Confidentiality of messages
Encrypting messages ensures that the contents of messages remain confidential. There are various methods of encrypting messages in IBM MQ, depending on your needs.
For application-level, end-to-end data protection for the point-to-point messaging infrastructure, you can use Advanced Message Security to encrypt the messages, or write your own API exit or API-crossing exit.
The most secure solution is to provide end-to-end encryption, by encrypting a message from the point it is put by an application, to the point where it is got by the consuming application. This can be done using Advanced Message Security (AMS), or by writing your own API exit or API-crossing exit; see Implement confidentiality in user exit programs for more information.
To encrypt messages only while they are being transported over a network, you can use TLS; see TLS security protocols in IBM MQ for more information. Alternatively, you can write your own security exit, message exit, or send and receive exit programs to perform encryption.
To encrypt messages at rest on a queue manager, you can use z/OS data set encryption on that queue manager; see Confidentiality for data at rest on IBM MQ for z/OS with data set encryption for more information.
- Enable CipherSpecs
  Enable a CipherSpec by using the SSLCIPH parameter in either the DEFINE CHANNEL or ALTER CHANNEL MQSC command.
- Resetting SSL and TLS secret keys
  IBM MQ supports the resetting of secret keys on queue managers and clients.
- Implement confidentiality in user exit programs
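A channel whose SSLCIPH is blank does not use TLS, so a check over the channel definitions is a useful companion to enabling CipherSpecs. The following Python script is an added example, not IBM's code: it parses a constructed sample of runmqsc DISPLAY CHANNEL(*) SSLCIPH output (channel names and layout are assumptions) and reports channels with no CipherSpec or, optionally, with one outside a caller-supplied allowlist (the allowed parameter is hypothetical).

```python
import re

# Constructed sample of `DISPLAY CHANNEL(*) SSLCIPH` output from runmqsc.
# Channel names and the exact layout are illustrative assumptions.
SAMPLE = """\
AMQ8414I: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   SSLCIPH(ANY_TLS12_OR_HIGHER)
AMQ8414I: Display Channel details.
   CHANNEL(LEGACY.SVRCONN)                 CHLTYPE(SVRCONN)
   SSLCIPH( )
AMQ8414I: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
"""

# MQSC prints attributes as NAME(value), possibly several per line.
ATTR = re.compile(r"(\w+)\(([^)]*)\)")

def parse_channels(text):
    """Return one dict of attributes per channel found in the output."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ"):      # message line: a new record follows
            current = None
            continue
        for name, value in ATTR.findall(line):
            if name == "CHANNEL":
                current = {"CHANNEL": value.strip()}
                channels.append(current)
            elif current is not None:
                current[name] = value.strip()
    return channels

def audit(text, allowed=None):
    """List (channel, reason) for channels lacking an acceptable CipherSpec."""
    findings = []
    for ch in parse_channels(text):
        cipher = ch.get("SSLCIPH", "")
        if not cipher:                  # blank SSLCIPH: TLS is not used
            findings.append((ch["CHANNEL"], "no CipherSpec set"))
        elif allowed is not None and cipher not in allowed:
            findings.append((ch["CHANNEL"], f"{cipher} not in allowlist"))
    return findings

if __name__ == "__main__":
    for channel, reason in audit(SAMPLE, allowed={"ANY_TLS12_OR_HIGHER"}):
        print(f"{channel}: {reason}")
```
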