Since we launched the MQ on Cloud service in March this year the most popular requests we’ve had from our users is for more advanced security capabilities, which demonstrates the importance users are rightly placing on security in the cloud. Today we are pleased to announce that we are delivering on those requests with the availability of new features to enable AMS and TLS configuration in the MQ cloud service as described below.

Both these new features are available for queue managers running at “v9.1.0 revision 2” and above, so deploy a new queue manager or upgrade an existing one today using the MQ on Cloud service to get started!

1. Enable IBM MQ Advanced Message Security (AMS) to allow message-level encryption and signing

Existing MQ users may already be familiar with the Advanced Message Security (AMS) feature which provides the ability to encrypt and/or sign individual messages as they flow through the system in order to prevent message content being viewed by administrators or malicious actors, or detect if it has been modified in transit.

We are pleased to announce that the MQ cloud service now supports both patterns for using AMS;

  • Application AMS is the recommended approach and provides end-to-end encryption – message data is encrypted or signed transparently by the MQ client library before it is transmitted to the queue manager, and can be decrypted only by the intended receiving application once the message reaches the receiving application’s process, ensuring the message data is protected for the entire path from sender to receiver applications. See AMS user scenarios for details on how to configure Application AMS
  • Queue manager AMS allows you to get many of the benefits of AMS without needing to make changes to existing applications – configuration is made on the queue manager to encrypt or sign the message when it is received by the queue manager, and decrypt as the message is being passed to the receiving application. This can be useful in scenarios where you cannot alter the sending application, such as when the message is sent by an application owned by a partner organisation or by a packaged vendor application. See our tutorial on enabling Queue manager AMS in the cloud service for details

2. Configure connections to the queue manager using mutual TLS authentication

We have also introduced the new capability in the IBM Cloud service console to enable you to configure the queue manager keystore file, allowing you to;

  • Import client certificates presented by your application so that they are trusted by the queue manager when the client creates a connection
  • Import and configure your own TLS certificates and apply them to be used as server certificates by the queue manager or individual channels

This gives you the ability to configure mutual TLS authentication on connections to the queue manager for either applications connecting to send and receive messages, or channels connecting one queue manager to another queue manager.

To get started deploy or upgrade a queue manager to “v9.1.0 revision 2” then click into the queue manager details and look for the “Key store” and “Trust store” tabs in the service console as illustrated in the screenshot below, and try the TLS tutorial in our Documentation pages.


Don’t forget, these new features are only available for queue managers running at “v9.1.0 revision 2” and above, so deploy a new queue manager or upgrade an existing one today using the MQ on Cloud service!

We love to hear your feedback so if you have any comments on these new features or any other part of the MQ on Cloud service please get in touch using the comment section below, or by Twitter @matrober.

Join The Discussion

Your email address will not be published.