Create a policy on IBM i

Before creating a policy, we need to create a queue to hold protected messages.

Procedure

1. At a command line prompt enter;

   CRTMQMQ QNAME(PROTECTED) QTYPE(*LCL) MQMNAME (mqmname)
   

   where mqmname is the name of our queue manager.

   Use the DSPMQM command to check that the queue manager is capable of using security policies. Ensure that Security Policy Capability shows *YES.

   The simplest policy we can define is an integrity policy, which is achieved by creating a policy with a digital signature algorithm but no encryption algorithm.

   Messages are signed but not encrypted. If messages are to be encrypted, we must specify an encryption algorithm, and one or more intended message recipients.

   A certificate in the public keystore for an intended message recipient is identified through a distinguished name.

2. Display the distinguished names of the certificates in the public keystore, mycert.pem in $HOME, by using the following command in QShell:

   /QOpenSys/usr/bin/openssl x509 -in $HOME/mycert.pem -noout -subject -nameopt RFC2253
   

   We need to enter the distinguished name as an intended recipient, and the policy name must match the queue name to be protected.

3. At a CL command prompt enter, for example:

   SETMQMSPL POLICY(PROTECTED) MQMNAME (mqmname)SIGNALG(*SHA256) ENCALG(*AES256) RECIP('CN=.., O=.., C=..')
   

   where mqmname is the name of our queue manager.

   Once the policy is created, any messages that are put, browsed, or destructively removed through that queue name are subject to the AMS policy.

Parent topic: Set up certificates and the keystore configuration file on IBM i

Related information

• Display Message Queue Manager (DSPMQM)
• Set MQM Security Policy (SETMQMSPL)