mfsmqtech
Posted: Thu Apr 23, 2009 3:13 pm Post subject: message body encryption
Novice
Joined: 07 May 2008 Posts: 10 Location: Boston, MA
Hi everyone,
We currently use SSL channel encryption, which works great, but I have a need to take things a step further.
Some of my business units are not overjoyed that, as the MQ admin, we can view message body content.
MQSeries ESE would solve the problem but it is kind of overkill.
A DataPower appliance might also solve the issue but it might be pricey.
What options have you used to make this happen?

fjb_saper
Posted: Thu Apr 23, 2009 3:20 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Well, MQ does not care about the content of the message. Just remember that there will be no translation of a char code set into another.... as with encrypted content I expect your messages to be all with MQFMT_NONE.
The sender and receiver will have to encrypt/decrypt themselves.
Enjoy
_________________
MQ & Broker admin

gbaddeley
Posted: Thu Apr 23, 2009 4:59 pm Post subject:
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
Modify the application code to encrypt and decrypt the data content of the messages, e.g. write a wrapper for the MQI that uses (say) AES and does key management.
This is probably more work and ongoing maintenance cost than using MQ ESE, and probably less secure!
_________________
Glenn
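A sketch of the application-side wrapper suggested in the post above, added here as an example and not code from the thread or from any product named in it. It uses AES-GCM from the Go standard library; the names `Seal` and `Open`, the `keyID | nonce | ciphertext+tag` layout, the key map and the binding of the queue name are assumptions of the example, and the actual MQI put/get calls and key distribution are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const nonceLen, tagLen = 12, 16 // AES-GCM defaults in crypto/cipher

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs before the put; output is keyID | nonce | ciphertext+tag (example layout).
func Seal(keys map[byte][]byte, keyID byte, queue string, body []byte) ([]byte, error) {
	gcm, err := newGCM(keys[keyID]) // unknown key id -> nil key -> error
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append([]byte{keyID}, queue...) // authenticated, not encrypted
	return gcm.Seal(append([]byte{keyID}, nonce...), nonce, body, aad), nil
}

// Open runs after the get; it rejects modified or re-queued messages.
func Open(keys map[byte][]byte, queue string, msg []byte) ([]byte, error) {
	if len(msg) < 1+nonceLen+tagLen {
		return nil, fmt.Errorf("message too short: %d bytes", len(msg))
	}
	gcm, err := newGCM(keys[msg[0]])
	if err != nil {
		return nil, err
	}
	aad := append([]byte{msg[0]}, queue...)
	return gcm.Open(nil, msg[1:1+nonceLen], msg[1+nonceLen:], aad)
}

func main() {
	// Constructed all-zero demo key and queue name, for illustration only.
	m, err := Seal(map[byte][]byte{1: make([]byte, 32)}, 1, "PAYROLL.IN", []byte("salary=100000"))
	fmt.Printf("%x %v\n", m, err) // what someone browsing the queue would see
}
```

The sealed bytes are binary, so such a message would be put with MQFMT_NONE, as noted earlier in the thread.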

sumit
Posted: Fri Apr 24, 2009 12:03 am Post subject:
Partisan
Joined: 19 Jan 2006 Posts: 398
Or maybe you can use send and receive exits to encrypt and then decrypt the data.
_________________
Regards
Sumit

PeterPotkay
Posted: Fri Apr 24, 2009 3:37 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
sumit wrote:
Or maybe you can use send and receive exits to encrypt and then decrypt the data.

This will not help encrypt the data sitting on the queues, so in effect it's not better than SSL for solving mfsmqtech's problem.
_________________
Peter Potkay
Keep Calm and MQ On

bruce2359
Posted: Fri Apr 24, 2009 5:38 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Quote:
we can view message body content

Of course we can - we have root access. We can look at payroll data, inventory data, whatever we like. We also have ethics, and can be trusted and fired. The business unit can look at the data, too.
This is a management issue, not a technical one.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

RogerLacroix
Posted: Fri Apr 24, 2009 6:26 am Post subject: Re: message body encryption
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
mfsmqtech wrote:
We currently use SSL channel encryption, which works great, but I have a need to take things a step further.
What options have you used to make this happen?

Hi,
Have you looked at MQ Instant Secure Data (MQISD)?
MQISD is designed to encrypt data during message transmission. For encryption of data at rest, Capitalware includes a free license of Instant Secure Data API (ISDAPI) for each MQISD license purchased. ISDAPI allows an application to encrypt data at rest. ISDAPI is used to encrypt the message data before it reaches the queue. As a result, the data at rest in the queue is encrypted. Hence, the message data written by MQ to the MQ logfile will be encrypted. Data encrypted with ISDAPI is in a binary format and all MQ functions work as expected including message replay from MQ logfile.
Due to the concerns over XTEA, Capitalware has decided to remove XTEA from MQISD (& ISDAPI) and to replace it with AES (Advanced Encryption Standard) with key support for 128, 192 and 256 bits. Capitalware will implement the AES cryptography as published (public domain) by OpenSSH and approved by National Institute of Standards and Technology (NIST). The NIST publication for AES is Federal Information Processing Standards (FIPS) 197 2001.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!