| Author |
Message
|
| bruce2359 |
 Posted: Fri Jun 03, 2022 3:34 am Post subject: Does AMS protect message logs? |
 |
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Client is asking how to protect MQs qmgr message log data in the Windows/UNIX file system from snoopers. Does AMS do this? Is there a 3rd-party solution?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
 |
| hughson |
| Posted: Fri Jun 03, 2022 7:55 pm Post subject: Re: Does AMS protect message logs? |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| bruce2359 wrote: |
| Client is asking how to protect MQs qmgr message log data in the Windows/UNIX file system from snoopers. Does AMS do this? Is there a 3rd-party solution? |
I suppose it depends what they mean by "message log". If they mean the transactional log that is written by the queue manager, then yes, if your messages are AMS protected before arriving and not decrypted until after leaving the queue manager then the queue manager has no way of seeing, and thus writing, unprotected data to the log. This would normally be how AMS was used, with the messages only in their decrypted state inside the application processes (whether putting or getting).
If you're referring to some kind of message tracking log written by applications, then that rather depends on when the application writes to the log. If they are a authorised recipient of an AMS protected message, then the application will be given the message decrypted, and could at that point write the decrypted message data to some application log.
If you mean something else when you say "message log" please elaborate so that further comment can be made.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Jun 03, 2022 8:40 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
The usual log files used by the qmgr for persistent messages, qmgr restart, S000001.LOG, S000002.LOG, …
With AMS, when an app MQPUTS a persistent message, is it written clear text to the log then encrypted by AMS as it is put to the queue?
AMS marketing refers to AMS securing “messages at rest in queues” with TLS-like certs and such. Would seem to be an oversight for AMS not to apply the same TLS-like processes to the logged image of the message.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| hughson |
| Posted: Fri Jun 03, 2022 8:45 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| bruce2359 wrote: |
| The usual log files used by the qmgr for persistent messages, qmgr restart, S000001.LOG, S000002.LOG, ... |
Those would indeed be the queue manager transaction log. Thank you for the clarification.
| bruce2359 wrote: |
| With AMS, when an app MQPUTS a persistent message, is it written clear text to the log then encrypted by AMS as it is put to the queue? |
No. It is not in the clear by the time it is handed over to the queue manager. The encryption takes place in the application process before it leaves the application process and is given to the queue manager's agent process to put to the queue. The queue manager never has the clear text.
| bruce2359 wrote: |
| AMS marketing refers to AMS securing "messages at rest in queues" with TLS-like certs and such. Would seem to be an oversight for AMS not to apply the same TLS-like processes to the logged image of the message. |
See above answers. Which TLS-like processes are you imagining need to be applied that are not? Please be clear what it is you are referring to.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Sat Jun 04, 2022 5:17 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Does AMS also protect messages at rest in qmgr logs?
Which is written to logs, the clear text image or encrypted image?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Sat Jun 04, 2022 6:16 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| bruce2359 wrote: |
Does AMS also protect messages at rest in qmgr logs?
Which is written to logs, the clear text image or encrypted image? |
| hughson wrote: |
The encryption takes place in the application process before it leaves the application process and is given to the queue manager's agent process to put to the queue. The queue manager never has the clear text.
|
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Sat Jun 04, 2022 6:26 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Morag,
How about in the cases where one must use MCA Interception?
https://www.ibm.com/docs/en/ibm-mq/9.2?topic=ams-message-channel-agent-mca-interception
Use Case: MQ Client is DataPower where MQ AMS cannot be installed. The MQ Client channel uses classic TLS (SSL) to protect the data on the wire. And MQ AMS MCA Interception is used on this client channel to encrypt the data before its placed on the queue.
A few minutes of googling and I am still not clear in this particular case where the "classic" TLS encryption for the channel ends and the MCA Interception for AMS begins. In this case, is there some period of time where the message is in plain text? And if yes, is it vulnerable to be traced or logged by the queue manager in plain text?
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Sat Jun 04, 2022 4:07 pm Post subject: Re: Does AMS protect message logs? |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
| bruce2359 wrote: |
| Is there a 3rd-party solution? |
Have a look at MQ Message Encryption (MQME). MQME will encrypt the messages which means the message payload in the queue file and MQ recovery log files are encrypted (i.e. data at rest is encrypted). Hence, snoopers will see nothing.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| hughson |
| Posted: Sat Jun 04, 2022 7:09 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| PeterPotkay wrote: |
How about in the cases where one must use MCA Interception?
https://www.ibm.com/docs/en/ibm-mq/9.2?topic=ams-message-channel-agent-mca-interception
Use Case: MQ Client is DataPower where MQ AMS cannot be installed. The MQ Client channel uses classic TLS (SSL) to protect the data on the wire. And MQ AMS MCA Interception is used on this client channel to encrypt the data before its placed on the queue.
A few minutes of googling and I am still not clear in this particular case where the "classic" TLS encryption for the channel ends and the MCA Interception for AMS begins. In this case, is there some period of time where the message is in plain text? And if yes, is it vulnerable to be traced or logged by the queue manager in plain text? |
In the case of AMS MCA Interception, the message is TLS decrypted before it can be AMS Encrypted. Both these steps happen in the MCA process, so before the message is written to the queue (and thus written to the log) it is encrypted, but it does spend a small period of time within the amqrmppa process in its un-encrypted state.
Therefore I suppose it is vulnerable to be traced by the amqrmppa process in the clear at that time if someone traced out data buffers at the right (or wrong) point in the workflow, but I would hope someone in IBM thought about that. There is always the possibility that someone on-box could dump out the contents of the memory of an amqrmppa process and could find the decrypted data if they timed it right. This is the downside of MCA Interception as I'm sure you realise.
Certainly it is not in the clear in the transaction logs, because it is encrypted prior to the MQPUT crossing to the "QMgr" from the "MCA". In this sense, think about the MCA/amqrmppa process as the "application" in AMS terms, even though you might also think of it as part of the "Queue Manager".
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Sun Jun 05, 2022 5:40 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Thanks for clarifying that, Morag.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Sun Jun 05, 2022 8:20 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Curiosity and insomnia combined to lead me to this T-Rob youtube MQ AMS post https://youtu.be/UzNME8KvQwY
He states that messages remain secured (encrypted/hashed) from MQPUT to MQGET, including in qmgr message logs.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| hughson |
| Posted: Sun Jun 05, 2022 9:09 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| bruce2359 wrote: |
Curiosity and insomnia combined to lead me to this T-Rob youtube MQ AMS post https://youtu.be/UzNME8KvQwY
He states that messages remain secured (encrypted/hashed) from MQPUT to MQGET, including in qmgr message logs. |
yes that would agree with all the other answers you have seen on this thread.
I think that settles it then. The messages are encrypted when they are in the queue manager transaction log (what you call the message log).
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Mon Jun 06, 2022 4:04 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Thank you.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
|
|
