Best practices for TLS
blorro
Posted: Thu Jun 24, 2021 3:58 am    Post subject: Best practices for TLS

Acolyte

Joined: 09 Jan 2014
Posts: 57
Location: Sweden

What kind of strategies are you implementing in your MQ shops for handling TLS?
- Are you using anonymous authentication for simplicity and using SSLPEER, or are you all going with mutual authentication all the way? Both client-to-QM and QM-to-QM connections?

Where can we be smart, making it manageable (140+ queue managers atm, running z, A400 and Windows)?

Pointers, advice, past experiences will be gratefully accepted
_________________
"Anything is possible, all the time."
RogerLacroix
Posted: Fri Jun 25, 2021 9:44 am    Post subject: Re: Best practices for TLS

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

blorro wrote:
Are you using anonymous authentication for simplicity and using SSLPEER, or are you all going with mutual authentication all the way?

From what my customers that use SSL/TLS are telling me, almost all are using server-side (anonymous) authentication.

blorro wrote:
Where can we be smart, making it manageable (140+ queue managers atm, running z, A400 and Windows)?

Don't forget to include asking about SSL/TLS management of the certificates. SSL/TLS certificates expire yearly. I don't know how long it would take to push/renew certificates for 140 queue managers with new certificates but it is NOT a 5-minute job.

Now if you go with mutual authentication then you have to update all MQ clients (thousands??) and the 140 queue managers each year. You definitely will need to make sure your management is up to speed on the number of man/woman hours or days needed to complete the yearly task.

<Vendor_Plug>
An alternative to SSL/TLS is to use Capitalware's MQ Channel Encryption solution. There is no yearly SSL/TLS certificate management.

If you prefer an end-to-end encryption solution then have a look at MQ Message Encryption.
</Vendor_Plug>

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
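
What the two options discussed above look like in MQSC, as an added example that is not part of either poster's message. The channel name, host, port, distinguished names and CipherSpec are constructed placeholders; pick values that every platform in your estate supports.

```mqsc
* Constructed example: APP1.SVRCONN, QM1, qm1.example.com and the DNs
* below are placeholders, not values from this thread.

* --- Option A: server-side ("anonymous") TLS --------------------------
* Queue manager side: the queue manager presents its certificate; the
* client does not have to present one. TLS then encrypts the channel and
* proves the queue manager's identity, but says nothing about who the
* client is, so client identity must come from another control.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384) +
       SSLCAUTH(OPTIONAL) REPLACE

* Client side (CCDT entry): SSLPEER here pins the DN of the queue
* manager's certificate, so the client refuses any other server.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       CONNAME('qm1.example.com(1414)') QMNAME(QM1) +
       SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384) +
       SSLPEER('CN=QM1,O=Example') REPLACE

* --- Option B: mutual TLS ---------------------------------------------
* Queue manager side: the client must present a certificate, and its DN
* must match SSLPEER. Every client now holds a certificate that has to
* be renewed before it expires.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app1,O=Example') REPLACE

* --- After a certificate renewal (either option) ----------------------
* Makes the queue manager reload its key repository so that new
* channel instances use the renewed certificate.
REFRESH SECURITY TYPE(SSL)
```

Matching on the stable parts of the DN (for example O and OU) rather than on a field that changes at each renewal keeps SSLPEER values from needing an edit every time a certificate is reissued.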
blorro
Posted: Fri Jul 02, 2021 5:43 am    Post subject: Re: Best practices for TLS

Acolyte

Joined: 09 Jan 2014
Posts: 57
Location: Sweden

RogerLacroix wrote:
blorro wrote:
Are you using anonymous authentication for simplicity and using SSLPEER, or are you all going with mutual authentication all the way?

From what my customers that use SSL/TLS are telling me, almost all are using server-side (anonymous) authentication.

blorro wrote:
Where can we be smart, making it manageable (140+ queue managers atm, running z, A400 and Windows)?

Don't forget to include asking about SSL/TLS management of the certificates. SSL/TLS certificates expire yearly. I don't know how long it would take to push/renew certificates for 140 queue managers with new certificates but it is NOT a 5-minute job.

Now if you go with mutual authentication then you have to update all MQ clients (thousands??) and the 140 queue managers each year. You definitely will need to make sure your management is up to speed on the number of man/woman hours or days needed to complete the yearly task.

<Vendor_Plug>
An alternative to SSL/TLS is to use Capitalware's MQ Channel Encryption solution. There is no yearly SSL/TLS certificate management.

If you prefer an end-to-end encryption solution then have a look at MQ Message Encryption.
</Vendor_Plug>

Regards,
Roger Lacroix
Capitalware Inc.



Thank you for your reply, it provides big value for me!
_________________
"Anything is possible, all the time."