Author |
Message
|
arnabkundu |
Posted: Wed Sep 26, 2001 2:53 am Post subject: |
|
|
Newbie
Joined: 25 Sep 2001 Posts: 3
|
We plan to use IBM MQ series between IBM Mainframe and Sun Solaris, with TCP/IP protocol. For this environment -
Does MQ Series offer any Network Security?
Does it ensure that only an authorized client can send a request and that the response goes only to the authorized client?
Does it provide any protection against hacking?
[ This Message was edited by: arnabkundu on 2001-09-26 03:53 ] |
kolban |
Posted: Wed Sep 26, 2001 5:12 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2001 Posts: 1072 Location: Fort Worth, TX, USA
|
This is a pretty big and open question. There has been much written of this in the manuals. Suggest that you review the Administration Guide and the Intersystem Communication Guide. The index will help, use words like security.
In short summary, MQSeries provides the infrastructure for network based security including the hooks for data encryption, peer-authentication and queue access authorization. In all these cases, MQSeries exposes "User Exits" into which code may be hooked to perform these tasks. In some cases, IBM supplies fully usable examples, in others they are left to the end-user to develop or purchase from 3rd parties. A number of IBM redbooks also exist on this subject which include fully workable solutions. |
bduncan |
Posted: Wed Sep 26, 2001 10:13 am Post subject: |
|
|
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
|
Here is the link to the IBM redbook that covers MQSeries channel encryption:
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/SG245306.html?Open
Also, if you look in the code repository on this site, you will find the source code from that redbook along with the necessary RSA library files. I have compiled and tested this channel exit with success, so if you have any problems with it just let me know...
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
pmane |
Posted: Wed Oct 17, 2001 11:33 pm Post subject: |
|
|
Acolyte
Joined: 17 Oct 2001 Posts: 50
|
I have a similar question, not on security but on user authentication. Is it possible to use some kind of authentication? I have gone through the DCE documentation. I want to use it on Solaris. Can someone let me know simple steps to use this? Which encryption will DES use? Also, what I understand is this is just a server-to-server authentication. Can I have a login user ID and password authentication? If yes, then can I establish a session with the customer till he logs out? Is it possible to do this in MQ or should I code this in my MQ application logic? |
ussm120 |
Posted: Thu Nov 01, 2001 5:00 am Post subject: |
|
|
Newbie
Joined: 28 Oct 2001 Posts: 9
|
Hi,
We have performance problems due to channel exits and now we start a project to investigate Policy Director for MQ and MQSecure!
Mohammed
bduncan |
Posted: Thu Nov 01, 2001 11:09 am Post subject: |
|
|
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
|
Mohammed,
I'm not sure if you'll find any performance gains with either of those products, because in the end, they are just channel-exits as well.
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
Tibor |
Posted: Sat Nov 03, 2001 11:44 am Post subject: |
|
|
 Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
|
Quote: |
On 2001-11-01 11:09, bduncan wrote:
Mohammed,
I'm not sure if you'll find any performance gains with either of those products, because in the end, they are just channel-exits as well.
|
False answer... These products offer application level security solutions. They change standard mq libs, that's why its performance may be better.
bduncan |
Posted: Mon Nov 05, 2001 10:38 am Post subject: |
|
|
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
|
But Tibor, with a product like MQSecure, in most applications it is unnecessary to use their application level API. It's not often that one would want to encrypt part of the data in a particular message, but leave the rest as clear-text. Usually it's all or nothing. And in such cases it's still behaving as a library or DLL being called by the queue manager during the exit process, which as far as I know, is exactly what the redbooks' exit does...
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
EddieA |
Posted: Mon Nov 05, 2001 11:26 am Post subject: |
|
|
 Jedi
Joined: 28 Jun 2001 Posts: 2453 Location: Los Angeles
|
Hey Brandon,
The question about using the API vs Channels exits is not usually an 'all or nothing' question.
With the Channel exits, you are only protecting the data whilst it's in transit from one QM to another. The messages are still in clear text on both the sending and receiving QMs.
With the APIs, the messages are encoded from application to application. That way, it's impossible to 'snoop' on them while they're sitting on a queue. This is important to some customers.
Cheers.
_________________ Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |
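
The distinction drawn in the post above, as an added example that is not part of the original thread or of any MQSeries product: a simulation that traces one message from application to application and reports where its clear text is readable under channel-exit protection versus application-level protection. The function names, the sample message and the stdlib-only stand-in cipher are assumptions for illustration; the cipher is not the one the redbook exit or any product uses.

```python
import hashlib, hmac, os

def _subkeys(key):
    # Separate encryption and MAC keys derived from one shared secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC from stdlib parts (stand-in cipher, illustration only)."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def deliver(message, channel_key=None, app_key=None):
    """Trace one message from application to application; return what is
    readable at each point along the way."""
    seen = {}
    body = seal(app_key, message) if app_key else message      # application-level API
    seen["sender_queue"] = body                                 # at rest on sending QM
    wire = seal(channel_key, body) if channel_key else body     # channel exit, send side
    seen["network"] = wire
    body = unseal(channel_key, wire) if channel_key else wire   # channel exit, receive side
    seen["receiver_queue"] = body                               # at rest on receiving QM
    seen["delivered"] = unseal(app_key, body) if app_key else body
    return seen

def exposed_points(message, seen):
    """Points where the clear-text message can be read by an observer."""
    return sorted(p for p in ("sender_queue", "network", "receiver_queue")
                  if message in seen[p])

MSG = b"ACCT=0001;AMOUNT=100.00"   # constructed sample message
CHANNEL_KEY, APP_KEY = os.urandom(32), os.urandom(32)

if __name__ == "__main__":
    for label, kw in (("no protection", {}),
                      ("channel exit only", {"channel_key": CHANNEL_KEY}),
                      ("application level", {"app_key": APP_KEY})):
        print(label, "->", exposed_points(MSG, deliver(MSG, **kw)))
```

With only the channel key set, the message is hidden on the network but still readable on both queues; with only the application key set, it is readable nowhere between the two applications.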
bduncan |
Posted: Mon Nov 05, 2001 11:56 am Post subject: |
|
|
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
|
Yes, I agree. I was only referring to the APIs as they apply to the messages when they are actually travelling over the network; as far as security on the queues themselves, if you are encrypting and decrypting on the application level, then there really isn't a need for a channel exit to handle encryption, though you may still want one for authentication purposes. But most clients are content with the user-level security that MQSeries provides to keep people from snooping the queues themselves. And file-system permissions can preclude people from viewing the "q" files themselves - at least on unix...
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
Tibor |
Posted: Mon Nov 05, 2001 6:03 pm Post subject: |
|
|
 Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
|
My post was written about security level, not performance (remember the keyword: 'may be').