Advanced Message Security MCA interception example
An example task on how you set up an AMS MCA interception.
Before you begin
Attention: You must complete client authentication and encryption on the selected channels, for example, by using SSL and SSLPEER or CHLAUTH TYPE(SSLPEERMAP), to ensure that only authorized clients can connect and use this capability.If your enterprise uses IBM® i, and you selected a commercial Certificate Authority (CA) to sign your certificate, the Digital Certificate Manager creates a certificate request in PEM (Privacy-Enhanced Mail) format. You must forward the request to your chosen CA.
About this task
This task takes you through the process of setting up your system to use MCA interception, then verifying the setup.
Note: Prior to IBM WebSphere MQ Version 7.5, AMS was an add-on product that needed to be separately installed and interceptors configured to protect applications. From Version 7.5 onwards, the interceptors are automatically included and dynamically enabled in the MQ client and server runtime environments. In this MCA interception example, the interceptors are provided at the server end of the channel, and an older client runtime is used (in Step 12) to put an unprotected messages across the channel so that it can be seen to be protected by the MCA interceptors. If this example had used a Version 7.5 or later client, it would cause the message to be protected twice, because the MQ client runtime interceptor and the MCA interceptor would both protect the message as it comes into MQ. Attention: Replace userID in the code with your user ID.
Procedure
- Create the key database and certificates by using the following commands to create a shell script. Also, change the INSTLOC and KEYSTORELOC or run the required commands. Note that you might not need to create the certificate for bob.
INSTLOC=/opt/mq90 KEYSTORELOC=/home/testusr/ssl/ams1 mkdir -p $KEYSTORELOC chmod -R 777 $KEYSTORELOC chown -R mqm:mqm $KEYSTORELOC export PATH=$PATH:$INSTLOC/gskit8/bin echo "PATH = $PATH" export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$INSTLOC/gskit8/lib64 gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -stash gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -stash gsk8capicmd_64 -cert -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -label alice_cert -dn "cn=alice,O=IBM,c=IN" -default_cert yes gsk8capicmd_64 -cert -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -label bob_cert -dn "cn=bob,O=IBM,c=IN" -default_cert yes- Share the certificates between the two key databases so that each user can successfully identify the other.
It is important that we use the method described in Task 5. Sharing Certificates in the Quick Start Guide (Windows or UNIX).
- Create keystore.conf with the following configuration: Keystore.conf location: /home/userID/ssl/ams1/
cms.keystore = /home/userID/ssl/ams1/alicekey cms.certificate.channel.SYSTEM.DEF.SVRCONN = alice_cert- Create and start queue manager AMSQMGR1
- Define a listener with port 14567 and control QMGR
- Disable channel authority or set the rules for channel authority. See SET CHLAUTH for more information.
- Stop the queue manager.
- Set the keystore:
export MQS_KEYSTORE_CONF=/home/userID/ssl/ams1/keystore.conf- Start the queue manager on the same shell.
- Set the security policy and verify:
setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" -r "CN=alice,O=IBM,C=IN" dspmqspl -m AMSQMGR1See setmqspl and dspmqspl for more information.- Set the channel configuration:
export MQSERVER='SYSTEM.DEF.SVRCONN/TCP/127.0.0.1(14567)'- Run amqsputc from an MQ client that does not automatically enable an MCA interceptor; for example an IBM WebSphere MQ Version 7.1 or earlier client. Put the following two messages:
/opt/mqm/samp/bin/amqsputc TESTQ TESTQMGR- Remove the security policy and verify the result:
setmqspl -m AMSQMGR1 -p TESTQ -remove dspmqspl -m AMSQMGR1- Browse the queue from your IBM MQ Version 9.0 installation:
/opt/mq90/samp/bin/amqsbcg TESTQ AMSQMGR1The browse output shows the messages in encrypted format.- Set the security policy and verify the result:
setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" -r "CN=alice,O=IBM,C=IN" dspmqspl -m AMSQMGR1- Run amqsgetc from your IBM MQ Version 9.0 installation:
/opt/mqm/samp/bin/amqsgetc TESTQ TESTQMGR