WMQ 7.5 and AMS on Linux
w1ndy
Posted: Thu Jun 13, 2013 6:10 am    Post subject: WMQ 7.5 and AMS on Linux

Apprentice

Joined: 19 Jan 2011
Posts: 38

Hi,

I've been footering with WMQ AMS on our new shiny Linux server. Having gone through the Infocentre Quick Start Guide, I now have Alice and Bob sharing encrypted messages.

Has anyone got a numpty guide they could share on how to do this at a queue manager level? For example, I have three queue managers all running under their own userids, the idea behind which was to have them encrypt messages and decrypt messages sent between them.

Any assistance gratefully received.

Windy
mqjeff
Posted: Thu Jun 13, 2013 6:16 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

So...

SSL on channels will encrypt/decrypt messages sent between two queue managers.

AMS lets you encrypt/decrypt messages that sit on queues, such that only known users can read or write those messages.

It's possible that one could configure a queue manager service user as an AMS user, and have it encrypt/decrypt any messages that are processed by things like MCAs and Command Server and etc... But it will put a brutal workload on the qmgr, and likely cause instability because not every internal MQ process will expect that it needs to call a message exit or use AMS functionality...

It's also not clear that this needs to be done, if one has otherwise ensured that only the queue manager service user can access internal queues, and that only relevant and necessary users can access the queue manager's file stores.

EDIT: Nor is it clear that there would be any "sensitive" information in queue manager internal messages that would benefit from being encrypted.
hughson
Posted: Fri Jun 14, 2013 8:04 am    Post subject: Re: WMQ 7.5 and AMS on Linux

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

w1ndy wrote:
Has anyone got a numpty guide they could share on how to do this at a queue manager level? For example, I have three queue managers all running under their own userids, the idea behind which was to have them encrypt messages and decrypt messages sent between them.

AMS is designed to encrypt messages between applications. Which messages were you thinking of when you wanted to encrypt messages between queue managers?

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
w1ndy
Posted: Mon Jun 17, 2013 12:13 am    Post subject: AMS

Apprentice

Joined: 19 Jan 2011
Posts: 38

Thanks Morag and Jeff, I totally realise that SSL deals with in-flight message encryption. Clumsy wordage.

I'm trying to get my head around the user scenario.

I don't have a concept like alice and bob, whereby they pass each other wee messages. I am looking for an enterprise solution, where we get messages from and send messages to external companies. Then once they hit our WMQ Hub they can be delivered to back end queue managers and clients.

Whilst these messages are snoozing on queues I want them encrypted.

So I have set up my Linux queue managers to each run under a 'service account' and that's where I am coming from.

Thanks for taking the time to respond

Windy
Tesco Bank
hughson
Posted: Mon Jun 17, 2013 1:02 am    Post subject: Re: AMS

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

w1ndy wrote:
I don't have a concept like alice and bob, whereby they pass each other wee messages. I am looking for an enterprise solution, where we get messages from and send messages to external companies. Then once they hit our WMQ Hub they can be delivered to back end queue managers and clients.

Whilst these messages are snoozing on queues I want them encrypted.

If I understand what you're describing, your alice is actually in another enterprise and is sending messages into an application in your own enterprise which will be read by bob. Since alice is in another company you cannot mandate that they use AMS, so you want to catch the messages as they come in over a channel and encrypt them from your boundary inwards. When the appropriate application (run under bob) reads the messages from the queue in your system, at that point the message is decrypted. Am I close?

Assuming I'm on the right track, you should be aware that scenarios like this can be covered by intercepting the SVRCONN channel and applying AMS at that point (read MCA interception). Note that this does not apply to QMgr-QMgr channels (go here if you need to raise a requirement).

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
w1ndy
Posted: Mon Jun 17, 2013 6:23 am    Post subject: MCA Intercept

Apprentice

Joined: 19 Jan 2011
Posts: 38

Thanks Morag, I had read that, again, sadly the documentation is not that clear where to set this up. It is my intention to try this out though. I have Bob and Alice now putting and getting as clients (Windows Server) from Linux 7.5 queue manager.

Ultimate goal is to have an RPG call on iSeries reading from an AMS encrypted queue.

Cheers

Windy
w1ndy
Posted: Tue Jun 18, 2013 12:16 am    Post subject: RFE

Apprentice

Joined: 19 Jan 2011
Posts: 38

I see someone beat me to the RFE

http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=29919

Here's hoping. As like the raised we need PCI/Compliance and we have Credit Card messages being sent to a queue manager at TSYS which will need to be encrypted at rest.

Thanks again

Windy
w1ndy
Posted: Tue Oct 29, 2013 4:56 am    Post subject: Re: AMS

Apprentice

Joined: 19 Jan 2011
Posts: 38

Quote:
If I understand what you're describing, your alice is actually in another enterprise and is sending messages into an application in your own enterprise which will be read by bob. Since alice is in another company you cannot mandate that they use AMS, so you want to catch the messages as they come in over a channel and encrypt them from your boundary inwards. When the appropriate application (run under bob) reads the messages from the queue in your system, at that point the message is decrypted. Am I close?

Assuming I'm on the right track, you should be aware that scenarios like this can be covered by intercepting the SVRCONN channel and applying AMS at that point (read MCA interception). Note that this does not apply to QMgr-QMgr channels (go here if you need to raise a requirement).

Cheers
Morag


So the solution I have come up with here is to have a 'message mover' application which will decrypt the messages being sent from the 3rd party which will be encrypted using MCA intercept.

The message mover will run under a non-interactive account and its sole function will be to take these messages from a local queue on my hub encrypted and write them to a remote queue unencrypted.

(This will ensure that the messages at rest on the hub are encrypted at rest)

This queue exists on another queue manager (running on IBMi, which doesn't support AMS) for processing by a business application.



How does that sound Morag?



Windy
PeterPotkay
Posted: Tue Oct 29, 2013 8:29 am    Post subject: Re: AMS

Poobah

Joined: 15 May 2001
Posts: 7722

w1ndy wrote:

The message mover will run under a non-interactive account and its sole function will be to take these messages from a local queue on my hub encrypted and write them to a remote queue unencrypted.

(This will ensure that the messages at rest on the hub are encrypted at rest)

This queue exists on another queue manager (running on IBMi, which doesn't support AMS) for processing by a business application.


If the channel to the remote QM is not running, the messages will be sitting in the XMITQ to the other QM. Unencrypted.
_________________
Peter Potkay
Keep Calm and MQ On
w1ndy
Posted: Wed Oct 30, 2013 1:32 am

Apprentice

Joined: 19 Jan 2011
Posts: 38

Thanks Peter, I did realise that, but what's a boy to do

Personally I don't think this AMS is all it's cracked up to be but my powers that be see it as the 'messages at rest' panacea.

Windy
RogerLacroix
Posted: Mon Nov 04, 2013 4:05 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

w1ndy wrote:
Thanks Peter, I did realise that, but what's a boy to do

Have you looked at MQ Enterprise Security Suite? It does everything you have been asking about (encryption of data at rest & data inflight) plus it is supported on all platforms discussed including IBM i (OS/400).

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
w1ndy
Posted: Tue Nov 05, 2013 1:27 am

Apprentice

Joined: 19 Jan 2011
Posts: 38

Looks good Roger, thanks. We have tried to contact Capitalware recently with regard to MQ Auditor by registering for a trial, then subsequently filling out a contact form with no success.

Maybe you could rattle some cages for me. The AMS solution you have also looks to be the bizo given its platform coverage.

Windy

Andrew-dot-x-dot-Miller-at-tescobank.com

(middle name Xylophone)

EDIT by exerk: Windy, I've taken the liberty of obfuscating your email address to prevent screen-scraping bots flooding you with junk at a later date.
RogerLacroix
Posted: Tue Nov 05, 2013 9:30 am

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

w1ndy wrote:
Looks good Roger, thanks. We have tried to contact Capitalware recently with regard to MQ Auditor by registering for a trial, then subsequently filling out a contact form with no success.

I just checked the support email and my email and there are no recent emails from anyone at Tesco Bank. The last emails I can find are from 2011. Cyrus Semmence asked for an "Online demo of MQ Auditor". I replied with that's pretty difficult and it would be better to do a trial at your location. I never heard back from him.

You are more than welcome to have free trials (it includes free support) of MQ Auditor and MQ Enterprise Security Suite. I'll try and send you an email to that obfuscated email but if you don't receive anything then send an email to support@capitalware.biz (exerk don't obfuscate it - I use SpamAssassin to get rid of spam emails)

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!