Monk |
Posted: Mon Dec 10, 2007 2:58 am Post subject: MQ message integrity |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
Hi All,
I had a doubt in MQ.
Is it possible that MQ messages can be modified in transit?
For e.g.
I have an XML message like so:
<Tag1>abcdsdfgdfgd</Tag1>
Is it possible that on the receiving side I can receive the message like so:
<Tag1>bbcdsdfgdfgd</Tag1>
or some characters being modified.
My doubt is: for MQ messages, be it any format, does MQ provide message integrity?
Note that I do not use a message digest or anything of that sort to maintain message integrity.
This is just like TCP transmission errors.
Can the messages get corrupted? _________________ Thimk |
|
zpat |
Posted: Mon Dec 10, 2007 3:36 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
I have never encountered accidental corruption of messages, although data conversion can sometimes give unexpected results, usually through the data being incorrectly described in the CCSID.
If you wanted to protect against deliberate corruption of messages then you would normally need to use digital signatures. |
|
Vitor |
Posted: Mon Dec 10, 2007 4:05 am Post subject: Re: MQ message integrity |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Monk wrote: |
My doubt is: for MQ messages, be it any format, does MQ provide message integrity?
Note that I do not use a message digest or anything of that sort to maintain message integrity.
This is just like TCP transmission errors.
Can the messages get corrupted? |
AFAIK the MCAs use a CRC to eliminate transmission errors, though it's common for messages to appear changed due to code page problems (as zpat points out). _________________ Honesty is the best policy.
Insanity is the best defence. |
|
David.Partridge |
Posted: Mon Dec 10, 2007 4:07 am Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
I'd agree entirely with zpat's sentiments.
MQ doesn't provide any support "out of the box" for detecting messages that are deliberately tampered with by a hacker, save for the SSL support, which only marginally addresses this problem (and only for messages that are in transit across an SSL channel).
If you wish to be certain of the content (and possibly privacy) of messages, then you need an "end to end" security solution that protects the messages as they leave the emitting application and checks for tamper (and decrypts if needed) as they are gotten by the final recipient.
If you wish to achieve this without any application modification, there are (as far as I know) only two products that can do this.
1) Tivoli Access Manager for Business Integration (TAMBI) which can be purchased as a bundle with WebSphere MQ in the form of the "Extended Security Edition".
2) DSMQ (or to give its full name Spazio Data Secure for WebSphere MQ) product produced by Primeur (www.primeur.com) which provides the capabilities in question, and is in my partial estimation easier to set up, use, and manage than TAMBI.
PS Spazio is a Brand Name and should thus be considered "noise" in the full product name of DSMQ. This is particularly confusing as Primeur also have a PRODUCT called Spazio!!! Hmmm, this sounds a bit like the WebSphere and WebSphere MQ problem _________________ Cheers,
David C. Partridge |
|
Vitor |
Posted: Mon Dec 10, 2007 4:24 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
David.Partridge wrote: |
I'd agree entirely with zpat's sentiments.
|
As for the record would I. While MQ guards against corruption it doesn't protect against deliberate tampering without extra work. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
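Added example, not part of the thread and not code from any product named in it: the difference between a check that catches accidental corruption and the end-to-end tamper check described in the posts above. It uses a shared-key HMAC-SHA256 from the Python standard library in place of a digital signature; the envelope layout, the function names and the key are assumptions, and the queue transport is left out.

```python
import hashlib
import hmac
import zlib

DEMO_KEY = b"constructed-demo-key"  # constructed; real keys come from a key store
TAG_LEN = 32                        # size of an HMAC-SHA256 tag in bytes

def crc_frame(body):
    """Unkeyed checksum: catches line noise, but anyone can recompute it."""
    return zlib.crc32(body).to_bytes(4, "big") + body

def crc_ok(frame):
    return zlib.crc32(frame[4:]).to_bytes(4, "big") == frame[:4]

def protect(body, key=DEMO_KEY):
    """Sending application: prepend a tag computed with the shared key."""
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unprotect(envelope, key=DEMO_KEY):
    """Receiving application: return the body, or raise ValueError."""
    if len(envelope) < TAG_LEN:
        raise ValueError("too short to carry a tag")
    tag, body = envelope[:TAG_LEN], envelope[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("body or tag was altered")
    return body

def is_intact(envelope, key=DEMO_KEY):
    try:
        unprotect(envelope, key)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    sent = b"<Tag1>abcdsdfgdfgd</Tag1>"     # the message from the first post
    changed = b"<Tag1>bbcdsdfgdfgd</Tag1>"  # the altered form from the first post
    # A checksum recomputed over the altered body still passes:
    print("CRC accepts altered body:", crc_ok(crc_frame(changed)))
    # The original tag does not match the altered body, and a new tag needs the key:
    envelope = protect(sent)
    print("HMAC accepts original:", is_intact(envelope))
    print("HMAC accepts altered body:", is_intact(envelope[:TAG_LEN] + changed))
```

The tag covers the exact bytes, so the protected message has to travel without data conversion; a converted body fails verification just as an altered one does.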
RogerLacroix |
Posted: Mon Dec 10, 2007 8:47 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
David.Partridge wrote: |
If you wish to achieve this without any application modification, there are (as far as I know) only two products that can do this.
|
Cough! Hack!
And another (new) product is MQ Instant Secure Data
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ! |
|
mvic |
Posted: Mon Dec 10, 2007 12:59 pm Post subject: Re: MQ message integrity |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
Vitor wrote: |
AFAIK the MCAs use a CRC to eliminate transmission errors, though it's common for messages to appear changed due to code page problems (as zpat points out). |
I wasn't aware of this check - are you sure? But I seem to remember from my TCP/IP education (10 years ago roughly) that TCP did some error checking.
Re. the original question, MQ should never tamper with user data if MQGET does not specify the option MQGMO_CONVERT. It will attempt to convert user data if the MQGET specifies the option MQGMO_CONVERT. |
|
fjb_saper |
Posted: Mon Dec 10, 2007 3:43 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
The assumption here was that there was no format exit that would change the data... _________________ MQ & Broker admin |
|
Monk |
Posted: Mon Dec 10, 2007 8:03 pm Post subject: |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
Thanks, you guys. _________________ Thimk |
|
SAFraser |
Posted: Tue Dec 11, 2007 10:47 am Post subject: |
|
|
 Shaman
Joined: 22 Oct 2003 Posts: 742 Location: Austin, Texas, USA
|
I guess one point that occurs to me.... I wonder how you have determined that the data is changed. Is it the application output that is showing the changed data? If so, I would catch and dump a message after it's put from the originating application, and then I would catch and dump the transmitted message prior to its being retrieved by the application.
I have never been hacked (that I know of!) but I have seen many instances of data that was supposedly "corrupted" by MQ when, in fact, MQ simply transported what it was given.
Just a thought.... |
|
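Added example, not part of the thread: the two-dump comparison suggested in the post above, combined with the earlier remark about data being incorrectly described in the CCSID. It assumes both dumps are available as raw message bytes together with the CCSID the sender declared; the function names, the small CCSID table and the sample payloads are constructed for this illustration.

```python
# Subset of IBM CCSIDs mapped to Python codec names (enough for this demo).
CODECS = {37: "cp037", 500: "cp500", 819: "latin-1", 1208: "utf-8"}

def diff_offsets(put_dump, queue_dump):
    """Byte offsets at which the two dumps differ; a length mismatch counts."""
    n = max(len(put_dump), len(queue_dump))
    return [i for i in range(n) if put_dump[i:i + 1] != queue_dump[i:i + 1]]

def actual_ccsids(body, expected_text):
    """CCSIDs under which the dumped bytes decode to what the sender meant."""
    hits = []
    for ccsid, codec in CODECS.items():
        try:
            if body.decode(codec) == expected_text:
                hits.append(ccsid)
        except UnicodeDecodeError:
            pass  # these bytes are not valid in that code page
    return hits

def diagnose(put_dump, queue_dump, declared_ccsid, expected_text):
    """Say where the difference the application reported comes from."""
    changed = diff_offsets(put_dump, queue_dump)
    if changed:
        return "bytes changed between the two dumps at offsets %s" % changed
    # Bytes are identical, so look at how the declared CCSID reads them.
    seen = put_dump.decode(CODECS[declared_ccsid], errors="replace")
    if seen == expected_text:
        return "intact"
    real = actual_ccsids(put_dump, expected_text)
    if real:
        return "mislabelled: declared CCSID %d, bytes are CCSID %d" % (
            declared_ccsid, real[0])
    return "sender put different data than expected"

if __name__ == "__main__":
    text = "<Tag1>Hello!</Tag1>"   # constructed sample payload
    dump = text.encode("cp037")    # what the sending application really wrote
    print(diagnose(dump, dump, 500, text))  # message descriptor claims CCSID 500
    print(diagnose(dump, dump, 37, text))   # descriptor matches the data
    print(diagnose(b"<Tag1>abcdsdfgdfgd</Tag1>", b"<Tag1>bbcdsdfgdfgd</Tag1>",
                   819, "<Tag1>abcdsdfgdfgd</Tag1>"))
```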
ashu |
Posted: Mon Dec 17, 2007 2:23 am Post subject: |
|
|
 Centurion
Joined: 11 Nov 2006 Posts: 132
|
I suppose MQ does support some conversion of data... for example if applications belong to different languages and hence are supporting different character sets... like sending String data from Java to C. If not, then that could be a possible reason for the data getting manipulated... MQ never tampers with the data _________________ Ashu
"It is simple to be Happy but difficult to be Simple" |
|
Vitor |
Posted: Mon Dec 17, 2007 2:29 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
ashu wrote: |
I suppose MQ does support some conversion of data... |
This is one of the reasons it's best to use get-with-convert rather than channel convert. The message (until read by the application) sits on the target queue in all its original glory. _________________ Honesty is the best policy.
Insanity is the best defence. |
|