Configure IBM MQ AMS step by step

@Vasil Vasilev 713 days ago


Complete guide for AMS (Advanced Message Security) configuration on MQ version 8 and later

I am writing this article after I had a problem enabling AMS on one agent and could not find, at first look, any information on what was wrong.
First you need to install the software. Make sure that the Advanced Message Security component is installed on the IBM® MQ installation hosting the queues for the file transfer agent.
You enable AMS when there is confidential data that you want to transfer and want to protect from being read.

These few configuration properties are essential for the agent:

If you do not specify a value for the agentQMgrHost property, bindings mode is used by default.
If you specify a value for the agentQMgrHost property but do not specify values for the agentQMgrPort and agentQMgrChannel properties, a port number of 1414 and a channel of SYSTEM.DEF.SVRCONN are used by default.

If your Managed File Transfer agents are running in bindings mode, the commands that you use to create a CMS (Cryptographic Message Syntax) keystore are detailed in the Quick Start Guide (Windows or UNIX) for your platform.
If your Managed File Transfer agents are running in client mode, the commands you need to create a JKS (Java™ KeyStore) are detailed in the Quick Start Guide for AMS with Java clients.

Sample keystore.conf for client mode (JKS):
JKS.keystore = keystore-dir/keystore
JKS.certificate = CERT_LABEL
JKS.encrypted = no
JKS.keystore_pass = password
JKS.key_pass = password
JKS.provider = IBMJCE

Sample keystore.conf for bindings mode (CMS):
cms.keystore = dir/keystore_file
cms.certificate = certificate_label
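As an added example (not part of the original post), here is a small POSIX shell script that checks a keystore.conf of either form above before the agent is started. It assumes only the key names shown in the two snippets; the sample files it writes are constructed copies of those snippets, and the permission check is there because JKS.encrypted = no means the keystore passwords sit in the file in clear text.

```shell
#!/bin/sh
# Added example, not from the original post: validate an AMS keystore.conf.
# Checks that the JKS or CMS entries listed in the post are all present, and
# warns when a file holding clear-text passwords is readable by other users.

# Read one key from a keystore.conf ("key = value", whitespace ignored).
conf_get() {
    # $1 = file, $2 = key (e.g. JKS.keystore); prints the value or nothing
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) {
                val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Returns 0 when the file is usable by an agent, 1 when something is missing.
check_keystore_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "ERROR: $conf not readable"; return 1; }
    if [ -n "$(conf_get "$conf" JKS.keystore)" ]; then
        # client mode (JKS): every key from the post's sample must be set
        for key in JKS.keystore JKS.certificate JKS.keystore_pass JKS.key_pass JKS.provider; do
            [ -n "$(conf_get "$conf" "$key")" ] || { echo "ERROR: $key missing"; rc=1; }
        done
        if [ "$(conf_get "$conf" JKS.encrypted)" = "no" ]; then
            echo "WARN: JKS.encrypted = no, keystore passwords are stored in clear text"
        fi
    elif [ -n "$(conf_get "$conf" cms.keystore)" ]; then
        # bindings mode (CMS): keystore path and certificate label
        [ -n "$(conf_get "$conf" cms.certificate)" ] || { echo "ERROR: cms.certificate missing"; rc=1; }
    else
        echo "ERROR: neither JKS.keystore nor cms.keystore is set"; rc=1
    fi
    # the file may contain passwords, so only the agent user should read it
    perms=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf" 2>/dev/null || echo unknown)
    case "$perms" in
        *00) ;;   # 600, 400, 700: owner only
        *) echo "WARN: $conf has mode $perms and is readable by group/others" ;;
    esac
    return $rc
}

# Constructed sample matching the post's JKS snippet; prints the temp file path.
write_sample_jks_conf() {
    f=$(mktemp); chmod 600 "$f"
    cat > "$f" <<'EOF'
JKS.keystore = keystore-dir/keystore
JKS.certificate = CERT_LABEL
JKS.encrypted = no
JKS.keystore_pass = password
JKS.key_pass = password
JKS.provider = IBMJCE
EOF
    echo "$f"
}

# Constructed broken CMS sample: the certificate label is missing.
write_broken_cms_conf() {
    f=$(mktemp); chmod 600 "$f"
    printf 'cms.keystore = dir/keystore_file\n' > "$f"
    echo "$f"
}

# Usage: sh check_keystore_conf.sh /path/to/keystore.conf
if [ $# -gt 0 ]; then check_keystore_conf "$1"; fi
```

Run it against the agent's keystore.conf before fteStartAgent; a non-zero exit means the agent would fail to load its AMS keystore, and a WARN line means the file needs tighter permissions.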

In each transfer, you have a source and a destination.
Creating the certificates

1. Create a self-signed certificate to identify the user fteuser.
Use a Distinguished Name (DN) as follows:

CN=fteuser, OU=MFT, O=YourOrg, L=YourLoc, ST=YourState, C=YourCountry

2. Create a keystore.conf file to identify the location of the keystore and the certificate.

Stop the agent:
fteStopAgent AGT_NAME

Create a security policy to protect the SYSTEM.FTE.DATA.AGT_NAME queue.

setmqspl -m QMANAGER -p SYSTEM.FTE.DATA.AGT_NAME -s SHA1 -a "CN=fteuser, OU=MFT, O=YourOrg, L=YourLoc, ST=YourState, C=YourCountry" -e AES128 -r "CN=fteuser, OU=MFT, O=YourOrg, L=YourLoc, ST=YourState, C=YourCountry"

where the syntax is: setmqspl -m <queue manager> -p <policy name, i.e. the queue> (-remove | -s <signing algorithm> [-a <signer DN>]* [-e <encryption algorithm> [-r <recipient DN>]+] [-t <0|1>])

- ensure that the user has access to the system protection queues:

setmqaut -m QMANAGER -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p fteuser +browse
setmqaut -m QMANAGER -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p fteuser +put

Start the FTE agent:
fteStartAgent AGT_NAME
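The stop / policy / authority / start sequence above, as one added POSIX shell script (not part of the original post). It uses the post's placeholder names (QMANAGER, AGT_NAME, fteuser, the fteuser DN) and adds two things a practitioner usually wants: a DRY_RUN=1 mode that prints the commands for a change record instead of running them, and a verification step with dspmqspl and dspmqaut before the agent is restarted.

```shell
#!/bin/sh
# Added example, not from the original post: apply an AMS policy to an MFT
# agent's data queue and grant the agent user the two system-queue authorities.
# Names default to the post's placeholders; override them via the environment.

QMGR="${QMGR:-QMANAGER}"
AGENT="${AGENT:-AGT_NAME}"
MQUSER="${MQUSER:-fteuser}"
DN="${DN:-CN=fteuser, OU=MFT, O=YourOrg, L=YourLoc, ST=YourState, C=YourCountry}"
SIGN_ALG="${SIGN_ALG:-SHA1}"     # as in the post; setmqspl also accepts SHA256
ENC_ALG="${ENC_ALG:-AES128}"
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints the commands instead of running them

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# The data queue each MFT agent owns; this is the queue the policy protects.
data_queue() { printf 'SYSTEM.FTE.DATA.%s\n' "$1"; }

# The setmqspl invocation as a single string, for review or a change record.
ams_policy_cmd() {
    printf 'setmqspl -m %s -p %s -s %s -a "%s" -e %s -r "%s"\n' \
        "$QMGR" "$(data_queue "$AGENT")" "$SIGN_ALG" "$DN" "$ENC_ALG" "$DN"
}

# The post's procedure, in order, with a verification step before restart.
apply_ams_policy() {
    run fteStopAgent "$AGENT"
    # sign and encrypt messages on the agent's data queue, signer = recipient = fteuser
    run setmqspl -m "$QMGR" -p "$(data_queue "$AGENT")" \
        -s "$SIGN_ALG" -a "$DN" -e "$ENC_ALG" -r "$DN"
    # the agent user must browse the policy queue and put to the error queue
    run setmqaut -m "$QMGR" -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p "$MQUSER" +browse
    run setmqaut -m "$QMGR" -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p "$MQUSER" +put
    # show what was set before the agent comes back up
    run dspmqspl -m "$QMGR" -p "$(data_queue "$AGENT")"
    run dspmqaut -m "$QMGR" -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p "$MQUSER"
    run dspmqaut -m "$QMGR" -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p "$MQUSER"
    run fteStartAgent "$AGENT"
}

# Usage: DRY_RUN=1 sh ams_agent_policy.sh --apply   (then without DRY_RUN)
if [ "${1-}" = "--apply" ]; then apply_ams_policy; fi
```

Run it once with DRY_RUN=1 and keep that output with the change; then run it for real as the MQ administrator. If dspmqspl shows no policy for SYSTEM.FTE.DATA.AGT_NAME, or dspmqaut does not list browse on the policy queue, the agent will not be able to process protected messages after fteStartAgent.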