Documentation - DOKA-NG (Functional availability is per selected plan)

User Tools

Site Tools

You are here: DOKA-NG Application Documentation » English » DOKA-NG User Documentation » Core System » Messages » MQ Encryption
en:app:020cor:030message:0200mqkey
Book Creator
 Add this page to your book
Book Creator
 Remove this page from your book  

 Manage book (0 page(s))
 Help

MQ Encryption

In this page we assume, that

  • DOKA-NG is operating through the MQ Client only
  • SWIFT communication between DOKA-NG, MQ and the remote counterpart is already working without encryption.

To exchange SWIFT messages with encryption do the following:

Configure SSL

Create and Configure Keystore

The MQ client contains functionality which should be used. The MQ client features the tool IBM Key Management (IKEYMAN) that can be used to create a keystore. In the keystore:

1. create a personal certificate, which must be named ibmwebspheremq<username>. username is the user which connects to MQ.

2. Import the certificate sent by the remote counterpart.

CipherSpec and Java Policy Files

Agree on a cipher spec string with the counterpart (e. g. TLS_RSA_WITH_AES_256_CBC_SHA256). Certain CipherSpec definitions (like the above example) require using the unlimited jurisdiction policy files for the JRE version used by the WebSphere MQ Explorer. 2 files are to be changed:

- US_export_policy.jar

- Local_policy.jar

in folder jre/lib/security/ of the Java SDK within MQ.

The two files can be downloaded according to release and service release under

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/sdkpolicyfiles.html

Test SSL

Testing can be achieved using “openssl” or “Win32 openssl” by calling the openssl command “s_client -connect …” according to the openssl syntax and passing IP address and port of the remote counterpart. As a rule test is successful if the certificate is returned (multiline alphanumeric string).

Configure DOKA-NG

Outgoing Messages

In transaction Task Manager (MGRTSK):

Panel “SWIFT Send”:

Check checkbox “Use SSL”

Enter in “Key Repository” full path to keystore incl. name of keystore without suffix, e. g. d:\doka\mqm\keystore1

Enter in “Cipher” the cipher string agreed with the counterpart (e. g. “TLS_RSA_WITH_AES_256_CBC_SHA256”)

If applicable configure analogously in the panels of the other services that use the MQ service (e. g. “SIC” or “EuroSIC”).

Incoming Messages

In transaction MQ Interface Incoming Messages (MQITSK):

Panel “Configuration”:

Make sure “Incoming SWIFT” checkbox is checked.

Grid line for “Incoming SWIFT”:

Enter in column “Key Repository” full path to keystore incl. name of keystore without suffix, e. g. d:\doka\mqm\keystore1

Enter in column “Cipher” the agreed cipher string (see above).

Restart

Shut down and restart all Instances of MGRTSK and MQITSK.

en/app/020cor/030message/0200mqkey.txt · Last modified: 2022/04/19 13:13 (external edit)

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki