Poll: How do you manage WebSphere MQ Security?

  We don't - OAM is disabled or MCAUSER set to mqm    12%   [ 3 ]
  Using setmqaut commands                              36%   [ 9 ]
  Through channel exits                                 0%   [ 0 ]
  Using SSL                                            20%   [ 5 ]
  SSL+setmqaut+channel exits                           32%   [ 8 ]

Total Votes : 25
VladimirF
Posted: Thu Aug 07, 2008 6:49 am    Post subject: How do you manage your Websphere MQ Security?
Newbie | Joined: 16 Apr 2008 | Posts: 8 | Location: PA

If you would please participate in this poll.
Thank You
gbaddeley
Posted: Thu Aug 07, 2008 4:27 pm
Jedi Knight | Joined: 25 Mar 2003 | Posts: 2538 | Location: Melbourne, Australia

Unfortunately these are not mutually exclusive situations, so I can't give an answer.
_________________
Glenn
RogerLacroix
Posted: Thu Aug 07, 2008 7:44 pm
Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada

Hi,
I think you need to read up on MQ security to gain a better understanding of the "who, what, where" (especially given your company has been promoting that it will be releasing an MQ security product).
Let's review your questions:

VladimirF wrote:
    We don't - OAM is disabled or MCAUSER set to mqm
Sad but a lot of companies / MQAdmins actually do do this.

VladimirF wrote:
    Using setmqaut commands
OAM only handles authorizations (privileges). It does not handle authentication.

VladimirF wrote:
    Through channel exits
Channel security exits can perform security in 2 forms:
- full authentication but requires both client-side and server-side security exit pair
- filtering of IP or UserId (not authentication) and is server-side only

VladimirF wrote:
    Using SSL
SSL is good node-to-node security (and not end-to-end security). Channels with SSL implemented (along with OAM) provide role-based security, and not user-based security.

VladimirF wrote:
    SSL+setmqaut+channel exits
This would be an extremely rare situation. People who actually want a secure MQ environment implement either SSL + OAM or Exit + OAM.
For the record, setmqaut is how an MQAdmin sets OAM user/group privileges.

Securing an MQ environment is a 2 phase process.
- Phase 1 is to set up authentication via a channel security exit or node-to-node security via SSL.
- Phase 2 is to apply group (user on Windows or z/OS) privileges to the MQ objects
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
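The setmqaut step of Roger's Phase 2, as an added example that is not part of the thread or of any product mentioned in it: a POSIX shell function that prints the commands giving one application group least-privilege access to a queue manager. QM1, appgrp, APP.REQUEST and APP.REPLY are constructed placeholder names supplied by the caller, and the object-name check (letters, digits, `.` `/` `_` `%`, at most 48 characters) is added here as a guard, not something the thread describes.

```shell
#!/bin/sh
# Added example, not code from the thread: print the setmqaut commands that
# give one application group least-privilege access to a queue manager
# (Roger's "Phase 2"). Queue manager, group and queue names are
# constructed placeholders supplied by the caller.

# Reject anything that is not a plain MQ object name: letters, digits,
# '.', '/', '_', '%', at most 48 characters. A stray space or wildcard
# would otherwise turn a queue name into a different (generic) profile.
valid_mq_name() {
  n=$1
  [ -n "$n" ] && [ ${#n} -le 48 ] || return 1
  case $n in
    *[!A-Za-z0-9._/%]*) return 1 ;;
  esac
  return 0
}

grant_app_role() {
  qm=$1; grp=$2; putq=$3; getq=$4
  # mqm is already a full administrator, and the thread's complaint is
  # precisely that applications end up running as mqm.
  if [ "$grp" = "mqm" ]; then
    echo "refusing to grant application authorities to group mqm" >&2
    return 1
  fi
  # OS group names are not MQ object names; only refuse whitespace and
  # shell metacharacters there.
  case $grp in
    ''|*[!A-Za-z0-9._-]*) echo "bad group name: '$grp'" >&2; return 1 ;;
  esac
  for n in "$qm" "$putq" "$getq"; do
    valid_mq_name "$n" || { echo "bad object name: '$n'" >&2; return 1; }
  done
  # Queue manager: connect and inquire only. No +dsp, +setall or +alladm;
  # those are administrator rights, not application rights.
  echo "setmqaut -m $qm -t qmgr -g $grp +connect +inq"
  # Producer side: put on the request queue, nothing else.
  echo "setmqaut -m $qm -t queue -n $putq -g $grp +put"
  # Consumer side: get and inquire on the reply queue. +browse is included
  # because most application code (and tooling) peeks before it reads.
  echo "setmqaut -m $qm -t queue -n $getq -g $grp +get +inq +browse"
}

# Review the output first, then apply it:
#   grant_app_role QM1 appgrp APP.REQUEST APP.REPLY        # print
#   grant_app_role QM1 appgrp APP.REQUEST APP.REPLY | sh   # apply
```

The function prints rather than runs setmqaut so the grant can be reviewed before it is piped to sh. Nothing here identifies the caller, which is Roger's point: OAM decides what an already-identified user id may do, so Phase 1 (a security exit or SSL on the channel) has to be in place before these authorities mean anything.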
David.Partridge
Posted: Thu Aug 07, 2008 11:00 pm
Master | Joined: 28 Jun 2001 | Posts: 249

Plus of course there's the option SSL + setmqaut without channel exits, which is where my current client is heading today (though they may also be using channel exits as well to filter on IP and/or DN over and above SSLPEER checking).
The issue of protection of message data (using digital signature and optional encryption) isn't addressed either - I assume that this is because end-to-end security in MQ is (regrettably) still rather a "niche" market.
_________________
Cheers,
David C. Partridge
zpat
Posted: Thu Aug 07, 2008 11:10 pm
Jedi Council | Joined: 19 May 2001 | Posts: 5866 | Location: UK

RogerLacroix wrote:
    Hi,
    Securing an MQ environment is a 2 phase process.
    - Phase 1 is to set up authentication via a channel security exit or node-to-node security via SSL.
    - Phase 2 is to apply group (user on Windows or z/OS) privileges to the MQ objects
    Hope that helps.
    Regards,
    Roger Lacroix
    Capitalware Inc.
Group security is also possible on Windows surely?
As for z/OS - RACF groups have been around for 25 years...
exerk
Posted: Thu Aug 07, 2008 11:35 pm
Jedi Council | Joined: 02 Nov 2006 | Posts: 6339

David.Partridge wrote:
    ...end to end security in MQ is (regrettably) still rather a "niche" market.
Surely an application responsibility?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
RogerLacroix
Posted: Fri Aug 08, 2008 7:18 pm
Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada

zpat wrote:
    RogerLacroix wrote:
        - Phase 2 is to apply group (user on Windows or z/OS) privileges to the MQ objects
    Group security is also possible on Windows surely?
What I was implying is for z/OS & Windows you can do both group and user privileges.

exerk wrote:
    David.Partridge wrote:
        ...end to end security in MQ is (regrettably) still rather a "niche" market.
    Surely an application responsibility?
The infrastructure should be concerned about end-to-end security and not applications. Applications should ONLY be concerned with business logic, and the infrastructure should have a methodology where end-to-end security can be implemented over an application without the application making changes, or with very minimal changes (i.e. like a blank).
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
exerk
Posted: Sat Aug 09, 2008 8:17 am
Jedi Council | Joined: 02 Nov 2006 | Posts: 6339

RogerLacroix wrote:
    The infrastructure should be concerned about end-to-end security and not applications...
We'll have to agree to differ on this one, as I feel that using infrastructure to handle end-to-end security is like asking the Post Office to encrypt the contents of letters in transit - it's not their job, and if the content is that important it should be encrypted before injection into a carrier system.
As far as I am concerned, if end-to-end security is important it should be part of the business logic - I can see (in clear) what is on queues.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
sami.stormrage
Posted: Sat Aug 09, 2008 1:03 pm
Disciple | Joined: 25 Jun 2008 | Posts: 186 | Location: Bangalore/Singapore

Quote:
    VladimirF wrote:
        We don't - OAM is disabled or MCAUSER set to mqm
    Sad but a lot of companies / MQAdmins actually do do this.
Yep! Even I did the same in test and QA environments..
_________________
*forgetting everything *
sami.stormrage
Posted: Sat Aug 09, 2008 1:08 pm
Disciple | Joined: 25 Jun 2008 | Posts: 186 | Location: Bangalore/Singapore

Quote:
    We'll have to agree to differ on this one, as I feel that using infrastructure to handle end-to-end security is like asking the Post Office to encrypt the contents of letters in transit - it's not their job, and if the content is that important it should be encrypted before injection into a carrier system.
    As far as I am concerned, if end-to-end security is important it should be part of the business logic - I can see (in clear) what is on queues.
    _________________
    It's puzzling, I don't think I've ever seen anything quite like this before...
Don't you think it defies MQ's actual job of keeping the applications away from the network jargon?
_________________
*forgetting everything *
exerk
Posted: Sun Aug 10, 2008 4:04 am
Jedi Council | Joined: 02 Nov 2006 | Posts: 6339

sami.stormrage wrote:
    ...Don't you think it defies MQ's actual job of keeping the applications away from the network jargon?
Abstracting the application from the transport has little to do with security (my view). End-to-end security is not the job of any one department, it is a collaborative effort of all departments.
Depending on the requirement it may be acceptable for traffic to be put in clear, but transported encrypted. However, as I have stated my belief before, if the data is so sensitive that it should only be 'seen' by the processing applications - encrypt/decrypt it at application level.
I am a product of my environment, hence my paranoia regarding when and where encryption should take place.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
RogerLacroix
Posted: Sun Aug 10, 2008 7:40 pm
Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada

exerk wrote:
    Abstracting the application from the transport has little to do with security (my view). End-to-end security is not the job of any one department, it is a collaborative effort of all departments.
If it is "All" then I call that the infrastructure's job.

exerk wrote:
    Depending on the requirement it may be acceptable for traffic to be put in clear, but transported encrypted. However, as I have stated my belief before, if the data is so sensitive that it should only be 'seen' by the processing applications - encrypt/decrypt it at application level.
You keep on describing node-to-node security. I don't think you understand what is meant by MQ End-To-End security.
MQ End-To-End security means as the client application does the MQPUT, the message data is encrypted and when the data is retrieved by the final application it is decrypted. This is true regardless of whether you use SSL or channel send/receive exit. Hence, no message data will be on the queue "in the clear".
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
exerk
Posted: Sun Aug 10, 2008 11:03 pm
Jedi Council | Joined: 02 Nov 2006 | Posts: 6339

RogerLacroix wrote:
    You keep on describing node-to-node security. I don't think you understand what is meant by MQ End-To-End security.
Then my fault is not describing my meaning accurately. I do understand end-to-end security, and feel WMQ is just a part of it, and do not restrict myself to just a parochial view of WMQ end-to-end security.

RogerLacroix wrote:
    MQ End-To-End security means as the client application does the MQPUT, the message data is encrypted and when the data is retrieved by the final application it is decrypted. This is true regardless of whether you use SSL or channel send/receive exit. Hence, no message data will be on the queue "in the clear".
Hence my comment about encryption being an application responsibility, although admittedly to a previous post in regard to WMQ end-to-end security, as WMQ does not offer (currently - maybe this should be one for the wish-list) true e2e security.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
David.Partridge
Posted: Mon Aug 11, 2008 12:06 am
Master | Joined: 28 Jun 2001 | Posts: 249

There are at least two add-on products that provide true MQ end-to-end security. I did the architecture, design and much of the implementation of one of them.
1) TAMBI (or whatever it is called this week) which can be purchased as part of the "extended security edition".
2) Primeur's Data Secure for Websphere MQ (DSMQ).
Not surprisingly, I'm not impartial about which one I consider the better product (the second one).
PS I don't work for Primeur these days.
Yes, I agree that it may be appropriate in many cases to have encryption and digital signature be the application's responsibility, and probably to hold the data encrypted when at rest in files and databases etc. as well as when moving.
However there are also many benefits from providing this sort of facility in the infrastructure. For example the application may be implemented using "off the shelf" software, and it's the data that determines that crypto is required. The end-to-end MQ security solutions step up to this because no application changes are necessary - it can all be done with configuration of the product.
_________________
Cheers,
David C. Partridge
RaoulDuke
Posted: Tue Sep 09, 2008 6:50 am
Newbie | Joined: 09 Sep 2008 | Posts: 3

Where do I get examples for security exits? I don't know how to secure Websphere MQ. I was told that you can use the server control channel to configure the server through every available listener. There is no possibility to restrict this somehow by default.
I cannot turn off the server control channel, because I think our Java client needs it to connect to the server and put/get messages.
It would help me a lot if I just had a security exit that I could put onto the server control channel, so that it can only be used from localhost, and not from everywhere else.
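As an added example that is not part of the thread, a shell audit for the two SVRCONN settings discussed above: the poll's first option (MCAUSER set to mqm, or left blank so the channel runs under whatever user id the client asserts) and a channel with no SSL cipher spec, which is the situation RaoulDuke describes on his server-connection channel. The runmqsc listing embedded in the block is constructed for the example and is not real output; on a live queue manager the same attributes come from `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH" | runmqsc QM1`, where QM1 is a placeholder name. This is plain sh and awk, not MQ's exit API, so it reads the listing after the fact rather than gating connections.

```shell
#!/bin/sh
# Added example, not code from the thread: audit SVRCONN channels for the
# two weak settings discussed above. Input is the text of a runmqsc
# "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH" listing.
# The listing below is constructed for the example; it is not real output.

SAMPLE_DISPLAY='AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appuser)                        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )'

# Print one line per finding ("<channel> <problem>") and return 1 when
# anything was flagged, so the function can gate a deployment script.
audit_svrconn() {
  printf '%s\n' "$1" | awk '
    # Walk every ATTRIBUTE(value) token; a CHANNEL token starts a record.
    {
      line = $0
      while (match(line, /[A-Z]+\([^)]*\)/)) {
        tok  = substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
        p    = index(tok, "(")
        key  = substr(tok, 1, p - 1)
        val  = substr(tok, p + 1, length(tok) - p - 1)
        gsub(/^ +| +$/, "", val)            # blank attributes display as "( )"
        if (key == "CHANNEL")      { report(); chl = val; mca = ""; ssl = "" }
        else if (key == "MCAUSER") mca = val
        else if (key == "SSLCIPH") ssl = val
      }
    }
    END { report(); exit (n > 0) }
    function report() {
      if (chl == "") return
      # Blank MCAUSER: the channel runs under whatever user id the client
      # asserts, mqm included. MCAUSER(mqm): every connection is an admin.
      if (mca == "")         { print chl " MCAUSER-blank"; n++ }
      else if (mca == "mqm") { print chl " MCAUSER-mqm";   n++ }
      # No cipher spec: no node-to-node authentication or encryption.
      if (ssl == "")         { print chl " no-SSLCIPH";    n++ }
    }
  '
}

# Typical use on a live queue manager (QM1 is a placeholder):
#   audit_svrconn "$(echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH" | runmqsc QM1)"
```

A SVRCONN that fails both checks is exactly the "we don't" option in the poll: any client that can reach the listener can present any user id, so OAM authorities set with setmqaut protect nothing. Later MQ releases (7.1 onward) added CHLAUTH rules that do the address and user id restriction RaoulDuke is asking for; this thread predates them, so a server-side channel security exit was the option at the time.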