MQ Security planning help
LouML
Posted: Tue Jul 21, 2009 10:35 am    Post subject: MQ Security planning help
Partisan, Joined: 10 Nov 2005, Posts: 305, Location: Jersey City, NJ / Bethpage, NY
I am the MQ administrator for our company. As a matter of fact, I am the only MQ person in our company and I'm also responsible for IBM Tivoli Monitoring and IBM Tivoli Workload Scheduler (as well as some other products).
When I took over responsibility for MQ, the environment was a total mess. We were running unsupported software (5.0, 5.1 and 5.2 on some servers, but mostly 5.3.12). We had no security in place. Most of the queue managers have OAM disabled. We are not using SSL. SVRCONN channels have the MCAUSER set to 'mqm'. The MQ password is a joke - pretty much the entire company knows what it is. I would have changed it from day one but was told to wait until we did the security project, so we would not 'break' existing apps (I'm guessing there are embedded passwords out there somewhere). Pretty much everything we could do wrong is being done.
Well, I've recently completed upgrades to 6.0.2.6 and things have been running pretty smoothly. We're holding off on going to 7.0 until we get a few fixpacks (or sixpacks???) under our belt (and we complete this Security project). Security was the one thing we decided to hold off on until after the upgrades, so we would be able to get support from IBM if needed. Now, however, we want to start to come up with a plan to tighten our security.
We currently have about 20 Production and about 10 Development Queue Managers spread among 7 application groups. These Queue Managers are all located behind a firewall. We do not do any external MQ. We do, however, have many client connections from Unix and Windows servers. I think our biggest concern is people accidentally connecting from group to group rather than any outside breaches. Another concern is people logging in as 'mqm' and doing things on their own.
I do not have much experience with MQ Security. We will be bringing in a consultant to help with this, however, I need to come up with a project plan/task list so that we can have an idea how long the consultant will be needed.
Any ideas as to what tasks need to be considered?
I'm obviously thinking:
- Change the 'mqm' password
- Lock down the SVRCONN channels
- Enable OAM
- Setup SSL
Are there any other security tasks I may have overlooked?
_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
veech23
Posted: Tue Jul 21, 2009 4:11 pm
Novice, Joined: 25 Apr 2007, Posts: 23, Location: canberra
Perhaps one step at a time:
http://t-rob.net/2008/07/08/websphere-mq-security-heats-up/
Make mqm a service account with no password.
Lock SVRCONN/RCVR/CLUSRCVR channels, including SYSTEM.AUTO.*, with either 'nobody' or app-specific users (this would give anyone access to the app-specific queues, but it's all about mitigating risk :) ).
Then secure them with SSL.
gbaddeley
Posted: Tue Jul 21, 2009 5:25 pm
Jedi Knight, Joined: 25 Mar 2003, Posts: 2538, Location: Melbourne, Australia
fjb_saper
Posted: Tue Jul 21, 2009 8:02 pm
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
And you should / could also look at some security exits. CapitalWare seems to have a good one out there ($$), or if you are less support conscious blockIP2 etc...
_________________
MQ & Broker admin
PeterPotkay
Posted: Wed Jul 22, 2009 9:40 am    Post subject: Re: MQ Security planning help
Poobah, Joined: 15 May 2001, Posts: 7722
LouML wrote:
    - Lock down the SVRCONN channels
Lock down all incoming channels. Your SVRCONNs may be tight as a drum, but I'll just connect to your QM's RCVR with my QM, and start administrating it remotely. Maybe I'll create a new open SVRCONN channel to make my job easier.
_________________
Peter Potkay
Keep Calm and MQ On
RogerLacroix
Posted: Wed Jul 22, 2009 1:07 pm    Post subject: Re: MQ Security planning help
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada
PeterPotkay wrote:
    LouML wrote:
        - Lock down the SVRCONN channels
    Lock down all incoming channels. Your SVRCONNs may be tight as a drum, but I'll just connect to your QM's RCVR with my QM, and start administrating it remotely. Maybe I'll create a new open SVRCONN channel to make my job easier.
Add cluster channels to the list. Make sure you apply security to all SYSTEM.DEF.* and SYSTEM.AUTO.* channels.
fjb_saper wrote:
    And you should / could also look at some security exits. CapitalWare seems to have a good one out there ($$)
Yes, I have 2 really good MQ security solutions: MQAUSX and MQSSX.
http://www.capitalware.biz/products.html
fjb_saper wrote:
    - Setup SSL
Why go through the complexities of SSL? I'll be happy to give a free 60-trial of either MQ security product. You even get free support during the trial.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
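The "lock down all incoming channels, including cluster channels and SYSTEM.DEF.* / SYSTEM.AUTO.*" advice in the two replies above, turned into a quick audit. This is an added example, not code from the thread or from any product mentioned in it: it parses the text `runmqsc` prints for `DISPLAY CHANNEL(*) CHLTYPE MCAUSER` and flags every inbound channel (SVRCONN, RCVR, RQSTR, CLUSRCVR) whose MCAUSER is blank or names an administrative id. The sample output and every channel name in it are constructed; the `nobody` id in the generated `ALTER CHANNEL` commands follows veech23's suggestion and is assumed to exist as an OS user that holds no MQ authority.

```python
"""Audit inbound MQ channel definitions for MCAUSER exposure.

Added example (not code from the forum thread).  Parses the output of
`runmqsc QMGR` for `DISPLAY CHANNEL(*) CHLTYPE MCAUSER` and reports
inbound channels that a remote party could use with more authority
than intended.  The sample output below is constructed to mirror the
runmqsc layout; all channel names are invented.
"""
import re

# Channel types on which a remote client or queue manager initiates the
# connection; outbound types (SDR, SVR, CLUSSDR) carry no MCAUSER risk.
INBOUND_TYPES = {"SVRCONN", "RCVR", "RQSTR", "CLUSRCVR"}
# Ids that carry full MQ administrative authority (assumption: Unix
# queue managers, where mqm is the admin user/group; the two Windows
# ids are included for completeness).
ADMIN_USERS = {"mqm", "MUSR_MQADMIN", "Administrator"}
# Channels MQ creates on every queue manager and that are easy to forget.
DEFAULT_PREFIXES = ("SYSTEM.DEF.", "SYSTEM.AUTO.")

SAMPLE_RUNMQSC_OUTPUT = """\
     1 : DISPLAY CHANNEL(*) CHLTYPE MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.AUTO.RECEIVER)           CHLTYPE(RCVR)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app2usr)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(SDR)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(CLUSRCVR)
   MCAUSER(nobody)
"""

# One runmqsc attribute: NAME(value); a blank value is printed as "( )".
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text):
    """Turn DISPLAY CHANNEL output into one attribute dict per channel."""
    channels = []
    # Each channel record starts with the AMQ8414 message id; the text
    # before the first one is the echoed command and is skipped.
    for record in text.split("AMQ8414:")[1:]:
        attrs = {key: value.strip() for key, value in ATTR_RE.findall(record)}
        if "CHANNEL" in attrs:
            channels.append(attrs)
    return channels


def audit_channels(channels):
    """Return (name, chltype, severity, reason) for each risky inbound channel."""
    findings = []
    for ch in channels:
        name, chltype = ch["CHANNEL"], ch.get("CHLTYPE", "")
        if chltype not in INBOUND_TYPES:
            continue
        mcauser = ch.get("MCAUSER", "")
        note = " (default channel)" if name.startswith(DEFAULT_PREFIXES) else ""
        if mcauser in ADMIN_USERS:
            findings.append((name, chltype, "CRITICAL",
                             f"MCAUSER({mcauser}) gives full administrative authority{note}"))
        elif mcauser == "":
            findings.append((name, chltype, "HIGH",
                             f"blank MCAUSER: channel runs as the MCA (mqm) or as the id "
                             f"the remote end supplies{note}"))
    return findings


def remediation_mqsc(findings, lowpriv_user="nobody"):
    """MQSC that pins each flagged channel to a low-privilege id.

    'nobody' must exist as an OS user and hold no MQ authority, so any
    connection over the channel is refused until a proper id is chosen.
    """
    return [f"ALTER CHANNEL('{name}') CHLTYPE({chltype}) MCAUSER('{lowpriv_user}')"
            for name, chltype, _, _ in findings]


if __name__ == "__main__":
    found = audit_channels(parse_channels(SAMPLE_RUNMQSC_OUTPUT))
    for name, chltype, severity, reason in found:
        print(f"{severity:8} {name:24} {chltype:9} {reason}")
    print()
    print("\n".join(remediation_mqsc(found)))
```

Run it against the real output of `runmqsc QMGR < display.mqsc` by reading that file instead of the constructed sample; on the sample it reports the two default channels as HIGH and APP1.SVRCONN as CRITICAL while leaving the SDR channel and the two channels already pinned to a non-admin id alone.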
mqjeff
Posted: Wed Jul 22, 2009 1:12 pm
Grand Master, Joined: 25 Jun 2008, Posts: 17447
SSL is no more complicated than any other security solution.
RogerLacroix
Posted: Wed Jul 22, 2009 1:41 pm
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada
mqjeff wrote:
    SSL is no more complicated than any other security solution.
I beg to differ.
Let's say you have an MQ Admin (intermediate level) with no SSL or security exit experience.
For this MQ Admin:
- It takes less than 2 hours for a new MQAUSX (or less time for MQSSX) user to have a fully secure queue manager.
- It takes days for him/her to secure just 1 queue manager with SSL.
This information comes straight from customers' experience. About once a month I get a call or email from a very frustrated MQ Admin saying they have given up on SSL and they want to try out MQSSX or MQAUSX.
I have 2 different customers whose MQ Admin just finished a basic MQ Administration course; they followed the simple instructions in the MQAUSX manual and now have secured their queue managers. No frustrations, no problems. (I'm not kidding.) What MQ "newbie" Admin could set up SSL on a queue manager in 2 hours?
Now maybe you have tried out other vendor security solutions that were very complex, but that is not my stuff. I go to great lengths to make a default install and setup really, really easy.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
bruce2359
Posted: Wed Jul 22, 2009 2:13 pm
Poobah, Joined: 05 Jan 2008, Posts: 9469, Location: US: west coast, almost. Otherwise, enroute.
You are facing a political nightmare going from zero security to security. I'm hoping that you have the full (absolute and unequivocal) support and approval of management before you begin this career-ending adventure.
If these prerequisites are in place, your first objective is to create a plan of what to do, what order to do it, and how to back out if necessary.
I'd start with something relatively simple and low-tech - enabling OAM. I'd test any and all of this in a test qmgr. Enabling OAM will limit who (which group) can MQCONNect to which qmgr, who can MQOPEN a queue, that kind of stuff. This is usually a good start; and will demonstrate your planning and technical skills (to keep you employed another day).
First, create groups - usually based on organization charts; create rules for what resources each group requires; add users to the group, turn on OAM. Pick a friendly group to begin this exercise. Once this group is complete, move on to the next group. Repeat.
Once this is tested, move it to production. You are going to do this in test, aren't you?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
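An added illustration of the group-based OAM model described in the reply above (not code from the thread). It resolves a user's authorities as the union of the authority records of the OS groups they belong to, checks whether an MQCONN followed by an MQOPEN with given options would be allowed, validates a group plan for least privilege before anything is granted, and emits the matching `setmqaut` commands. The plan, the group, queue and user names, and the membership table are all invented; the mqm bypass and group-only resolution are the OAM behaviour on Unix queue managers, which this example assumes.

```python
"""Group-based OAM authority model with setmqaut generation.

Added example, not code from the thread.  Models how the OAM on a Unix
queue manager resolves a user's authorities (union over the user's
groups; members of mqm bypass the checks) and what MQCONN + MQOPEN need.
Plan contents, group, queue and user names are all constructed.
"""

QMGR_PROFILE = "@QMGR"   # stands in for the queue manager object (setmqaut -t qmgr)

# Constructed plan: group -> object -> authorities, in setmqaut spelling.
PLAN = {
    "billing": {
        QMGR_PROFILE: {"connect", "inq"},
        "BILLING.IN": {"get", "browse", "inq"},
        "BILLING.OUT": {"put", "inq"},
    },
    "orders": {
        QMGR_PROFILE: {"connect", "inq"},
        "ORDERS.IN": {"get", "inq"},
    },
}

# Constructed OS group membership (primary plus supplementary groups).
USER_GROUPS = {
    "bill01": {"billing"},
    "ord01": {"orders"},
    "dev99": set(),        # belongs to no group in the plan
    "root": {"mqm"},       # mqm members bypass the OAM entirely
}

# Authorities an application group should never be handed.
ADMIN_AUTHS = {"set", "setid", "setall", "chg", "dlt", "clr", "crt", "all", "alladm"}

# MQOPEN option -> the single authority the OAM checks for it.
OPEN_OPTION_AUTH = {
    "MQOO_INPUT_AS_Q_DEF": "get", "MQOO_INPUT_SHARED": "get", "MQOO_INPUT_EXCLUSIVE": "get",
    "MQOO_OUTPUT": "put", "MQOO_BROWSE": "browse", "MQOO_INQUIRE": "inq", "MQOO_SET": "set",
}


def effective_auths(plan, user_groups, user, obj):
    """Union of the authorities granted to every group the user is in."""
    groups = user_groups.get(user, set())
    if "mqm" in groups:
        return {"all"}
    auths = set()
    for group in groups:
        auths |= plan.get(group, {}).get(obj, set())
    return auths


def _holds(auths, needed):
    return "all" in auths or needed in auths


def can_open(plan, user_groups, user, queue, open_options):
    """Simulate MQCONN then MQOPEN; return (allowed, set of missing authorities)."""
    if not _holds(effective_auths(plan, user_groups, user, QMGR_PROFILE), "connect"):
        return False, {"connect"}     # MQCONN itself is refused with MQRC_NOT_AUTHORIZED
    queue_auths = effective_auths(plan, user_groups, user, queue)
    missing = {OPEN_OPTION_AUTH[opt] for opt in open_options
               if not _holds(queue_auths, OPEN_OPTION_AUTH[opt])}
    return not missing, missing


def validate_plan(plan):
    """Least-privilege checks to run on a plan before any setmqaut is issued."""
    problems = []
    for group, objects in plan.items():
        if group == "mqm":
            problems.append("mqm is the admin group and must not appear in an application plan")
        if "connect" not in objects.get(QMGR_PROFILE, set()):
            problems.append(f"{group}: no +connect on the queue manager, so members cannot MQCONN")
        for obj, auths in objects.items():
            if auths & ADMIN_AUTHS:
                problems.append(f"{group}: administrative authorities {sorted(auths & ADMIN_AUTHS)} on {obj}")
    return problems


def setmqaut_commands(qmgr, plan):
    """The setmqaut commands that grant exactly what the plan says, in a stable order."""
    cmds = []
    for group in sorted(plan):
        for obj in sorted(plan[group]):
            flags = " ".join("+" + a for a in sorted(plan[group][obj]))
            if obj == QMGR_PROFILE:
                cmds.append(f"setmqaut -m {qmgr} -t qmgr -g {group} {flags}")
            else:
                cmds.append(f"setmqaut -m {qmgr} -t queue -n {obj} -g {group} {flags}")
    return cmds


if __name__ == "__main__":
    for problem in validate_plan(PLAN):
        print("PLAN PROBLEM:", problem)
    print("\n".join(setmqaut_commands("QM1", PLAN)))
    for user, queue, opts in [("bill01", "BILLING.IN", ["MQOO_INPUT_SHARED"]),
                              ("bill01", "ORDERS.IN", ["MQOO_INPUT_SHARED"]),
                              ("dev99", "BILLING.IN", ["MQOO_OUTPUT"])]:
        print(user, queue, can_open(PLAN, USER_GROUPS, user, queue, opts))
```

The evaluator is what makes the group-at-a-time rollout testable before OAM is switched on: for each application group, feed its users and the queues they open through `can_open` and fix the plan until only the expected denials remain (here `bill01` opening ORDERS.IN, and `dev99`, who is in no group, failing at MQCONN).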
LouML
Posted: Fri Jul 24, 2009 8:55 am
Partisan, Joined: 10 Nov 2005, Posts: 305, Location: Jersey City, NJ / Bethpage, NY
Thank you all for the comments and suggestions.
I'm taking it all under advisement and am coming up with a project plan to present to my Manager.
_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude