Using certificates on z/OS

About this task

IBM® MQ Advanced Message Security implements two levels of protection: integrity and privacy. With the integrity level, messages are signed using the private key of the originator (the application doing the MQPUT). Integrity provides detection of message modification, but the message text itself is not encrypted.

With the privacy level, the message is not only signed, but it is also encrypted. The message is encrypted using a symmetric key and an algorithm specified in the relevant IBM MQ Advanced Message Security policy. The symmetric key itself is encrypted with the public key of each recipient (the application doing the MQGET). Public keys are associated with certificates stored in key rings.

When a message that is protected with privacy is dequeued by a recipient application doing an MQGET, the message must be decrypted. Because the symmetric key was encrypted using the recipient's public key, it must be decrypted using the recipient's private key, which is found in a key ring, before the message itself can be decrypted.
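The privacy flow described above (sign with the originator's private key, encrypt under a symmetric key, wrap that key for each recipient) can be reproduced off-platform with OpenSSL's CMS commands. This is an added illustration, not IBM MQ code and not the z/OS procedure: PEM files stand in for key rings, and the identities alice (originator), bob and carol (recipients) and mallory (not a recipient) are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo, not AMS itself: alice = originator (MQPUT),
# bob and carol = recipients (MQGET), mallory = not named as a recipient.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

mkid() {  # throwaway self-signed certificate + private key for one identity
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$d/$1.key" -out "$d/$1.crt" 2>/dev/null
}

protect() {  # $1 = plaintext file, $2 = output envelope
  # Integrity step: sign with the originator's private key (text stays readable).
  openssl cms -sign -binary -nodetach -md sha256 -signer "$d/alice.crt" \
    -inkey "$d/alice.key" -in "$1" -outform DER -out "$d/signed.der" 2>/dev/null &&
  # Privacy step: encrypt under a fresh AES-256 key, which OpenSSL wraps
  # once per recipient certificate listed on the command line.
  openssl cms -encrypt -binary -aes-256-cbc -in "$d/signed.der" \
    -outform DER -out "$2" "$d/bob.crt" "$d/carol.crt"
}

unprotect() {  # $1 = identity, $2 = envelope; prints the plaintext on success
  # Unwrap the symmetric key with this identity's private key and decrypt...
  openssl cms -decrypt -binary -inform DER -in "$2" -recip "$d/$1.crt" \
    -inkey "$d/$1.key" -out "$d/$1.signed.der" 2>/dev/null &&
  # ...then check the originator's signature against the trusted certificate.
  openssl cms -verify -binary -inform DER -in "$d/$1.signed.der" \
    -CAfile "$d/alice.crt" 2>/dev/null
}

for id in alice bob carol mallory; do mkid "$id"; done
printf 'transfer 100 to account 42' > "$d/msg.txt"
protect "$d/msg.txt" "$d/env.der"

for id in bob carol mallory; do
  if out=$(unprotect "$id" "$d/env.der"); then
    echo "$id: decrypted and verified: $out"
  else
    echo "$id: cannot decrypt (no wrapped key for this certificate)"
  fi
done
```

The intermediate `signed.der` corresponds to the integrity level: the message text is still readable inside it, whereas `env.der` is opaque to anyone without a recipient's private key.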