MQSeries.net Forum » General Discussion

MQ CICS Bridge - information in (MQMD,MQCIH)
amita09
Posted: Thu Oct 13, 2005 8:03 pm    Post subject: MQ CICS Bridge - information in (MQMD,MQCIH)

Novice

Joined: 13 Oct 2005
Posts: 24

Hi,
Anyone having experience using MQ CICS Bridge? Trying to figure out if there is a way to encrypt the information stored in (MQMD,MQCIH).

This is for a new application we propose to build. Notice that MQ CICS Bridge expects authentication information in headers (MQMD,MQCIH) which are set by the requesting application. This is in plain text.

Would like to find out whether these can be encrypted as they are in the header. And CICS uses this info to validate with RACF. We don't want administrators seeing into the messages and figuring out the passwords.

Is there an alternative?

thanks,
regards
jefflowrey
Posted: Fri Oct 14, 2005 3:02 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

If you can't trust your administrator, you don't have a secure computer.
_________________
I am *not* the model of the modern major general.
hopsala
Posted: Fri Oct 14, 2005 6:55 am

Guardian

Joined: 24 Sep 2004
Posts: 960

First off, I agree with jeff - there's no avoiding giving the admin all permissions.

But let's say you disagree - In that case you have two options:
1. Write API exits that encrypt on one end and decrypt on the other.
2. Write your own CICS bridge.

If you ask me, it's more trouble than it's worth.
bob_buxton
Posted: Sat Oct 15, 2005 12:07 pm

Master

Joined: 23 Aug 2001
Posts: 266
Location: England

You can specify a PassTicket in the CIH.Authenticator field to avoid flowing passwords in the message.

A PassTicket is an encrypted, single-use password.
See the RACF documentation for information on creating PassTickets.
_________________
Bob Buxton
Ex-Websphere MQ Development
amita09
Posted: Mon Oct 17, 2005 2:58 am

Novice

Joined: 13 Oct 2005
Posts: 24

API Exits are not supported on z/OS :(
wschutz
Posted: Mon Oct 17, 2005 3:05 am

Jedi Knight

Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)

amita09 wrote:
API Exits are not supported on Z/OS

Actually, there are (sort of)... since the beginning (MQ V1) on z/OS, you have been able to specify an API crossing exit for CICS programs.

Check out Bob's suggestion about RACF passtickets. What platform are you making the requests to CICS from?
_________________
-wayne
amita09
Posted: Wed Oct 26, 2005 11:01 pm

Novice

Joined: 13 Oct 2005
Posts: 24

If I encrypt the information in the headers MQMD,MQCIH (username/password) of RACF, will MQ-CICS bridge be able to decrypt it? Is there a way?

Because if I write an API exit, even on the mainframe, how will that change the behaviour of MQ-CICS bridge on the mainframe to decrypt?

Can anyone throw more ideas?
fjb_saper
Posted: Thu Oct 27, 2005 1:01 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

You might look at the MD5 digest for the password.
I believe that this is what is stored in the RACF record.

Enjoy
amita09
Posted: Thu Oct 27, 2005 4:54 pm

Novice

Joined: 13 Oct 2005
Posts: 24

If I encrypt the information in the headers MQMD,MQCIH (username/password) of RACF before placing the message in the queue, will MQ-CICS bridge be able to decrypt it after getting the message? What do I need to do so that MQ CICS Bridge is able to decrypt it?
If I write an API exit, will it also be intercepted when MQ-CICS issues a get request? The username/password is used to authenticate with RACF by the CICS adapter before calling the actual CICS transaction.

Is there a way to intercept the CICS bridge on the mainframe? Is an API Exit useful for that as well?

I cannot use PASSTICKETS because it does not fit the requirement, and I am not sure if writing an API Exit will help and that the MQ-CICS Bridge will be able to get the decrypted information (username/password). Please throw more light on this.

THANK you.
wschutz
Posted: Thu Oct 27, 2005 5:07 pm

Jedi Knight

Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)

Quote:
I cannot use PASSTICKETS because it does not fit the requirement
Can you tell us why you can't use it?

You can set up CICS so that every time a CICS program issues an MQGET (which would include the bridge) the API crossing exit is called (both directions). This would allow you to decrypt the password prior to the bridge getting it.
_________________
-wayne
amita09
Posted: Thu Oct 27, 2005 7:11 pm

Novice

Joined: 13 Oct 2005
Posts: 24

Well, thanks. So it means that the API crossing exit will work on the mainframe, i.e. for MQ-CICS bridge.

Regarding your question on PassTickets: well, it is because the username and password are being sent every time a user on the front end does some transaction. So MQ sends this username/password each time in the MQ message. Worse, this is in plain text because the MQ-CICS bridge requires it in plain text.

I know there are other ways to do authentication, one when the bridge starts and uses a default RACF id, so that the CICS adapter always uses this id to verify, in which case I don't see the requirement for the username/password in the message. But this will mean that CICS trusts all MQ messages, which is dangerous.

So we built this username/password thingy to be put in all messages. But as part of compliance we now need to make sure there are no usernames/passwords displayed to the administrator of MQ.

Using PassTickets is not an option because it will mean that the requester application will have to know every time the latest PassTicket, which is a problem and means redesign.

Correct me if I am wrong.
Once again thanks, and I must admit this forum is really wonderful. Getting to learn lots of things out here.
amita09
Posted: Thu Oct 27, 2005 7:14 pm

Novice

Joined: 13 Oct 2005
Posts: 24

Sorry, forgot to ask one thing:
"setup CICS so that everytime a CICS program issues an MQGET (which would include the bridge) the API crossing exit is called (both directions)."

How to set up CICS this way?
zpat
Posted: Thu Oct 27, 2005 11:33 pm

Jedi Council

Joined: 19 May 2001
Posts: 5866
Location: UK

If you encrypt the password using the RACF method (DES) then you can ask RACF to process it already encrypted. Therefore the password need not be sent in clear text.

However the only sure way I know to encrypt the password to RACF standards is to make a RACROUTE (assembler) call in a mainframe program.

Bear in mind though that most mainframe access involves a clear text password being sent to the mainframe for verification - why is it a problem with MQSeries?

You might want to avoid repeated messages with the same password - by using a token for subsequent messages.

All this sort of stuff generally indicates a need for your own bridge program or at the very least some sort of MQ channel exit.
amita09
Posted: Thu Oct 27, 2005 11:59 pm

Novice

Joined: 13 Oct 2005
Posts: 24

"Bear in mind though that most mainframe access involves a clear text password being sent to the mainframe for verification - why it is a problem with MQSeries? "

I have enabled SSL on a 3270 emulator, and the next thing is, after doing that... data is never at rest like in a queue or something which can be browsed... and that shows the information in clear.

"You might want to avoid repeated messages with the same password - by using a token for subsequent messages."
Not sending repeated passwords will definitely mean redesign, and this is not really an acceptable solution at this stage.

"All this sort of stuff generally indicates a need for your own bridge program or at the very least some sort of MQ channel exit"

Yeah, that is what I want to avoid :roll:

Data in the message-data portion is encrypted; it's only this MQCIH and MQMD information (authentication data) that is in clear... Man, I really feel that MQ-CICS bridge allows data, I have to ask our guys to write API exits on both sides... which is really not straightforward.
Come to think of it, MOMs like MQ, Sonic etc. really need a specification of a secure message by default.

Any thoughts welcome!!
zpat
Posted: Fri Oct 28, 2005 1:28 am

Jedi Council

Joined: 19 May 2001
Posts: 5866
Location: UK

If you want encrypted MQ messages "out of a box" - just open your wallet and purchase Tivoli Access Manager for Business Integration.

Mainframe MQ queues can be secured with RACF profiles - so the fact that messages may contain clear text passwords should not be a major concern - especially as these should be request/reply non-persistent messages that only exist for a few seconds.

If you want to use persistent, long-lived messages, then use another authentication technique like IP address validation, or a shared-secret approach (encrypt the shared secret key with random data and send both the random data and the resulting hash in the message; the server encrypts the random data with its copy of the key and compares the result to verify the keys match).
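zpat's shared-secret suggestion above, as an added example that is not from the thread: the requester puts a nonce, timestamp and keyed digest in the message in place of the password, and the bridge-side verifier recomputes the digest with its copy of the key. It uses an HMAC rather than the "encrypt the random data with the key" construction zpat describes, and adds the per-nonce replay check that addresses the repeated-password concern raised earlier in the thread; the userid, key and timestamps are constructed values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed demo key (not from the thread): one shared secret per RACF-style
# userid, provisioned out of band to the requester and to the bridge-side verifier.
USER_KEYS: Dict[str, bytes] = {"APPUSER1": b"constructed-shared-secret-for-appuser1"}


def _mac(key: bytes, user_id: str, ts: int, nonce: bytes) -> str:
    """HMAC-SHA256 over (userid, timestamp, nonce); the secret itself never travels."""
    msg = user_id.encode("ascii") + ts.to_bytes(8, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_auth_token(user_id: str, key: bytes, ts: int, nonce: Optional[bytes] = None) -> dict:
    """Requester side: the fields that replace a clear-text password in the header."""
    nonce = os.urandom(16) if nonce is None else nonce
    return {"userid": user_id, "ts": ts, "nonce": nonce.hex(),
            "mac": _mac(key, user_id, ts, nonce)}


class TokenVerifier:
    """Bridge side: accept a token once, within a freshness window, and refuse replays."""

    def __init__(self, keys: Dict[str, bytes], window_s: int = 60) -> None:
        self.keys = keys
        self.window_s = window_s
        self._seen: Dict[bytes, int] = {}  # nonce -> ts, pruned once it can no longer replay

    def verify(self, token: dict, now: int) -> Tuple[bool, str]:
        key = self.keys.get(token.get("userid", ""))
        if key is None:
            return False, "unknown userid"
        ts = int(token["ts"])
        if abs(now - ts) > self.window_s:
            return False, "timestamp outside freshness window"
        # drop nonces whose window has passed; they are rejected by the timestamp check anyway
        self._seen = {n: t for n, t in self._seen.items() if abs(now - t) <= self.window_s}
        nonce = bytes.fromhex(token["nonce"])
        if nonce in self._seen:
            return False, "replayed nonce"
        # constant-time compare so MAC mismatches do not leak timing
        if not hmac.compare_digest(_mac(key, token["userid"], ts, nonce), str(token["mac"])):
            return False, "bad mac"
        self._seen[nonce] = ts  # record only after the MAC checks out
        return True, "ok"
```

The MQ administrator browsing the queue sees a userid, a nonce and a digest, none of which yields the password or can be resubmitted after the nonce has been consumed.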