Security and MQSI.

Steve_lane
Posted: Fri Feb 15, 2002 3:22 am

Newbie

Joined: 22 May 2001
Posts: 4

Hi MQ'ers,

Does anybody have any experience of security in MQSI?

My environment is the control centre on a WINNT4 desktop, the config manager on an NT4 Server, and multiple brokers in the broker domain on AIX.

I can secure with exits easily between the config manager and the brokers. I understand that with Datasecure and Tivoli PDMQ it is possible to introduce a secure layer between the broker and the broker qmgr, but I have never done it, and I would be interested in hearing the experiences of anyone who has.

Additionally, I need to secure between my configuration manager and my control centre... now I hear cries of using NT security... but no! I want to use a security exit or something to secure the CC to CM server connection channel to make it bulletproof. Any offers of products or sample code for how I can do this?

Kind Regards

Steve Lane
Think Corporation Ltd
steve.lane@thinkcorporation.com

http://www.thinkcorporation.com

mpuetz
Posted: Sat Feb 16, 2002 1:34 pm

Centurion

Joined: 05 Jul 2001
Posts: 149
Location: IBM/Central WebSphere Services

Hi,

I haven't used PDMQ with MQSI myself, but since PDMQ libraries
simply replace the standard mqm.dll library, MQSI should note and
shouldn't care.

If you want to secure your SVRCONN channels, have a look at the SSPI
security exit that is shipped with MQ 5.2, including source code.
The source has been stripped of comments unfortunately. If you are
working in a pure NT or pure W2000 environment you might use the
SSPI exit right away.

Check the client manual and the intercommunication manual of MQSeries
to get familiar with both installation and writing channel exits.



_________________
Mathias Puetz

IBM/Central WebSphere Services
WebSphere Business Integration Specialist
Steve_lane
Posted: Wed Feb 20, 2002 2:01 am

Newbie

Joined: 22 May 2001
Posts: 4

Quote:

On 2002-02-16 13:34, mpuetz wrote:
Hi,

I haven't used PDMQ with MQSI myself, but since PDMQ libraries
simply replace the standard mqm.dll library, MQSI should note and
shouldn't care.

[ Steve's comments ] I agree with the above.

If you want to secure your SVRCONN channels, have a look at the SSPI
security exit that is shipped with MQ 5.2, including source code.
The source has been stripped of comments unfortunately. If you are
working in a pure NT or pure W2000 environment you might use the
SSPI exit right away.

[ Steve's comments ] But how do you secure the MQSI CC with an exit... I am told it would require access to the source code...

Check the client manual and the intercommunication manual of MQSeries
to get familiar with both installation and writing channel exits.



ghost
Posted: Wed Feb 27, 2002 8:17 am

Newbie

Joined: 26 Feb 2002
Posts: 7

I have the same issue. I've been told that since the CC is a snap-on to Microsoft Management Console and uses WinNT domain security, you don't have a solution at the GUI. However, you could restrict the server connection so that even if someone has CC, they won't be able to see the queue manager. Supposedly, MQSI version 2.1 was to address this, but the whitepapers don't mention it.

If anyone has a solid solution without using Tivoli or other 3rd party packages, please drop me a note: jim_u_cho@hotmail.com
Miriam Kaestner
Posted: Wed Feb 27, 2002 11:58 pm

Centurion

Joined: 26 Jun 2001
Posts: 103
Location: IBM IT Education Services, Germany

WMQI 2.1 does indeed support security exits for the Control Center connection.
At the CC side, you have to have Java security exit code and start CC with mqsilccsec.exe.
At the ConfigMgr, you must have C security exit code which is called by the SYSTEM.BKR.CONFIG channel.
zpat
Posted: Thu Feb 28, 2002 12:40 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Policy Director at one point did not work with MQSI v2, due to the way MQSI used the DLLs or something. I believe Tivoli have fixed this. But all these products can cause problems with end-to-end security, since encrypted messages cannot be routed or transformed in MQSI.

If you decrypt them in the broker, then you tend to lose the digital signature of the original user when the broker forwards it on, as it has to use the broker id to re-encrypt, which the receiving application may not be happy about.

All this can make MQSI security designs complex. The products are evolving though to provide plug-ins for MQSI (Data Secure has these).
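
The loss of the original user's signature described in the post above can be seen in a small model. This is an added example, not part of the original thread and not code from MQSI or any product named in it; HMAC-SHA256 with constructed keys stands in for a real digital signature, and the identities, keys and message fields are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-identity keys. HMAC-SHA256 stands in for a real digital
# signature so the example runs on the standard library alone.
KEYS = {"alice": b"constructed-key-alice", "broker": b"constructed-key-broker"}


def sign(identity, body):
    """Return an envelope binding `body` (bytes) to `identity`."""
    tag = hmac.new(KEYS[identity], body, hashlib.sha256).hexdigest()
    return {"signer": identity, "body": body.decode(), "sig": tag}


def verify(envelope):
    """Return the verified signer name, or None if the tag does not match."""
    key = KEYS.get(envelope["signer"])
    if key is None:
        return None
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    return envelope["signer"] if hmac.compare_digest(expected, envelope["sig"]) else None


def broker_transform(envelope, resign):
    """Model a broker flow that reformats the body (a JSON field rename)."""
    if verify(envelope) is None:
        raise ValueError("inbound signature invalid")
    order = json.loads(envelope["body"])
    out = json.dumps({"customer": order["cust"], "amount": order["amt"]}).encode()
    if resign:
        return sign("broker", out)  # the broker identity replaces the user's
    # Forwarding the old signature over the new body cannot verify.
    return {"signer": envelope["signer"], "body": out.decode(), "sig": envelope["sig"]}


def demo():
    inbound = sign("alice", json.dumps({"cust": "C42", "amt": 100}).encode())
    return (
        verify(inbound),                                  # original message
        verify(broker_transform(inbound, resign=False)),  # transformed, old signature
        verify(broker_transform(inbound, resign=True)),   # transformed, re-signed
    )


if __name__ == "__main__":
    print(demo())
```

The receiving application can either reject the transformed message or accept it as coming from the broker; in neither case does it still hold proof that the original user produced the content.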