MQCE, SSL, MQ Advanced Message Security
tczielke
Posted: Sun Mar 09, 2014 4:39 am Post subject:
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
Yes, I can see that now. My underlying concern with the SSL/TLS approach has been how the encryption algorithm that will be used between the client and server could be snooped by an intruder, and then knowing the algorithm could make it easier to decrypt the data. However, I did do more research on methods like parallel brute force attacks, and that does take a long time as Roger stated. However, I still do think that an encryption approach that would not have to share the agreed upon encryption algorithm between the client and server (I was thinking the Capitalware MQCE product would be able to do that) because it is already known by the partners does add another layer of security. The less the hacker knows about the encryption method being used, the better. Thanks again for the replies. I appreciate the time and the information!
Thanks,
Tim
bruce2359
Posted: Sun Mar 09, 2014 6:45 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
tczielke wrote:
... I did do more research ... However, I still do think that an encryption approach that would not have to share the agreed upon encryption algorithm between the client and server (I was thinking the Capitalware MQCE product would be able to do that) because it is already known by the partners does add another layer of security.
The agreed-upon algorithm is NOT shared; rather, it is one of those already published and publicly known. Keep reading.
The two ends of the channel exchange some private random data that only they know. Keep reading. You need to understand how public keys are acquired from a CA, and how public/private keys are used to encrypt/decrypt.
Knowing the encryption/hashing algorithms, and having access to the encrypted data, does NOT give you (a hacker) enough information to decrypt the encrypted data. Keep reading.
You need to understand CRLs, key expiry, and more.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
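The point bruce2359 makes above (the algorithm is public; what stays private is the random data each end contributes) can be shown in code. The following Python is an added example written for this page, not code from the thread, from IBM MQ or from Capitalware. It uses a toy-size Diffie-Hellman group (the Mersenne prime 2**127 - 1 with generator 2, chosen here only so the numbers stay readable; TLS uses standardized groups or elliptic curves) and a small HKDF helper of its own. An eavesdropper who captures everything on the wire holds p, g and both public values, but neither private exponent, so cannot compute the session key; the exchange is deliberately unauthenticated, which is exactly the gap that CA-issued certificates, CRLs and expiry checks close in real TLS.

```python
import hashlib
import hmac
import secrets

# Toy-scale Diffie-Hellman group, constructed for this demo only: p is the
# Mersenne prime 2**127 - 1 with generator 2. Real TLS uses standardized
# groups (RFC 3526 MODP groups or elliptic curves); the mechanism is the same.
P = (1 << 127) - 1
G = 2
KEY_LEN = 32  # 256-bit session key


def hkdf_sha256(ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256 and an empty salt."""
    prk = hmac.new(b"", ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class ChannelEnd:
    """One end of the channel. The exponent is the 'private random data that
    only they know'; only g^x mod p is ever placed on the wire."""

    def __init__(self, name: str):
        self.name = name
        self._exponent = secrets.randbelow(P - 2) + 1  # never transmitted
        self.public = pow(G, self._exponent, P)        # transmitted in clear

    def session_key(self, peer_public: int, transcript: bytes) -> bytes:
        shared = pow(peer_public, self._exponent, P)
        ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
        # Mixing the transcript into the KDF ties the key to the exact values
        # each side saw; a substituted public value yields mismatched keys.
        return hkdf_sha256(ikm, b"mq-channel-demo|" + transcript)


def transcript_of(wire: dict) -> bytes:
    """Everything an intruder on the network would have captured, serialized."""
    return b"|".join(f"{k}={wire[k]}".encode() for k in ("p", "g", "A", "B"))


def handshake() -> dict:
    """Run one key agreement between a client and a queue manager.

    The returned 'wire' dict is the complete eavesdropper view: the public
    algorithm parameters and both public values, nothing else."""
    client, qmgr = ChannelEnd("client"), ChannelEnd("qmgr")
    wire = {"p": P, "g": G, "A": client.public, "B": qmgr.public}
    t = transcript_of(wire)
    return {
        "client": client,
        "qmgr": qmgr,
        "wire": wire,
        "client_key": client.session_key(wire["B"], t),
        "qmgr_key": qmgr.session_key(wire["A"], t),
    }


if __name__ == "__main__":
    h = handshake()
    print("captured on the wire:", {k: hex(v)[:18] + "..." for k, v in h["wire"].items()})
    print("client key :", h["client_key"].hex())
    print("qmgr key   :", h["qmgr_key"].hex())
    print("keys agree :", hmac.compare_digest(h["client_key"], h["qmgr_key"]))
```

Each run produces a fresh key from fresh exponents, so a recorded session and a published algorithm give an intruder nothing reusable; what the demo does not do is prove who sent public value A or B, which is the job of the certificate and CA machinery discussed in the rest of the thread.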
jfecq
Posted: Sun Mar 09, 2014 10:44 pm Post subject:
Apprentice
Joined: 24 Sep 2012 Posts: 36
Thank you!
RogerLacroix wrote:
Hi,
Ok. Let's go over a few points first:
(1) MQ SSL is included with MQ but requires SSL certificates and is used to encrypt data as it passes over MQ channels (between 2 points only), i.e. data in flight.
(2) MQCE is a Capitalware product that provides encryption for WebSphere MQ (WMQ) message data over WMQ channels, i.e. data in flight.
(3) WMQ AMS is an IBM product that provides end-to-end encryption or application-level encryption of message data, i.e. the message data is encrypted when the application does the MQPUT and is not decrypted until the receiving application performs an MQGET.
I created MQCE as a direct competitor to MQ SSL. Why? Because MQ SSL is messy and requires a LOT of manual effort by the MQAdmin.
Major Features of MQCE:
- Easy to set up and configure (unlike SSL)
- No application changes required
- Can be configured as either a queue manager to queue manager or a client application to queue manager solution
- All message data flowing over a channel will be encrypted (nothing missed or forgotten)
- Secure encryption/decryption methodology using AES with 128, 192 or 256-bit keys
- Standard MQ feature, GET-with-Convert, is supported
- Provides high-level logging capability for encryption / decryption processing
- Cost is $299.00 (cheaper in volume) per queue manager plus 15% yearly maintenance and support fee
Here are some MQ SSL disadvantages:
- SSL Certificates must be purchased YEARLY at a cost of roughly $400 USD.
- SSL certificates expire, requiring regular repurchase, renewal and then the MQAdmin needs to deploy the SSL certificates.
- There is no logging capability to see who accessed which queue manager.
- This form of security is only as secure as the integrity of the client side certificates. Anyone who possesses a copy of the certificate will have full access (it is extremely easy to copy a keystore on a Windows Server).
- SSL is Node-to-Node security and NOT End-to-End security. Node-to-Node security means that any application running on the server can connect to the queue manager. It is far better to control each application that is connecting to a queue manager (i.e. End-to-End).
Configuration / Management:
- When a customer purchases MQCE license(s), they get permanent MQCE license keys that do NOT expire.
- SSL Certs expire yearly. If you forgot to update a queue manager's SSL Cert and it expires, then your channels stop working.
If an MQAdmin has 100 queue managers, how much wasted time do they spend YEARLY, just to update each queue manager's SSL Cert?
jfecq wrote:
If you are able to provide any google result where the 3 are being compared, I will be greatly grateful.
You cannot compare WMQ AMS to either MQ SSL or MQCE. It's like comparing a bicycle to a car. Just because both have wheels does not make them similar. You can only compare MQ SSL to MQCE as I did above.
Now stepping sideways, I created an umbrella product called MQ Enterprise Security Suite (MQESS) to originally compete against IBM's WMQ Extended Security Edition (WMQ ESE), which IBM revamped and updated to WMQ AMS. MQESS is simply 3 Capitalware products (MQAUSX, MQCE & MQME) in 1 and costs $100 less than purchasing the 3 individually. You can read more about MQESS at http://www.capitalware.com/mqess_overview.html
Now if you want a comparison of Capitalware's MQESS and IBM's WMQ AMS then go to: http://www.capitalware.com/rl_blog/?p=409
Hopefully that helps.
Regards,
Roger Lacroix
Capitalware Inc.
RogerLacroix
Posted: Thu Mar 13, 2014 1:24 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
If you have any more questions about MQCE, you can post them here or send an email to support@capitalware.com
We offer free trials for all Capitalware products (including free support). If you want to play around with MQCE then send an email to support@capitalware.com and I will set you up with the software and temporary license keys.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
547c547
Posted: Fri Jul 04, 2014 11:29 pm Post subject: Awesome explanation
Acolyte
Joined: 16 Jun 2014 Posts: 51
RogerLacroix wrote: (the same post, quoted in full above)