Data encryption |
Smarty05 |
Posted: Wed May 02, 2007 9:28 am Post subject: Data encryption |
|
|
Apprentice
Joined: 02 May 2007 Posts: 26
|
Hi,
we are looking for available tools to encrypt some of our Payroll applications data (not header part) end to end when sent across MQ environment ... maybe on application level or MQ channel level.
We have a Hub and spoke MQ environment. Application MQ nodes (running on 5.3/6.0) are connected to MB 6.0 brokers which do the message routing.
I came across tools like
1. MQ extended security edition + TIMBI (I hope both of these come as a single bundle)
2. PRIMEUR
But I am not sure which one will suit best in a Hub and spoke environment?
Will SSL be useful to encrypt only application data, not message headers?
Any other thoughts are very much appreciated!!!
Regards |
|
jefflowrey |
Posted: Wed May 02, 2007 9:29 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
The topology of the MQ network will not matter to either of these tools.
_________________
I am *not* the model of the modern major general. |
|
fjb_saper |
Posted: Wed May 02, 2007 11:44 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
SSL when used on the channels will only encrypt the traffic channel to channel and the messages will sit in clear on the queues...
You need something like TIMBI or MQPRIMEUR to do end to end encryption...
Don't know how the brokers will be supposed to handle the traffic when it's encrypted though ...
_________________
MQ & Broker admin |
|
David.Partridge |
Posted: Thu May 03, 2007 12:41 am Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
The products to look at are:
DSMQ from Primeur (www.primeur.com)
and TAMBI from Tivoli
My personal view is that DSMQ is superior, but then I'm biased, as I designed and wrote most of the code for their End-to-End security while I was working for them.
Regarding the issue of brokers, the product allows you to encrypt a message for multiple recipients, and if you are just using the broker to route the message, then in the current release, you can make the broker one of the recipients which will allow it to decrypt the message. DSMQ allows you to send the encrypted version of the message (cipher text) to an "archive queue" as you get the message. This capability is there to facilitate "non-repudiation" processing, but in the context of a broker and message routing, it is very useful.
What it allows you to do is to inspect the plain text, and then use the MQGET node to get the cipher text from the archive queue and send that on to the final destination based on the plain text content. Clearly if you are modifying the message in the broker, then all bets are off as the message you send out isn't the same message that you read, so it's effectively a new message.
Cheers
Dave |
|
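The broker pattern described in the post above, as an added example that is not part of the thread and is not DSMQ or TAMBI code: the body is encrypted once for several recipients, the broker opens its own copy to pick a route, and the original cipher text is forwarded unchanged. The message layout, recipient names, queue names and the `region=EU` routing rule are assumptions; the crypto is Node.js's built-in module (AES-256-GCM for the body, RSA-OAEP to wrap the content key).

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function newKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Encrypt the body once; wrap the content key (CEK) for every named recipient.
// The header is left readable but bound to the body as GCM associated data.
function seal(header, body, recipients) {
  const cek = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', cek, iv);
  c.setAAD(Buffer.from(header));
  const ct = Buffer.concat([c.update(body, 'utf8'), c.final()]);
  const keys = new Map();
  for (const [name, pub] of Object.entries(recipients)) {
    keys.set(name, nodeCrypto.publicEncrypt({ key: pub, ...OAEP }, cek));
  }
  return { header, iv, ct, tag: c.getAuthTag(), keys };
}

function open(msg, name, priv) {
  const wrapped = msg.keys.get(name);
  if (!wrapped) throw new Error(`${name} is not a recipient of this message`);
  const cek = nodeCrypto.privateDecrypt({ key: priv, ...OAEP }, wrapped);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', cek, msg.iv);
  d.setAAD(Buffer.from(msg.header));
  d.setAuthTag(msg.tag); // final() throws if header, body or tag was altered
  return Buffer.concat([d.update(msg.ct), d.final()]).toString('utf8');
}

// Broker: decrypt its own copy to choose a queue, then forward the original
// protected message unchanged so the final recipient can still open it.
function route(msg, brokerPriv) {
  const plain = open(msg, 'broker', brokerPriv);
  const queue = /(^|;)region=EU(;|$)/.test(plain) ? 'PAYROLL.EU' : 'PAYROLL.DEFAULT';
  return { queue, forward: msg };
}

// Constructed sample: one payroll message addressed to the broker and the payroll app.
function demo() {
  const broker = newKeyPair();
  const payroll = newKeyPair();
  const msg = seal('MsgType=PAYROLL', 'emp=1001;region=EU;net=2500.00',
    { broker: broker.publicKey, payroll: payroll.publicKey });
  const hop = route(msg, broker.privateKey);
  return { queue: hop.queue, plain: open(hop.forward, 'payroll', payroll.privateKey) };
}
```

Unlike SSL on the channel, the body here stays encrypted while the message sits on a queue; only systems holding a recipient private key can read it.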
Smarty05 |
Posted: Thu May 03, 2007 1:54 am Post subject: |
|
|
Apprentice
Joined: 02 May 2007 Posts: 26
|
Thanks for your detailed insight...
At the moment, we are not transforming Payroll appl'ns data in brokers but yes, in future we may need to as integrations grow in numbers... And before going for any of these tools, I would like to check whether these tools can be deployed without changing existing MQ/MB applications???
Do I need to configure these tools on the HUB server with brokers also and develop/modify broker message flows to decrypt the message before transformation (if required in future)? |
|
David.Partridge |
Posted: Thu May 03, 2007 2:26 am Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
The design point of both products is that the cryptographic message protection is provided without requiring modification to the application.
If you do want to decrypt an encrypted message, then the relevant product must be installed and configured on the relevant system, so if e.g. you want your broker to look at the content of a protected message the product must be set up on the system where the broker is running.
Message flows will obviously need modification to handle the sort of processing I described in my previous post.
Dave |
|