how to access broker jks store without knowing the password
lium
Posted: Thu Jul 17, 2014 7:43 am    Post subject: how to access broker jks store without knowing the password
Disciple, joined 17 Jul 2002, 184 posts
As everybody knows, the broker has the jks keystore at the broker level.
We want to implement our encryption/decryption with RSA. So we can use the public key to encrypt the message, and decrypt the message securely when we want to log the message to the queue or database (the message might include confidential content and we want it to be encrypted even if he has access to the queue or table).
We intend to use Java security to encrypt/decrypt rather than the ia9w support pack. So we need to open the jks keystore to load the certificate. However, we don't want to know about the keystore password in the message flow.
For message broker, the keystore password can be set through mqsisetdbparms, so I am wondering if we can invoke a message broker API to access the keystore. If yes, do you know what Java object I should use for this purpose?
Thanks,
fjb_saper
Posted: Thu Jul 17, 2014 9:15 am
Grand High Poobah, joined 18 Nov 2003, 20756 posts, location LI,NY
Color me blind, but there is something that I am not getting in your scenario!
If you are talking about messages in flight there is not much that you would need to do... but set the security policies so that the messages travel on https secured connections... wsse and SOAP will round this up.
If you are talking about messages at rest on a queue, MQ AMS will gladly take care of this for you...
Can you be more specific about what you are trying to do?
-- MQ & Broker admin
lium
Posted: Thu Jul 17, 2014 9:25 am
Disciple, joined 17 Jul 2002, 184 posts
This is not for transport.
Advanced Message Security (AMS) needs an extra license and management, which is not that good.
AMS only solves the queue logging. We need a consistent solution for both the MQ queue and the database table.
In case of exception, the original message will be stored, for example, into a database table. We want to encrypt that before it is inserted.
fjb_saper
Posted: Thu Jul 17, 2014 9:30 am
Grand High Poobah, joined 18 Nov 2003, 20756 posts, location LI,NY
lium wrote:
> This is not for transport.
> Advanced Message Security (AMS) needs an extra license and management, which is not that good.
> AMS only solves the queue logging. We need a consistent solution for both the MQ queue and the database table.
> In case of exception, the original message will be stored, for example, into a database table. We want to encrypt that before it is inserted.
Typically that second part (DB insert and retrieval) is a DB solution driven by the user name used to access the data. So the broker would have nothing to do and the data would be in the DB in encrypted format...
Changing the encryption key every so often (PCI reqs) will however make the DB unavailable for some time, unless there is a careful design taking into account the need for changing the keys and the data.
Have fun
-- MQ & Broker admin
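Added example, not code from either poster or from IBM: the scheme lium describes (encrypt before logging with a certificate from the broker's JKS, decrypt later with the private key) written against plain JCE, with the key-rotation concern fjb_saper raises handled by the envelope layout. Two points the thread leaves implicit. First, the encrypt side never needs the keystore password: `KeyStore.load(in, null)` on a JKS file skips the integrity check and still returns trusted certificate entries, so the message flow can read the public key with no credential at all; only the private-key entry, read by whatever tool later decrypts the logged row, needs the store and key passwords. Second, RSA cannot encrypt a message longer than its modulus, so the message is encrypted with a fresh AES-256-GCM key and only that 32-byte key is RSA-OAEP wrapped; a key identifier stored in the envelope names which RSA pair wrapped it, so rotating the RSA pair means re-wrapping the small key per row, not re-encrypting the table. Assumptions: Java 8 or later (`java.util.Base64`, `AES/GCM/NoPadding`, OAEP-SHA256 all from the stock JCE; the IBM JDK shipped with the broker should be checked for the same algorithm names), a JKS store on disk, and a key id that contains no `.` character. Path, alias and key-id names are placeholders; the sample message is constructed for the self-test.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hybrid RSA-OAEP / AES-GCM envelope for a message body before it is written to a queue or table. */
public final class MessageEnvelope {
    private static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final String AES = "AES/GCM/NoPadding";
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getEncoder();
    private static final Base64.Decoder DEC = Base64.getDecoder();

    /** Encrypt side: a trusted certificate is readable from a JKS with a null password (the JKS
     *  implementation then skips the store integrity check), so the flow never needs the store password. */
    public static PublicKey loadPublicKey(String jksPath, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) { ks.load(in, null); }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) throw new IllegalArgumentException("no certificate under alias " + alias);
        return cert.getPublicKey();
    }

    /** Decrypt side (the tool that reads the logged message): this one does need the passwords. */
    public static PrivateKey loadPrivateKey(String jksPath, String alias, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) { ks.load(in, storePass); }
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        if (key == null) throw new IllegalArgumentException("no private key under alias " + alias);
        return key;
    }

    /** Envelope layout: keyId.b64(wrappedDek).b64(iv).b64(ciphertext||tag). keyId names the RSA pair. */
    public static String encrypt(PublicKey rsaPub, String keyId, byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        SecretKey dek = kg.generateKey();                    // fresh data-encryption key per message
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.WRAP_MODE, rsaPub);
        byte[] wrapped = rsa.wrap(dek);                      // RSA only ever sees the 32-byte DEK
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(plaintext);
        return keyId + "." + ENC.encodeToString(wrapped) + "." + ENC.encodeToString(iv) + "." + ENC.encodeToString(ct);
    }

    public static byte[] decrypt(PrivateKey rsaPriv, String envelope) throws Exception {
        String[] p = envelope.split("\\.");
        if (p.length != 4) throw new IllegalArgumentException("malformed envelope");
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.UNWRAP_MODE, rsaPriv);
        SecretKey dek = (SecretKey) rsa.unwrap(DEC.decode(p[1]), "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(128, DEC.decode(p[2])));
        return aes.doFinal(DEC.decode(p[3]));                // AEADBadTagException if the row was altered
    }

    /** Key rotation: re-wrap only the DEK under the new pair; the stored ciphertext is untouched. */
    public static String rewrap(PrivateKey oldPriv, PublicKey newPub, String newKeyId, String envelope) throws Exception {
        String[] p = envelope.split("\\.");
        if (p.length != 4) throw new IllegalArgumentException("malformed envelope");
        Cipher unwrap = Cipher.getInstance(RSA);
        unwrap.init(Cipher.UNWRAP_MODE, oldPriv);
        SecretKey dek = (SecretKey) unwrap.unwrap(DEC.decode(p[1]), "AES", Cipher.SECRET_KEY);
        Cipher wrap = Cipher.getInstance(RSA);
        wrap.init(Cipher.WRAP_MODE, newPub);
        return newKeyId + "." + ENC.encodeToString(wrap.wrap(dek)) + "." + p[2] + "." + p[3];
    }

    /** Offline self-test: in-memory key pairs stand in for the two JKS entries (loadPublicKey/loadPrivateKey). */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair k2014 = kpg.generateKeyPair(), k2015 = kpg.generateKeyPair();
        byte[] msg = "<Order><Card>4111111111111111</Card></Order>".getBytes(StandardCharsets.UTF_8); // constructed sample
        String env = encrypt(k2014.getPublic(), "log-2014", msg);
        if (!Arrays.equals(msg, decrypt(k2014.getPrivate(), env))) throw new AssertionError("round trip");
        String rotated = rewrap(k2014.getPrivate(), k2015.getPublic(), "log-2015", env);
        if (!Arrays.equals(msg, decrypt(k2015.getPrivate(), rotated))) throw new AssertionError("rewrap");
        System.out.println("envelope ok: " + env.split("\\.")[0] + " -> " + rotated.split("\\.")[0]);
    }
}
```

In a JavaCompute node the flow would call `loadPublicKey(path, alias)` once and `encrypt(...)` per message; the same envelope string can go to the queue and to the database column, which is the consistency lium asks for. The thread does not name a broker API that hands a flow the password stored with mqsisetdbparms, and with this layout the flow does not need one. Rotation is a one-pass `rewrap` over the stored rows under the old private key, so the table stays readable throughout; rows still carrying the old key id simply continue to decrypt with the old key until they are re-wrapped, which is the design point fjb_saper's PCI remark is getting at.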