Before you start to configure AMS on z/OS, you need to understand whether you are licensed for AMS; see here. You need to know this so that you use the right value in your AMSPROD. If you use the wrong value, your billing may be wrong.
I used the instructions here. There are a lot of steps, but they are clear, and they worked. The AMS address space is started by the queue manager once all the setup has been done. If you try to start it by hand, it will fail.
If you have to put in change requests for changes to security profiles, you may want to build one big list for the security team to do (or, perhaps better, create the JCL with all of the commands, and ask the security team to run the commands for you). The security team may have views about the granularity of access to keyrings: using FACILITY (a user can access any keyring) or RDATALIB (you give access to a specific ring, <ringowner>.<ringName>.LST).
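The two keyring options above, written as RACF commands in a batch TSO job of the kind you could hand to the security team. This is an added example, not part of the original setup; AMSUSER, RINGOWN and AMSRING are placeholder names, and the access levels shown are assumptions to agree with your security team.

```jcl
//RACFAMS  JOB (ACCT),'AMS KEYRING',CLASS=A,MSGCLASS=X
//* Added example. AMSUSER, RINGOWN and AMSRING are placeholders,
//* and the ACCESS levels are assumptions to agree with security.
//* Keep ONE of the two options and delete the other before submit.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Option 1: FACILITY - global. UPDATE lets AMSUSER list   */
  /* any user's keyring (READ would cover only its own).     */
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
         ID(AMSUSER) ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY) REFRESH
  /* Option 2: RDATALIB - one profile per ring, named        */
  /* <ringowner>.<ringName>.LST                              */
  SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
  RDEFINE RDATALIB RINGOWN.AMSRING.LST UACC(NONE)
  PERMIT RINGOWN.AMSRING.LST CLASS(RDATALIB) -
         ID(AMSUSER) ACCESS(READ)
  SETROPTS RACLIST(RDATALIB) REFRESH
  /* List who is permitted, so the result can be reviewed    */
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
  RLIST RDATALIB RINGOWN.AMSRING.LST AUTHUSER
/*
```

If you go with RDATALIB, check that the same ID does not also hold UPDATE on IRR.DIGTCERT.LISTRING, otherwise it can still list rings other than the one you intended.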
In Enable Advanced Message Security, I created a new zparm module, for example CSQZAMSP with the SPLCAP=YES and the AMSPROD=xxxx value.
I started the queue manager with
%csq9 start qmgr parm(csqzamsp)
If you need to start the queue manager without AMS, just use your previous version.
Once MQ starts, and the AMS address space starts.
If you want to change the AMS policy you need to use CSQ0UTIL.
If you change the keyring, or the AMS policy you need to refresh the AMS address space.
F qmgrAMSM,REFRESH KEYRING
F qmgrAMSM,REFRESH POLICY
F qmgrAMSM,REFRESH ALL
If you cancel the xxxxAMSM address space, the queue manager will end.
Generation of certificates.
AMS only supports RSA certificates, so you cannot use Elliptic Curves; you must use GENCERT ... RSA (or let it default to RSA).