Configure Advanced Message Security for z/OS
Use these topics as a step-by-step guide for configuring Advanced Message Security (AMS).
Before starting
Before you start to configure AMS, ensure that the following queue manager configuration steps have been performed:
- From Version 9.1.3 onwards, ignore this step. For versions of IBM MQ for z/OS prior to Version 9.1.3, APF authorize the library thqual.SDRQAUTH, as described in APF authorize the IBM MQ load libraries.
- Add the CSQ0DRTM module to the LPA, as described in Update the z/OS link list and LPA.
- Add an entry for CSQ0DSRV to the z/OS program properties table (PPT), as described in Update the z/OS program properties table.
- Include the CSQ4INSM member in the CSQINP2 concatenation of the queue manager started task procedure, as described in Customize the initialization input data sets.
- For versions of IBM MQ for z/OS prior to Version 9.1.3, include the thqual.SDRQAUTH library in the queue manager STEPLIB concatenation, as described in Create procedures for the IBM MQ queue manager.
From Version 9.1.3 onwards, you can enable AMS using the AMSPROD attribute. See Product usage recording with IBM MQ for z/OS products for more details.
What to do next
Configure policies for queues protected by AMS. Security policies are described in Administer Advanced Message Security security policies.
There are examples of AMS configurations in Example configurations on z/OS.
- Create procedures for Advanced Message Security
  Each IBM MQ subsystem that is to be configured to use Advanced Message Security (AMS) requires a cataloged procedure to start the AMS address space. You can create your own or use the IBM-supplied procedure library.
- Set up the Advanced Message Security started task user ID
  The Advanced Message Security (AMS) task requires a user ID that allows it to be known as a UNIX System Services (USS) process.
- Grant RACDCERT permissions to the security administrator for Advanced Message Security
  Your Advanced Message Security security administrator requires authority to use the RACDCERT command to create and manage digital certificates.
- Grant users resource permissions for Advanced Message Security
  Advanced Message Security users require relevant resource permissions.
- Create key rings for Advanced Message Security
  Certificates used by Advanced Message Security (AMS) for signing and encryption are stored in z/OS SAF key rings. You need to create these key rings and certificates before you can use AMS.
- Enable Advanced Message Security
  Security policy capability for a queue manager is controlled by the SPLCAP parameter in the system parameter module.