Suggestions for CipherSpec between MVS & Win2000? |
scott9
Posted: Sun Dec 28, 2003 8:31 pm Post subject: Suggestions for CipherSpec between MVS & Win2000?
Acolyte
Joined: 11 Jul 2002 Posts: 62 Location: Sacramento,CA

Our project team has requested 128 bit DES encryption for QMGRs between MVS and Win2000. Table 1 on page 146 in the IBM MQ Security document (SC34-6079-01) lists several CipherSpec options, but few of them offer DES with 128 bit encryption. Additionally, the DES options available seem to have limitations on z/OS and OS/400 systems. We will eventually convert our OS/390 to z/OS and I'm not sure if we will ever have OS/400, but I don't want to limit our future hardware options.
I'm considering RC4_MD5_US for its versatility, but it doesn't satisfy the project requirement (which, incidentally, I'm trying to have removed). Anyway, I'm not entirely versed in SSL, CipherSpecs, or Certificates and I wanted some experienced opinions. Does anybody here use DES encryption with MQ between MVS and Windows? I'm not sure if it's pertinent, but we use RACF on MVS for security.
 |
interactivechannel
Posted: Tue Dec 30, 2003 12:18 pm
Voyager
Joined: 20 May 2003 Posts: 94 Location: uk

128-bit DES doesn't exist. I assume they're after triple DES, which is a DES operation 3 times giving an effective key length of 168 bits. CipherSpecs are set on each channel pair, so if your current requirement is to have SSL between Win and z/OS you can use Triple DES with SHA. When a project comes along that needs to secure communication between OS/400 and one of these, you can choose from what's available then and create an exception to the rule due to a platform limitation for that channel pair.
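An added example, not part of the original thread and not IBM tooling: because a CipherSpec is set per channel pair and both ends of a channel must name the same one, this Python check compares the SSLCIPH values from each queue manager's DISPLAY CHANNEL output and reports mismatches, channels without SSL, and pairs that deviate from the chosen standard. The channel names, the simplified output text and the function names are constructed for illustration; TRIPLE_DES_SHA_US is assumed as the standard CipherSpec.

```python
import re

# Constructed sample: simplified DISPLAY CHANNEL output captured from each end.
ZOS_OUTPUT = """
CHANNEL(MVS1.TO.WIN1) CHLTYPE(SDR) SSLCIPH(TRIPLE_DES_SHA_US)
CHANNEL(MVS1.TO.WIN2) CHLTYPE(SDR) SSLCIPH(TRIPLE_DES_SHA_US)
CHANNEL(MVS1.TO.WIN3) CHLTYPE(SDR) SSLCIPH( )
"""
WIN_OUTPUT = """
CHANNEL(MVS1.TO.WIN1) CHLTYPE(RCVR) SSLCIPH(TRIPLE_DES_SHA_US)
CHANNEL(MVS1.TO.WIN2) CHLTYPE(RCVR) SSLCIPH(RC4_MD5_US)
CHANNEL(MVS1.TO.WIN3) CHLTYPE(RCVR) SSLCIPH( )
"""

ATTR = re.compile(r"\b([A-Z]+)\(([^)]*)\)")

def parse_channels(text):
    """Return {channel_name: sslciph} from ATTR(VALUE) tokens in MQSC output."""
    channels, current = {}, None
    for key, value in ATTR.findall(text):
        if key == "CHANNEL":
            current = value.strip()
            channels[current] = ""
        elif key == "SSLCIPH" and current is not None:
            channels[current] = value.strip()
    return channels

def audit_pairs(end_a, end_b, required="TRIPLE_DES_SHA_US"):
    """Compare both ends of each channel pair; return {channel: finding}."""
    a, b = parse_channels(end_a), parse_channels(end_b)
    findings = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            findings[name] = "defined on one end only"
        elif a[name] != b[name]:
            findings[name] = f"mismatch: {a[name] or 'none'} vs {b[name] or 'none'}"
        elif not a[name]:
            findings[name] = "no SSL on either end"
        elif a[name] != required:
            findings[name] = f"policy exception: {a[name]}"
    return findings

if __name__ == "__main__":
    for channel, finding in audit_pairs(ZOS_OUTPUT, WIN_OUTPUT).items():
        print(f"{channel}: {finding}")
```

A pair reported as a policy exception matches on both ends but uses a different CipherSpec than the standard, which is the per-channel exception case described in the reply above.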
 |
scott9
Posted: Tue Dec 30, 2003 1:55 pm Post subject: Thanks and a new question
Acolyte
Joined: 11 Jul 2002 Posts: 62 Location: Sacramento,CA

Thanks for the response. I'll extend this discussion a little longer with a new question. We're getting more information about the configuration requirements in MVS for SSL. Apparently, there may be special TCP/IP configuration requirements to allow SSL to work on MVS. I have yet to find any additional TCP/IP configuration requirements documented in the myriad documentation I have accumulated on the subject.
We currently have a stable MQ environment with running channels and successful transmission of data between MVS and Windows. My new question is: If we implement SSL in this stable MQ environment, do we need to add any additional TCP/IP components to MVS? For instance, does SSL become a new resource that must be tracked, labeled, and controlled from within RACF and TCP/IP?
 |
interactivechannel
Posted: Sat Jan 03, 2004 3:18 am
Voyager
Joined: 20 May 2003 Posts: 94 Location: uk

SSL does need to be enabled on the z/OS host and there is a panel in RACF for managing certificates and key rings. Once SSL is available, a guide to the RACDCERT command will be very handy.