WMQ ESE Introduction


Upload: laxmikanth24

Post on 07-Apr-2018


Page 1: WMQ ESE Introduction

8/3/2019 WMQ ESE Introduction

http://slidepdf.com/reader/full/wmq-ese-introduction 1/14


IBM Software Group

© IBM Corporation

End to end security for WebSphere MQ

An Introduction to WebSphere MQ Extended Security Edition

Carl Farkas

IBM SW TechWorks zWebSphere

Paris, France

[email protected]


Agenda

Problem statement

Introduction and product overview

Architecture review

Implementation details

Product administration

Conclusion

Page 2: WMQ ESE Introduction


Robbing the bank - yesterday

Robbing the bank – today

[Diagram: a customer application puts messages onto the queues of its queue manager (QM) and they travel across the Internet, an extranet and an intranet to a second QM and customer application; a "Bad Guy" on the path reads the message bits in transit. Caption: Familiar threats, different environment.]

Page 3: WMQ ESE Introduction


Controlling access to data - What organisations want

Authentication

Authorisation / Control

Integrity

Privacy

Audit trail

Centrally managed

Availability

What do we need for MQ?

To provide end to end security for the MQ network

AAA

Authentication of users into the network

Authorisation of their access to queues / queue managers

Can’t access messages you are not authorised to

Keeping an Audit trail of which queues have been accessed and by whom

Protect message payloads

When messages are on queues or in transit

Do not allow message data to be tampered with

Know without a doubt, the sender of a message

Centrally managed

Page 4: WMQ ESE Introduction


What WMQ Provides Today

Users are based on Operating System ID

Users are unique to machines and not across the enterprise

No passwords are used for authorisation

Not 100% secure

SSL channels

Protects messages in transit

Messages at rest are in the clear 

Object Authority Manager (OAM) / RACF limits access to resources

OAM is on a per machine basis, hard to administer a large network

RACF applies to a single sysplex

WebSphere MQ - native

[Diagram: customer applications issue MQCONN, MQOPEN, MQPUT and MQGET through the MQI stub to the queue manager, and the OAM answers "OK? y/n" for each call; messages pass from the queues through the MCA over a channel to the remote MCA and queues. SSL protects only the channel hop ("SSL here"); the "Bad Guy" is still in the picture.]

Page 5: WMQ ESE Introduction


What WMQ ESE Provides beyond WMQ

Authentication

PKI approach to uniquely identify users

Users are stored in a LDAP repository and map onto certificates

Authorisation

Users can be granted or denied access to put and get to queues

Users can be granted access to client connect to the queue manager 

Policies centrally managed

Auditing

User access to queues can be audited

The user, object name and success or failure of the access attempt are logged

Other WMQ ESE Benefits

Message protection

Users are based on certificates making them unique across enterprises

Sign messages

Tells us who the message came from

Ensures that the message hasn’t been tampered with

Can encrypt the message payload for end-to-end security

Messages protected on the queues

Addresses audit and other requirements of Sarbanes-Oxley

Central Administration

WMQ security policies, users, groups and audit levels are centrally managed

GUI or command line interfaces

Page 6: WMQ ESE Introduction


WMQ ESE Architecture

Methods of interception

WMQ ESE needs to intercept the application API calls to subject them to security

The different interfaces are:

1. WMQ applications binding locally to a distributed queue manager 

2. WMQ applications binding to a z/OS queue manager 

3. WMQ Client and JMS applications client side interception

4. WMQ Client and JMS applications server side interception

Page 7: WMQ ESE Introduction


1. Distributed server interceptor model (API Exits)

[Diagram: customer applications issue MQCONN, MQOPEN, MQPUT and MQGET through the MQI stub; MQ ESE API exits (code exits) inside the queue manager hand each call to the MQ ESE server (pdmqd), which keeps ACLs and users in a local Policy replica of the Policy Server, uses certificates from the LDAP server, and calls GSKit/ACME for the cryptography. The OAM still answers "OK? y/n"; the MCA and queues are unchanged.]

2. z/OS server interceptor model

//CL00PUT JOB 1,MSGCLASS=H
//*
//* Put a message with OEMPUTX through the TAMBI interceptor
// EXEC PGM=OEMPUTX,REGION=0M,
// PARM=('-mVCT7 -N1. -X -clear -pm -s12 ')
//SYSIN DD *
-QCLASS00_NONE
-FILEDD:MSGIN
//* Add TAMBI as the first library to load (first STEPLIB entry)
//STEPLIB DD DISP=SHR,DSN=PP.ACCMAN.V4R1.SDRQAUTH
// DD DSN=PUBVIC.V531.SCSQAUTH,DISP=SHR
// DD DSN=PUBVIC.V531.SCSQANLE,DISP=SHR
// DD DISP=SHR,DSN=PAICE.IP13.LOAD
//MSGIN DD DISP=SHR,DSN=CLASS00.TAMBI.MSGDATA(HELLO)
//SYSPRINT DD SYSOUT=*

Page 8: WMQ ESE Introduction


3. (C or JMS) MQ Client Security Exit – Client side

[Diagram: WMQ client applications (C or JMS) call the MQI; on the WMQ client machine a TAMBI interceptor sits between the application and the WMQ C/Java client, and a TAMBI security exit runs on the channel to the MCA and queue manager on the WMQ server. "R" = new permission bit to allow/deny connection.]

4. (C or JMS) MQ Client Security Exit – Server side

[Diagram: WMQ client applications (C or JMS) hold a user key/certificate and connect over a client-certificate based SSL channel; on the WMQ server the TAMBI security exit and the TAMBI interceptor sit at the MCA in front of the queue manager. "R" = new permission bit to allow/deny connection.]

Page 9: WMQ ESE Introduction


WMQ ESE Administration


Interfaces for Administrators

Command line interface

Web Based GUI interface

Page 10: WMQ ESE Introduction


Policy Server concepts

[Diagram: protected object space /PDMQ/Queue/MYQM with the queues IN.QUEUE, OUT.QUEUE and TAMBI.DEAD.QUEUE. Policy attributes are set at three scopes (Global, Per Queue Manager, Per Queue): Q-enc-strength, Q-sig-algorithm, Q-recipients, Qname-resolution, PKI-enc-strength, PKI-sig-algorithm, Error-handling-Q.]

Access Control Lists (ACL)

E  Grant Put Permission
   Application can place messages onto the queue
   ACL checked on MQOPEN (in PUT mode)

D  Grant Get Permission
   Application can retrieve messages from the queue
   ACL checked on MQOPEN (in GET mode)

R  User is allowed to connect to the queue manager remotely
   Using WBIBroker plug-in

ACL Entry
Type             ID      Permissions
User             jon     Trx
Group            sales   Trm[PDMQ]E
Group            admin   Trxmcd[PDMQ]DE
Any-other                Tr
Unauthenticated          T
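As an added illustration (not code from the slides or from the product), a small Python model of the decision the slide describes: the E, D and R bits in the [PDMQ] action group, checked at MQOPEN in PUT or GET mode and at client connect, evaluated over the five rows of the slide's table. The evaluation order (explicit User entry first, then the union of matching Group entries, then Any-other, with Unauthenticated for unauthenticated callers) is an assumption modelled on Tivoli Access Manager ACLs and is not stated on the slide.

```python
"""ACL decision as the slide describes it: E = put, D = get, R = connect (added example)."""
from dataclasses import dataclass

ACTION_GROUP = "[PDMQ]"  # the WMQ ESE action group that carries the E, D and R bits

@dataclass
class AclEntry:
    etype: str      # "User", "Group", "Any-other" or "Unauthenticated"
    ident: str      # user or group name; empty for the two catch-all types
    pdmq_bits: str  # bits after [PDMQ]; the TAM bits before it (T, r, x, ...) are ignored here

def parse_acl_entry(line: str) -> AclEntry:
    """Parse one row of the slide's ACL table, e.g. 'Group sales Trm[PDMQ]E'."""
    parts = line.split()
    if parts[0] in ("Any-other", "Unauthenticated"):
        ident, perms = "", parts[1]
    else:
        ident, perms = parts[1], parts[2]
    bits = perms.split(ACTION_GROUP, 1)[1] if ACTION_GROUP in perms else ""
    return AclEntry(parts[0], ident, bits)

def effective_bits(acl, user, groups, authenticated=True) -> str:
    """ASSUMED order (modelled on Tivoli Access Manager, not stated on the slide): explicit
    User entry wins, else union of matching Group entries, else Any-other; Unauthenticated only."""
    if not authenticated:
        return "".join(e.pdmq_bits for e in acl if e.etype == "Unauthenticated")
    for e in acl:
        if e.etype == "User" and e.ident == user:
            return e.pdmq_bits
    matched = [e for e in acl if e.etype == "Group" and e.ident in groups]
    if matched:
        return "".join(e.pdmq_bits for e in matched)
    return "".join(e.pdmq_bits for e in acl if e.etype == "Any-other")

MODE_TO_BIT = {"PUT": "E", "GET": "D", "CONNECT": "R"}

def check_access(acl, user, groups, mode, authenticated=True) -> bool:
    """The yes/no the interceptor needs at MQOPEN (PUT or GET mode) or at client connect."""
    return MODE_TO_BIT[mode] in effective_bits(acl, user, groups, authenticated)

# The five rows exactly as they appear on the slide
SLIDE_ACL = [parse_acl_entry(row) for row in (
    "User jon Trx", "Group sales Trm[PDMQ]E", "Group admin Trxmcd[PDMQ]DE",
    "Any-other Tr", "Unauthenticated T")]

if __name__ == "__main__":
    # jon's own entry has no [PDMQ] bits, so his sales membership does not let him put
    print(check_access(SLIDE_ACL, "jon", ["sales"], "PUT"))   # False
    print(check_access(SLIDE_ACL, "amy", ["sales"], "PUT"))   # True
```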

Page 11: WMQ ESE Introduction


Protected Object Policies – (POP)

POPs specify the security policy for a queue or queue manager:

The security for messages put to the queue

None – message is sent as normal

Integrity – Message is digitally signed by the sender

Encrypt – Message is signed and encrypted by the sender

The time of day that the object can be accessed

The audit level for the queue (none, permit, deny, error, admin)

Auditing

Events recorded when specified auditable events occur at:

MQOPEN, MQPUT, MQPUT1, MQGET, MQCLOSE

Auditing Options allow different levels of detail to be logged:

permit: Records only successful accesses

deny: Records only denied requests for access

admin: Records OPEN, CLOSE, PUT, and GET operations on protected WMQ queues

error: Records any unsuccessful GET operations

Audit records stored as XML on distributed and SMF on z/OS

Audit Records Include:

- AM User ID, WMQ Message ID

- Sender PKI ID (if message signed)

- Date and Time

- Encryption and Signing algorithms

Page 12: WMQ ESE Introduction


WMQ ESE Auditing

<event rev="1.2">
  <date>2005-11-07-23:25:25.296-05:00I-----</date>
  <outcome status="0">0</outcome>
  <originator blade="ivadminapi">
    <component rev="0.1">pdmq</component>
    <action>0</action>
    <location>dropzone</location>
  </originator>
  <accessor name="mq_pki_ldap">
    <principal auth="IV_LDAP_V3.0" domain="Default"> jdement</principal>
  </accessor>
  <target resource="0"><object>/PDMQ/Queue/QM_dropzone/JEFF</object></target>
  <data>
    <data tag="action">MQOPEN</data>
    <data tag="operation">E</data>
    <data tag="result">access denied or azn check failed</data>
    <data tag="qop">integrity</data>
    <data tag="ProcessId">3456</data>
  </data>
</event>

[Diagram: the ACL attached to the queue: User jon Trx; Group admin Trxmcd[PDMQ]DE; Any-other Tr; Unauthenticated T]
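An added example, not from the slides or the product: a parser for audit events in the XML layout shown above, plus a small detection that flags a principal repeatedly denied on one queue. The sample events and the "permitted" result string are constructed; the denied result text, object path and field layout are the ones on the slide.

```python
"""Parse WMQ ESE XML audit events and flag repeated denied MQOPENs (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Layout copied from the slide's record; every value filled in below is constructed.
EVENT_TEMPLATE = """<event rev="1.2">
<date>{date}</date>
<outcome status="0">0</outcome>
<originator blade="ivadminapi"><component rev="0.1">pdmq</component>
<action>0</action><location>dropzone</location></originator>
<accessor name="mq_pki_ldap">
<principal auth="IV_LDAP_V3.0" domain="Default"> {user}</principal></accessor>
<target resource="0"><object>{obj}</object></target>
<data><data tag="action">{action}</data><data tag="operation">{op}</data>
<data tag="result">{result}</data><data tag="qop">integrity</data>
<data tag="ProcessId">3456</data></data></event>"""

def parse_event(xml_text: str) -> dict:
    """Flatten one <event> into a dict: date, user, object plus every <data tag=...>."""
    root = ET.fromstring(xml_text)
    rec = {"date": root.findtext("date"),
           "user": root.findtext("accessor/principal").strip(),  # slide shows a leading space
           "object": root.findtext("target/object")}
    for d in root.find("data"):            # the nested <data tag="..."> children
        rec[d.get("tag")] = d.text
    return rec

def is_denied(rec: dict) -> bool:
    # The slide's denied record carries this result text while <outcome status> stays 0
    return (rec.get("result") or "").startswith("access denied")

def denied_open_alerts(records, threshold=3):
    """(user, object) pairs with at least `threshold` denied MQOPENs: one denial is
    noise, a run of them against one queue by one principal is worth a look."""
    hits = Counter((r["user"], r["object"]) for r in records
                   if r.get("action") == "MQOPEN" and is_denied(r))
    return sorted(key for key, n in hits.items() if n >= threshold)

DENIED = "access denied or azn check failed"  # result text from the slide
SAMPLE_EVENTS = [  # constructed: the slide's record plus four more in the same shape
    EVENT_TEMPLATE.format(date=f"2005-11-07-23:25:{sec}.296-05:00I-----", user=u,
                          obj=o, action=a, op=op, result=r)
    for sec, u, o, a, op, r in (
        (25, "jdement", "/PDMQ/Queue/QM_dropzone/JEFF", "MQOPEN", "E", DENIED),
        (26, "jdement", "/PDMQ/Queue/QM_dropzone/JEFF", "MQOPEN", "E", DENIED),
        (27, "jdement", "/PDMQ/Queue/QM_dropzone/JEFF", "MQOPEN", "D", DENIED),
        (28, "jon", "/PDMQ/Queue/MYQM/IN.QUEUE", "MQOPEN", "D", "permitted"),
        (29, "jon", "/PDMQ/Queue/MYQM/IN.QUEUE", "MQGET", "D", "permitted"))]
RECORDS = [parse_event(e) for e in SAMPLE_EVENTS]
```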

Summary

WMQ data needs to be protected at rest and in flight

No need to update or modify existing deployed WMQ applications.

ESE is transparent

Centralised administration of both access control to queues, data protection and security audit policies

WMQ ESE provides end to end security for WMQ networks

Page 13: WMQ ESE Introduction


Public Private Key Cryptography

Page 14: WMQ ESE Introduction


Cryptography explained – slide 1

[Diagram: Alice prepares the message "Hi Bob" signed "Alice". A digest of the message (b2cea738a209065) is encrypted with Alice's private key to give the signature q!T4@xJ**G. The message is encrypted with a symmetric key to give aN!3q*nB5+, and the symmetric key is encrypted with Bob's public key to give E8*5%er. Signature, encrypted message and encrypted key together form the message for Bob.]

Cryptography explained – slide 2

[Diagram: Bob decrypts E8*5%er with his private key to recover the symmetric key, decrypts aN!3q*nB5+ with that key to recover "Hi Bob" / "Alice", and decrypts the signature q!T4@xJ**G with Alice's public key (obtained via the CA) to recover the digest b2cea738a209065. The digest he recomputes over the message is equal (=), so: "Yes, message came from Alice".]