IBM MQTT Security approach
varunv
Posted: Tue Oct 01, 2019 6:20 pm    Post subject: IBM MQTT Security approach

Novice

Joined: 04 Feb 2009
Posts: 16

Hi,
We have a requirement where the external applications (IOT applications) will connect to the IBM MQTT QMGR using a web UI and do messaging with dynamic subscripts. It will subscribe to IOT events.

The external application communicates with the internal MQTT qmgr through a DMZ server. Since it is a web application and they have 30,000 to 40,000 connections, we wonder if SSL will work here! Can you guys share your ideas on the best approach for MQTT security?

Appreciate your quick help here.
HubertKleinmanns
Posted: Tue Oct 01, 2019 11:42 pm

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

Hello,

I guess SSL will work, but it may be very slow.

According to this https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q003050_.htm you need lots of memory and many file descriptors. In addition, for the SSL handshake I would expect that you need some CPUs.

I suggest to run some performance tests to get a useful answer, because this depends on your specific hardware.

Do you have a crypto processor on board? This should speed up the SSL handshake.
_________________
Regards
Hubert
varunv
Posted: Wed Oct 02, 2019 6:25 am

Novice

Joined: 04 Feb 2009
Posts: 16

Hubert,
Thank you for your reply. As there are a huge number of applications and web applications interacting with the MQTT qmgr, the SSL needs many certificates to authenticate with all external parties to internal applications. So we are looking at whether there is any other approach to MQTT security for our situation.
Appreciate any thoughts on it.

Thanks
Varun
HubertKleinmanns
Posted: Wed Oct 02, 2019 6:48 am

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

varunv wrote:
the SSL needs many certificates to authenticate with all external parties to internal applications


I don't understand this. Are you working with self-signed certificates? Then indeed you have to exchange lots of certificates.

But when you use a PKI (Public Key Infrastructure) then the QMgr would only need a few certificates: the signer certificate(s) of the PKI(s).
_________________
Regards
Hubert
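
The trust-store point made in the post above, as an added example that is not part of the original thread: with self-signed client certificates the server side must hold one certificate per client, while with a PKI it holds only the signer certificate. It uses the generic `openssl` command line rather than IBM MQ's own key-repository tooling, and the names `Demo CA` and `dev1`..`dev4` are constructed for the illustration.

```sh
#!/bin/sh
# Constructed demo: certificates the server side must store, self-signed vs. PKI.
WORK=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # silence openssl progress output, keep exit status

# Model A: each client presents its own self-signed certificate.
make_self_signed() {            # $1 = client name
  q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.self.key" -out "$WORK/$1.self.pem"
}

# Model B: a single signer (CA) issues every client certificate.
make_ca() {
  q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
}
issue_from_ca() {               # $1 = client name
  q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" &&
  q openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/$1.pem"
}

# Succeeds only if the certificate chains to an entry in the trust store.
trusted() {                     # $1 = trust store (PEM bundle), $2 = certificate
  q openssl verify -CAfile "$1" "$2"
}
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Build both trust stores for N clients; prints "<self-signed size> <PKI size>".
build_stores() {                # $1 = N
  : > "$WORK/store_self.pem"
  make_ca && cp "$WORK/ca.pem" "$WORK/store_pki.pem"
  i=1
  while [ "$i" -le "$1" ]; do
    make_self_signed "dev$i" && cat "$WORK/dev$i.self.pem" >> "$WORK/store_self.pem"
    issue_from_ca "dev$i"
    i=$((i + 1))
  done
  echo "$(count_certs "$WORK/store_self.pem") $(count_certs "$WORK/store_pki.pem")"
}

echo "trust store sizes (self-signed, PKI): $(build_stores 3)"
# A fourth client enrols later: the PKI store needs no change.
issue_from_ca dev4 && trusted "$WORK/store_pki.pem" "$WORK/dev4.pem" &&
  echo "dev4 (CA-issued): accepted, store unchanged"
make_self_signed dev4
trusted "$WORK/store_self.pem" "$WORK/dev4.self.pem" ||
  echo "dev4 (self-signed): rejected until its certificate is imported"
```
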
Vitor
Posted: Wed Oct 02, 2019 6:54 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

HubertKleinmanns wrote:
varunv wrote:
the SSL needs many certificates to authenticate with all external parties to internal applications


I don't understand this. Are you working with self-signed certificates? Then indeed you have to exchange lots of certificates.

But when you use a PKI (Public Key Infrastructure) then the QMgr would only need a few certificates: the signer certificate(s) of the PKI(s).

It's no different in principle to a "normal" queue manager with a large number of peer queue managers and/or a large number of client connections.
_________________
Honesty is the best policy.
Insanity is the best defence.
varunv
Posted: Wed Oct 02, 2019 9:45 am

Novice

Joined: 04 Feb 2009
Posts: 16

Hi,
Yes, self-signed certificates.
Vitor
Posted: Wed Oct 02, 2019 10:27 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

varunv wrote:
Yes self-signed certificates.


Then a) you're in a trap of your own making and b) your setup isn't that secure anyway.
_________________
Honesty is the best policy.
Insanity is the best defence.