hopsala |
Posted: Tue Oct 17, 2006 12:51 pm Post subject: WBI v6\ All OS\ message encryption |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
(this is sort of a followup to http://www.mqseries.net/phpBB2/viewtopic.php?p=154337#154337)
Does anyone know a product which encrypts message data?
I have a system in which Application A sends data through MQ, which is read by a WBI flow, and then sent to Application B. I need a product that enables both the application side (in various common languages - C, Java, etc.) and WBI flows to encrypt and decrypt messages.
Preferably if some sort of "encrypt" node is supplied for WBI processing, which seems to me most convenient.
So, any thoughts? recommendations?
Thanks
Last edited by hopsala on Sat Nov 11, 2006 3:13 am; edited 1 time in total |
jefflowrey |
Posted: Tue Oct 17, 2006 1:01 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
WebSphere MQ Extended Security Edition. _________________ I am *not* the model of the modern major general. |
hopsala |
Posted: Wed Nov 08, 2006 1:18 pm Post subject: |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
jefflowrey wrote: |
WebSphere MQ Extended Security Edition. |
Did some more research on TAMBI, and I fail to see how this can be achieved.
TAMBI works by using WMQ's API exits, and takes the userid that the requesting process runs under, that is, the message flow user - which is none other than the broker user. All encryption/decryption is done with the set of conditions and credentials configured for that specific user, so that in WMB's case, all flows can decrypt any message designated to any flow.
This is hardly one-to-one encryption. That is why I wanted an API, because, for the time being, it is the only way to tighten WMB security (should have probably stated this, my bad).
Anyway, TAMBI does not come with a security suite, but a product called DSTK by Primeur (a sub-product of DSMQ) does, although it does not supply a customized WMB node. |
jefflowrey |
Posted: Wed Nov 08, 2006 1:25 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
JavaComputeNode and JSSE? _________________ I am *not* the model of the modern major general. |
fjb_saper |
Posted: Wed Nov 08, 2006 9:42 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
jefflowrey wrote: |
JavaComputeNode and JSSE? |
Or java compute node and JCE...  _________________ MQ & Broker admin |
jefflowrey |
Posted: Thu Nov 09, 2006 2:28 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Too many acronyms, not enough time. _________________ I am *not* the model of the modern major general.
Last edited by jefflowrey on Thu Nov 09, 2006 3:22 am; edited 1 time in total |
Vitor |
Posted: Thu Nov 09, 2006 2:49 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
So am I correct in saying your dream scenario is this:
Application A writes message, it's encrypted & sent to the message broker, execution group Z decrypts, processes and sends on the message which is reencrypted and sent to Application B.
A->B messages can't be processed by execution group Y because it can't decrypt them, Application C can't send messages to B via Z because it can't encrypt them.
That about it? _________________ Honesty is the best policy.
Insanity is the best defence. |
hopsala |
Posted: Fri Nov 10, 2006 1:47 am Post subject: |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
jefflowrey wrote: |
Too many acronyms, not enough time. |
Indeed; yet all these wondrous acronyms don't supply a plug-in node...
What, am I the only one who finds this to be a better solution than coding?
Vitor wrote: |
... A->B messages can't be processed by execution group Y because it can't decrypt them, Application C can't send messages to B via Z because it can't encrypt them. |
Ya - that about it. Detailed Dream Scenario (aka DDS) would be that normal applications (i.e. not WMB) would encrypt using API exit products (TAMBI, DSMQE2E) so that everything is done automatically according to user name, and that my WMB flows would start and end with encrypt/decrypt nodes - nodes that I did not develop and do not need to maintain, but came with this imaginary security package.
Too much to ask? |
Vitor |
Posted: Fri Nov 10, 2006 2:01 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
hopsala wrote: |
Too much to ask? |
Yes - to implement your DDS you need to RYO JCN
(You can never have too many acronyms)
Seriously, I think to achieve this the previous posters are right and you'll need to hand craft (Roll Your Own) Java Compute Node using your choice of the methods available.
Unless of course you can imagine a vendor that produces this imaginary security package. I've met a number of pre-sales people who seem to provide functionality by imagining their product can do it, so it's not that much of a leap...  _________________ Honesty is the best policy.
Insanity is the best defence. |
hopsala |
Posted: Sat Nov 11, 2006 2:54 am Post subject: |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
Vitor wrote: |
I've met a number of pre-sales people who seem to provide functionality by imagining their product can do it, so it's not that much of a leap...  |
So I see you've been in contact with IBM sales
Anyway, being an advisor and not the client, I take comfort in the fact that I will not be the one coding it. Oh unfathomable lord of the consultants, I thank thee.  |
Vitor |
Posted: Mon Nov 13, 2006 1:14 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
hopsala wrote: |
Vitor wrote: |
I've met a number of pre-sales people who seem to provide functionality by imagining their product can do it, so it's not that much of a leap...  |
So I see you've been in contact with IBM sales
Anyway, being an advisor and not the client, I take comfort in the fact that I will not be the one coding it. Oh unfathomable lord of the consultants, I thank thee.  |
I would not wish to impugn any software or consultancy company directly (according to my lawyer!). Suffice it to say I've worked for a number of both, none of whom are the one mentioned, and ended up with a client going "the other guy said it wouldn't be a problem". Responses from the pre-sales people involved have ranged from the selfish "It isn't a problem - for me" to the more honest "If we'd admitted it couldn't do it we wouldn't have got the sale"; with all shades in between.
The unfathomable lord of consultants has decreed it's my lot to sort it out.  _________________ Honesty is the best policy.
Insanity is the best defence. |