Using IBM® WebSphere MQ Advanced Message Security with IBM WebSphere MQ File Transfer Edition

WebSphere® MQ Advanced Message Security provides enhanced security for message traffic in WebSphere MQ File Transfer Edition, in particular for data at rest on queues.

About this task

In this topic, WebSphere MQ Advanced Message Security is referred to as WMQAMS and WebSphere MQ File Transfer Edition is referred to as WMQFTE. For more information about WMQAMS, see the WebSphere MQ Advanced Message Security v7.1.0 product documentation.

WMQAMS provides a number of facilities to intercept and apply security actions to message data. For WMQFTE, the WMQAMS Java™ Interceptor is used to encrypt the data before it leaves the source agent and to decrypt the data after it arrives in the destination agent. The messages in transit between the two agents are secured.

WMQAMS offers a range of security policies that can be applied to a WebSphere MQ network. The configuration supported by WebSphere MQ File Transfer Edition 7.0.3 or later is the encryption of file data between two agents; the protection of control or status messages is not supported.

Install and configure WMQFTE first, and confirm that your installation is working correctly, before adding WMQAMS for additional protection.

Procedure

  1. Install the WMQAMS Java Interceptor on each system that hosts WMQFTE agents you want to secure. Follow the instructions in the WMQAMS product documentation to install the Java Interceptor component. You must also install the WMQAMS administration tools on at least one system and run the necessary MQSC scripts against each queue manager, which is also described in the WMQAMS product documentation.
  2. Create the cryptographic keystores and policies used by WMQAMS.

    This configuration requires a policy of message encryption on the data queue of each agent involved (SYSTEM.FTE.DATA.agent_name). See the WMQAMS V7.0.1 product information for detailed information about this step.

  3. Enable the use of WMQAMS by WMQFTE. Perform the following steps for each agent that is to use WMQAMS:
    1. Stop the agent.
    2. Add the advancedSecurityPath property to the agent.properties file. The value of this property is the full file name of the WMQAMS Java Interceptor JAR file (com.ibm.mq.ese.jar) installed on that system.

      See The agent.properties file for more information about this file and property.

      Note: The instructions in the WMQAMS documentation that refer to this JAR file being loaded from the WebSphere MQ directory do not apply. WMQFTE contains its own WebSphere MQ libraries and does not require or use a separate WebSphere MQ installation for client connections.
    3. If running the agent in WebSphere MQ bindings mode, set the mqs.intercept.bindings Java property to 1.

      WebSphere MQ bindings is the connection mode used when an agent connects directly to a queue manager on the same system without using a network protocol. If the agent.properties file contains an agentQMgr property but no agentQMgrHost property, the agent is using WebSphere MQ bindings mode.

      On bindings mode connections, the WMQAMS Java Interceptor works only when the mqs.intercept.bindings property is set to 1. To set the mqs.intercept.bindings property, run the following command before starting the agent:
      • On Unix platforms: export FTE_JVM_PROPERTIES="-Dmqs.intercept.bindings=1"
      • On Windows platforms: set FTE_JVM_PROPERTIES="-Dmqs.intercept.bindings=1"
    4. Start the agent.
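
The settings from step 3 can be checked before the agent is started. The following script is an added example, not part of the IBM documentation: the function names, the agent name AGENT1 and the queue manager QM1 are assumptions, and it assumes a UNIX system with simple key=value lines in agent.properties.

```sh
#!/bin/sh
# Added example: pre-start check of the WMQAMS settings for one WMQFTE agent.

# Print the value of key $2 in properties file $1 (simple key=value lines).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# Step 3 rule: agentQMgr set and agentQMgrHost absent means bindings mode.
agent_mode() {
    if [ -n "$(prop "$1" agentQMgr)" ] && [ -z "$(prop "$1" agentQMgrHost)" ]; then
        echo bindings
    else
        echo client
    fi
}

# Usage: check_ams_ready agent.properties [jvm-properties]
# Prints each problem found; returns 0 only when none are found.
check_ams_ready() {
    file=$1 props=${2-${FTE_JVM_PROPERTIES-}} rc=0
    jar=$(prop "$file" advancedSecurityPath)
    if [ -z "$jar" ]; then
        echo "advancedSecurityPath is not set in $file"; rc=1
    elif [ "$(basename "$jar")" != com.ibm.mq.ese.jar ] || [ ! -f "$jar" ]; then
        echo "advancedSecurityPath is not an existing com.ibm.mq.ese.jar: $jar"; rc=1
    fi
    if [ "$(agent_mode "$file")" = bindings ]; then
        case " $props " in
            *" -Dmqs.intercept.bindings=1 "*) ;;
            *) echo "bindings mode but -Dmqs.intercept.bindings=1 is not set"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Constructed sample: bindings-mode agent AGENT1 with an empty stand-in JAR.
demo() {
    d=$(mktemp -d)
    : > "$d/com.ibm.mq.ese.jar"
    printf 'agentName=AGENT1\nagentQMgr=QM1\nadvancedSecurityPath=%s\n' \
        "$d/com.ibm.mq.ese.jar" > "$d/agent.properties"
    check_ams_ready "$d/agent.properties" "" || echo "=> not ready to start"
    check_ams_ready "$d/agent.properties" "-Dmqs.intercept.bindings=1" && echo "=> ready"
    rm -rf "$d"
}
demo
```

When the second argument is omitted, check_ams_ready reads the FTE_JVM_PROPERTIES value from the current environment, so it can be run in the same shell that will start the agent.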

What to do next

When WebSphere MQ Advanced Message Security is used to protect agent data queues, the agents at both the source and destination of the transfer must be configured with identical queue protection policies. For more information, see the topic Using WebSphere MQ AMS with WebSphere MQ File Transfer Edition in the WebSphere MQ Advanced Message Security v7.1.0 product documentation.

Last updated: Tuesday, 30 January 2018
http://www.ibm.com/support/knowledgecenter/SSEP7X_7.0.4/com.ibm.wmqfte.doc/using_ams.htm