MQ AMS and encryption
rickwatsonb (Voyager; Joined: 15 Aug 2006; Posts: 87; Location: USA: Mid-West)
Posted: Mon Jun 16, 2014 12:50 pm Post subject: MQ AMS and encryption
Hi,
For me, there is still some confusion regarding MQ AMS Client message encryption and whether or not the channel has SSL.
If a JMS Client has an MQ AMS Client and security policies applied on the MQ Server, but no SSL on the channel, will the encryption algorithm be applied on the MQ AMS Client and thus the message will go across the channel encrypted?
Is it also true that if there was SSL on the channel, and an MQ AMS Client existed and security policies were in place, that the message would be encrypted twice (encryption of an encryption)?
Thanks for your time.
PaulClarke (Grand Master; Joined: 17 Nov 2005; Posts: 1002; Location: New Zealand)
Posted: Mon Jun 16, 2014 1:53 pm Post subject:
Yes, the encryption done by the channels and that done by AMS are not connected. So, using an SSL channel with AMS will result in a double encryption. However, the encryption is being done at different times and for different reasons so it's not hard to realise why it happens this way. If you really wanted to avoid it you could, potentially, have two channels - one for secure traffic and one for non-secure traffic. I guess it is up to each installation as to how secure they want/need to make their system.
Cheers,
Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
mvic (Jedi; Joined: 09 Mar 2004; Posts: 2080)
Posted: Mon Jun 16, 2014 3:02 pm Post subject:

PaulClarke wrote:
> Yes, the encryption done by the channels and that done by AMS are not connected. So, using an SSL channel with AMS will result in a double encryption.
True for some (most?) setups, though not all. Specifically, not true when using the "Message Channel Agent (MCA) interception" facility.
http://www-01.ibm.com/support/knowledgecenter/api/content/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q014780_.htm
"MCA interception allows clients that remain outside WebSphere MQ AMS to still be connected to a queue manager and their messages to be encrypted and decrypted."

hughson (Padawan; Joined: 09 May 2013; Posts: 1959; Location: Bay of Plenty, New Zealand)
Posted: Tue Jun 17, 2014 10:12 am Post subject:
To be completely accurate, even when you use MCA Interception there are still two lots of encryption going on.
With 'normal' AMS combined with SSL/TLS it goes like this:-
- Client message is encrypted by AMS as part of the MQPUT inside the client process
- Client channel uses SSL/TLS to send message as 1 or more encrypted transmissions
- Server-conn channel uses SSL/TLS to decrypt encrypted transmissions and recreate the message to be put to the queue - the message data is still AMS encrypted
- Authorized recipient does MQGET of message and AMS decrypts the message inside the process of the getting application
With MCA Intercepted AMS combined with SSL/TLS it goes like this:-
- Client channel uses SSL/TLS to send message as 1 or more encrypted transmissions
- Server-conn channel uses SSL/TLS to decrypt encrypted transmissions and recreate the message to be put to the queue
- As part of the MQPUT done by the server-conn channel AMS encrypts the message.
- Authorized recipient does MQGET of message and AMS decrypts the message inside the process of the getting application
So in both cases there are two different encryption steps going on: in the first they are nested, so you are encrypting some data that was already encrypted, and in the second they are serial, so you have a time where the message is in the clear (in memory) at the queue manager.
There are of course good reasons why you might choose to do the first and be using both encryptions at once:-
- You are putting some messages to AMS protected queues and some messages to non AMS protected queues, so you still need SSL/TLS encryption for the non encrypted queues
- Data other than message data flows over a client channel, as it is actually sending/receiving flattened API calls, so you may wish to encrypt your queue names or open options or alternate user IDs etc. AMS does not protect these things.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
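The two sequences Morag lays out above, nested (AMS in the client's MQPUT) versus serial (AMS in the SVRCONN's MQPUT under MCA interception), as an added Python model that is not code from this thread or from IBM MQ. The cipher is a constructed toy standing in for both TLS and AMS, and the keys, nonces and the `AMS:` marker are assumptions; the point of the model is the `cleartext_at_qmgr` check, which shows where plaintext exists in queue-manager memory in each design.

```python
import hashlib
from dataclasses import dataclass

# Toy counter-mode stream cipher built from SHA-256 (constructed for this model;
# it stands in for both the TLS record encryption and the AMS policy encryption).
def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

# Assumed keys and nonces (constructed, fixed so the model is deterministic).
TLS_KEY, TLS_NONCE = b"channel-session-key", b"tls-nonce"
AMS_KEY, AMS_NONCE = b"policy-recipient-key", b"ams-nonce"
AMS_MARKER = b"AMS:"  # constructed marker meaning "AMS-protected payload"

def tls_wrap(data: bytes) -> bytes: return toy_xor(TLS_KEY, TLS_NONCE, data)
def tls_unwrap(wire: bytes) -> bytes: return toy_xor(TLS_KEY, TLS_NONCE, wire)
def ams_protect(msg: bytes) -> bytes: return AMS_MARKER + toy_xor(AMS_KEY, AMS_NONCE, msg)
def ams_unprotect(payload: bytes) -> bytes:
    assert payload.startswith(AMS_MARKER), "not an AMS-protected message"
    return toy_xor(AMS_KEY, AMS_NONCE, payload[len(AMS_MARKER):])

@dataclass
class Trace:
    on_wire: bytes    # what the client channel transmits
    at_qmgr: bytes    # what the SVRCONN holds in memory after TLS decryption
    on_queue: bytes   # what lands on the queue
    at_getter: bytes  # what the authorized MQGET application receives

def client_ams_with_tls(msg: bytes) -> Trace:
    """Normal AMS: AMS runs in the client's MQPUT, so TLS wraps ciphertext (nested)."""
    protected = ams_protect(msg)
    wire = tls_wrap(protected)
    at_qmgr = tls_unwrap(wire)  # still AMS ciphertext at this point
    return Trace(wire, at_qmgr, at_qmgr, ams_unprotect(at_qmgr))

def mca_intercept_with_tls(msg: bytes) -> Trace:
    """MCA interception: AMS runs in the SVRCONN's MQPUT, after TLS decryption (serial)."""
    wire = tls_wrap(msg)
    at_qmgr = tls_unwrap(wire)  # plaintext in queue-manager memory here
    on_queue = ams_protect(at_qmgr)
    return Trace(wire, at_qmgr, on_queue, ams_unprotect(on_queue))

def cleartext_at_qmgr(trace: Trace, msg: bytes) -> bool:
    """Does the queue manager ever hold the unprotected message in memory?"""
    return trace.at_qmgr == msg
```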