Protecting remote queues
To fully protect remote queues, policies must be set on the remote queue and local queue to which messages are transmitted.
When a message is put into a remote queue, Advanced Message Security intercepts the operation and processes the message according to the policy set for the remote queue. For example, under an encryption policy the message is encrypted before it is passed to IBM MQ. After Advanced Message Security has processed the message put into the remote queue, IBM MQ places it on the associated transmission queue and forwards it to the target queue manager and target queue.
When a GET operation is performed on the local queue, Advanced Message Security tries to decrypt the message according to the policy set on the local queue. For the operation to succeed, the policy used to decrypt the message must be identical to the one used to encrypt it. Any discrepancy causes the message to be rejected.
If for any reason both policies cannot be set at the same time, staged roll-out support is provided. The policy can be set on the local queue with the toleration flag on, which indicates that the policy associated with the queue can be ignored when an attempt to retrieve a message from the queue involves a message that does not have the security policy applied. In this case, GET still tries to decrypt protected messages, but also allows non-encrypted messages to be delivered. This way, policies on remote queues can be set after the local queues have been protected (and tested).
Remember: Remove the toleration flag once the Advanced Message Security roll-out has been completed.
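The staged roll-out described above as a shell script, added here and not taken from the IBM documentation. It assumes the setmqspl and dspmqspl commands with their -m, -p, -s, -e, -r and -t (toleration) options as shipped with IBM MQ Advanced Message Security; the queue manager names, queue names and recipient DN are constructed placeholders.

```shell
#!/bin/sh
# Staged AMS roll-out for a remote queue / local queue pair (added example,
# not IBM's own code). Assumes setmqspl/dspmqspl with the -m/-p/-s/-e/-r/-t
# options; queue manager names, queue names and the DN are placeholders.
set -eu

SETMQSPL="${SETMQSPL:-setmqspl}"   # overridable so the steps can be dry-run
DSPMQSPL="${DSPMQSPL:-dspmqspl}"

# Parameters shared by BOTH queues: the GET side can only decrypt what the
# PUT side encrypted with the same algorithms for the same recipient, so they
# are defined once and never passed per queue.
SIGN_ALG="SHA256"
ENC_ALG="AES256"
RECIPIENT_DN="CN=consumer,O=EXAMPLE,C=US"   # placeholder recipient certificate DN

# set_policy <qmgr> <queue> <toleration 0|1>
# The policy name equals the queue name; toleration is the only per-queue difference.
set_policy() {
  "$SETMQSPL" -m "$1" -p "$2" -s "$SIGN_ALG" -e "$ENC_ALG" -r "$RECIPIENT_DN" -t "$3"
}

# show_policy <qmgr> <queue>: display the policy to verify what was set.
show_policy() {
  "$DSPMQSPL" -m "$1" -p "$2"
}

# Stage 1: protect the local (target) queue with toleration ON, so messages
# that are still unprotected are delivered while the sending side is unchanged.
stage_local_tolerant() { set_policy "$1" "$2" 1; }

# Stage 2: protect the remote queue definition on the sending queue manager.
stage_remote() { set_policy "$1" "$2" 0; }

# Stage 3: once every producer is protected, clear toleration on the local
# queue so unprotected messages are rejected instead of delivered.
finalize_local() { set_policy "$1" "$2" 0; }

# rollout <source qmgr> <remote queue> <target qmgr> <local queue>
rollout() {
  stage_local_tolerant "$3" "$4"
  stage_remote "$1" "$2"
  finalize_local "$3" "$4"
}

if [ "${1:-}" = "run" ]; then
  rollout QM_SOURCE APP.REMOTE.Q QM_TARGET APP.LOCAL.Q
fi
```

Run the staged steps separately in practice and test between stage 2 and stage 3; the script only fixes the order and keeps both policies identical apart from the toleration flag.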