MQSeries.net » IBM MQ Security

where is AMS needed for IBM MQ?
MQMB&WAS (Centurion; Joined: 12 Jun 2016; Posts: 130)
Posted: Wed Oct 25, 2017 6:58 am    Post subject: where is AMS needed for IBM MQ?

Hi Guys,
I have this scenario: my Java app connects and puts messages to a local qmgr A, the messages are then routed to a qmgr B on mainframe, and from B messages are routed to a Vendor qmgr C.

Now the Vendor wants to use AMS for encryption and is planning to enable AMS on qmgr C.
Now, from my side, do I need to enable AMS on both the qmgrs A and B, or on just the qmgr A? Appreciate your help.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Oct 25, 2017 7:14 am    Post subject: Re: where is AMS needed for IBM MQ?

MQMB&WAS wrote:
Now, from my side, do I need to enable AMS on both the qmgrs A and B? or on just the qmgr A?

It depends a lot on why the vendor is switching to AMS. You'll certainly need it on A and on B if the vendor is concerned about secured messages sitting unprotected on an xmitq.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20696; Location: LI, NY)
Posted: Wed Oct 25, 2017 7:24 am    Post subject: Re: where is AMS needed for IBM MQ?

Vitor wrote:
MQMB&WAS wrote:
Now, from my side, do I need to enable AMS on both the qmgrs A and B? or on just the qmgr A?

It depends a lot on why the vendor is switching to AMS. You'll certainly need it on A and on B if the vendor is concerned about secured messages sitting unprotected on an xmitq.

Define "sitting unprotected on the xmitq"... They'd still be encrypted, yes?
_________________
MQ & Broker admin
MQMB&WAS (Centurion; Joined: 12 Jun 2016; Posts: 130)
Posted: Wed Oct 25, 2017 7:31 am    Post subject: Re: where is AMS needed for IBM MQ?

Vitor wrote:
MQMB&WAS wrote:
Now, from my side, do I need to enable AMS on both the qmgrs A and B? or on just the qmgr A?

It depends a lot on why the vendor is switching to AMS. You'll certainly need it on A and on B if the vendor is concerned about secured messages sitting unprotected on an xmitq.

What if I just have MQ Client instead of Server at A? Would I need AMS at B?
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Oct 25, 2017 10:13 am    Post subject: Re: where is AMS needed for IBM MQ?

fjb_saper wrote:
Vitor wrote:
MQMB&WAS wrote:
Now, from my side, do I need to enable AMS on both the qmgrs A and B? or on just the qmgr A?

It depends a lot on why the vendor is switching to AMS. You'll certainly need it on A and on B if the vendor is concerned about secured messages sitting unprotected on an xmitq.

Define sitting unprotected on the xmitq... They'd still be encrypted yes?

It's my understanding that the messages sitting on the queue are decrypted when they're read off by the sender MCA, the same way they're decrypted by any other application. That's why the receiver in any AMS setup doesn't need access to the PKI of the sender.
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Oct 25, 2017 10:17 am    Post subject: Re: where is AMS needed for IBM MQ?

MQMB&WAS wrote:
Vitor wrote:
MQMB&WAS wrote:
Now, from my side, do I need to enable AMS on both the qmgrs A and B? or on just the qmgr A?

It depends a lot on why the vendor is switching to AMS. You'll certainly need it on A and on B if the vendor is concerned about secured messages sitting unprotected on an xmitq.

What if I just have MQ Client instead of Server at A? would I need AMS at B?

What's the difference between an application with a bindings connection putting to a remote queue on A that routes to C via B, and an application that's cliented directly onto B? They're still going to sit in the xmitq at B waiting to go to C.

Like I said, it all depends on why the vendor wants AMS. If they want the messages encrypted at rest because they sit in the queue for an unacceptable period of time, they may be OK with the operational risk of them whizzing through an xmitq. If they want AMS because they want the messages digitally signed at the sender and tamper-proof, that's another thing entirely.

Speak to the vendor.
_________________
Honesty is the best policy.
Insanity is the best defence.
MQMB&WAS (Centurion; Joined: 12 Jun 2016; Posts: 130)
Posted: Wed Oct 25, 2017 10:20 am


The application can just connect to qmgr C in client bindings and put messages, I guess. And qmgr C could encrypt the messages as it receives them?
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Oct 25, 2017 10:26 am


MQMB&WAS wrote:
Application can just connect to the qmgr C in client bindings and put messages I guess. And the qmgr C could encrypt the messages as it receives?

All my responses were in the light of the topology you described:

MQMB&WAS wrote:
puts messages to a local qmgr A, the messages are then routed to a qmgr B on mainframe and from B messages are routed to a Vendor qmgr C.

If C is now the only queue manager in use (with your app cliented onto it and the vendor application connected in whatever way it's connected) then obviously that's the only place you need to install AMS, and indeed the only place AMS would have any impact. If no application is using A, it doesn't need AMS, or even need to be running.

_________________
Honesty is the best policy.
Insanity is the best defence.
MQMB&WAS (Centurion; Joined: 12 Jun 2016; Posts: 130)
Posted: Thu Oct 26, 2017 10:17 am


Vitor wrote:
MQMB&WAS wrote:
Application can just connect to the qmgr C in client bindings and put messages I guess. And the qmgr C could encrypt the messages as it receives?

All my responses were in the light of the topology you described:

MQMB&WAS wrote:
puts messages to a local qmgr A, the messages are then routed to a qmgr B on mainframe and from B messages are routed to a Vendor qmgr C.

If C is now the only queue manager in use (with your app cliented onto it and the vendor application connected in whatever way it's connected) then obviously that's the only place you need to install AMS, and indeed the only place AMS would have any impact. If no application is using A, it doesn't need AMS or need even to be running......

Thanks for your time, Vitor.
I was reading some docs online and came across the term "MQ AMS CLIENT"; I'd never heard of this before. Is this entirely different from the "MQ Client" package that comes with the IBM MQ download?
Can I use this MQ AMS Client in my scenario? I couldn't find any IBM documentation on this. Appreciate your help.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20696; Location: LI, NY)
Posted: Thu Oct 26, 2017 10:26 am


I'd expect the MQ AMS Client to be a standard MQ Client with a specific keystore and truststore, containing the required certificates to successfully complete the AMS connection... Should be easy enough to try and verify...
_________________
MQ & Broker admin
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Thu Oct 26, 2017 11:04 am


fjb_saper wrote:
I'd expect the MQ AMS Client to be a standard MQ Client with a specific keystore and truststore, containing the required certificates to successfully complete the AMS connection

It has specific code for signing and encrypting messages. If all you want is an encrypted channel, the standard client does that.
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Thu Oct 26, 2017 11:10 am


MQMB&WAS wrote:
I was reading some docs online and came across the term "MQ AMS CLIENT", never heard of this before. Is this entirely different to the "MQ Clent" package that comes with IBM MQ download.

See my response to my worthy associate.

MQMB&WAS wrote:
Can I use this MQ AMS Client in my scenario

Depends if you need it. Again, this is entirely dependent on what this vendor of yours wants.

IMHO, if they want you to be using AMS then they should be providing a lot more requirements and assistance than they are. AMS is not straightforward, and a bunch of random, unaccountable strangers on the Internet (one of whom is me) is not the best place to get advice.

Especially if the setup is going to be audited for any reason. Answering the question "is this solution secured according to best industry practice" with "well, this guy called Vitor on the Internet said this was fine" tends not to end well.

It's worse if they know me.
_________________
Honesty is the best policy.
Insanity is the best defence.
MQMB&WAS (Centurion; Joined: 12 Jun 2016; Posts: 130)
Posted: Thu Oct 26, 2017 11:42 am


Vitor wrote:
MQMB&WAS wrote:
Can I use this MQ AMS Client in my scenario

I meant to ask where this fits in my scenario.
Looks like it can encrypt the messages on its own. So, does it work if I put it in front of qmgr A?

AMS Client (to encrypt the msgs) -- then puts to qmgr A -- qmgr B -- Vendor qmgr C (AMS installed here).
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Thu Oct 26, 2017 12:22 pm


MQMB&WAS wrote:
Looks like it can encrypt the messages on its own. so, does it work if I put it in front of qmgr A?

The sender MCA on A and the receiver MCA on B wouldn't be able to decrypt the messages, which they need to do in order to insert xmit headers. Likewise on the hop from B to C. If this is what the vendor is expecting.

Stop randomly researching AMS and speak to the vendor. As I hope I've illustrated, there are a number of possible configurations here and at least 2 distinct implementations depending on the level of message security / integrity required. You are in serious danger of going down a rabbit hole with this, as well as spending a lot of money you don't need to.

Or get a consultant in with experience of message security, independently or (here's an idea) from the vendor. I repeat: AMS is not an easy thing, and even having decided where you're going to use it, it's not as simple as setting AMS_ENABLED=Y in the qm.ini. There are a number of moving parts and it's remarkably easy to get it to not work. One common gotcha (following my point above) is having a perfectly sensible configuration that looks great but doesn't allow the intermediate MCAs to transfer messages. Fixing that can keep you quiet for hours.
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Thu Oct 26, 2017 12:35 pm


Questions to ask your vendor (because I'm a nice guy):

    What are the business requirements driving the use of AMS? Why doesn't normal MQ security and message protection suffice?
    Which components on C will have AMS enabled?
    Who's paying the extra costs for AMS components on A, B and the app client?
    Who's on the hook for ensuring the PKI between the various components lines up?
    What's the triage route for problems?
    If MQ v9, what level of AMS are we using?

_________________
Honesty is the best policy.
Insanity is the best defence.