Having got a basic AMS set up working (on z/OS), it takes a bit of planning (and getting your head round it) to add more users and get the certificates in the right place when you have more than one queue manager. For example for someone to get an encrypted message the putting userid on the remote queue manager needs the getter’s public certificate. If there are 1000 potential putters, you start to see the complexity of the problem.
As I have tried to implement AMS across my baby enterprise I’ve realised you need a process for maintaining the key stores. When using multiple queue managers you have to remember which queue manger needs which options on the setmqspl command.
Basic key store management
z/OS key rings
On z/OS, each local userid has its own private key on its own keyring, with all of the shared public keys on the xxxxAMSM userid’s keyring (userid/drq.ams.keyring). Update the xxxxAMSM’x keyring, and every one picks up the change – great – easy.
You can have multiple queue managers in a single z/OS image or a sysplex, each with the xxxxAMSM address space. If they use the same started task userid, they will share the same keyring. (So to have queue managers use a different keyring, they will need a different userid.)
If any of the users are outside of the RACF key ring, you may need to export public certificates and send them to other environments: different sysplexes, or different midrange machines. The certificate will need to be imported on these other machines.
Midrange key stores
With midrange, a userid needs a key store with the private and public keys. With multiple machines you need a process to update and distribute key stores. For example:
- Create a key store in a central site. Do all maintenance to this key store, adding and removing certificates as required.
- Securely distribute this to all machines that are using AMS.
- The key store which has been distributed may have the public key for the user. You need to remove it, from the downloaded keystore and add the private key from the local machine.
- runmqakm -cert -delete -db /home/colinpaice/.mqs/shared.kdb -type kdb -pw passw0rd -label COLIN
- runmqakm -cert -export -db $private.kdb -pw passw0rd -label COLIN -target COLIN.key.p12 -target-type pkcs12 -target_pw zpassword
- runmqakm -cert -import -target /home/colinpaice/.mqs/shared.kdb -target_type kdb -pw zpassword -file COLIN.key.p12 -type p12
- when you import the private key you can use -label COLIN -new_label COLIN2 to give it a new label.
- You have to make the key the default using runmqakm -cert -setdefault (even though this is deprecated), because without this, the first certificate in the keystore is used..
- Rename the shared key stores; current to old, new to current.
- Restart the client.
- Check it all works, delete the old key store.
If you add a new user, you may need to send the user’s public key to the cental site, to get it distributed to the mid range machines, and send it to the z/OS systems to add to the xxxxAMSM key rings.
In my case I just used one client, and updated the client’s key store directly.
Adding a new user for putting messages to a queue
Signed messages
When the data is signed, the recipient needs:
- the Certificate Authority of the putter (the signer) – which the recipient may already have
- or, when the putter has used a self signed certificate, the recipient needs the public part of the putter’s self signed certificate.
When using a CA signed certificate you may not need to export anything if the receiving end already has the CA certificate in the key store or keyring.
To export and import the Certificate authority.
- To export a CA certificate from z/OS, certificate see here, the certificate owner will typically be CERTAUTH
- To export a putter’s mid range CA certificate, see here.
- To import a CA certificate on z/OS, the certificate owner could be a userid, site, or CERTAUTH (check with your security administrator). You might not have authority to use SITE or CERTAUTH.
- To import a CA certificate on mid range, see here.
When using a self signed certificate (not a good idea for production)
- export the putter’s public certificate
- import it into the midrange key stores
- import it to any other z/OS systems, and add it to the xxxxAMSM keyring.
You can use
- To export a putter’s z/OS certificate see here.
- To export a putter’s mid range certificate, see here.
- To import a certificate on z/OS for a getter, see here. Once the certificate has been imported into the xxxxAMSM keyring it is available to all uses of the queue manager, and does not need to be imported again.
- To import a certificate on mid range for a getter, see here.
Specify the list of authorised DNs
At the getting end, if the setmqspl -a option is used to specify the list of authorised signers, then the DN from the putter needs to be added to the list of authorised signers (-a…) . You should use dspmqspl -m mq -p q -export to get the current definition for the queue and use setmqspl to add the new -a data to that.
On z/OS, when you have used setmqspl to update the AMS configuration, you need to use the F xxxxAMSM,REFRESH ALL command.
Putting encrypted messages
The putter needs a private key in the keystore or key ring – though this is not used when encrypting messages.
At the putting end, the queue needs to be configured with the list of recipient DNs setmqspl … -r … .
The public certificates for these DNs need to be in the putter’s xxxxAMSM keyring, or in the mid range user’s key store.
- To export the recipients’s z/OS certificate see here. You could store this in a central file so you can just reuse it rather than having to export it every time.
- To export the recipients’s mid range certificate, see here. You could store this in a central file so you can just reuse it rather than having to export it every time.
- To import the certificate on z/OS for the putter, see here. You should only need to do this once per keyring and user.
- To import the certificate on mid range for the putter, see here. This is where you need a process for a centralised key store containing all of the public keys your organisation needs, and distributing this to all of the users. You may have a cms key store (for C programs) and a JKS key store for Java programs.
Adding a new user for getting messages from a queue
Getting signed messages
If other userids are getting signed messages from this queue there may be no additional configuration on the getting queue manager.
If you are using setmqspl … -a … see Specify the list of authorised DNs above. It may already be set if other userids are configured to get messages from this queue.
When using a CA signer certificate you may not need to export anything if the receiving end already has the CA certificate in the key store or keyring.
If the getting end does not have the CA see To export and import the Certificate authority above.
If the putter is using self signed, see When using a self signed certificate (not a good idea for production) above.
Getting encrypted messages
The getter’s private key is used to decrypt the message. Each putter needs to have access to the public key of the getter.
On the system doing the MQPUT,
- the recipient’s DN needs to be configured on the putting queue manager using setmqspl with the -r (recipient) option for the queue
- each user doing the MQPUT will need access to the recipient’s public certificate in its key store or the xxxxAMSM keyring.
Specify the list of recipient DNs
On the putting queue manager you need to add the recipient to the list of the recipients for message. Use the command dspmqspl -m QMA -p AMSQ -export to display the existing configuration for the AMSQ queue, and add the DN of the new user to the list using the setmqspl command.
You need to do this on all squeue managers which can be putting to this queue manager
On z/OS, when you have used setmqspl to update the AMS configuration, you need to use the F xxxxAMSM,REFRESH ALL command.
Get the recipients public certificate in the putters’ keyrings and key stores.
- To add a z/OS user’s public certificate to the xxxxAMSM’s keyring in the same RACF database, see here.
- To export the z/OS certificate from a recipient, see here.
- To export the mid range certificate from a recipient, see here.
- To import a certificate for putters on z/OS, see here.
- To import a certificate for putters on mid range, see here.
Other AMS blog posts
- Overview and challenges of using end to end message encryption (AMS).
- Certificate and keyring management for AMS.
- Installing AMS on z/OS.
- What certificates do I need for AMS with a client going to z/OS?
- checkAMS: program to check your AMS defintions are consistent with z/OS keyring
- Adding more users to AMS.
- Installing AMS on midrange for end to end message protection
- Understanding setmqspl to set up AMS definitions.
- How to administer AMS policies, and use the set policy command.
- Brain check and reset, needed for AMS keystores on midrange.
- Using runamscred to encrypt the passwords in the keystore.conf file.
- How do I find the recipients and signer of an AMS message?
- I have a message on the AMS DLQ – what can I do about it? and How do I process messages on the dead letter queue (DLQ)?
ColinPaice 