wmbwmq
Posted: Mon Mar 05, 2012 8:51 am Post subject: IP based authentication.
Acolyte
Joined: 18 Jul 2011 Posts: 66
One of our QMGRs is performance critical and we have set up full-fledged OAM-based security on the SVRCONN. But this does not stop a developer who knows the name of the channel from connecting to the QMGR from their desktop with put/get permission on the relevant queues. What is the best way to avoid this? I know there is a security exit from Capitalware, but can this be done using SSL or some other way? Please note that we want to avoid any kind of encryption at the per-message level.
Thank you.

Vitor
Posted: Mon Mar 05, 2012 8:55 am Post subject: Re: IP based authentication.
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
wmbwmq wrote:
> I know there is a security exit from Capitalware
Also BlockIP2.
wmbwmq wrote:
> but can this be done using SSL or some other way?
SSL is another way to achieve this, though clearly not IP based (which your subject line indicated).
_________________
Honesty is the best policy.
Insanity is the best defence.

wmbwmq
Posted: Mon Mar 05, 2012 9:04 am Post subject:
Acolyte
Joined: 18 Jul 2011 Posts: 66
Okay, if not IP, we can actually live with the certificate thing also. So using SSL, during setup how do we turn off the message encryption thing? Sorry, I am not that good at SSL.

exerk
Posted: Mon Mar 05, 2012 9:23 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Migrate to V7.1 and use the in-built channel security it offers.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
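What "in-built channel security" means on V7.1 is channel authentication records (CHLAUTH). The following is an added example, not part of exerk's post: a rule set for one SVRCONN that denies by default, allows one subnet, blocks administrator IDs, and maps a TLS client certificate to a fixed low-privilege user. The queue manager name QM1, the channel APP.SVRCONN, the 10.20.30.* subnet, the certificate DN and the user IDs devuser/appsvc are all assumed for illustration.

```mqsc
* Added example (not from the thread): MQ 7.1 CHLAUTH rules for one
* SVRCONN channel. QM1, APP.SVRCONN, the subnet, the DN and the user
* IDs are assumed. Run with:  runmqsc QM1 < chlauth.mqsc

* A queue manager created at 7.1 has CHLAUTH(ENABLED) by default, but a
* migrated one keeps CHLAUTH(DISABLED), so switch it on explicitly.
ALTER QMGR CHLAUTH(ENABLED)

* 1. Default deny: no address may connect to this channel...
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Deny everything not matched below')

* 2. ...except the application tier. USERSRC(CHANNEL) keeps the user ID
*    the channel would normally use (MCAUSER if set on the channel
*    definition, otherwise the ID flowed by the client), still subject
*    to OAM on the queues.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.20.30.*') +
    USERSRC(CHANNEL) DESCR('Application tier only')

* 3. Never let an MQ administrator ID in over this channel, even from
*    the allowed subnet. *MQADMIN expands to mqm, MUSR_MQADMIN, etc.
SET CHLAUTH('APP.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    DESCR('No admin IDs over the application channel')

* 4. Map a specific TLS client certificate to a known MCAUSER, so the
*    identity comes from the certificate, not the client's OS user ID.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=appserver01,OU=Payments,O=Example Corp') +
    USERSRC(MAP) MCAUSER('appsvc') DESCR('Cert-authenticated app server')

* Verify the outcome for a given client: the most specific rule wins,
* not the one defined last. A developer desktop outside the subnet
* should hit rule 1 and be refused.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) +
    CLNTUSER('devuser') ADDRESS('192.168.5.17')
```

Two caveats for the case in the original post. First, ADDRESSMAP alone is only as strong as the network: a developer who can reach the 10.20.30.* range, or spoof into it, passes rule 2, and at 7.1 the flowed user ID is asserted by the client and not checked against a password (that only arrived with CONNAUTH in V8.0), so rule 4 with a client certificate is what actually authenticates. Second, CHLAUTH decides who gets on the channel and as which MCAUSER; OAM (setmqaut) still decides what that MCAUSER may do, so the two need to be designed together.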

mqjeff
Posted: Mon Mar 05, 2012 9:41 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
wmbwmq wrote:
> Okay, if not IP, we can actually live with the certificate thing also. So using SSL, during setup how do we turn off the message encryption thing? Sorry, I am not that good at SSL.
The name of the SSLCIPH controls what portions of the exchange are encrypted.
In most cases, adding full encryption is not a significant overhead.
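To make mqjeff's point concrete, here is an added example (not from the thread) of the same SVRCONN defined twice: once with a CipherSpec that does the certificate handshake and integrity checking but no bulk encryption, and once with an encrypting CipherSpec. Only SSLCIPH differs. The queue manager QM1, the key repository path, the channel name, the DN filter and the MCAUSER are assumed.

```mqsc
* Added example (not from the thread): authentication-only TLS on a
* SVRCONN versus the same channel with encryption. QM1, the key
* repository path, APP.SVRCONN, the DN filter and appsvc are assumed.

* Queue manager key repository (path without the .kdb suffix).
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key')

* NULL_SHA negotiates a null bulk cipher: the handshake still validates
* both certificates and every record carries a SHA-1 MAC, but the
* payload goes in the clear. SSLCAUTH(REQUIRED) forces the client to
* present a certificate; SSLPEER limits which DNs are accepted; a fixed
* MCAUSER stops the client's own OS user ID from being used for OAM.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
    SSLCIPH(NULL_SHA) SSLCAUTH(REQUIRED) +
    SSLPEER('O=Example Corp,OU=Payments') +
    MCAUSER('appsvc') REPLACE

* The same channel with an encrypting CipherSpec. The handshake cost
* (the expensive part, paid once per connection) is identical; only the
* per-record symmetric work is added.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
    SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
    SSLPEER('O=Example Corp,OU=Payments') +
    MCAUSER('appsvc') REPLACE

* Pick up key repository or CipherSpec changes without a restart, then
* confirm what the channel will actually negotiate.
REFRESH SECURITY TYPE(SSL)
DISPLAY CHANNEL('APP.SVRCONN') SSLCIPH SSLCAUTH SSLPEER MCAUSER
```

Points to check before relying on this. The client must negotiate exactly the same SSLCIPH, which means a CLNTCONN definition in a CCDT or an MQCD on MQCONNX, not the MQSERVER environment variable, and its own key repository (MQSSLKEYR) holding a certificate that the queue manager trusts. NULL_SHA is listed in the MQ CipherSpec table as an SSL 3.0 CipherSpec; later fix packs and releases disable SSL 3.0 and weak CipherSpecs by default, so check the table and the enablement settings for your level, and prefer a TLS-level null CipherSpec if one is available there. And a NULL CipherSpec protects integrity and authenticates the peer but leaves headers and payload readable on the wire, which is only acceptable because, as the original poster says later, the payload is already encrypted by the application.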

Vitor
Posted: Mon Mar 05, 2012 9:44 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
wmbwmq wrote:
> So using SSL, during setup how do we turn off the message encryption thing?
Don't use it in the first place? A better question would be: if you're worried about unauthorised people inserting messages, why not use encryption? If the answer is "because we need the messages to go as fast as possible", be ashamed.
wmbwmq wrote:
> Sorry, I am not that good at SSL.
Then you'd better be before you start trying to configure it, or find an alternative method. It's a bit unforgiving (for obvious reasons: a badly configured SSL setup looks a lot like someone trying to break in!)

wmbwmq
Posted: Mon Mar 05, 2012 2:25 pm Post subject:
Acolyte
Joined: 18 Jul 2011 Posts: 66
The server is in a trusted zone and the message payloads are in fact encrypted at the app level, so why encrypt them again at MQ? So our requirement is only to authenticate; hence I was considering using SSL without the message encryption thing, but maybe at the handshake level. I was checking if it is possible in the first place.
And lol, why would I be ashamed, and for what? Requirements change. Tasks get prioritized. Otherwise people would want to live in a bank vault instead of home sweet home. And even if you are using SSL with 1024-bit encryption, you think you are safe? Think again. So it's more like what level of security I can live with for now.

bruce2359
Posted: Mon Mar 05, 2012 2:51 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
wmbwmq wrote:
> So using SSL, during setup how do we turn off the message encryption thing? Sorry, I am not that good at SSL.
You should at least feel a bit guilty for not telling us that the message payload is already encrypted by the app. How would we know this? Our response was one of collective incredulity.
If all you are after is authentication, SSL will work fine. While the handshake is labor-intensive, it only occurs at channel-attach time, which should be fairly infrequent.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

Vitor
Posted: Mon Mar 05, 2012 5:18 pm Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
wmbwmq wrote:
> The server is in a trusted zone and the message payloads are in fact encrypted at the app level, so why encrypt them again at MQ? So our requirement is only to authenticate; hence I was considering using SSL without the message encryption thing, but maybe at the handshake level. I was checking if it is possible in the first place.
And I knew the data was encrypted how? If the server is in a trusted zone, why do you need IP-level security on WMQ rather than network security?
wmbwmq wrote:
> And lol, why would I be ashamed, and for what? Requirements change. Tasks get prioritized.
Knowing what you're doing is always a priority requirement. Giving all the circumstances when you ask a question is a priority requirement.
wmbwmq wrote:
> Otherwise people would want to live in a bank vault instead of home sweet home.
Most bank data does live in a vault (or the electronic equivalent) rather than a sweet little house.
wmbwmq wrote:
> And even if you are using SSL with 1024-bit encryption, you think you are safe? Think again.
Yes, but cracking 1024-bit SSL does keep people amused for a while. But it's always easier to crack a system using the user's password they've put on a Post-It on their desk rather than in transit.
wmbwmq wrote:
> So it's more like what level of security I can live with for now.
Or the level your security audit function will live with.

wmbwmq
Posted: Mon Mar 05, 2012 9:50 pm Post subject:
Acolyte
Joined: 18 Jul 2011 Posts: 66
Thank you mqjeff, exerk, bruce and Vitor for the valuable suggestions. I have a good understanding now.
Vitor, maybe you are right; I can't decide when it comes to security. My main focus in general has always been on attacks from outside the organization. And when it comes to someone inside the organization?...the whole thing looks a little grey to me.

Vitor
Posted: Tue Mar 06, 2012 5:35 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
wmbwmq wrote:
> And when it comes to someone inside the organization?...the whole thing looks a little grey to me.
Grey or dark blue; the suit colour of choice for an auditor.