MQSeries.net forum, IBM MQ Security

High level question on encryption
atedone (Newbie, joined 31 Oct 2017)
Posted: Tue Oct 31, 2017 4:19 am, subject: High level question on encryption

Hi there.

I have a very high level question on message encryption.

Let's assume I have already in place a distributed environment, where my source business application is connecting, via WMQ Client, to a WMQ Server, which then interacts with other servers. Such a scenario is currently NOT encrypted.

I understand, from IBM website, that in order to encrypt such flows, I need to install a separate component - i.e. WMQ Advanced Message Security.

My question is: does this have any impact on the source application (which is the one connecting as a Client to the Queue Manager on the server side)? Should the source application be "encryption ready"? Or does securing the flows work only at the queue/channel level?

Thanks
T

Vitor (Grand High Poobah, joined 11 Nov 2005, Ohio, USA)
Posted: Tue Oct 31, 2017 4:37 am, subject: Re: High level question on encryption

atedone wrote:
    I understand, from IBM website, that in order to encrypt such flows, I need to install a separate component - i.e. WMQ Advanced Message Security.

Not true. Channel encryption (data in flight) is provided with the base product. AMS is required for queue encryption (data at rest) and for digitally signing messages.

atedone wrote:
    My questions is: does this have any impact on the source application (which is the one connecting as a Client to the Queue Manager on the server side)? Should the source application be "encryption ready"? Or is the securization of the flows only working at the queues/channels level?

The MQ product handles all encryption functions. The MQ Client (in terms of the IBM component the client application is using) needs to be properly configured but the application refers to the client as it currently does.
_________________
Honesty is the best policy.
Insanity is the best defence.

fjb_saper (Grand High Poobah, joined 18 Nov 2003, LI, NY)
Posted: Tue Oct 31, 2017 4:42 am, subject: Re: High level question on encryption

atedone wrote:
    Hi there.

    I have a very high level question on message encryption.

    Let's assume I have already in place a distributed environment, where my source business application is connecting, via WMQ Client, to a WMQ Server, which then interacts with other servers. Such a scenario is currently NOT encrypted.

    I understand, from IBM website, that in order to encrypt such flows, I need to install a separate component - i.e. WMQ Advanced Message Security.

    My questions is: does this have any impact on the source application (which is the one connecting as a Client to the Queue Manager on the server side)? Should the source application be "encryption ready"? Or is the securization of the flows only working at the queues/channels level?

    Thanks
    T

If you are talking about AMS (Advanced Message Security), your application needs to be 'encryption ready'. There is no point in doing AMS (encryption at rest) if the connection from the qmgr to the client is not encrypted.
On the other hand you can encrypt the connection from the client to the queue manager and have encryption in flight without having AMS (no encryption at rest).
You will need to study the concepts of SSL/TLS and X.509 certificates with PKI (Public Key Infrastructure).
Have fun
_________________
MQ & Broker admin

Vitor (Grand High Poobah)
Posted: Tue Oct 31, 2017 5:11 am, subject: Re: High level question on encryption

fjb_saper wrote:
    If you are talking about AMS (advanced Message Security), your application needs to be 'encryption ready'.

I think the OP is asking what code changes within the application are needed to support AMS, which I believe to be none.

I agree with you that "the application" in a conceptual sense needs to be encryption ready; your example of using AMS to encrypt queues but leaving channels in plain text is highly appropriate. Likewise (in the topology the OP describes) having AMS on one queue manager and not the others.

fjb_saper (Grand High Poobah)
Posted: Tue Oct 31, 2017 5:25 am, subject: Re: High level question on encryption

Vitor wrote:
    fjb_saper wrote:
        If you are talking about AMS (advanced Message Security), your application needs to be 'encryption ready'.

    I think the OP is asking what code changes within the application are needed to support AMS, which I believe to be none.

All depending on whether the app can handle the SSL/TLS context automatically, or if you have to define and use SSLSocketFactories and such...

But as a standard, only the application's environment would need to change.

atedone (Newbie)
Posted: Tue Oct 31, 2017 6:14 am, subject: Thanks a lot to both of you

Your prompt (and useful) contribution is highly appreciated.

I do not think we need AMS then... what is required is to protect the transmission, not the queues. Therefore, we will probably opt for "data in flight" (need to verify this with the IT security teams) and hence, we will simply need to perform activities on WMQ configuration, so the business application should be on the safe side in terms of implementations.

Once again, thanks a lot.

Cheers
T

Vitor (Grand High Poobah)
Posted: Tue Oct 31, 2017 6:24 am, subject: Re: Thanks a lot to both of you

atedone wrote:
    I do not think we need AMS then... what is required is to protect the transmission, not the queues.

I endorse the comments of my associate regarding the need for an understanding of PKI and proper certificate management as well as knowing what configuration changes to make on the MQ channels and other objects.
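As an added illustration of the channel-level (data in flight) configuration the posts above refer to, here is the kind of MQSC a queue manager administrator would apply. This is example configuration written for this page, not taken from any poster; it assumes a hypothetical queue manager QM1, a server-connection channel APP1.SVRCONN, an application certificate issued to CN=app1,O=Example Corp, a consumer certificate CN=consumer,O=Example Corp, certificate labels ibmwebspheremqqm1 and ibmwebspheremqapp1, the host mqhost.example.com and the CipherSpec ECDHE_RSA_AES_256_GCM_SHA384. The short AMS policy at the end is included only to show the contrast drawn above between encrypting the channel and protecting the queue; it requires the AMS component and, in this MQSC form, MQ 9.0 or later (earlier releases use the setmqspl command).

```mqsc
* --- Queue manager side (runmqsc QM1) ---------------------------------------
* Key repository holding the qmgr certificate and the CA that signed the
* client certificates. The path is given without the .kdb suffix.
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key') CERTLABL('ibmwebspheremqqm1')

* The channel the client application connects on. SSLCIPH is what switches
* TLS on; SSLCAUTH(REQUIRED) makes the client present its own certificate
* (mutual TLS) and SSLPEER rejects certificates outside our organisation.
* MCAUSER('nobody') stops an unmapped connection running as whatever OS
* user id the client asserts.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH('ECDHE_RSA_AES_256_GCM_SHA384') +
       SSLCAUTH(REQUIRED) +
       SSLPEER('O=Example Corp') +
       MCAUSER('nobody') +
       REPLACE

* Map the application's certificate DN to a dedicated low-privilege MQ user
* (grant that user only the queues it needs with setmqaut) and keep MQ
* administrators off this client channel.
SET CHLAUTH('APP1.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1,O=Example Corp') USERSRC(MAP) MCAUSER('mqapp1') +
    ACTION(REPLACE)
SET CHLAUTH('APP1.SVRCONN') TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    ACTION(REPLACE)

* Re-read the key repository and CHLAUTH rules without restarting the qmgr.
REFRESH SECURITY TYPE(SSL)

* Check: once the application connects, the running channel instance should
* report the negotiated CipherSpec and the peer's certificate DN/issuer.
DISPLAY CHSTATUS('APP1.SVRCONN') SSLCIPH SSLPEER SSLCERTI

* --- Client side (CLNTCONN entry for the CCDT the application reads) --------
* No application code change: the MQ client library reads this table
* (MQCHLLIB/MQCHLTAB) and its own key repository (MQSSLKEYR) from the
* environment. CERTLABL selects the application's certificate in that store.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       CONNAME('mqhost.example.com(1414)') QMNAME('QM1') +
       SSLCIPH('ECDHE_RSA_AES_256_GCM_SHA384') +
       CERTLABL('ibmwebspheremqapp1') +
       REPLACE

* --- Only if data at rest must also be protected (needs the AMS component) --
* Messages put to APP1.REQUEST are signed by app1 and encrypted so that only
* the consumer's certificate can read them while they sit on the queue.
SET POLICY('APP1.REQUEST') SIGNALG(SHA256) ENCALG(AES256) +
    SIGNER('CN=app1,O=Example Corp') +
    RECIP('CN=consumer,O=Example Corp') +
    ENFORCE
```

The key repositories themselves are created outside MQSC with runmqakm (or the GUI strmqikm), on the qmgr host and on the client host; the CA certificate that signed the other side's certificate must be present in each. For a C or .NET client the application binary is untouched: only the MQSSLKEYR, MQCHLLIB and MQCHLTAB environment variables change. A Java/JMS client is the case where the application's environment and configuration, rather than its logic, has to change: the connection factory is pointed at the CCDT and given the matching cipher suite name (which differs from the MQ CipherSpec name), and the JSSE keystore and truststore are supplied through the usual javax.net.ssl system properties. With AMS, the application's process user additionally needs a keystore.conf pointing at a keystore holding its own certificate and the recipients' public certificates, which is why the posts above describe the application's environment as the thing that has to become "encryption ready".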

exerk (Jedi Council, joined 02 Nov 2006)
Posted: Tue Oct 31, 2017 7:54 am, subject: Re: Thanks a lot to both of you

atedone wrote:
    ...I do not think we need AMS then... what is required is to protect the transmission, not the queues.

I've seen this outlook at too many sites - generally speaking, the Security Team do not understand MQ and look at lock-down of access to servers etc.

The number of discussions I have had where encryption on the wire was mandated (Q. How easy is it to get a packet sniffer on to your network - A. Impossible!) but not encryption at rest (Q. Who is in the list for access to the server etc.? - A. "List of personnel cleared for mission Gainsborough, as dictated by General C. H. Melchett: You and me, Darling, obviously. Field Marshal Haig, Field Marshal Haig's wife, all Field Marshal Haig's wife's friends, their families, their families' servants, their families' servants' tennis partners, and some chap I bumped into the mess the other day called Bernard.").
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Vitor (Grand High Poobah)
Posted: Tue Oct 31, 2017 8:37 am, subject: Re: Thanks a lot to both of you

exerk wrote:
    atedone wrote:
        ...I do not think we need AMS then... what is required is to protect the transmission, not the queues.

    I've seen this outlook at too many sites - generally speaking, the Security Team do not understand MQ and look at lock-down of access to servers etc.

    The number of discussions I have had where encryption on the wire was mandated (Q. How easy is it to get a packet sniffer on to your network - A. Impossible!) but not encryption at rest (Q. Who is in the list for access to the server etc.? - A. "List of personnel cleared for mission Gainsborough, as dictated by General C. H. Melchett: You and me, Darling, obviously. Field Marshal Haig, Field Marshal Haig's wife, all Field Marshal Haig's wife's friends, their families, their families' servants, their families' servants' tennis partners, and some chap I bumped into the mess the other day called Bernard.").

It's all about the data. If the data isn't that sensitive, you can easily meet the needs with compensating controls like properly regulated server access. Bear in mind that if access is as lax as you intimate (and I've seen my share) then AMS won't help because it's easy enough to get the unencrypted data through an unsecured application.

This site is a bank, and a fairly paranoid one, and we've not yet had a use case where AMS is needed. Not to say this day won't come, but not yet.

But every MQ channel is encrypted up the ying yang. We fear packet sniffers more than we fear anything else.