+

Search Tips | Advanced Search

Advanced Message Security MCA interception example

An example task on how you set up an AMS MCA interception.


Before you begin

Attention: You must complete client authentication and encryption on the selected channels, for example, by using SSL and SSLPEER or CHLAUTH TYPE(SSLPEERMAP), to ensure that only authorized clients can connect and use this capability.

If your enterprise uses IBM® i, and you selected a commercial Certificate Authority (CA) to sign your certificate, the Digital Certificate Manager creates a certificate request in PEM (Privacy-Enhanced Mail) format. You must forward the request to your chosen CA.


About this task

This task takes you through the process of setting up your system to use MCA interception, then verifying the setup.

Note: Prior to IBM WebSphere MQ Version 7.5, AMS was an add-on product that needed to be separately installed and interceptors configured to protect applications. From Version 7.5 onwards, the interceptors are automatically included and dynamically enabled in the MQ client and server runtime environments. In this MCA interception example, the interceptors are provided at the server end of the channel, and an older client runtime is used (in Step 12) to put an unprotected messages across the channel so that it can be seen to be protected by the MCA interceptors. If this example had used a Version 7.5 or later client, it would cause the message to be protected twice, because the MQ client runtime interceptor and the MCA interceptor would both protect the message as it comes into MQ. Attention: Replace userID in the code with your user ID.


Procedure

  1. Create the key database and certificates by using the following commands to create a shell script. Also, change the INSTLOC and KEYSTORELOC or run the required commands. Note that you might not need to create the certificate for bob.
    INSTLOC=/opt/mq90
    KEYSTORELOC=/home/testusr/ssl/ams1
    mkdir -p $KEYSTORELOC
    chmod -R 777 $KEYSTORELOC
    chown -R mqm:mqm $KEYSTORELOC
    export PATH=$PATH:$INSTLOC/gskit8/bin
    echo "PATH = $PATH"
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$INSTLOC/gskit8/lib64
    
    gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -stash
    gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -stash
    gsk8capicmd_64 -cert -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd
    -label alice_cert -dn "cn=alice,O=IBM,c=IN" -default_cert yes
    gsk8capicmd_64 -cert -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd
    -label bob_cert  -dn "cn=bob,O=IBM,c=IN"  -default_cert yes
    
  2. Share the certificates between the two key databases so that each user can successfully identify the other.

    It is important that we use the method described in Task 5. Sharing Certificates in the Quick Start Guide (Windows or UNIX).

  3. Create keystore.conf with the following configuration: Keystore.conf location: /home/userID/ssl/ams1/
    cms.keystore = /home/userID/ssl/ams1/alicekey
    cms.certificate.channel.SYSTEM.DEF.SVRCONN = alice_cert
    
  4. Create and start queue manager AMSQMGR1
  5. Define a listener with port 14567 and control QMGR
  6. Disable channel authority or set the rules for channel authority. See SET CHLAUTH for more information.
  7. Stop the queue manager.
  8. Set the keystore:
    export MQS_KEYSTORE_CONF=/home/userID/ssl/ams1/keystore.conf
    
  9. Start the queue manager on the same shell.
  10. Set the security policy and verify:
    setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN"
    -r "CN=alice,O=IBM,C=IN"
    dspmqspl -m AMSQMGR1
    
    See setmqspl and dspmqspl for more information.
  11. Set the channel configuration:
    export MQSERVER='SYSTEM.DEF.SVRCONN/TCP/127.0.0.1(14567)'
    
  12. Run amqsputc from an MQ client that does not automatically enable an MCA interceptor; for example an IBM WebSphere MQ Version 7.1 or earlier client. Put the following two messages:
    /opt/mqm/samp/bin/amqsputc TESTQ TESTQMGR
    
  13. Remove the security policy and verify the result:
    setmqspl -m AMSQMGR1 -p TESTQ -remove
    dspmqspl -m AMSQMGR1
    
  14. Browse the queue from your IBM MQ Version 9.0 installation:
    /opt/mq90/samp/bin/amqsbcg TESTQ AMSQMGR1
    
    The browse output shows the messages in encrypted format.
  15. Set the security policy and verify the result:
    setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN"
    -r "CN=alice,O=IBM,C=IN"
    dspmqspl -m AMSQMGR1
    
  16. Run amqsgetc from your IBM MQ Version 9.0 installation:
    /opt/mqm/samp/bin/amqsgetc TESTQ TESTQMGR