Standard AMS interception:

IBM MQ Advanced Message Security (or AMS) is available as part of IBM MQ Advanced, IBM MQ Appliance, or as an optionally installable component for IBM MQ on z/OS (it is not available as an optional install for IBM MQ on distributed, as of January 2017). AMS expands IBM MQ’S security services to provide data signing and encryption at the message level. The expanded services guarantee that message data has not been modified between when it is originally placed on a queue and when it is retrieved. In addition, AMS verifies that a sender of message data is authorized to place signed messages on a target queue.

From MQ version 7.5 onwards, applications compiled against MQ client libraries are eligible for AMS interception as messages leave, or arrive at, the client.
The setup details for the standard AMS can be found Here

What happens when application performs a MQPUT?

When the application performs an MQPUT to an MQ queue for which an AMS security policy is defined, the AMS interceptor intercepts the operation, and applies the necessary signing/encryption specified in the policy to the message data before the MQPUT request is sent to the queue manager. 

In the case of a client-mode connection, using a server-connection channel on the queue manager, the message data is protected both in transit and at rest on the queue manager, regardless of whether SSL/TLS is enabled on the channel, although it may still be desirable to configure SSL/TLS on the channel to authenticate client connections and assert the integrity of the MQ control flows on the channel. This is illustrated as follows.

Application performs MQPUT

What happens when application performs a MQGET?

When the application performs MQGET from the Queue for which AMS policy is defined and application is connected in client mode, using a server connection channel, the message data is protected unless AMS intercept decrypt the message in the receiving application side successfully.This is illustrated as follows.

Application performs MQGET

MCA interception:

In some cases, it is not feasible to apply protection at the client side, typically when the client code is built or linked against an older level of MQ client libraries.

There is a feature called MCA interception which allows a Queue manager running under IBM MQ with a licensed install of Advanced Message Security to selectively enable policies to be applied for server connection channels. MCA interception allows clients that remain outside AMS to still be connected to a queue manager and their messages to be encrypted and decrypted.
Example to set up the AMS-MCA interception can be found Here

What happens when application performs MQPUT?

The Message Channel Agent (MCA) is the name given to the process servicing the server-connection channel instance, receiving requests from a client connected via the channel. MCA interception allows the protection policy to be applied to the message by the MCA when it first arrives at the queue managerThis is illustrated as follows:

MCA interception: Application performs MQPUT

As the message is only protected when it arrives at the queue manager, then it is desirable to apply an SSL/TLS configuration to the server-connection channel, in order to protect the message while it is in transit prior to reaching the MCA.

What happens when application performs MQGET?

When the application performs MQGET from the Queue for which AMS policy is defined and application is connected in client mode, Messages are unprotected before being sent over the channel on MQGET.

MCA interception: Application performs MQGET

So again, it is desirable to apply an SSL/TLS configuration to the server-connection channel, in order to protect the message while it is in transit prior to reaching client application.

Note:

1.Using MCA interception and AMS-enabled client leads to double-protection of messages which might be problematic for receiving applications.

How to disable IBM MQ AMS at the client side,can be found Here

2.The messages protected by MCA interception are the same as client-intercepted messages, and so MCA intercepted and client-intercepted applications are interoperable.

Example: This following diagram shows client interception is used for MQPUT and MCA interception is used for MQGET. And it can be vice versa.

AMS interception and MCA interception are used by PUT application and GET application respectively

Leave a Reply