ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » ACE compliance with PAM and integration to CyberArk

Post new topic  Reply to topic
 ACE compliance with PAM and integration to CyberArk « View previous topic :: View next topic » 
Author Message
Lone_Wanderer
PostPosted: Sun May 12, 2024 10:44 pm    Post subject: ACE compliance with PAM and integration to CyberArk Reply with quote

Novice

Joined: 16 Jan 2017
Posts: 11
Hi all,

I have customer, who is implementing PAM across all of their service/priviledged accounts.

When it comes to ACE, right now, we have:

1. legacy mqsisetdbparms credentials that can be moved to a vault
2. current mqsisetdbparms credentials that cannot be moved to a vault
3. current mqsicredentials credentials that already sit in a vault

The reqirement from the customer is that every exisitng account is managed by CyberArk. The problem I forsee with this is is that I know of no way to integrate this with existing ACE infrastructure. For example, when the account that we use for connectivity to LDAP is migrated to PAM and it's password is changed every 3 months, right now the only way I can think of to propagate this change to ACE would be to run mqsisetdbparms again, either manually or via script.

Our ACE nodes run on AIX LPARs.

How does the industry approach this problem? Surely IBM has some sort of more elegant solution for this. Because even the vault isn't perfect. Yeah, it's a file, but same with my LDAP example. the moment some credentials change in that Vault because of CyberArk policy, I see myself running mqsicredentials again.

Thank you, kind regards
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Mon May 13, 2024 7:20 pm    Post subject: Reply with quote

Jedi Knight

Joined: 25 Mar 2003
Posts: 2502
Location: Melbourne, Australia
Hi Lone Wanderer,
We use both CyberArk PAM and ACE on AIX.
Our IT security policy allows exceptions for "service accounts" to exist with unknown or non-expiring passwords. It would be quite disruptive for us to regularly change passwords on ACE services like DB connections and https web service calls etc. for little improvement in overall security. Legacy products like ACE/IIB/WMB were not built with concepts in mind like easy and no-impact password / credentials rotation.
_________________
Glenn
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » ACE compliance with PAM and integration to CyberArk
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.