Plan for Advanced Message Security
TLS (or SSL) can be used to encrypt and protect messages flowing on a network, but this does not protect messages when they are on a queue ("at rest"). Advanced Message Security (AMS) protects the messages from the time that they are first put to a queue, until they are got, so that only the intended recipients of the message can read that message. The messages are encrypted and signed during put processing, and unprotected during get processing.
AMS can be configured to protect messages in different ways:
- A message can be signed. The message is in clear text, but there is a checksum, which is signed. This allows any changes in the message content to be detected. From the signed content, we can identify who signed the data.
- A message can be encrypted. The contents are not visible to anyone without the decryption key. The decryption key is encrypted for each recipient.
- A message can be encrypted and signed. They decryption key is encrypted for each recipient, and from the signing we can identify who sent the message.
The encryption and signing use digital certificates and key rings.
We can set up a client to use AMS, so the data is protected before the data is put on the client channel. Protected messages can be sent to a remote queue manager, and we need to configure the remote queue manager to process these messages.
Set up AMS
An AMS address space is used for doing the AMS work. This has additional security set up, to give access to and protect the use of key rings and certificates.
You configure which queues are to be protected by using a utility program (CSQ0UTIL) to define the security policies for queues.
Once AMS is set up
Set up a digital certificate and a key ring for people who put messages, and the people who get messages.
If a user, Alice, on z/OS needs to send a message to Bob, AMS needs a copy of the public certificate for Bob.
If Bob wants to process a message from Alice, AMS needs the public certificate for Alice, or the same certificate authority certificate used by Alice.
Attention: We need to:
- Carefully plan who can put to, or get from, queues
- Identify the people and their certificate names.
It is easy to make mistakes, and problems can be hard to resolve. Parent topic: Plan the IBM MQ environment on z/OS
Related concepts