varunv |
Posted: Tue Oct 01, 2019 6:20 pm Post subject: IBM MQTT Security approach |
|
|
Novice
Joined: 04 Feb 2009 Posts: 16
|
Hi,
We have a requirement where the external applications (IoT applications) will connect to the IBM MQTT QMGR using a web UI and do messaging with dynamic subscripts. It will subscribe to IoT events.
The external application communicates with the internal MQTT qmgr through a DMZ server. Since it is a web application and they have 30,000 to 40,000 connections, we wonder if SSL will work here! Can you guys share your ideas on the best approach for MQTT security?
Appreciate your quick help here. |
|
HubertKleinmanns |
Posted: Tue Oct 01, 2019 11:42 pm Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
Hello,
I guess, SSL will work, but may be very slow.
According to this https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q003050_.htm you need lots of memory and many file descriptors. In addition, for the SSL handshake I would expect that you need some CPUs.
I suggest to run some performance tests to get a useful answer, because this depends on your specific hardware.
Do you have a crypto processor on board? This should speed up the SSL handshake.
_________________
Regards
Hubert |
|
varunv |
Posted: Wed Oct 02, 2019 6:25 am Post subject: |
|
|
Novice
Joined: 04 Feb 2009 Posts: 16
|
Hubert,
Thank you for your reply. As there are a huge number of applications and web applications interacting with the MQTT qmgr, the SSL needs many certificates to authenticate with all external parties to internal applications. So we are looking for whether there is any other approach to MQTT security for our situation.
Appreciate any thoughts on it.
Thanks
Varun |
|
HubertKleinmanns |
Posted: Wed Oct 02, 2019 6:48 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
varunv wrote: |
the SSL needs many certificates to authenticate with all external parties to internal applications |
I don't understand this. Are you working with self-signed certificates? Then indeed you have to exchange lots of certificates.
But when you use a PKI (Public Key Infrastructure) then the QMgr would only need a few certificates: the signer certificate(s) of the PKI(s).
_________________
Regards
Hubert |
|
Vitor |
Posted: Wed Oct 02, 2019 6:54 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
HubertKleinmanns wrote: |
varunv wrote: |
the SSL needs many certificates to authenticate with all external parties to internal applications |
I don't understand this. Are you working with self-signed certificates? Then indeed you have to exchange lots of certificates.
But when you use a PKI (Public Key Infrastructure) then the QMgr would only need a few certificates: the signer certificate(s) of the PKI(s). |
It's no different in principle to a "normal" queue manager with a large number of peer queue managers and/or a large number of client connections.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
varunv |
Posted: Wed Oct 02, 2019 9:45 am Post subject: |
|
|
Novice
Joined: 04 Feb 2009 Posts: 16
|
Hi,
Yes, self-signed certificates. |
|
Vitor |
Posted: Wed Oct 02, 2019 10:27 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
varunv wrote: |
Yes, self-signed certificates. |
Then a) you're in a trap of your own making and b) your setup isn't that secure anyway.
_________________
Honesty is the best policy.
Insanity is the best defence. |
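
The difference between the two setups discussed in this thread, as an added example that is not part of the original posts: with a PKI, a trust store holding one signer certificate accepts every client certificate that signer issued, while a self-signed certificate is accepted only when that certificate itself has been added. It uses the plain openssl CLI rather than IBM MQ's own key repository tooling, and the names Demo-IoT-CA, device-N and selfsigned-1 are constructed.

```shell
#!/bin/sh
# Added example; Demo-IoT-CA, device-N and selfsigned-1 are constructed names.
WORK=$(mktemp -d)

# Minimal config so the script does not depend on a system openssl.cnf.
cat > "$WORK/o.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# One signer certificate: the only entry the trust store needs under a PKI.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/o.cnf" \
        -subj "/CN=Demo-IoT-CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a client certificate signed by the CA; the trust store is not touched.
issue_device() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/o.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# A self-signed client certificate, the setup the original poster describes.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/o.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# accepted TRUSTFILE CERT: succeeds if CERT chains to a certificate in TRUSTFILE.
accepted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_ca
for d in device-1 device-2 device-3; do issue_device "$d"; done
make_self_signed selfsigned-1

# The trust store here is just ca.crt; no per-client certificate was exchanged.
for c in device-1 device-2 device-3 selfsigned-1; do
    if accepted "$WORK/ca.crt" "$WORK/$c.crt"; then echo "$c: accepted"
    else echo "$c: rejected (no trusted signer)"; fi
done
```

Adding a fourth or a forty-thousandth device only means calling `issue_device` again; the file given to `accepted` as the trust store stays the same.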
|