Configure IBM MQ Advanced Message Security (AMS) step by step

www.Vasilev.link, DevOps consultant
Dec 13, 2018

Complete guide for AMS (Advanced Message Security) configuration on MQ versions later than 8

Hello,
I am writing this article after I had a problem enabling AMS on one agent and could not find, at first look, information on what was wrong.
First, you need to install the software: make sure that the Advanced Message Security component is installed on the IBM MQ installation hosting the queues for the file transfer agent.
You enable AMS when confidential data is transferred and must be protected from being read.

These few agent configuration properties are essential:

If you do not specify a value for the agentQMgrHost property, bindings mode is used by default.
If you specify a value for the agentQMgrHost property but do not specify values for the agentQMgrPort and agentQMgrChannel properties, port 1414 and channel SYSTEM.DEF.SVRCONN are used by default.

If your Managed File Transfer agents run in bindings mode, the commands used to create a CMS (Cryptographic Message Syntax) keystore are detailed in the Quick Start Guide (Windows or UNIX) for your platform.
If your Managed File Transfer agents run in client mode, the commands needed to create a JKS (Java Keystore) are detailed in the Quick Start Guide for AMS with Java clients.

Sample client-mode agent properties (values are not quoted in a properties file):

agentQMgr=QMANAGER
agentQMgrHost=QMANAGER.local
agentName=AGT_NAME
agentQMgrChannel=MFT.QMANAGER.CHL
agentQMgrPort=1414

Sample JKS keystore.conf (client mode):

JKS.keystore = keystore-dir/keystore
JKS.certificate = CERT_LABEL
JKS.encrypted = no
JKS.keystore_pass = password
JKS.key_pass = password
JKS.provider = IBMJCE

Sample CMS keystore.conf (bindings mode):

cms.keystore = dir/keystore_file
cms.certificate = certificate_label


Each transfer has a source and a destination agent; the following steps are done on the agent whose data queue you protect.

Creating the certificates

1. Create a self-signed certificate to identify the user fteuser, using a Distinguished Name (DN) as follows:

CN=fteuser, OU=MFT, O=YourOrg, L=YourLoc, ST=YourState, C=YourCountry

2. Create a keystore.conf file that identifies the location of the keystore and the certificate label (see the samples above).

3. Stop the agent:
fteStopAgent AGT_NAME

4. Create a security policy to protect the SYSTEM.FTE.DATA.AGT_NAME queue. The -a DN is the identity that signs the messages (with SHA1) and the -r DN is the recipient they are encrypted for (with AES128); here both are fteuser:
setmqspl -m QMANAGER -p SYSTEM.FTE.DATA.AGT_NAME -s SHA1 -a "CN=fteuser, OU=MFT, O=YourOrg, L=YourLoc, ST=YourState, C=YourCountry" \
  -e AES128 -r "CN=fteuser, OU=MFT, O=YourOrg, L=YourLoc, ST=YourState, C=YourCountry"

5. Ensure that the user can browse the system policy queue and put to the AMS error queue:
setmqaut -m QMANAGER -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p fteuser +browse
setmqaut -m QMANAGER -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p fteuser +put


6. Start the FTE agent:
fteStartAgent AGT_NAME
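The whole procedure above as one reviewable script, added here as an example and not code from the original post. QMANAGER, AGT_NAME, fteuser and the DN are the post's placeholders; the keytool command for the self-signed certificate, the KS_PASS value and the dspmqspl verification are assumptions of this example. Run it with DRY_RUN=1 first to see every MQ change before applying it.

```shell
#!/bin/sh
# Added example, not code from the original post: drives the post's procedure for one
# client-mode agent. QMANAGER, AGT_NAME, fteuser and the DN are the post's placeholders;
# the keytool command, the KS_PASS value and the dspmqspl check are assumptions added here.
set -eu
QMGR="${QMGR:-QMANAGER}"
AGENT="${AGENT:-AGT_NAME}"
MQUSER="${MQUSER:-fteuser}"
DN="CN=$MQUSER, OU=MFT, O=YourOrg, L=YourLoc, ST=YourState, C=YourCountry"
KS_DIR="${KS_DIR:-${HOME:-/tmp}/.mqs}"
KS_PASS="${KS_PASS:-changeit}"   # constructed placeholder, replace it
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints each command instead of running it

# Run a command, or print it when DRY_RUN=1 so every MQ change can be reviewed first.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: self-signed certificate for fteuser in a JKS keystore (client mode).
create_keystore() {
  run keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$MQUSER" -dname "$DN" \
    -keystore "$KS_DIR/${MQUSER}keystore" -storepass "$KS_PASS" -keypass "$KS_PASS"
}

# Step 2: keystore.conf pointing AMS at that keystore and certificate label.
write_keystore_conf() {   # $1 = path of the keystore.conf to write
  printf 'jks.keystore = %s\njks.certificate = %s\njks.encrypted = no\n' \
    "$KS_DIR/${MQUSER}keystore" "$MQUSER" > "$1"
  printf 'jks.keystore_pass = %s\njks.key_pass = %s\njks.provider = IBMJCE\n' \
    "$KS_PASS" "$KS_PASS" >> "$1"
}

# Step 3: policy on the agent's data queue; signer (-a) and recipient (-r) are the
# same identity because the agent both writes and reads SYSTEM.FTE.DATA.<agent>.
set_policy() {
  run setmqspl -m "$QMGR" -p "SYSTEM.FTE.DATA.$AGENT" -s SHA1 -a "$DN" -e AES128 -r "$DN"
}

# Step 4: without browse on the policy queue and put on the error queue, the AMS
# interceptor in the agent can neither read the policy nor report errors.
grant_ams_auth() {
  run setmqaut -m "$QMGR" -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p "$MQUSER" +browse
  run setmqaut -m "$QMGR" -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p "$MQUSER" +put
}

enable_ams() {
  run fteStopAgent "$AGENT"; mkdir -p "$KS_DIR"; create_keystore
  write_keystore_conf "$KS_DIR/keystore.conf"; set_policy; grant_ams_auth
  run dspmqspl -m "$QMGR" -p "SYSTEM.FTE.DATA.$AGENT"   # confirm the policy is in place
  run fteStartAgent "$AGENT"
}
if [ "${1:-}" = apply ]; then enable_ams; fi
```

Invoke it as `sh enable_ams.sh apply` (or with `DRY_RUN=1` set) as the user that owns the agent; the dspmqspl output should list the SHA1/AES128 policy on SYSTEM.FTE.DATA.AGT_NAME.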