Thursday, January 28, 2016

WebSphere MQ AMS

WebSphere MQ applications can use WebSphere MQ Advanced Message Security to send sensitive data, such as high-value financial transactions and personal information, with different levels of protection by using a public key cryptography model.

groupadd mqusers
useradd -G mqusers alice
useradd -G mqusers bob
useradd -G mqusers fulano

alice - is named in the AMS policy as the signer and will put messages
bob - is named in the AMS policy as the receiver and will get messages
fulano - is NOT named in the AMS policy, and is used to show what happens when an unauthorized user tries to browse the AMS-protected messages.
All three users are members of the group "mqusers".

crtmqm -u DLQ AMS
strmqm AMS
runmqsc AMS

define qlocal(TEST.Q)
define qlocal(Q1)

define listener(LISTENER.1444) trptype(tcp) control(qmgr) port(1444)
start listener(LISTENER.1444)

define channel(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN)
define qlocal(DLQ) like(SYSTEM.DEAD.LETTER.QUEUE)

set CHLAUTH(*) TYPE(BLOCKUSER) USERLIST('nobody','*MQADMIN')
set CHLAUTH(SYSTEM.ADMIN.*) TYPE(BLOCKUSER) USERLIST('nobody')

** Check whether AMS is enabled on the queue manager (SPLCAP) and that the SYSTEM.PROTECTION.* queues exist
display qmgr SPLCAP
display ql(SYSTEM.PROTECTION*)

setmqaut -m AMS -t qmgr -p alice -p bob -p fulano +connect +inq +dsp
setmqaut -m AMS -n TEST.Q -t queue -p alice -p fulano +put +browse +dsp
setmqaut -m AMS -n TEST.Q -t queue -p bob -p fulano +get +browse +dsp

setmqaut -m AMS -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p alice -p bob +browse
setmqaut -m AMS -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p alice -p bob +put

mkdir /home/alice/.mqs -p
runmqakm -keydb -create -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -stash
runmqakm -cert -create -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label Alice_Cert -dn "cn=alice,o=IBM,c=GB" -default_cert yes

runmqakm -cert -extract -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label Alice_Cert -target /tmp/alice_public.arm
chmod 644 /tmp/alice_public.arm

mkdir /home/bob/.mqs -p
runmqakm -keydb -create -db /home/bob/.mqs/bobkey.kdb -pw passw0rd -stash
runmqakm -cert -create -db /home/bob/.mqs/bobkey.kdb -pw passw0rd -label Bob_Cert -dn "cn=bob,o=IBM,c=GB" -default_cert yes

runmqakm -cert -extract -db /home/bob/.mqs/bobkey.kdb -pw passw0rd -label Bob_Cert -target /tmp/bob_public.arm
chmod 644 /tmp/bob_public.arm

** Exchange the public certificates only after both .arm files exist: alice needs Bob_Cert to encrypt for bob, bob needs Alice_Cert to verify alice's signature
runmqakm -cert -add -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label Bob_Cert -file /tmp/bob_public.arm
runmqakm -cert -add -db /home/bob/.mqs/bobkey.kdb -pw passw0rd -label Alice_Cert -file /tmp/alice_public.arm


chmod +r /home/alice/.mqs/alicekey.kdb
chmod +r /home/bob/.mqs/bobkey.kdb

** Creating 'keystore.conf' (Each user must have a separate keystore.conf file)
vi /home/alice/.mqs/keystore.conf
cms.keystore = /home/alice/.mqs/alicekey
cms.certificate = Alice_Cert

vi /home/bob/.mqs/keystore.conf
cms.keystore = /home/bob/.mqs/bobkey
cms.certificate = Bob_Cert

chmod 777 /home/alice/.mqs/*
chmod 777 /home/bob/.mqs/*
** The files were created as root, so alice and bob need read access to their own .kdb, .sth and keystore.conf. chmod 777 gives them that, but it also lets every local user read and overwrite the private keys and the stash files; chown -R alice /home/alice/.mqs (likewise for bob) with mode 600 on the files is the least-privilege equivalent.

*** Defining the queue policy (alice signs with SHA1, messages are encrypted with AES256 for bob as the only receiver)
setmqspl -m AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB"
** Verify the policy: dspmqspl -m AMS


su alice
amqsputc TEST.Q AMS
this is a test

su bob
amqsgetc TEST.Q AMS
Sample AMQSGET0 start
message <this is a test>
no more messages
Sample AMQSGET0 end


************** Notes....
Features and functions of WebSphere MQ Advanced Message Security:
Secures sensitive or high-value transactions processed by WebSphere MQ.
Detects and removes rogue or unauthorized messages before they are processed by a receiving application.
Verifies that messages were not modified while in transit from queue to queue.
Protects the data not only as it flows across the network but also when it is put on a queue.
Secures existing proprietary and customer-written applications for WebSphere MQ.

SPLCAP: Indicates whether security capabilities of WebSphere MQ Advanced Message Security are available for a queue manager.
SETMQSPL: the setmqspl command defines a new security policy, alters an existing one, or removes an existing policy.

Usage:
C:\>setmqspl
Usage: setmqspl -m <QMGR> -p <Policy Name> (-remove | -s <signing algorithm>
[-a <signer DN>]*
             [-e <encryption algorithm> [-r <receiver DN>]+] [-t <0|1>])


Example:
Here is an example of creating a policy on queue manager QMGR. The policy specifies that messages be signed using the SHA1 algorithm and encrypted using the AES256 algorithm for certificates with DN: CN=joe,O=IBM,C=US and DN: CN=jane,O=IBM,C=US. This policy is attached to MY.QUEUE:

$ setmqspl -m QMGR -p MY.QUEUE -s SHA1 -e AES256 -r CN=joe,O=IBM,C=US -r CN=jane,O=IBM,C=US

Here is an example of creating a policy on the queue manager QMGR. The policy specifies that messages be encrypted using the DES algorithm for the certificates with DNs CN=john,O=IBM,C=US and CN=jeff,O=IBM,C=US, and signed with the MD5 algorithm by the certificate with DN CN=phil,O=IBM,C=US:

$ setmqspl -m QMGR -p MY.OTHER.QUEUE -s MD5 -e DES -r CN=john,O=IBM,C=US -r CN=jeff,O=IBM,C=US -a CN=phil,O=IBM,C=US

Removing security policies:

$ setmqspl -m QMGR -remove -p MY.OTHER.QUEUE

Granting OAM permissions:
To grant necessary permissions to a user, run:
setmqaut -m AMS -t qmgr -p alice  +connect +inq
setmqaut -m AMS -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p alice  +browse +put
setmqaut -m AMS -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p alice  +put

Digital signature algorithm:
WebSphere MQ Advanced Message Security supports the following values:
MD5, SHA1, SHA256, SHA384, and SHA512. All must be in uppercase. The default value is NONE.
For the SHA384 and SHA512 cryptographic hash functions, keys used for signing must be longer than 768 bits.

Digital encryption algorithm:
WebSphere MQ Advanced Message Security supports the following encryption algorithms: RC2, DES, 3DES, AES128, AES256. The default value is NONE.
Encryption algorithm names must be in uppercase.
MD5, RC2 and DES are cryptographically broken and are listed here only because the command accepts them; for a new policy use SHA256 or stronger together with AES128 or AES256.
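The setmqspl usage and the two algorithm lists above amount to a small set of rules that are easy to get wrong at the command line (a lowercase algorithm name, or -e without any -r). The following helper is an added example, not part of the product or of the original post: ams_policy_cmd is a hypothetical function name, and passing DNs as one ';'-separated string is this helper's own convention (DNs themselves contain commas). It checks the rules, warns on MD5, SHA1, RC2, DES and 3DES (accepted by setmqspl but deprecated for new use), and prints the setmqspl command it would run.

```shell
#!/bin/sh
# Added helper (not an MQ command): build a setmqspl command line for an AMS
# queue policy, enforcing the rules stated in the setmqspl usage and the
# algorithm notes before anything reaches the queue manager:
#   - signing and encryption algorithm names are uppercase and supported
#   - an encryption algorithm (-e) needs at least one receiver DN (-r)
# Returns 0 and prints the command, or returns 1 with the reason on stderr.

SIGN_ALGS="MD5 SHA1 SHA256 SHA384 SHA512"
ENC_ALGS="RC2 DES 3DES AES128 AES256"
# Still accepted by setmqspl, but deprecated for new policies (this helper's own list).
DEPRECATED_ALGS="MD5 SHA1 RC2 DES 3DES"

in_list() {   # in_list VALUE "SPACE SEPARATED LIST" -> 0 if VALUE is in the list
    for _item in $2; do
        [ "$_item" = "$1" ] && return 0
    done
    return 1
}

# ams_policy_cmd QMGR QUEUE SIGN_ALG "signerDN1;signerDN2" ENC_ALG "receiverDN1;receiverDN2"
# Use NONE as ENC_ALG for a signature-only (integrity) policy.
ams_policy_cmd() {
    qmgr=$1; queue=$2; sign=$3; signers=$4; enc=$5; receivers=$6

    if ! in_list "$sign" "$SIGN_ALGS"; then
        echo "ams_policy_cmd: signing algorithm '$sign' must be uppercase and one of: $SIGN_ALGS" >&2
        return 1
    fi
    if [ "$enc" != NONE ] && ! in_list "$enc" "$ENC_ALGS"; then
        echo "ams_policy_cmd: encryption algorithm '$enc' must be uppercase and one of: $ENC_ALGS" >&2
        return 1
    fi
    for _alg in "$sign" "$enc"; do
        in_list "$_alg" "$DEPRECATED_ALGS" && echo "ams_policy_cmd: warning: $_alg is deprecated for new policies" >&2
    done

    cmd="setmqspl -m $qmgr -p $queue -s $sign"

    # Split the DN lists on ';' only (DNs contain commas); restore IFS afterwards.
    _ifs=$IFS
    IFS=';'
    for dn in $signers; do
        [ -n "$dn" ] && cmd="$cmd -a \"$dn\""
    done
    nrecv=0
    if [ "$enc" != NONE ]; then
        cmd="$cmd -e $enc"
        for dn in $receivers; do
            if [ -n "$dn" ]; then
                cmd="$cmd -r \"$dn\""
                nrecv=$((nrecv + 1))
            fi
        done
    fi
    IFS=$_ifs

    if [ "$enc" != NONE ] && [ "$nrecv" -eq 0 ]; then
        echo "ams_policy_cmd: -e $enc needs at least one receiver DN (-r)" >&2
        return 1
    fi
    printf '%s\n' "$cmd"
}

# Same policy as the walkthrough: alice signs with SHA1, bob receives AES256-encrypted messages.
ams_policy_cmd AMS TEST.Q SHA1 "CN=alice,O=IBM,C=GB" AES256 "CN=bob,O=IBM,C=GB"
```

The helper only prints the command; pipe its output to sh once the policy reads as intended, so a rejected input never reaches the queue manager.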

Policy backup (neither qload nor dmpmqcfg backs up AMS policies; export them with dspmqspl instead):

dspmqspl -m QM_VERIFY_AMS -export >restore_my_policies.bat

Structure of the "keystore.conf" configuration file
Each WebSphere MQ Advanced Message Security user must have the keystore configuration file that points to a keystore file. WebSphere MQ Advanced Message Security accepts the following format of keystore files: .kdb, .jceks, .jks.

The default location of the keystore.conf file is:
On UNIX platforms: $HOME/.mqs/keystore.conf
On Windows platforms: %HOMEDRIVE%\%HOMEPATH%\.mqs\keystore.conf

If you are using a specified keystore filename and location, you should use the following commands:
export MQS_KEYSTORE_CONF=<path>/<filename>

CMS (cryptographic message security)
cms.keystore = /<dir>/<keystore_file>
cms.certificate = certificate_label

JCEKS (Java Cryptographic Encryption KeyStore)
jceks.keystore = <dir>/Keystore
jceks.certificate = <certificate_label>
jceks.encrypted = no
jceks.keystore_pass = <password>
jceks.key_pass = <password>
jceks.provider = IBMJCE

JKS (Java KeyStore)
jks.keystore = <dir>/Keystore
jks.certificate = <certificate_label>
jks.encrypted = no
jks.keystore_pass = <password>
jks.key_pass = <password>
jks.provider = IBMJCE
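Both the walkthrough (keystore.conf written per user, then chmod 777 on the .mqs directory) and the structure notes above leave a practitioner with the same question: does this user's keystore.conf point at files that exist, and are those files readable only by that user? The following checker is an added example, not part of the product or of the original post; ams_check_keystore_conf, conf_value and file_mode are hypothetical helper names. It parses keystore.conf for any of the three keystore types, resolves the cms entry to the <store>.kdb and <store>.sth files that runmqakm -stash leaves behind, and flags any file that group or other can access, since the .kdb holds the private key, the .sth holds its password, and the jceks/jks variants keep their passwords in keystore.conf itself.

```shell
#!/bin/sh
# Added helper (not an MQ command): sanity-check one user's AMS keystore
# configuration without an MQ installation.  Run it as the MQ application
# user, because the readability test uses that user's permissions.

# conf_value FILE KEY -> value of the first "KEY = value" line, trailing blanks removed
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# file_mode FILE -> octal permission bits, e.g. 600 (GNU stat, BSD/macOS fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# ams_check_keystore_conf [CONF] -> 0 when every check passes, 1 otherwise
# Default CONF follows AMS: $MQS_KEYSTORE_CONF if set, else $HOME/.mqs/keystore.conf
ams_check_keystore_conf() {
    conf=${1:-${MQS_KEYSTORE_CONF:-$HOME/.mqs/keystore.conf}}
    rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf missing or not readable"
        return 1
    fi

    # Which keystore type does the file configure?  AMS accepts .kdb (cms), .jceks, .jks.
    kstype=""
    for t in cms jceks jks; do
        if [ -n "$(conf_value "$conf" "$t.keystore")" ]; then
            kstype=$t
            break
        fi
    done
    if [ -z "$kstype" ]; then
        echo "FAIL: no cms.keystore, jceks.keystore or jks.keystore entry in $conf"
        return 1
    fi
    store=$(conf_value "$conf" "$kstype.keystore")
    label=$(conf_value "$conf" "$kstype.certificate")
    echo "type=$kstype keystore=$store certificate=${label:-<not set>}"
    if [ -z "$label" ]; then
        echo "FAIL: $kstype.certificate is not set"
        rc=1
    fi

    if [ "$kstype" = cms ]; then
        # cms.keystore is given without extension: the key database is <store>.kdb
        # and the stash file written by "runmqakm -stash" is <store>.sth.
        files="$store.kdb $store.sth"
    else
        files=$store
        # Java keystores carry their password in keystore.conf itself.
        if [ -z "$(conf_value "$conf" "$kstype.keystore_pass")" ]; then
            echo "FAIL: $kstype.keystore_pass is not set"
            rc=1
        fi
    fi

    # The conf file and every keystore file must be readable by this user and
    # by nobody else: group/other bits (last two octal digits) must be 00.
    for f in $conf $files; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f missing or not readable"
            rc=1
            continue
        fi
        mode=$(file_mode "$f")
        case $mode in
            *00) echo "ok:   $f mode $mode" ;;
            *)   echo "WARN: $f mode $mode is accessible to group/other; use 600"
                 rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh this_script.sh /home/alice/.mqs/keystore.conf   (paths without spaces)
if [ -n "${1:-}" ]; then
    ams_check_keystore_conf "$1"
fi
```

Running it as alice after the walkthrough's chmod 777 step reports WARN for all three files and exits 1; after chown to alice and chmod 600 it reports ok and exits 0, which makes it usable as a pre-flight check before starting the application.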