An example task showing how to set up IBM® WebSphere® MQ AMS MCA interception.
Before you begin
Attention: You must complete client authentication and encryption on the selected channels, for example by using SSL and SSLPEER or CHLAUTH TYPE(SSLPEERMAP), to ensure that only authorized clients can connect and use this capability.
About this task
This task takes you through the process of setting up your system to use MCA interception, then verifying the setup.
Note: Prior to IBM WebSphere MQ Version 7.5, IBM WebSphere MQ AMS was an add-on product that had to be installed separately, and interceptors had to be configured to protect applications. From Version 7.5 onwards, the interceptors are automatically included and dynamically enabled in the MQ client and server runtime environments. In this MCA interception example, the interceptors are provided at the server end of the channel, and an older client runtime is used (in Step 12) to put unprotected messages across the channel so that they can be seen to be protected by the MCA interceptors. If this example had used a Version 7.5 or later client, the message would be protected twice, because the MQ client runtime interceptor and the MCA interceptor would both protect the message as it comes into MQ.
Attention: Replace userID in the code with your user ID.
Procedure
1. Create the key database and certificates by using the following commands to create a shell script. Also, change INSTLOC and KEYSTORELOC as needed, or run the required commands individually. Note that you might not need to create the certificate for bob.

    INSTLOC=/opt/mq75
    KEYSTORELOC=/home/testusr/ssl/ams1
    mkdir -p $KEYSTORELOC
    chmod -R 777 $KEYSTORELOC
    chown -R mqm:mqm $KEYSTORELOC
    # The GSKit tools ship with the MQ installation
    export PATH=$PATH:$INSTLOC/gskit8/bin
    echo "PATH = $PATH"
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$INSTLOC/gskit8/lib64
    # -stash writes the key database password to a .sth file so that the queue manager can open the key database unattended
    gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -stash
    gsk8capicmd_64 -keydb -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -stash
    # Self-signed certificates for alice and bob, each set as the default certificate of its key database
    gsk8capicmd_64 -cert -create -db $KEYSTORELOC/alicekey.kdb -pw passw0rd -label alice_cert -dn "cn=alice,O=IBM,c=IN" -default_cert yes
    gsk8capicmd_64 -cert -create -db $KEYSTORELOC/bobkey.kdb -pw passw0rd -label bob_cert -dn "cn=bob,O=IBM,c=IN" -default_cert yes
2. Share the certificates between the two key databases so that each user can successfully identify the other. It is important that you use the method described in Task 5. Sharing Certificates in the Quick Start Guide (Windows or UNIX).
3. Create keystore.conf with the following configuration. Keystore.conf location: /home/userID/ssl/ams1/

    cms.keystore = /home/userID/ssl/ams1/alicekey
    cms.certificate.channel.SYSTEM.DEF.SVRCONN = alice_cert
4. Create and start queue manager AMSQMGR1.
5. Define a listener with port 14567 and control QMGR.
6. Disable channel authority or set the rules for channel authority.
7. Stop the queue manager.
8. Set the keystore:

    export MQS_KEYSTORE_CONF=/home/userID/ssl/ams1/keystore.conf

9. Start the queue manager in the same shell.
10. Set the security policy and verify:

    setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" -r "CN=alice,O=IBM,C=IN"
    dspmqspl -m AMSQMGR1

See setmqspl and dspmqspl for more information.
11. Set the channel configuration:

    export MQSERVER='SYSTEM.DEF.SVRCONN/TCP/127.0.0.1(14567)'
12. Run amqsputc from an MQ client that does not automatically enable an MCA interceptor, for example an IBM WebSphere MQ Version 7.1 or earlier client. Put two messages (amqsputc puts each line typed at its prompt as a separate message):

    /opt/mqm/samp/bin/amqsputc TESTQ AMSQMGR1

13. Remove the security policy and verify the result:

    setmqspl -m AMSQMGR1 -p TESTQ -remove
    dspmqspl -m AMSQMGR1

14. Browse the queue from your IBM WebSphere MQ Version 7.5 installation:

    /opt/mq75/samp/bin/amqsbcg TESTQ AMSQMGR1

The browse output shows the messages in encrypted format.
15. Set the security policy again and verify the result:

    setmqspl -m AMSQMGR1 -s SHA256 -e AES256 -p TESTQ -a "CN=alice,O=IBM,C=IN" -r "CN=alice,O=IBM,C=IN"
    dspmqspl -m AMSQMGR1

16. Run amqsgetc from your IBM WebSphere MQ Version 7.5 installation:

    /opt/mq75/samp/bin/amqsgetc TESTQ AMSQMGR1
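To make the "set the security policy and verify" steps above repeatable, the following shell check compares dspmqspl output against the policy that setmqspl set for TESTQ. It is an added example, not part of the IBM documentation: the dspmqspl field labels, the sample output (including the WEAK_DSPMQSPL variant) and the function names are assumptions, constructed so that the check runs offline.

```shell
# Added example, not part of the IBM documentation: make the "verify" steps
# (dspmqspl after setmqspl) a repeatable check of the TESTQ policy.
# SAMPLE_DSPMQSPL is a constructed stand-in for `dspmqspl -m AMSQMGR1`
# output; the field labels are assumed, so adjust them to your release.
SAMPLE_DSPMQSPL='Policy Details:
Policy name: TESTQ
Quality of protection: PRIVACY
Signature algorithm: SHA256
Encryption algorithm: AES256
Signer DNs:
  CN=alice,O=IBM,C=IN
Recipient DNs:
  CN=alice,O=IBM,C=IN
Toleration: 0'
# Constructed weak variant: integrity only, SHA1, another signer, and
# toleration on (unprotected messages would be accepted, not rejected).
WEAK_DSPMQSPL='Policy Details:
Policy name: TESTQ
Quality of protection: INTEGRITY
Signature algorithm: SHA1
Encryption algorithm: NONE
Signer DNs:
  CN=mallory,O=IBM,C=IN
Toleration: 1'
# field_value OUTPUT LABEL: value of the first "LABEL: value" line.
field_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}
# dn_listed OUTPUT SECTION DN: true if DN is listed under "SECTION DNs:".
dn_listed() {
    printf '%s\n' "$1" | sed -n "/^$2 DNs:/,/^[A-Z]/p" | sed 's/^ *//' | grep -Fxq "$3"
}
# check_ams_policy OUTPUT QUEUE SIGALG ENCALG DN: returns 0 only if QUEUE
# has a PRIVACY (sign + encrypt) policy using SIGALG and ENCALG, DN is both
# an authorised signer and a recipient, and toleration is off.
check_ams_policy() {
    out=$1 queue=$2 sig=$3 enc=$4 dn=$5 rc=0
    [ "$(field_value "$out" 'Policy name')" = "$queue" ] || { echo "no policy for $queue"; rc=1; }
    [ "$(field_value "$out" 'Quality of protection')" = PRIVACY ] || { echo "QOP is not PRIVACY"; rc=1; }
    [ "$(field_value "$out" 'Signature algorithm')" = "$sig" ] || { echo "signature algorithm is not $sig"; rc=1; }
    [ "$(field_value "$out" 'Encryption algorithm')" = "$enc" ] || { echo "encryption algorithm is not $enc"; rc=1; }
    dn_listed "$out" Signer "$dn" || { echo "$dn is not an authorised signer"; rc=1; }
    dn_listed "$out" Recipient "$dn" || { echo "$dn is not a recipient"; rc=1; }
    [ "$(field_value "$out" Toleration)" = 0 ] || { echo "toleration is on"; rc=1; }
    return $rc
}
# The sample passes; the weak variant reports every deviation and fails.
check_ams_policy "$SAMPLE_DSPMQSPL" TESTQ SHA256 AES256 'CN=alice,O=IBM,C=IN' && echo "TESTQ policy OK"
check_ams_policy "$WEAK_DSPMQSPL" TESTQ SHA256 AES256 'CN=alice,O=IBM,C=IN' || echo "weak policy rejected"
```

On a live system, replace the constructed variables with the captured output of dspmqspl -m AMSQMGR1 and run the check after each setmqspl step; a non-zero return means the queue is not protected the way the procedure intends.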