w1ndy
Posted: Thu Jun 13, 2013 6:10 am  Post subject: WMQ 7.5 and AMS on Linux
Apprentice, Joined: 19 Jan 2011, Posts: 38
Hi,
I've been footering with WMQ AMS on our new shiny Linux server. Having gone through the Infocentre Quick Start Guide, I now have Alice and Bob sharing encrypted messages.
Has anyone got a numpty guide they could share on how to do this at a queue manager level? For example, I have three queue managers all running under their own userids; the idea behind this was to have them encrypt and decrypt messages sent between them.
Any assistance gratefully received.
Windy
mqjeff
Posted: Thu Jun 13, 2013 6:16 am  Post subject:
Grand Master, Joined: 25 Jun 2008, Posts: 17447
So...
SSL on channels will encrypt/decrypt messages sent between two queue managers.
AMS lets you encrypt/decrypt messages that sit on queues, such that only known users can read or write those messages.
It's possible that one could configure a queue manager service user as an AMS user, and have it encrypt/decrypt any messages that are processed by things like MCAs, the Command Server, etc. But it will put a brutal workload on the qmgr, and likely cause instability, because not every internal MQ process will expect that it needs to call a message exit or use AMS functionality...
It's also not clear that this needs to be done, if one has otherwise ensured that only the queue manager service user can access internal queues, and that only relevant and necessary users can access the queue manager's file stores.
EDIT: Nor is it clear that there would be any "sensitive" information in queue manager internal messages that would benefit from being encrypted.
hughson
Posted: Fri Jun 14, 2013 8:04 am  Post subject: Re: WMQ 7.5 and AMS on Linux
Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand
w1ndy wrote:
Has anyone got a numpty guide they could share on how to do this at a queue manager level? For example, I have three queue managers all running under their own userids; the idea behind this was to have them encrypt and decrypt messages sent between them.

AMS is designed to encrypt messages between applications. Which messages were you thinking of when you wanted to encrypt messages between queue managers?
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
w1ndy
Posted: Mon Jun 17, 2013 12:13 am  Post subject: AMS
Apprentice, Joined: 19 Jan 2011, Posts: 38
Thanks Morag and Jeff, I totally realise that SSL deals with in-flight message encryption. Clumsy wordage.
I'm trying to get my head around the user scenario.
I don't have a concept like Alice and Bob, whereby they pass each other wee messages. I am looking for an enterprise solution, where we get messages from and send messages to external companies. Then once they hit our WMQ Hub they can be delivered to back-end queue managers and clients.
Whilst these messages are snoozing on queues I want them encrypted.
So I have set up my Linux queue managers to each run under a 'service account', and that's where I am coming from.
Thanks for taking the time to respond.
Windy
Tesco Bank
hughson
Posted: Mon Jun 17, 2013 1:02 am  Post subject: Re: AMS
Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand
w1ndy wrote:
I don't have a concept like Alice and Bob, whereby they pass each other wee messages. I am looking for an enterprise solution, where we get messages from and send messages to external companies. Then once they hit our WMQ Hub they can be delivered to back-end queue managers and clients.
Whilst these messages are snoozing on queues I want them encrypted.

If I understand what you're describing, your Alice is actually in another enterprise and is sending messages into an application in your own enterprise which will be read by Bob. Since Alice is in another company you cannot mandate that they use AMS, so you want to catch the messages as they come in over a channel and encrypt them from your boundary inwards. When the appropriate application (run under Bob) reads the messages from the queue in your system, at that point the message is decrypted. Am I close?
Assuming I'm on the right track, you should be aware that scenarios like this can be covered by intercepting the SVRCONN channel and applying AMS at that point (read MCA interception). Note that this does not apply to QMgr-QMgr channels (go here if you need to raise a requirement).
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
w1ndy
Posted: Mon Jun 17, 2013 6:23 am  Post subject: MCA Intercept
Apprentice, Joined: 19 Jan 2011, Posts: 38
Thanks Morag, I had read that; again, sadly the documentation is not that clear on where to set this up. It is my intention to try this out though. I have Bob and Alice now putting and getting as clients (Windows Server) from a Linux 7.5 queue manager.
The ultimate goal is to have an RPG call on iSeries reading from an AMS-encrypted queue.
Cheers
Windy
w1ndy
Posted: Tue Jun 18, 2013 12:16 am  Post subject: RFE
Apprentice, Joined: 19 Jan 2011, Posts: 38
w1ndy
Posted: Tue Oct 29, 2013 4:56 am  Post subject: Re: AMS
Apprentice, Joined: 19 Jan 2011, Posts: 38
Quote:
If I understand what you're describing, your Alice is actually in another enterprise and is sending messages into an application in your own enterprise which will be read by Bob. Since Alice is in another company you cannot mandate that they use AMS, so you want to catch the messages as they come in over a channel and encrypt them from your boundary inwards. When the appropriate application (run under Bob) reads the messages from the queue in your system, at that point the message is decrypted. Am I close?
Assuming I'm on the right track, you should be aware that scenarios like this can be covered by intercepting the SVRCONN channel and applying AMS at that point (read MCA interception). Note that this does not apply to QMgr-QMgr channels (go here if you need to raise a requirement).
Cheers
Morag

So the solution I have come up with here is to have a 'message mover' application which will decrypt the messages being sent from the 3rd party, which will be encrypted using MCA intercept.
The message mover will run under a non-interactive account and its sole function will be to take these messages, encrypted, from a local queue on my hub and write them, unencrypted, to a remote queue.
(This will ensure that the messages on the hub are encrypted at rest.)
This queue exists on another queue manager (running on IBM i, which doesn't support AMS) for processing by a business application.
How does that sound Morag?
Windy
PeterPotkay
Posted: Tue Oct 29, 2013 8:29 am  Post subject: Re: AMS
Poobah, Joined: 15 May 2001, Posts: 7722
w1ndy wrote:
The message mover will run under a non-interactive account and its sole function will be to take these messages, encrypted, from a local queue on my hub and write them, unencrypted, to a remote queue.
(This will ensure that the messages on the hub are encrypted at rest.)
This queue exists on another queue manager (running on IBM i, which doesn't support AMS) for processing by a business application.

If the channel to the remote QM is not running, the messages will be sitting in the XMITQ to the other QM. Unencrypted.
_________________
Peter Potkay
Keep Calm and MQ On
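The gap Peter points out can be checked rather than remembered: list the queues a message passes through on the hub and compare them against the AMS policies the queue manager actually has. The script below is an added example, not code from the thread or from IBM; it parses `dspmqspl -m <qmgr>` output in the layout shown in the constructed sample (the queue names and DNs are made up) and flags every hop that would hold clear-text messages, such as an XMITQ with no policy.

```python
"""Audit the 'message mover' path: which hub queues hold data in the clear?"""
import re

# Constructed sample of `dspmqspl -m HUB` output (field layout is assumed):
# only the inbound queue carries an AMS policy; the XMITQ to IBM i has none.
SAMPLE_DSPMQSPL = """\
Policy Details:
Policy name: INBOUND.3RDPARTY.Q
Quality of protection: PRIVACY
Signature algorithm: SHA256
Encryption algorithm: AES256
Signer DNs:
  CN=partner,O=example,C=GB
Recipient DNs:
  CN=mover,O=hub.example,C=GB
Toleration: 0
"""

# Queues a message visits on the hub under the mover design (constructed names).
MESSAGE_PATH = ["INBOUND.3RDPARTY.Q", "IBMI.XMITQ"]


def parse_policies(text):
    """Return {queue name: {field: value}} from dspmqspl output."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Policy name:\s*(\S+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        m = re.match(r"(Quality of protection|Encryption algorithm|Toleration):\s*(\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return policies


def clear_text_hops(path, policies):
    """Hops whose data at rest is not encrypted: no policy, a policy that
    only signs (QoP other than PRIVACY), or one tolerating unprotected puts."""
    exposed = []
    for queue in path:
        pol = policies.get(queue)
        if pol is None:
            exposed.append((queue, "no AMS policy"))
        elif pol.get("Quality of protection") != "PRIVACY":
            exposed.append((queue, "policy does not encrypt (QoP %s)" % pol.get("Quality of protection")))
        elif pol.get("Toleration") == "1":
            exposed.append((queue, "policy tolerates unprotected messages"))
    return exposed


if __name__ == "__main__":
    for queue, why in clear_text_hops(MESSAGE_PATH, parse_policies(SAMPLE_DSPMQSPL)):
        print("%s: %s" % (queue, why))
```

Feed it the real `dspmqspl` output and the queue names from your own hub; any line it prints is a place where the "encrypted at rest" claim does not hold.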
w1ndy
Posted: Wed Oct 30, 2013 1:32 am  Post subject:
Apprentice, Joined: 19 Jan 2011, Posts: 38
Thanks Peter, I did realise that, but what's a boy to do?
Personally I don't think this AMS is all it's cracked up to be, but my powers that be see it as the 'messages at rest' panacea.
Windy
RogerLacroix
Posted: Mon Nov 04, 2013 4:05 pm  Post subject:
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada
w1ndy wrote:
Thanks Peter, I did realise that, but what's a boy to do?

Have you looked at MQ Enterprise Security Suite? It does everything you have been asking about (encryption of data at rest and data in flight), plus it is supported on all platforms discussed, including IBM i (OS/400).
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
w1ndy
Posted: Tue Nov 05, 2013 1:27 am  Post subject:
Apprentice, Joined: 19 Jan 2011, Posts: 38
Looks good Roger, thanks. We have tried to contact Capitalware recently with regard to MQ Auditor by registering for a trial, then subsequently filling out a contact form, with no success.
Maybe you could rattle some cages for me. The AMS solution you have also looks to be the bizo given its platform coverage.
Windy
Andrew-dot-x-dot-Miller-at-tescobank.com
(middle name Xylophone)
EDIT by exerk: Windy, I've taken the liberty of obfuscating your email address to prevent screen-scraping bots flooding you with junk at a later date.
RogerLacroix
Posted: Tue Nov 05, 2013 9:30 am  Post subject:
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada
w1ndy wrote:
Looks good Roger, thanks. We have tried to contact Capitalware recently with regard to MQ Auditor by registering for a trial, then subsequently filling out a contact form, with no success.

I just checked the support email and my email and there are no recent emails from anyone at Tesco Bank. The last emails I can find are from 2011. Cyrus Semmence asked for an "Online demo of MQ Auditor". I replied that that's pretty difficult and it would be better to do a trial at your location. I never heard back from him.
You are more than welcome to have free trials (it includes free support) of MQ Auditor and MQ Enterprise Security Suite. I'll try and send you an email to that obfuscated address, but if you don't receive anything then send an email to support@capitalware.biz (exerk, don't obfuscate it; I use SpamAssassin to get rid of spam emails).
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter