pfarrel |
Posted: Thu Jul 31, 2014 5:56 am Post subject: Encryption of Data in-flight
Centurion
Joined: 16 Mar 2004 Posts: 120 Location: Kansas City
I want to encrypt data going in and out of a queue manager (data in flight). Seems pretty simple for queue manager to queue manager connections. I put a cert into each queue manager, specify a cipherspec on the sender and receiver channels. Either exchange public keys, or store a root and issuing cert from one side on the other. That's about it. Not too difficult.

However it appears to be quite a nightmare for SVRCONN channels. It is starting to look like I have to change all my applications so that they provide a cipherspec. Even if I'm not really interested in authentication, I have to do this to get the encryption. It is looking like a huge amount of work, unless I'm missing something. Is there an easier way? What am I missing? All I want to do is encrypt the data in flight. Ideas welcome!
exerk |
Posted: Thu Jul 31, 2014 6:05 am
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
In the case of client connections, I would hazard that there's not much point encrypting unless you've authenticated that the source is a valid one. In regard to "...I have to change all my applications so that they provide a cipherspec...", how do your applications handle their connections? MQCONNX? CCDT?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
pfarrel |
Posted: Thu Jul 31, 2014 6:11 am
Centurion
Joined: 16 Mar 2004 Posts: 120 Location: Kansas City
We are not currently using CCDT. Applications connect over a SVRCONN channel. We have some control over who is connecting by using Channel Authentication. Additional authentication will be introduced at a later time (using v8 features). Right now I want to encrypt transmissions.
Vitor |
Posted: Thu Jul 31, 2014 6:18 am
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
pfarrel wrote:
    Additional authentication will be introduced at a later time (using v8 features). Right now I want to encrypt transmissions.

The reason WMQ is designed to require authentication and encryption is, as my most worthy associate points out, it's a bit pointless encrypting data in flight so the Russian Mafia can't read it if the target of the transmission has not been authenticated and could be the Russian Mafia.

In your scenario I'd be more inclined to ask the network people to encrypt IP traffic between the endpoints rather than encrypt via MQ.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff |
Posted: Thu Jul 31, 2014 6:40 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Vitor wrote:
    In your scenario I'd be more inclined to ask the network people to encrypt IP traffic between the endpoints rather than encrypt via MQ.

I'd be a bit leery of letting the network people put anything in the way of my MQ connections. But I suspect you've actually tried this...

Regardless, it seems a better idea for pfarrel to get a handle on managing MQ client connections and set up procedures, etc.

pfarrel - every MQ client connects using a SVRCONN channel. The question is "where is the definition stored". If the applications are using the MQSERVER environment variable, then you can relatively easily change them to use the MQ environment variables that point to a CCDT, and then create a CCDT that includes the cipherspec.

If the applications are all written using MQCONNX and their own built-in configuration stuff, then you need to get them all to change so they include the cipherspec of your choice.

Remember that every MQ channel has two halves - a sender side and a receiver side. A SVRCONN is the receiver side of a CLNTCONN.
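The two channel halves mqjeff describes, written out as MQSC. This is an added example, not posted by anyone in the thread; the queue manager name QM1, the channel name APP.SVRCONN, the host name, the file paths and the cipherspec TLS_RSA_WITH_AES_128_CBC_SHA256 are illustrative assumptions. It shows the setting that gives pfarrel "just encryption" (SSLCAUTH(OPTIONAL)) next to the later hardening step (SSLCAUTH(REQUIRED) plus SSLPEER), and the matching CLNTCONN definition that populates the CCDT.

```mqsc
* ---- Queue manager side (runmqsc QM1) ----
* Stem of the key repository (key.kdb / key.sth, created with runmqakm).
* It must hold the queue manager's own certificate (labelled
* ibmwebspheremqqm1 on MQ 7.x) and, if clients will ever present
* certificates, the CA chain that signs them. Path is an assumption.
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key')

* Encryption without client authentication: SSLCIPH switches TLS on,
* SSLCAUTH(OPTIONAL) admits a client whether or not it has a certificate.
* The client still authenticates the queue manager's certificate.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(OPTIONAL) REPLACE

* Hardening step for later (the authentication exerk and Vitor insist
* on): require a client certificate and accept only the expected issuer.
* DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
*        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
*        SSLCAUTH(REQUIRED) SSLPEER('O=Example Corp') REPLACE

* Re-read the key repository after it changes; a new SSLCIPH takes
* effect when the channel next starts.
REFRESH SECURITY TYPE(SSL)

* ---- Client side: CLNTCONN entry for the CCDT ----
* Same channel name and an identical SSLCIPH, otherwise the handshake
* is refused. On MQ 7.x this is issued in runmqsc against a queue
* manager, which writes /var/mqm/qmgrs/QM1/@ipcc/AMQCLCHL.TAB.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       CONNAME('qm1.example.com(1414)') QMNAME(QM1) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) REPLACE
```

On each client machine, copy AMQCLCHL.TAB across, set MQCHLLIB to its directory and MQCHLTAB to its file name, and set MQSSLKEYR to the stem of a client key repository that contains at least the CA certificate that signed the queue manager's certificate; with SSLCAUTH(OPTIONAL) the client needs no personal certificate of its own. Unset MQSERVER, because it takes precedence over the CCDT and has no way to carry a cipherspec, which is why mqjeff points at the CCDT in the first place. Applications that build their own MQCD for MQCONNX instead need SSLCipherSpec set in the MQCD and KeyRepository set in the MQSCO.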
 |
Vitor |
Posted: Thu Jul 31, 2014 6:45 am
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
mqjeff wrote:
    Vitor wrote:
        In your scenario I'd be more inclined to ask the network people to encrypt IP traffic between the endpoints rather than encrypt via MQ.
    I'd be a bit leery of letting the network people put anything in the way of my MQ connections. But I suspect you've actually tried this...

I have, and I'm not saying that it doesn't require similar skills to juggling china plates. But after a few false starts it can be done.

mqjeff wrote:
    Regardless, it seems a better idea for pfarrel to get a handle on managing MQ client connections and set up procedures, etc.

This would indeed be a better idea; I was attempting to provide an expedient short term solution.

mqjeff wrote:
    pfarrel - every MQ client connects using a SVRCONN channel. The question is "where is the definition stored". If the applications are using the MQSERVER environment variable, then you can relatively easily change them to use the MQ environment variables that point to a CCDT, and then create a CCDT that includes the cipherspec.

mqjeff wrote:
    If the applications are all written using MQCONNX and their own built-in configuration stuff, then you need to get them all to change so they include the cipherspec of your choice.

Actually determining if this is being done, even by reference to the developers, makes encrypting network traffic seem easy....
exerk |
Posted: Thu Jul 31, 2014 7:14 am
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Vitor wrote:
    mqjeff wrote:
        If the applications are all written using MQCONNX and their own built-in configuration stuff, then you need to get them all to change so they include the cipherspec of your choice.
    Actually determining if this is being done, even by reference to the developers, makes encrypting network traffic seem easy....

How easy it is to confuse hard-won and bitter experience with massive cynicism...
fjb_saper |
Posted: Fri Aug 01, 2014 4:52 am
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Also keep in mind that self-signed certs get old pretty fast, the more of them you need. It will be much easier using a CA-signed cert. This could be an internal CA (no cost). If your company doesn't already have an internal CA, MQ key management can help you set one up.

Have fun
_________________
MQ & Broker admin
RogerLacroix |
Posted: Tue Aug 12, 2014 3:00 pm
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada