| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| MQ 7.5 Encryption of Messages on Channels |
« View previous topic :: View next topic » |
| Author |
Message
|
| gpklos |
 Posted: Thu Apr 30, 2015 10:56 am Post subject: MQ 7.5 Encryption of Messages on Channels |
 |
|
Centurion
Joined: 24 May 2002
Posts: 108
|
I have a few questions related to SSL. We are looking to encrypt our MQ message data when it flows over channels within our corporate network. I know MQ supports SSL, but I have some questions about it. We mainly use clients which connect to Windows and z/OS queue managers. We also have queue manager to queue manager connectivity.
1. Can I encrypt data going across channels just using the facilities that come with MQ? (NOT Advanced Message Security).
a. I'm pretty sure that can be done, but can it be done so that NO changes are required on the Applications side?
2. I know that Advanced Message Security allows you to do the encryption, etc, but what is the advantage of using AMS, if MQ is already able to support the SSL and encryption?
Thanks in advance.
Gary |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Thu Apr 30, 2015 11:10 am Post subject: Re: MQ 7.5 Encryption of Messages on Channels |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9396
Location: US: west coast, almost. Otherwise, enroute.
|
| gpklos wrote: |
I have a few questions related to SSL. We are looking to encrypt our MQ message data when it flows over channels within our corporate network. I know MQ supports SSL, but I have some questions about it. We mainly use clients which connect to Windows and z/OS queue managers. We also have queue manager to queue manager connectivity.
1. Can I encrypt data going across channels just using the facilities that come with MQ? (NOT Advanced Message Security).
a. I'm pretty sure that can be done, but can it be done so that NO changes are required on the Applications side? |
No application changes are required. MQ changes at both ends of the channel are required.
| gpklos wrote: |
2. I know that Advanced Message Security allows you to do the encryption, etc, but what is the advantage of using AMS, if MQ is already able to support the SSL and encryption?
Thanks in advance.
Gary |
MQ uses SSL/TLS to encrypt messages flowing across channels. AMS encrypts messages at rest in MQ queues.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Apr 30, 2015 12:30 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
MQ SSL can be configured on MQ channels (qmgr - qmgr) without change to application
MQ SSL can be configured on MQI channels (client - qmgr) by setting appropriate environment config.
If your applications are using MQCONNX, they will have to change. |
|
| Back to top |
|
|
| gpklos |
| Posted: Fri May 01, 2015 3:21 am Post subject: |
|
|
Centurion
Joined: 24 May 2002
Posts: 108
|
So if I understand correctly, which I think I do, any application which is using the MQ client to connect to a queue manager, will either make environment variable changes, etc or if using MQCONNX, then they will have to make program changes?
Now from what you have said AMS encrypts messages while they sit on the queues. Again we still don't need that, but if we did buy AMS, would that make the encryption on the channels any easier (ie. No application changes at all for client to queue manager)?
Thanks,
Gary |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Fri May 01, 2015 4:09 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
AMS is for end to end encryption.
you could even send an encrypted message over an SSL/TLS secured channel!
AMS (AFAIK) works totally independently to any other encryption you may be using in your environment including channels.
Therefore my guess is that using AMS would not make implementing Channel encryption any easier BUT it would present you with a whole raft of other problems.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri May 01, 2015 4:42 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| gpklos wrote: |
| So if I understand correctly, which I think I do, any application which is using the MQ client to connect to a queue manager, will either make environment variable changes, etc or if using MQCONNX, then they will have to make program changes? |
If the client connection is defined using the MQSERVER environment variable then it will need to be replaced with a CLNTCONN (TAB file) as the environment variable doesn't support SSL parameters, but this will be transparent to the application. If the application is making an MQCONNX call then by design they've elected to define the client connection within the application rather than letting the administrator do it. So any change to the channel parameters (be it SSL details or a port number change) require a code change and that's just the outcome of their design decision.
| gpklos wrote: |
| Now from what you have said AMS encrypts messages while they sit on the queues. Again we still don't need that, but if we did buy AMS, would that make the encryption on the channels any easier (ie. No application changes at all for client to queue manager)? |
Doesn't have any impact on channel SSL at all, except that AMS requires SSL channel security to be in place so it can authenticate who's trying to read / write the encrypted messages on the queue. But the SSL channel security it requires is the one out of the base product.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| gpklos |
| Posted: Fri May 01, 2015 11:00 am Post subject: |
|
|
Centurion
Joined: 24 May 2002
Posts: 108
|
Thanks for the quick replies. I think I understand things better now and know how to proceed.
Thanks!
Gary |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
