Testing the policy on IBM i

Use the sample applications provided with the product to test your security policies.


We can use the sample applications provided with IBM MQ, such as AMQSPUT4, AMQSGET4, AMQSGBR4, and tools such as WRKMQMMSG to put, browse, and get messages using the PROTECTED queue name.

Provided everything has been configured correctly, there should be no difference in application behavior to that of an unprotected queue for this user.

However, a user who is not set up for Advanced Message Security, or who does not have the required private key to decrypt the message, cannot view the message. The user receives a completion code of RCFAIL, equivalent to MQCC_FAILED (2), and a reason code of RC2063 (MQRC_SECURITY_ERROR).

To see that AMS protection is in effect, put some test messages to the PROTECTED queue, for example using AMQSPUT0. We can then create an alias queue to browse the raw protected data while at rest.


Procedure

To create an alias queue that targets the PROTECTED queue, run:
CRTMQMQ QNAME(ALIAS) QTYPE(*ALS) TGTQNAME(PROTECTED) MQMNAME(yourqm)

Browsing using the ALIAS queue name, for example using AMQSBCG4 or WRKMQMMSG, should reveal larger scrambled messages, whereas a browse of the PROTECTED queue shows cleartext messages.

The scrambled messages are visible, but the original cleartext is not decipherable using the ALIAS queue, because no AMS policy matches this queue name, so AMS has nothing to enforce. Hence, the raw protected data is returned.