Message signing

By using a digital signature on the message, the identity of the sender and the authenticity of the message can be confirmed, and therefore the sender of the message is unable to deny (or repudiate) the sending of that message.

When an application places a message on a queue, IBM® MQ Advanced Message Security checks whether the target queue has an IBM MQ Advanced Message Security policy for signing or encryption. If signing is required, IBM MQ Advanced Message Security creates an envelope containing the message data, a cryptographic signature, and the public certificate data of the user associated with the application.

When an application retrieves the message from the queue, IBM MQ Advanced Message Security strips the signature from the message data and verifies that the sender is known and signed by a trusted certificate authority. In addition, IBM MQ Advanced Message Security checks that the user identified by the signature is authorized, by policy, to place messages on the target queue.

The signature also includes a digest of the message data, generated at the time the message was placed on the queue. This digest is verified to ensure that the data in the message has not been altered between being placed on the queue and being retrieved.