYSTEM.BROKER.SUBSCRIPTIONS.DATA
  • SYSTEM.CHANNEL.INITQ
  • SYSTEM.CHANNEL.SYNCQ
  • SYSTEM.CHLAUTH.DATA.QUEUE
  • SYSTEM.CICS.INITIATION.QUEUE
  • SYSTEM.CLUSTER.COMMAND.QUEUE
  • SYSTEM.CLUSTER.HISTORY.QUEUE
  • SYSTEM.CLUSTER.REPOSITORY.QUEUE
  • SYSTEM.CLUSTER.TRANSMIT.QUEUE
  • SYSTEM.COMMAND.INPUT
  • SYSTEM.DDELAY.LOCAL.QUEUE
  • SYSTEM.DEAD.LETTER.QUEUE
  • SYSTEM.DURABLE.SUBSCRIBER.QUEUE
  • SYSTEM.HIERARCHY.STATE
  • SYSTEM.INTER.QMGR.CONTROL
  • SYSTEM.INTER.QMGR.FANREQ
  • SYSTEM.INTER.QMGR.PUBS
  • SYSTEM.INTERNAL.REPLY.QUEUE
  • SYSTEM.JMS.PS.STATUS.QUEUE
  • SYSTEM.JMS.REPORT.QUEUE
  • SYSTEM.PENDING.DATA.QUEUE
  • SYSTEM.PROTECTION.ERROR.QUEUE
  • SYSTEM.PROTECTION.POLICY.QUEUE
  • SYSTEM.QSG.CHANNEL.SYNCQ
  • SYSTEM.QSG.TRANSMIT.QUEUE
  • SYSTEM.QSG.UR.RESOLUTION.QUEUE
  • SYSTEM.RETAINED.PUB.QUEUE
  • SYSTEM.SELECTION.EVALUATION.QUEUE
  • SYSTEM.SELECTION.VALIDATION.QUEUE