ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportMQSeries Security

Post new topicReply to topic
MQSeries Security View previous topic :: View next topic
Author Message
arnabkundu
PostPosted: Wed Sep 26, 2001 2:53 am Post subject: Reply with quote

Newbie

Joined: 25 Sep 2001
Posts: 3

We plan to use IBM MQ series between IBM Mainframe and Sun Solaris, with TCP/IP protocol. For this environment -
Does MQ Series offer any Network Security?
Does it ensure that only authorized client can send request and response goes only to the authorized client?
Does it provide any protection against hacking?

[ This Message was edited by: arnabkundu on 2001-09-26 03:53 ]
Back to top
View user's profile Send private message
kolban
PostPosted: Wed Sep 26, 2001 5:12 am Post subject: Reply with quote

Grand Master

Joined: 22 May 2001
Posts: 1072
Location: Fort Worth, TX, USA

This is a pretty big and open question. There has been much written of this in the manuals. Suggest that you review the Administration Guide and the Intersystem Communication Guide. The index will help, use words like security.

In short summary, MQSeries provides the infrastructure for network based security including the hooks for data encryption, peer-authentication and queue access authorization. In all these cases, MQSeries exposes "User Exits" into which code may be hooked to perform these tasks. In some cases, IBM supplies fully usable examples, in others they are left to the end-user to develop or purchase from 3rd parties. A number of IBM redbooks also exist on this subject which include fully workable solutions.
Back to top
View user's profile Send private message
bduncan
PostPosted: Wed Sep 26, 2001 10:13 am Post subject: Reply with quote

Padawan

Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley

Here is the link to the IBM redbook that covers MQSeries channel encryption:
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/SG245306.html?Open

Also, if you look in the code repository on this site, you will find the source code from that redbook along with the necessary RSA library files. I have compiled and tested this channel exit with success, so if you have any problems with it just let me know...


_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Back to top
View user's profile Send private message Visit poster's website AIM Address
pmane
PostPosted: Wed Oct 17, 2001 11:33 pm Post subject: Reply with quote

Acolyte

Joined: 17 Oct 2001
Posts: 50

I have a similer question but not on security but on user authentication . Is it possible to use some kind of authentication ? I have gone through the DCE documentation. I want to use it on Solaris. Can some one let me know simple steps to use this . Which encryption will DES use ? Also what I understand is this is just a server to server authentication . Can I have a login user ID and password authentication ? If yes then can I establish a session with the customer till he logs out . Is is possible to do this in MQ or I should code this in my MQ application logic ?
Back to top
View user's profile Send private message
ussm120
PostPosted: Thu Nov 01, 2001 5:00 am Post subject: Reply with quote

Newbie

Joined: 28 Oct 2001
Posts: 9

Hi,

We have performance problems due to channel exits and now we start a project to investigate Policy Director for MQ and MQSecure!

Mohammed
Back to top
View user's profile Send private message
bduncan
PostPosted: Thu Nov 01, 2001 11:09 am Post subject: Reply with quote

Padawan

Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley

Mohammed,
I'm not sure if you'll find any performance gains with either of those products, because in the end, they are just channel-exits as well.


_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Back to top
View user's profile Send private message Visit poster's website AIM Address
Tibor
PostPosted: Sat Nov 03, 2001 11:44 am Post subject: Reply with quote

Grand Master

Joined: 20 May 2001
Posts: 1033
Location: Hungary

Quote:

On 2001-11-01 11:09, bduncan wrote:
Mohammed,
I'm not sure if you'll find any performance gains with either of those products, because in the end, they are just channel-exits as well.


False answer... These products offer application level security solutions. They change standard mq libs, that's why its performance may be better.
Back to top
View user's profile Send private message
bduncan
PostPosted: Mon Nov 05, 2001 10:38 am Post subject: Reply with quote

Padawan

Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley

But Tibor, with a product like MQSecure, in most applications it is unnecessary to use their application level API. It's not often that one would want to encrypt part of the data in a particular message, but leave the rest as clear-text. Usually it's all or nothing. And in such cases it's still behaving as a library or DLL being called by the queue manager during the exit process, which as far as I know, is exactly what the redbooks' exit does...


_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Back to top
View user's profile Send private message Visit poster's website AIM Address
EddieA
PostPosted: Mon Nov 05, 2001 11:26 am Post subject: Reply with quote

Jedi

Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles

Hey Brandon,

The question about using the API vs Channels exits is not usually an 'all or nothing' question.

With the Channel exits, you are only protecting the data whilst it's in transit from one QM to another. The messages are still in clear text on both the sending and receiving QMs.

With the APIs, the messages are encoded from application to application. That way, it's impossible to 'snoop' on them while they're sitting on a queue. This is important to some customers.

Cheers.

_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0
Back to top
View user's profile Send private message
bduncan
PostPosted: Mon Nov 05, 2001 11:56 am Post subject: Reply with quote

Padawan

Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley

Yes, I agree. I was only referring to the APIs as the apply to the messages when they are actually travelling over the network; as far as security on the queues themselves, if you are encrypting and decrypting on the application level, then there really isn't a need for a channel exit to handle encryption, though you may still want one for authentication purposes. But most clients are content with the user-level security that MQSeries provides to keep people from snooping the queues themselves. And file-system permissions can preclude people from viewing the "q" files themselves - at least on unix...


_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Back to top
View user's profile Send private message Visit poster's website AIM Address
Tibor
PostPosted: Mon Nov 05, 2001 6:03 pm Post subject: Reply with quote

Grand Master

Joined: 20 May 2001
Posts: 1033
Location: Hungary

My post written about security level not performance (remember the keyword: 'may be').
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportMQSeries Security
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.