which is the best security solution for MQ?
sanjoo
Posted: Fri May 18, 2007 6:12 am    Post subject: which is the best security solution for MQ?

Does anybody have some information about Primeur's tool?

We are looking for a security solution which will provide us tight authentication and authorization.
I have gone through the overview manuals of some products like:

1. Capitalware's MQ Authenticate User Security Exit (MQAUSX)
2. IBM WebSphere MQ Extended Security Edition, Version 6.0 (TAMBI)
3. Primeur's Data Secure for WebSphere MQ

It seems that only TAMBI can offer authentication (with encryption) with granular authorization to MQ resources.

The other factor is that an auditing and reporting mechanism is not available in Primeur's tool, but it's there in the other two.

MQAUSX looks solid, with value-added options like Set Maximum Number of Incoming Connections per Channel and IP Filtering, but it lacks authorization.

If anybody has an idea about these or any other product besides these... please let me know.
Thanks in advance.
_________________
Sanjoo

Keep smiling
sanjoo
Posted: Fri May 18, 2007 6:16 am

Sorry for not clarifying what I meant by granular authorization.

If an application connects to the MQ server through app servers, the user id becomes useless, since the identity of the requesting application is lost. It then becomes very difficult to restrict access to MQ resources to only the concerned applications.

For example, in the scenario depicted in the diagram below, application AAA should have visibility to only the AAA_REQ queue. But since application BBB also passes the same generic user id, it can also access AAA_REQ, which is meant only for application AAA, and vice versa.

The big question here is: if two applications are running under the same user id... how to granularize authorization? On what basis?
We don't want to do any code change at the application level coz it will affect hundreds of applications.

Thanks
_________________
Sanjoo

Keep smiling
RogerLacroix
Posted: Sun May 20, 2007 7:17 pm    Post subject: Re: which is the best security solution for MQ?

sanjoo wrote:
It seems that only TAMBI can offer authentication (with encryption) with granular authorization to MQ resources.

This is totally incorrect. MQAUSX offers FULL authentication support along with full compliance with IBM MQ's ACL structure (i.e. setmqaut).
sanjoo wrote:
but it lacks authorization.

Totally incorrect.

Please be very careful about your broad and incorrect assumptions.

sanjoo wrote:
We don't want to do any code change at the application level coz it will affect hundreds of applications.

MQAUSX can be totally transparent to MQ client applications if they use Client Channel Tables or MQCONNX.

sanjoo wrote:
For example, in the scenario depicted in the diagram below, application AAA should have visibility to only the AAA_REQ queue. But since application BBB also passes the same generic user id, it can also access AAA_REQ, which is meant only for application AAA, and vice versa.

Authentication is done when the application issues either MQCONN or MQCONNX.

How can any authentication or ACL rules be checked if all applications are using the same UserId?

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
sanjoo
Posted: Thu May 24, 2007 10:46 am

"How can any authentication or ACL rules be checked if all applications are using the same UserId?"

Roger... Thanks a lot for clarifying.

But this is what the problem is.
Here is the solution that I can think of... if every client is given a different certificate, and on the server side we could map authorization levels on the basis of the certificate that is passed instead of the userid, this will perfectly interlock authorization and authentication.

I am not very sure... but I read somewhere that TAMBI does this, but I don't know how.

Can you please let me know how MQAUSX can help me with this?

Thanks a lot again.
Appreciate your help.
_________________
Sanjoo

Keep smiling
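
The shared-user-id problem from the second post and the certificate idea from the last one, modelled as an added Python example; it is not part of the thread and is not code from any product mentioned here. The principal names, DNs and ACL table are constructed, and the DN is assumed to come from a certificate the server has already validated during the TLS handshake.

```python
# Constructed authority records in the spirit of setmqaut:
# principal -> queue -> permitted actions.
ACL = {
    "generic": {"AAA_REQ": {"put", "get"}, "BBB_REQ": {"put", "get"}},
    "app_aaa": {"AAA_REQ": {"put", "get"}},
    "app_bbb": {"BBB_REQ": {"put", "get"}},
}

# Constructed map from certificate subject DN to principal (hypothetical names).
DN_TO_PRINCIPAL = {
    "CN=AAA,OU=Apps,O=Example": "app_aaa",
    "CN=BBB,OU=Apps,O=Example": "app_bbb",
}

# Constructed connections: both applications arrive with the same generic user id.
AAA = {"userid": "generic", "cert_dn": "CN=AAA,OU=Apps,O=Example"}
BBB = {"userid": "generic", "cert_dn": "CN=BBB,OU=Apps,O=Example"}
NO_CERT = {"userid": "generic", "cert_dn": None}

def principal_from_userid(conn):
    """Identity is whatever user id the app server passed along."""
    return conn["userid"]

def principal_from_cert(conn):
    """Identity comes from the validated certificate DN; no match means no identity."""
    return DN_TO_PRINCIPAL.get(conn["cert_dn"])

def authorize(conn, queue, action, resolve):
    """Default deny: an unresolved principal or a missing ACL entry refuses access."""
    principal = resolve(conn)
    if principal is None:
        return False
    return action in ACL.get(principal, {}).get(queue, set())

def access_matrix(resolve):
    """Decision for every constructed connection against every queue."""
    conns = {"AAA": AAA, "BBB": BBB, "NO_CERT": NO_CERT}
    return {(name, q): authorize(c, q, "get", resolve)
            for name, c in conns.items() for q in ("AAA_REQ", "BBB_REQ")}

if __name__ == "__main__":
    for label, resolve in (("userid", principal_from_userid),
                           ("cert", principal_from_cert)):
        print(label, access_matrix(resolve))
```

With the user id as the principal, every row of the matrix is allowed; with the certificate DN as the principal, each application reaches only its own queue and a connection without a mapped certificate is refused.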