IBM MQ - SSL Encrypted Message Browsable in MQ Explorer

Question

I have done an SSL configuration for my IBM MQ v9, created a Java client, and added the certificates both sides. A Put and Get messages works fine. My issue is I'm able to browse the message using the MQ Explorer in the server. Is it because the message is decrypted and shown? Can I keep this message encrypted to a MQ Admin user who has access to the MQ explorer.

Any advice is very much appreciated.

Thanks in advance,

Yasothar

Answer 1

Configuring encryption at the channel level only encrypts data in motion (on the network).

Messages on a queue are not encrypted unless you do this at the application layer or use the IBM MQ Advanced Message Security (AMS) extension of the product, this requires additional configuration with different certs to represent the putting and getting applications as well as policies to tell MQ AMS what to encrypt and who can receive.

Even with IBM MQ AMS configured, someone with MQ admin authority can still override configurations to allow viewing of messages sent, since the the MQ admin controls the policy, so can easily add themselfs as a new recipient so they can also view message that are sent.