Message Channel Agent (MCA) interception

MCA interception enables a queue manager running under IBM MQ to selectively enable policies to be applied for server connection channels.

MCA interception allows clients that remain outside AMS to still be connected to a queue manager and their messages to be encrypted and decrypted.

MCA interception is intended to provide AMS capability when AMS cannot be enabled at the client. Note that using MCA interception and an AMS-enabled client leads to double-protection of messages which might be problematic for receiving applications. For more information, see Disabling Advanced Message Security at the client.

Note: MCA interceptors are not supported for AMQP or MQTT channels.


Keystore configuration file

By default, the keystore configuration file for MCA interception is keystore.conf and is located in the .mqs directory in the HOME directory path of the user who started the queue manager or the listener. The keystore can also be configured by using the MQS_KEYSTORE_CONF environment variable. See Use keystores and certificates.

To enable MCA interception, we must provide the name of a channel that we want to use in the keystore configuration file. For MCA Interception, only a cms keystore type can be used.

See Advanced Message Security MCA interception example for an example of setting up MCA interception.

Attention: We must complete client authentication and encryption on the selected channels, for example, by using SSL and SSLPEER or CHLAUTH TYPE(SSLPEERMAP), to ensure that only authorized clients can connect and use this capability.

If your enterprise uses IBM i, and you selected a commercial Certificate Authority (CA) to sign your certificate, the Digital Certificate Manager creates a certificate request in PEM (Privacy-Enhanced Mail) format. We must forward the request to your chosen CA.

To do this, we must use the following command to select the correct certificate for the channel specified in channelname:
pem.certificate.channel.channelname