In this page we assume that
To exchange SWIFT messages over an SSL/TLS-encrypted MQ connection, do the following:
The MQ client already ships the tooling needed for this. Its IBM Key Management tool (IKEYMAN, or the command-line equivalent runmqckm) is used to create the key repository, a CMS key database (.kdb). When creating it, choose to stash the password to a file: the MQ client opens the key database without prompting and needs the .sth stash file next to the .kdb. In the key repository:
1. Create a personal certificate with the label ibmwebspheremq<username>, where <username> is the user ID (in lowercase) under which the application connects to MQ. The MQ client looks up its own certificate by exactly this label.
2. Import the certificate sent by the remote counterpart (the CA certificate that signed the counterpart's certificate, or the counterpart's self-signed certificate itself) as a signer certificate, so that the counterpart's certificate can be validated during the handshake.
Agree on a CipherSpec with the counterpart (e.g. TLS_RSA_WITH_AES_256_CBC_SHA256); both ends must configure exactly the same CipherSpec, otherwise the channel does not start. Certain CipherSpecs (like the above example, which uses 256-bit AES) require the unlimited strength jurisdiction policy files for the JRE used by the MQ Java components such as the WebSphere MQ Explorer. Two files are to be replaced:
- US_export_policy.jar
- local_policy.jar
in folder jre/lib/security/ of the Java SDK within MQ. (JREs from Java 8 update 161 onward ship with the unlimited policy enabled by default, so no replacement is needed there.)
The two files must match the JRE release and service release and can be downloaded under
Connectivity and the counterpart's certificate can be tested with openssl (or Win32 OpenSSL on Windows) by calling “openssl s_client -connect <host>:<port>” with the IP address and port of the remote counterpart. As a rule the test is successful if the handshake completes and the counterpart's certificate is returned (a multi-line Base64 block between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”). To exercise the agreed CipherSpec rather than whatever suite OpenSSL happens to pick, pass its OpenSSL name (e.g. “-tls1_2 -cipher AES256-SHA256” for TLS_RSA_WITH_AES_256_CBC_SHA256) and check the “Verify return code” line: 0 means the chain validated against the CA file given with “-CAfile”, any other value means the certificate came back but could not be validated. If the counterpart's channel requires a client certificate, pass it with “-cert” and “-key” as well, otherwise the handshake fails before any certificate is shown.
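The openssl test described above, turned into a small checker; this is an added example and not part of the original page or the product. It builds the s_client command line for a given MQ CipherSpec (the CipherSpec-to-OpenSSL name table covers only the four RSA/AES CBC suites listed) and parses s_client's output for the three things worth checking: that a certificate was returned, which cipher and protocol were negotiated, and the verify return code. The host name, port and the s_client output below are constructed sample data.

```python
"""Added example (not part of the original page): build an openssl s_client
test for an agreed MQ CipherSpec and evaluate the output the way the text
above describes. Host, port and SAMPLE_OUTPUT are constructed."""
import re

# MQ CipherSpec name -> (OpenSSL cipher name, protocol flag for s_client).
# Only the four RSA/AES CBC suites are listed here; extend as needed.
CIPHERSPEC_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": ("AES256-SHA256", "-tls1_2"),
    "TLS_RSA_WITH_AES_128_CBC_SHA256": ("AES128-SHA256", "-tls1_2"),
    "TLS_RSA_WITH_AES_256_CBC_SHA": ("AES256-SHA", "-tls1"),
    "TLS_RSA_WITH_AES_128_CBC_SHA": ("AES128-SHA", "-tls1"),
}


def build_s_client_command(host, port, cipherspec, cafile=None,
                           client_cert=None, client_key=None):
    """Return the argv for an s_client run that negotiates exactly the agreed
    CipherSpec instead of letting OpenSSL choose any suite."""
    if cipherspec not in CIPHERSPEC_TO_OPENSSL:
        raise ValueError(f"no OpenSSL mapping known for CipherSpec {cipherspec}")
    openssl_name, proto_flag = CIPHERSPEC_TO_OPENSSL[cipherspec]
    argv = ["openssl", "s_client", "-connect", f"{host}:{port}",
            proto_flag, "-cipher", openssl_name]
    if cafile:                       # signer certificate(s) to validate the chain
        argv += ["-CAfile", cafile]
    if client_cert and client_key:   # needed when the counterpart requires a client cert
        argv += ["-cert", client_cert, "-key", client_key]
    return argv


def parse_s_client_output(text):
    """Extract the fields of interest from s_client's stdout."""
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                    text, re.S)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", text)
    return {
        "certificate_returned": pem is not None,
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
        "verify_return_code": int(verify.group(1)) if verify else None,
        "verify_text": verify.group(2) if verify else None,
    }


def check_handshake(text, cipherspec):
    """Combine the parsed output with the page's success rule (certificate
    returned) and the two stricter checks a practitioner wants: the agreed
    cipher was actually negotiated, and the chain verified (return code 0)."""
    result = parse_s_client_output(text)
    expected_cipher = CIPHERSPEC_TO_OPENSSL[cipherspec][0]
    result["cipher_matches"] = result["cipher"] == expected_cipher
    result["chain_verified"] = result["verify_return_code"] == 0
    return result


# Constructed s_client output: certificate returned, agreed cipher negotiated,
# but the chain did not verify (no -CAfile given, so code 18 = self signed).
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=0 CN = mqserver.example.test
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = mqserver.example.test
   i:CN = mqserver.example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIUQ0tZRzI3c2FtcGxlY2VydGRhdGEwDQYJKoZIhvcNAQEL
BQAwHjEcMBoGA1UEAwwTbXFzZXJ2ZXIuZXhhbXBsZS50ZXN0MB4XDTI0MDEwMTAw
-----END CERTIFICATE-----
subject=CN = mqserver.example.test
issuer=CN = mqserver.example.test
---
New, TLSv1.2, Cipher is AES256-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Verify return code: 18 (self signed certificate)
---
"""

if __name__ == "__main__":
    print(" ".join(build_s_client_command("mqserver.example.test", 1414,
                                          "TLS_RSA_WITH_AES_256_CBC_SHA256")))
    for key, value in check_handshake(SAMPLE_OUTPUT,
                                      "TLS_RSA_WITH_AES_256_CBC_SHA256").items():
        print(f"{key}: {value}")
```

In practice run the command returned by build_s_client_command and feed its stdout to check_handshake; the Windows Win32 OpenSSL build takes the same arguments. A result with certificate_returned true but chain_verified false is exactly the “certificate comes back” situation the page calls success, and it is the point at which to confirm that the counterpart's signer certificate was imported into the key repository.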
In transaction Task Manager (MGRTSK):
Panel “SWIFT Send”:
Check the checkbox “Use SSL”.
Enter in “Key Repository” the full path to the keystore including the keystore name but without the .kdb suffix, e.g. d:\doka\mqm\keystore1 (the stash file d:\doka\mqm\keystore1.sth must exist next to it).
Enter in “Cipher” the CipherSpec agreed with the counterpart (e.g. “TLS_RSA_WITH_AES_256_CBC_SHA256”); it must match the CipherSpec configured on the counterpart's channel exactly.
If applicable, configure the panels of the other services that use the MQ service (e.g. “SIC” or “EuroSIC”) analogously.
In transaction MQ Interface Incoming Messages (MQITSK):
Panel “Configuration”:
Make sure the “Incoming SWIFT” checkbox is checked.
Grid line for “Incoming SWIFT”:
Enter in column “Key Repository” the full path to the keystore including the keystore name but without the .kdb suffix, e.g. d:\doka\mqm\keystore1
Enter in column “Cipher” the agreed CipherSpec (see above).
Shut down and restart all instances of MGRTSK and MQITSK so that the new key repository and cipher settings take effect.