© 2014 IBM Corporation
Secure Messages with
IBM WebSphere MQ
Advanced Message Security
Morag Hughson (IBM)
Carol Benders (CSX)
Carl Conrad (CSX)
Agenda
Introductions
• Morag Hughson
• Carol Benders
• Carl Conrad
Technical Introduction To
IBM® WebSphere® MQ Advanced Message Security
CSX AMS Architecture
CSX AMS Implementation
CSX AMS Testing
Lessons Learned
Q&A
Technical Introduction To
WebSphere MQ
Advanced Message Security (AMS)
Morag Hughson
hughson@uk.ibm.com
Why use message-level security?
Base WebSphere MQ networks
• Authentication and authorization are scoped to the connection
• SSL/TLS channels provide additional connection-scoped security
• Channel context setting provides some per-message authorization
– But based on unauthenticated MQMD.UserID
WebSphere MQ AMS complements WebSphere MQ's connection-level security
• Provides authentication, authorization and accountability scoped at the message level
Increasing impact of regulatory compliance
• Payment Card Industry Data Security Standard (PCI-DSS)
• Health Insurance Portability & Accountability Act (HIPAA)
• European Union Privacy Directive
• FIPS, Suite-B, FISMA
Provide additional security for Command & Control traffic
Any time many identities are aggregated over a single connection
Message Level Protection – Notes
• Advanced Message Security is a feature of WebSphere MQ that
provides Application Level Security, also known as Message Level
Protection.
• Message Level Protection provides assurance that messages have not
been altered in transit. For example, when issuing payment information
messages, ensure the payment amount does not change before
reaching the receiver.
• Message Level Protection provides assurance that messages originated
from the expected source. For example, when processing control
messages, validate the sender.
• Message Level Protection provides assurance that messages can only
be viewed by intended recipient(s). For example, when sending
confidential information.
AMS Key Features
Secures sensitive or high-value WebSphere MQ messages
• Privacy via message content encryption
• It leverages digital certificates (X.509) and Public Key encryption to protect
WebSphere MQ messages
Detects and removes rogue or unauthorized messages before they are
processed by receiving applications
• Authentication via certificate above and beyond operating system
Verifies that messages are not modified between sender and receiver
• Message Integrity via digital signature of message content
Protects messages not only when they flow across the network but
when they are at rest in queues
Messages from existing WebSphere MQ applications are transparently
secured using “interceptors”
• No application changes are necessary
No pre-requisite products other than WebSphere MQ
Successor to WebSphere MQ Extended Security Edition (ESE)
Diagram: interception points, by client/server and release (no changes required to existing applications)
• Server (bindings) application: API exit on the MQ API (mqm lib)
• Client application before 7.1: replacement mqic library, with the original MQIC library renamed
• Client application at 7.1: clients use API exits, the same as the server
• JMS application: JMQI intercept
• 7.5: interception is built in
Interceptors - Environments supported
• MQ AMS functionality is implemented in “interceptors”
  – There are no long running processes or daemons (except on z/OS®)
  – Existing MQ applications do not require changes
• These interceptors have evolved over the last few releases.
• Before MQ V7.1, three interceptors are provided:
  1. MQ Server interceptor for local (bindings mode) MQI API and Java™ applications - implemented as a standard API exit on distributed, and a “private” API exit on z/OS
  2. MQ Client API interceptor for remote (client mode) MQ API applications – implemented as a library replacement
  3. MQ Java client interceptor for remote (client mode) MQ JMS and MQ classes for Java applications (J2EE and J2SE).
• With WebSphere MQ V7.1 MQI clients gain the ability to use API exits, so the MQ Client API interceptor becomes the same API exit as the MQ Server interceptor.
• With WebSphere MQ V7.5, AMS is no longer a separate product and becomes a feature of WebSphere MQ, with the interceptor code embedded in the product. No need to configure API exits anymore.
Interceptors (z/OS)
Pre-V8.0 (two started tasks)
• Main Task: ssidAMSM
– Runs API interceptor
– Enforces policies
• Data Services task: ssidAMSD
– Performs signature and encryption
– Calls System SSL PKCS#7
Services (uses SAF keyrings)
WebSphere MQ V8
• Single task: ssidAMSM
• Started/stopped with QMgr
• “Private” API Exit code is now
embedded in the product
Diagram: Application, MQ API, “private” API exit (8.0: interception is built in), AMS main (ssidAMSM) and AMS Data Services (ssidAMSD, pre-V8 only), alongside the queue manager (ssidMSTR)
Interceptors (z/OS) - Notes
• On z/OS before MQ V8, the MQ Server interceptor for local (bindings mode) is
implemented as a “private” API exit on z/OS.
• In V8, similar to the change made on Distributed in V7.5, AMS is pulled into the
base WebSphere MQ product. Its documentation is also pulled into the
WebSphere MQ Information Center.
• This provides a better integration with the queue manager including tie-in of the
start/stop of the AMS address space with start-up and shut-down of the queue
manager. Calling the AMS address space to do the encryption/decryption work
is more efficient and due to no longer using the vendor API call intercept method
(the “private” API exit), it is less likely to conflict with other OEM products.
• The previous two separate AMS address spaces, ssidAMSM (main) and
ssidAMSD (data services) are now combined into a single address space,
ssidAMSM. Any authorities that were previously required by ssidAMSD are now
needed on ssidAMSM instead. ssidAMSM now consumes the encryption CPU.
The utility that is used on z/OS to setup policies is renamed from DRQUTIL to
CSQ0UTIL.
• There are no changes to the keyring names, and the hardened version of the
policies which are stored as messages on the
SYSTEM.PROTECTION.POLICY.QUEUE have the same shape, so existing
policies just work.
• AMS is still priced separately as OTC and has a separately installed FMID which
is an enablement module for AMS.
Message protection policies
Two types of policies:
• Message Integrity policy
• Message Privacy policy
Created or updated or removed by
command ‘setmqspl’
• or by AMS plug-in for WebSphere MQ Explorer (GUI)
• Defining message integrity policies
• Defining message privacy policies
Policies are stored in queue
‘SYSTEM.PROTECTION.POLICY.QUEUE’
Display policies with command ‘dspmqspl’
• or by AMS plug-in for WebSphere MQ Explorer (GUI)
Each protected queue can have only one policy
• For distributed queuing, protect the queue
locally (source QM) as well as the remote (target QM)
“Compromised messages” in queue
‘SYSTEM.PROTECTION.ERROR.QUEUE’
Diagram: a protected message on a queue is the original Message Data (plus Message Properties) wrapped in a PDMQ header and a PKCS #7 envelope that carries the signature; the queue manager holds the protected queue, the POLICIES queue and the ERROR queue.
Advanced Message Security – Notes
• Advanced Message Security (AMS) provides message protection policies that allow message content to be signed and encrypted. The application is unaware of the service, so the application programmer does not need to code it into the application; before the message is even placed on the queue it can be encrypted, ensuring that its contents are never exposed. The message stays encrypted while it resides on the queue, while it is transported across the network (the channels are unaware that the content is encrypted, since they are content agnostic anyway) and when it is placed on the target queue. At the point where the receiving application gets the message off the queue, the application level security service decrypts the data and presents it to the application.
• Configuration of these policies is done using the setmqspl (set MQ security policy) command, or via equivalent function in the MQ Explorer GUI. Once defined, these policies are stored in a special queue called the SYSTEM.PROTECTION.POLICY.QUEUE. The policies can also be displayed using the dspmqspl command, or again via the MQ Explorer GUI.
• A policy protects message content; it does not replace queue authorization. An application still needs MQ object authority to open the queue, and a policy set on an alias queue does not hide the underlying local queue from a user who can open it directly (see Lessons Learned).
Message integrity policy definition
Signature algorithms:
• MD5, SHA1, SHA256*, SHA384* or SHA512*
• MD5 and SHA1 are no longer considered collision resistant; prefer SHA256 or stronger for new policies
The list of authorized signers is optional
• If no authorized signers are specified then any application can sign messages.
• If authorized signers are specified then only messages signed by these applications can be retrieved.
• Messages from other signers are sent to the error queue
• A signer DN must match the certificate subject DN exactly, including attribute order
On z/OS, the same setmqspl command and parameters are supplied as SYSIN DD to PGM=DRQUTIL (CSQ0UTIL in V8)
Can also define policies via the MQ Explorer GUI.
Syntax:
setmqspl
-m <queue_manager>
-p <protected_queue_name>
-s <MD5 | SHA1 | SHA256 | SHA384 | SHA512>
-a <Authorized signer DN1>
-a <Authorized signer DN2>
:
Example:
setmqspl -m MYQM
-p MY.Q.INTEGRITY
-s SHA1
-e NONE
-a 'CN=hughson,O=ibm,C=FR'
* Note: SHA-2 algorithms available in v7.0.1.2 and higher
AMS DRQUTIL/CSQ0UTIL commands on z/OS
//CFAMSAD JOB 'Make MQ AMS queues',CLASS=A,MSGLEVEL=(1,1),
// NOTIFY=&SYSUID
/*JOBPARM SYSAFF=ZT01
//******************************************************************
//* Administer MQ Advanced Message Service (AMS) *
//******************************************************************
// SET DIR='/u/hughson'
// SET FN='drqdserv.envars'
//*
//DRQUTIL EXEC PGM=DRQUTIL,
// PARM='ENVAR("_CEE_ENVFILE=&DIR./&FN") /'
//STEPLIB DD DSN=WMQ.AMS.V7R1.SDRQLOAD,DISP=SHR
// DD DSN=WMQ.V7R0M1.SCSQANLE,DISP=SHR
// DD DSN=WMQ.V7R0M1.SCSQAUTH,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
setmqspl -m QZ09
-p TO.SECRET.FROMZ
-s SHA1
-e RC2 -r "CN=hughson,O=ibm,C=GB"
/*
//
Callouts: the PARM='ENVAR(...)' line points to the parameters file drqdserv.envars; the SYSIN stream holds the AMS admin commands to execute.
drqdserv.envars:
_DRQSERV_QMGR=QZ09
_DRQSERV_MSG_LOGGING=stderr_logging
_DRQSERV_MSG_LEVEL=*.i
_DRQSERV_MSG_FOLDING=no
_DRQ_INIT_THREADS=20
_DRQ_MAX_THREADS=100
NLSPATH=/usr/lpp/mqmese/V7R0M1/lib/nls/msg/%L/…
LANG=En_US.IBM-1047
TZ=EST5EDT
Message privacy policy definition
Encryption algorithms:
• RC2, DES, 3DES, AES128 and AES256
• RC2 and DES are legacy algorithms; use AES128 or AES256 unless a partner cannot decrypt them
• Encrypted messages are always signed
The list of authorized signers is optional
It is mandatory to specify at least one message recipient
• The data key is wrapped once per recipient, so each -r entry adds to the message size
Retrieved messages which do not meet AMS policy are sent to the SYSTEM.PROTECTION.ERROR.QUEUE
• E.g. the policy contains an authorized signer list and the sender is not on it
Syntax:
setmqspl
-m <queue_manager>
-p <protected_queue_name>
-s <MD5 | SHA1 | SHA256 | SHA384 | SHA512>
-e <encryption algorithm>
-a <Authorized signer DN1>
-a <Authorized signer DN2>
-r <Message recipient DN1>
-r <Message recipient DN2>
Example:
setmqspl -m MYQM
-p MY.Q.PRIVACY
-s SHA1
-e AES128
-a 'CN=hughson,O=ibm,C=GB'
-r 'CN=ginger,O=ibm,C=JP'
-r 'CN=saadb,OU=WBI,O=ibm,C=FR'
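The two policy slides above give the setmqspl syntax for integrity and privacy policies. The script below is an added example, not IBM tooling and not code from the deck: it parses setmqspl commands in that syntax (for instance captured from dspmqspl, where your MQ level offers -export) and reports the settings a reviewer would question: MD5/SHA1 digests, RC2/DES/3DES ciphers, a privacy policy with no recipient, an empty authorized-signer list (any trusted certificate may sign), a queue defined twice, and a signer or recipient DN that does not match a keystore certificate character for character, with a hint when only spacing, attribute order or ST/SP differ. The export text and the certificate DN inventory are constructed for the example.

```python
# Added example (not IBM tooling): lint AMS policies given as setmqspl commands.
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DIGESTS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}   # setmqspl -s values
WEAK_DIGESTS = {"MD5", "SHA1"}                            # no longer collision resistant
CIPHERS = {"NONE", "RC2", "DES", "3DES", "AES128", "AES256"}  # setmqspl -e values
WEAK_CIPHERS = {"RC2", "DES", "3DES"}                     # legacy ciphers; prefer AES
SINGLE = {"-m": "qmgr", "-p": "queue", "-s": "digest", "-e": "cipher"}
MULTI = {"-a": "signers", "-r": "recipients"}

@dataclass
class Policy:
    qmgr: str = ""
    queue: str = ""
    digest: Optional[str] = None
    cipher: str = "NONE"
    signers: List[str] = field(default_factory=list)      # -a authorized signers
    recipients: List[str] = field(default_factory=list)   # -r message recipients
    remove: bool = False

def parse_setmqspl(cmdline: str) -> Policy:
    """Parse one setmqspl command (shell quoting, backslash line continuations)."""
    toks = shlex.split(cmdline.replace("\\\n", " "))
    if not toks or toks[0] != "setmqspl":
        raise ValueError("not a setmqspl command: %r" % cmdline)
    pol, i = Policy(), 1
    while i < len(toks):
        flag = toks[i]
        if flag == "-remove":
            pol.remove, i = True, i + 1
            continue
        if i + 1 >= len(toks):
            raise ValueError("flag %s has no value" % flag)
        val = toks[i + 1]
        if flag in SINGLE:
            setattr(pol, SINGLE[flag], val.upper() if flag in ("-s", "-e") else val)
        elif flag in MULTI:
            getattr(pol, MULTI[flag]).append(val)
        else:
            raise ValueError("unknown setmqspl flag %s" % flag)
        i += 2
    return pol

def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Near-miss detector only: AMS needs an exact string match, so spacing,
    attribute order and ST vs SP all matter and are deliberately erased here."""
    rdns = (rdn.partition("=") for rdn in dn.split(","))
    return tuple(sorted(("ST" if a.strip().upper() == "SP" else a.strip().upper(), v.strip())
                        for a, sep, v in rdns if sep))

def audit_policy(pol: Policy, known_dns: Set[str]) -> List[str]:
    """Findings for one policy; known_dns are the exact subject DNs in the keystore."""
    q, out = pol.queue, []
    if pol.remove:
        return ["%s: policy removal; queue will be unprotected" % q]
    if pol.digest not in DIGESTS or pol.cipher not in CIPHERS:
        out.append("%s: unrecognised -s %r or -e %r" % (q, pol.digest, pol.cipher))
    if pol.digest in WEAK_DIGESTS:
        out.append("%s: weak digest %s; use SHA256 or stronger" % (q, pol.digest))
    if pol.cipher in WEAK_CIPHERS:
        out.append("%s: weak cipher %s; use AES128 or AES256" % (q, pol.cipher))
    if pol.cipher != "NONE" and not pol.recipients:
        out.append("%s: privacy policy needs at least one -r recipient" % q)
    if not pol.signers:
        out.append("%s: no -a signers; messages signed by any trusted certificate are accepted" % q)
    for dn in pol.signers + pol.recipients:
        if dn not in known_dns:
            near = sorted(k for k in known_dns if normalize_dn(k) == normalize_dn(dn))
            hint = " (near match: %s)" % near[0] if near else ""
            out.append("%s: DN %r has no exact certificate match%s" % (q, dn, hint))
    return out

def audit_export(text: str, known_dns: Set[str]) -> Dict[str, List[str]]:
    """Audit every setmqspl line of an export; a later definition for the same
    queue replaces the earlier one, as it would when the commands are replayed."""
    report: Dict[str, List[str]] = {}
    seen: Set[Tuple[str, str]] = set()
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line.startswith("setmqspl"):
            continue
        pol = parse_setmqspl(line)
        findings = audit_policy(pol, known_dns)
        if (pol.qmgr, pol.queue) in seen:
            findings.insert(0, "%s: defined twice; one policy per queue, the last one wins" % pol.queue)
        seen.add((pol.qmgr, pol.queue))
        report[pol.queue] = findings
    return report

# Constructed sample: the deck's example policies plus one with no signer list.
SAMPLE_EXPORT = """\
setmqspl -m MYQM -p MY.Q.INTEGRITY -s SHA1 -e NONE -a 'CN=hughson,O=ibm,C=FR'
setmqspl -m MYQM -p MY.Q.PRIVACY -s SHA256 -e AES128 \\
    -a 'CN=hughson,O=ibm,C=GB' -r 'CN=ginger,O=ibm,C=JP' -r 'CN=saadb, OU=WBI, O=ibm, C=FR'
setmqspl -m MYQM -p MY.Q.OPEN -s SHA256 -e AES256 -r 'CN=ginger,O=ibm,C=JP'
"""
# Constructed: subject DNs of the certificates assumed to be in the keystore.
KNOWN_DNS = {"CN=hughson,O=ibm,C=GB", "CN=ginger,O=ibm,C=JP", "CN=saadb,OU=WBI,O=ibm,C=FR"}
```

Feed it a real export and the subject DNs taken from runmqakm -cert -details or RACDCERT LIST. An unmatched signer DN is exactly the condition that diverts messages to SYSTEM.PROTECTION.ERROR.QUEUE at run time, and an unmatched recipient DN means the interceptor has no public key to encrypt to, so both are worth catching before the policy is applied.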
Integrity message format
Diagram: the MQ message (Message Properties + Message Data) becomes an AMS signed message: Message Properties, then a PDMQ header and a PKCS #7 envelope containing the Message Data and its Signature.
Privacy message format
Diagram: as for integrity, but inside the PKCS #7 envelope the Message Data is encrypted with a symmetric key and that key is encrypted with each recipient's certificate (public key); the envelope still carries the Signature over the data.
Logical Architecture Design
WebSphere MQ AMS configuration file
WebSphere MQ AMS interceptors require a configuration file,
eg. KEYSTORE.CONF, which contains:
• Type of keystore: CMS, JKS, JCEKS
• Location of the keystore.
• Label of the personal certificate.
• Passwords to access keystore and private keys
(or .sth stash for CMS format)
Interceptors locate the configuration file using one of the
following methods:
• Environment variable MQS_KEYSTORE_CONF=<path to conf file>.
• Checking default locations and file names.
– Platform dependent. For example in UNIX®: “$HOME/.mqs/keystore.conf”
Diagram: KEYSTORE.CONF gives the location of the producer keystore and the label (MyDN) of the personal certificate.
Keystores and X.509 certificates
An application protected by AMS needs:-
• On distributed - a keystore
– Types: CMS, JKS and JCEKS
• On z/OS - a SAF keyring
– Named “drq.ams.keyring”
The keystore contains
• A personal X.509 certificate and associated private key
• trusted certificates
– to validate message signers
– to obtain the public keys of encrypted message recipients
Create using:-
• iKeyman GUI
• Command line – runmqakm
• SAF commands, e.g. RACDCERT in RACF®
• 3rd party key management software
Diagram: the producer keystore holds the personal certificate MyDN with its private key, plus trusted certificates carrying public keys (e.g. Alice's digital certificate, YourDN, signed by the CA).
Keystores and X.509 certificates
• Each MQ application producing or consuming protected messages requires access to a keystore that contains a personal X.509 (v2/v3) certificate and the associated private key.
• The keystore and certificate are accessed by the MQ AMS interceptors.
• The keystore must contain trusted certificates to validate message signers or to obtain the public keys of encrypted message recipients
• The keystore can be the same as that used for MQ SSL (CSX chose to keep them separate; see the HA QMGR details later in this deck)
• Several types of keystore are supported (Distributed): CMS, JKS and JCEKS.
• On Distributed MQ, the IBM Key Management tool (iKeyman, part of GSKit) is provided to create and do simple management of local keystores
• On z/OS, a standard SAF product (e.g. RACF) is used to create certificates, which are SAF-managed and must be on a keyring named “drq.ams.keyring”
• 3rd party software is available from IBM (or others) to provide more robust, industrialised keystore maintenance. For IBM Tivoli® Key Lifecycle Manager, see:
http://www.ibm.com/software/tivoli/products/key-lifecycle-mgr/
Who is CSX?
• East coast railroad headquartered in Jacksonville FL
• Ranked #19 “Best Places to Work” Computer World
• 31,000 employees
• 21,000 route miles in 23 states
• 4,000 locomotives
• 100,000 owned or leased freight cars
• 1,200 trains per day
• 20,000 carloads per day
Business Requirement
“The messages passing between our HR and Medical applications must be encrypted.”
Why?
• To protect personal information (e.g. SSN, medical information)
What?
• WebSphere MQ Messages
Where?
• PeopleTools Application (Linux®)
• WebSphere MQ QMGR (Linux)
• WebSphere MQ QMGR (z/OS)
• WebSphere Message Broker (Linux)
• WebSphere Application Server (Linux)
** Object names in this presentation do not represent real objects on our system
Architecture – Pre AMS
• Linux WebSphere MQClient v7.1.0.8
  – PeopleTools Application (Non-IBM Java)
  – .bindings (SSL)
  – Java Keystore (.jks)
  – Certificates exchanged between PS and QMGR
• Linux WebSphere MQ HA QMGR v7.5.0.2
  – PSOFT.Q (QR)
  – MEDICAL.Q (QL)
  – QMGR Keystore
  – Certificates exchanged between PS and QMGR
  – Server Connection Channel (SSL)
• z/OS WebSphere MQ QMGR v7.1.0 (w/ RACF)
  – PSOFT.Q (QL)
  – MEDICAL.Q (QR)
• z/OS WebSphere Message Broker v7.0.0
  – Message Flow
• Linux WebSphere Application Server Cluster v7.0.0.29
  – Medical Application
  – JMS WAS definitions (Activation Specs and Queues)
Architecture – Pre AMS (diagram)
Architecture – With AMS (diagram, AMS 7.0)
Architecture – With AMS (continued)
• Linux MQClient PeopleTools Application
  – PeopleTools Application (Non-IBM Java)
  – .bindings (SSL)
  – Java Keystore (.jks)
  – Certificates exchanged between PS and QMGR
• Linux WebSphere MQ HA QMGR v7.5.0.2
  – PSOFT.Q (QR)
  – MEDICAL.Q (QL)
  – Server Conn Channel + SSL
  – QMGR Keystore
  – Certificates exchanged between PS and QMGR
• WebSphere Advanced Message Security v7.5.0.2
  – AMS Keystore
  – AMS keystore.conf
  – Certificates exchanged between XMQ1AMS (Linux AMS) and ZMQ1BRK (z/OS Broker)
  – Define Policies for PSOFT.Q and MEDICAL.Q
Architecture – With AMS (continued)
• z/OS WebSphere MQ QMGR v7.1.0 (w/ RACF)
  – PSOFT.Q (QL)
  – MEDICAL.Q (QR)
• z/OS WebSphere Advanced Message Security v7.0.1
  – RACF Keyring – drq.ams.keyring
  – AMS Keyring
  – Import Certificates from ZMQ1BRK / XMQ1AMS / MEDICAL
  – Define Policies for PSOFT.Q and MEDICAL.Q
• z/OS WebSphere Message Broker v7.0.0
  – Message Flow
  – Broker Keyring
  – Exchange Certificates in Broker Keyring between ZMQ1BRK / XMQ1AMS / MEDICAL
Architecture – With AMS (continued)
• Linux WebSphere Application Server Cluster v7.0.0.29
  – Medical Application
  – JMS WAS definitions (Activation Specs and Queues)
• WebSphere MQ AMS V7.0.1.1
  – AMS and SSL jar files
  – /opt/ibm/WebSphere/MQAMS/bin/cfgmqs -enable -java
  – Java Keystore (.jks)
  – Keystore.conf
  – Certificates exchanged between MEDICAL and ZMQ1BRK
Architecture – With AMS – Breakdown (diagram, AMS 7.0)
Linux PeopleTools App – First Attempt (diagram)
Linux PeopleTools App – First Attempt – Did Not Work
This did not work because PeopleTools uses non-IBM Java
• The AMS interceptor does not support non-IBM Java
Linux PeopleTools App – 2nd Attempt – MCA Interceptor (diagram)
Architecture – With AMS – Breakdown (diagram, AMS 7.0)
Linux PeopleTools Application
Linux PeopleTools Application / MQClient
Tasks to enable AMS
1. Make sure you have SSL enabled on your SVRCONN Channel
2. Must use pre 7.5 MQClient (or 7.5.0.4 fix)
** AMS is not installed on this non-IBM Java Client
The AMS MCA Interceptor on the HA QMGR is acting as a surrog|ate for the Client application to encrypt the messages. Until the MCA interceptor takes over, the message is in the clear inside the client process and on the SVRCONN channel, so channel SSL/TLS is the only protection on that hop and is mandatory with this option.
Linux PeopleTools Application / MQClient Details
Platform:
• Linux RHEL 6
Software:
• PeopleTools 8.5.3 (non-IBM Java)
• WebSphere MQ Client V7.0.1.8 (** Must be Pre 7.5 Client (or 7.5.0.4) to use MCA Interceptor)
Notes:
• Because PeopleTools is a non-IBM Java application we could not use AMS on the client
• We opted to use the AMS MCA interceptor option
• If you are using the AMS MCA interceptor option, you must have SSL turned on for the SVRCONN channel.
• In addition, you will need to use a version of MQ Client that does not come packaged with AMS (or a version where AMS can be turned off):
  – Pre 7.5 MQClient (or)
  – MQClient 7.5.0.4 (with parameter to set AMS off)
Architecture – With AMS – Breakdown (diagram, AMS 7.0)
Linux HA QMGR
Tasks to enable AMS
1. Install AMS
2. Create the AMS keystore
3. Create the AMS keystore.conf
4. Create / Import / Export Digital Certificates
5. Add MCA interceptor definitions to the keystore.conf
6. Create Policies
Linux HA QMGR Details
Platform:
• Linux RHEL 6
Software:
• WebSphere MQ 7.5.0.2
• WebSphere MQ AMS V7.5.0.2
Configuration:
• Channels
  – Sender (XMQ1.TO.ZMQ1)
  – Receiver (ZMQ1.TO.XMQ1)
  – Server Conn (XMQ1.XMQ1.PSOFT.CL) *** SSL must be turned on ***
• Queues
  – PSOFT.Q (QR)
  – MEDICAL.Q (QL)
• Keystore (AMS / XMQ1) *** Not the same keystore that is used for the SVRCONN SSL ***
  – XMQ1AMS personal cert
  – ZMQ1BRK cert (imported from z/OS)
• Policies:
  – PSOFT.Q
  – MEDICAL.Q
Linux HA QMGR Details
• Keystore.conf contents:
cms.keystore=/$MQHOME/.ssl/key
cms.certificate.channel.XMQ1.XMQ1.PSOFT.CL=XMQ1AMS
  – The keystore path is given without its .kdb suffix, and the channel name after cms.certificate.channel. must be the exact SVRCONN name; the label names the certificate the MCA interceptor signs and encrypts with on behalf of the client.
Sample Commands:
• Create keystore
runmqakm -keydb -create -db key.kdb -pw <password> -type kdb -stash
• Create QMGR (XMQ1AMS) personal cert
runmqakm -cert -create -dn "CN=XMQ1AMS,OU=XMQ1AMSDEV,O=<COMPANY>,C=<COUNTRY>" -label XMQ1AMS -db key.kdb -size <KEYSIZE> -ca false -expire 365
• Import ZMQ1BRK cert (the z/OS broker certificate)
runmqakm -cert -add -db key.kdb -label ZMQ1BRK -file ZMQ1BRK.cer -trust enable
• Export QMGR (XMQ1AMS) personal cert
runmqakm -cert -extract -label XMQ1AMS -db key.kdb -target XMQ1AMS.cert -format ascii
• List certs
runmqakm -cert -list -db key.kdb (list cert labels)
runmqakm -cert -details -db key.kdb -label XMQ1AMS (details for specific label)
Linux HA QMGR Details
• Policy Commands
setmqspl -m XMQ1 -p PSOFT.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENC ALG> -a "CN=XMQ1AMS,OU=XMQ1AMSDEV,O=<COMPANY>,C=<COUNTRY>" -r "CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=<COMPANY>,C=<COUNTRY>"
setmqspl -m XMQ1 -p MEDICAL.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENC ALG> -a "CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=<COMPANY>,C=<COUNTRY>" -r "CN=MEDICAL,OU=DEV_MEDICAL,O=<COMPANY>,C=<COUNTRY>"
setmqspl -m XMQ1 -p PSOFT.Q -remove
Note:
• Because the PeopleTools application uses non-IBM Java, we opted to use the MCA interceptor feature of AMS.
• The -a and -r values must be the exact subject DNs of the certificates (the placeholder OUs shown for ZMQ1BRK here and on the z/OS slides differ; real definitions must agree character for character).
• There are 2 separate keystores:
  1. QMGR keystore:
    – Stores the certificates for the QMGR and the PeopleTools Client
    – Provides the SVRCONN channel SSL
  2. The AMS keystore:
    – Stores the certificates for AMS and the Broker
    – Provides the AMS encryption (between XMQ1AMS and ZMQ1BRK (z/OS))
Architecture – With AMS – Breakdown (diagram, AMS 7.0)
z/OS WebSphere MQ QMGR and Broker
Tasks to enable AMS
1. Define AMS started tasks
2. Define RACF AMS Keyrings
3. Create / Import / Export Digital Certificates
4. Define SYSTEM.PROTECTION queues
5. Define Queue Policies
z/OS WebSphere MQ QMGR and Broker Details
Platform:
• z/OS 1.13
Software:
• WebSphere MQ V7.1
• WebSphere MQ AMS V7.0
• WebSphere Message Broker V7.0
Started Tasks:
• ZMQ1MSTR QMGR Master
• ZMQ1CHIN QMGR Channel Initiator
• ZMQ1BRK Broker and EGs
• ZMQ1AMSD AMS Data Services Task
• ZMQ1AMSM AMS Main Task
Configuration:
• Channels
  – Sender (ZMQ1.TO.XMQ1)
  – Receiver (XMQ1.TO.ZMQ1)
z/OS WebSphere MQ QMGR and Broker Details
Configuration:
• Queues
  – PSOFT.Q (QL)
  – MEDICAL.Q (QR)
  – SYSTEM.PROTECTION.ERROR.QUEUE
  – SYSTEM.PROTECTION.POLICY.QUEUE
  – SYSTEM.PROTECTION.SYNC.QUEUE
• RACF
  – ZMQ1BRK cert OWNER=ZMQ1BRK
  – XMQ1AMS cert OWNER=SITE
  – MEDICAL cert OWNER=SITE
• Keyring Name: drq.ams.keyring
  – ZMQ1BRK keyring
      ZMQ1BRK cert OWNER=ZMQ1BRK USAGE: PERSONAL
      XMQ1AMS cert OWNER=SITE USAGE: SITE
      MEDICAL cert OWNER=SITE USAGE: SITE
  – ZMQ1AMS keyring
      ZMQ1BRK cert OWNER=ZMQ1BRK USAGE: SITE
      XMQ1AMS cert OWNER=SITE USAGE: SITE
      MEDICAL cert OWNER=SITE USAGE: SITE
z/OS WebSphere MQ QMGR and Broker Details
Configuration
• Policies
  – PSOFT.Q
  – MEDICAL.Q
Command Examples:
• Policies
setmqspl -m ZMQ1
-p MEDICAL.Q
-s <DIGITAL SIGNATURE ALG>
-e <DIGITAL ENCRYPTION ALG>
-a "CN=ZMQ1BRK,OU=ZMQ1BRKDEV,O=<COMPANY>,C=<COUNTRY>"
-r "CN=MEDICAL,OU=MEDICALDEV,O=<COMPANY>,C=<COUNTRY>"
dspmqspl -m ZMQ1
-p MEDICAL.Q
setmqspl -m ZMQ1
-p MEDICAL.Q
-remove
• The -a/-r DN must be the certificate's complete subject DN: if the RACDCERT GENCERT on the next slide includes L('<LOCATION>'), the policy DN must carry the same L attribute in the same position, or the signer will not match.
z/OS WebSphere MQ QMGR and Broker Details
Command Examples:
• RACF cert and keyring commands:
RACDCERT ID(ZMQ1BRK) +
GENCERT SUBJECTSDN(CN('ZMQ1BRK') OU('ZMQ1BRKDEV') O('<COMPANY>') +
L('<LOCATION>') C('<COUNTRY>')) +
WITHLABEL('ZMQ1BRK') +
NOTAFTER(DATE(2015-03-25)) +
KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
RACDCERT ID(ZMQ1BRK) ALTER (LABEL('ZMQ1BRK')) TRUST
RACDCERT ADD('MQ.AMS.XMQ1AMS.CERT') +
SITE WITHLABEL('XMQ1AMS')
RACDCERT ADD('MQ.AMS.MEDICAL.CERT') +
SITE WITHLABEL('MEDICAL')
RACDCERT ID(ZMQ1BRK) ADDRING(drq.ams.keyring)
RACDCERT ID(ZMQ1BRK) CONNECT(ID(ZMQ1BRK) LABEL('ZMQ1BRK') +
RING(drq.ams.keyring) DEFAULT USAGE(PERSONAL))
z/OS WebSphere MQ QMGR and Broker Details
Command Examples:
• RACF cert and keyring commands:
RACDCERT ID(ZMQ1BRK) CONNECT(SITE LABEL('MEDICAL') +
RING(drq.ams.keyring) USAGE(SITE))
RACDCERT ID(ZMQ1BRK) CONNECT(SITE LABEL('XMQ1AMS') +
RING(drq.ams.keyring) USAGE(SITE))
RACDCERT ID(ZMQ1AMS) CONNECT(ID(ZMQ1BRK) LABEL('ZMQ1BRK') +
RING(drq.ams.keyring) USAGE(SITE))
• Refresh RACF and AMS
SETROPTS RACLIST(DIGTRING) REFRESH
SETROPTS RACLIST(DIGTCERT) REFRESH
/F ZMQ1AMSD,REFRESH (refresh AMS address space)
/F ZMQ1AMSM,REFRESH (refresh AMS address space)
Architecture – With AMS – Breakdown (diagram, AMS 7.0)
Linux WebSphere Application Server Cluster (Medical App)
Tasks to enable AMS
1. Install AMS
2. Create Java Keystore
3. Create Keystore.conf
4. Enable AMS Java Command
5. Update WAS Keystore.conf variable
6. Copy ESE and Security Policy files to WAS
7. Create / Import / Export Digital Certificates
Linux WebSphere Application Server Cluster Details
Platform:
• Linux RHEL 6
Software:
• WebSphere Application Server ND V7.0.0.29
• WebSphere MQ AMS V7.0.1.1
Configuration:
• WAS JVM Arguments
  – MQS_KEYSTORE_CONF set to the WAS keystore.conf path
• Copy ESE jar files (for Pre 7.5 AMS)
  – com.ibm.mq.ese.jar
  – (to) $WASPATH/installedConnectors/wmq.jmsra.rar
• Copy IBM SDK Policy files
  – local_policy.jar
  – US_export_policy.jar
  – (to) $WASPATH/java/jre/lib/security
• Enable AMS Java Command
  – $AMS_PATH/bin/cfgmqs -enable -java
• Java keystore (.jks)
  – MEDICAL personal cert
  – ZMQ1BRK (Broker from z/OS) imported cert
Linux WebSphere Application Server Cluster – Details
Sample Commands:
• Create the Java keystore
keytool -genkey -keyalg <KEYALG> -alias MEDICAL -keystore key.jks -storepass PASS1 -validity 365 -keysize <KEY_SIZE> -dname "CN=MEDICAL,OU=MEDICALDEV,O=<COMPANY>,C=<COUNTRY>" -keypass PASS1
• Import Broker (ZMQ1BRK) cert
keytool -import -alias ZMQ1BRK -file broker.cer -keystore key.jks -storepass PASS1
• Export Personal (MEDICAL) cert
keytool -export -rfc -alias MEDICAL -file medical.cer -keystore key.jks -storepass PASS1
• List certs
keytool -list -keystore key.jks -storepass PASS1
keytool -list -v -keystore key.jks -storepass PASS1 (-v for detail)
Keystore.conf contents:
jks.keystore = $KEYSTOREPATH/key *** No suffix on the keystore file name ****
jks.certificate = MEDICAL
jks.encrypted = no
jks.keystore_pass = PASS1
jks.key_pass = PASS1
jks.provider = IBMJCE
• With jks.encrypted = no the keystore and key passwords sit in clear text in keystore.conf, so the file must be readable only by the WAS service user.
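Both keystore.conf fragments in this deck (the HA queue manager's cms file with an MCA interceptor channel entry, and the WAS jks file above) are short enough to get wrong silently. The script below is an added example, not IBM tooling and not from the deck: it parses a keystore.conf, checks that the keystore is named without its suffix and exists, that a cms keystore has its .sth stash, that a jks/jceks entry carries both passwords, that a personal certificate label or an MCA interceptor channel entry is present, and flags clear-text passwords and a file readable by other users. The two sample files, their paths and labels are constructed in a temporary directory for the example; the checks follow the conventions stated on the slides, not IBM's own validation logic.

```python
# Added example (not IBM tooling): audit an AMS interceptor keystore.conf.
import os
import stat
import tempfile
from typing import Dict, List

VALID_TYPES = {"cms", "jks", "jceks"}   # keystore types the conf file may name

def parse_keystore_conf(text: str) -> Dict[str, str]:
    """key=value lines; AMS keys are <type>.<setting>, e.g. jks.keystore."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if not sep:
            raise ValueError("malformed keystore.conf line: %r" % raw)
        conf[key.strip()] = val.strip()
    return conf

def audit_keystore_conf(path: str) -> List[str]:
    """Findings for one keystore.conf; an empty list means nothing to report."""
    with open(path, encoding="utf-8") as fh:
        conf = parse_keystore_conf(fh.read())
    out: List[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:   # the file names the keystore and may hold its password
        out.append("file mode %04o: keystore.conf is readable by group/others" % mode)
    prefixes = {k.split(".", 1)[0] for k in conf}
    for t in sorted(prefixes - VALID_TYPES):
        out.append("unknown keystore type prefix %r (expected cms, jks or jceks)" % t)
    for t in sorted(prefixes & VALID_TYPES):
        ext = ".kdb" if t == "cms" else "." + t
        base = conf.get(t + ".keystore")
        if base is None:
            out.append("%s.keystore is missing" % t)
            continue
        if base.endswith(ext):   # AMS appends the suffix itself
            out.append("%s.keystore must be given without the %s suffix: %s" % (t, ext, base))
            base = base[: -len(ext)]
        if not os.path.exists(base + ext):
            out.append("%s.keystore file not found: %s" % (t, base + ext))
        if t == "cms":
            if not os.path.exists(base + ".sth"):
                out.append("cms: stash file %s.sth not found; interceptor cannot open the keystore" % base)
        else:
            for needed in ("keystore_pass", "key_pass"):
                if "%s.%s" % (t, needed) not in conf:
                    out.append("%s.%s is missing" % (t, needed))
            if conf.get(t + ".encrypted", "no").lower() == "no":
                out.append("%s.encrypted=no: keystore and key passwords are in clear text" % t)
        channel_keys = [k for k in conf if k.startswith(t + ".certificate.channel.")]
        if t + ".certificate" not in conf and not channel_keys:
            out.append("%s: no %s.certificate label and no MCA interceptor channel entry" % (t, t))
        for k in channel_keys:
            if not k[len(t + ".certificate.channel."):]:
                out.append("MCA interceptor entry %r has an empty channel name" % k)
    return out

# Constructed samples modelled on the two fragments in the deck; paths and
# labels are placeholders, not CSX's real objects.
WAS_CONF = """\
jks.keystore = {dir}/key
jks.certificate = MEDICAL
jks.encrypted = no
jks.keystore_pass = PASS1
jks.key_pass = PASS1
jks.provider = IBMJCE
"""
QMGR_CONF = """\
cms.keystore={dir}/key
cms.certificate.channel.XMQ1.XMQ1.PSOFT.CL=XMQ1AMS
"""

def demo() -> Dict[str, List[str]]:
    """Write both samples to a temp dir, audit them, return findings by name."""
    report: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text, ks_file, mode in (
            ("was", WAS_CONF, "key.jks", 0o644),    # world readable: the common slip
            ("qmgr", QMGR_CONF, "key.kdb", 0o600),  # .kdb present but no .sth stash
        ):
            d = os.path.join(tmp, name)
            os.mkdir(d)
            open(os.path.join(d, ks_file), "wb").close()   # empty stand-in keystore
            conf_path = os.path.join(d, "keystore.conf")
            with open(conf_path, "w", encoding="utf-8") as fh:
                fh.write(text.format(dir=d))
            os.chmod(conf_path, mode)
            report[name] = audit_keystore_conf(conf_path)
    return report
```

Point audit_keystore_conf at the file named by MQS_KEYSTORE_CONF (or the platform default such as $HOME/.mqs/keystore.conf) on each interceptor host before the first protected put; the stash and suffix checks catch the mistakes that otherwise surface only as an interceptor failure at run time.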
Lessons Learned
• AMS does not support non-IBM Java
• To use the MCA interceptor, you must use a version of the MQClient (pre 7.5) that does not include AMS (or get the 7.5.0.4 fix)
• For the MCA interceptor, SSL (non-AMS) must be set on the client / server channel to keep messages encrypted (until the MCA interceptor takes over)
• Be aware of syntax differences between the keytool and runmqakm commands
• Consider establishing standards when creating the Policies - all DN parameter options may not be acceptable on all platforms (e.g. SP vs ST)
• Policies and certificates must match exactly (parameter order matters)
• Issues with conversion of the message data from EBCDIC to ASCII after the MQGET (the channel sees only the encrypted envelope and cannot convert the payload, so conversion has to happen after the interceptor decrypts on MQGET)
  – Make sure you use MQGMO_CONVERT in the application
  – Do not rely on channels CONVERT(YES)
• Know where problem/error information is logged
Lessons Learned
• Surrogate access is useful for verifying your z/OS certs - submit batch jobs as ZMQ1BRK to browse messages
• “sudo su -” access is useful for verifying your Linux application certs - sudo su - application-id
• You can test with your own personal certs using utilities like amqsputc on Linux and batch MQ programs on z/OS (or File Manager for MQ)
• Write a Java program to test your Java keystores. amqsputc does not work with a .jks keystore
  – Note: JmsProducer or JmsConsumer samples could also be used.
• AMS does not stop access to the queue, you still need to secure your queue using object level security
  – When you set your policy on the AliasQ, you can still view the QL
• Turning on encryption will increase the size of your message
  – Each time you add a Receiver to your policy, it increases the size of the message
• AMS requires different skill sets: MQ; RACF; Java Certs; Distributed platforms Certs
• Make friends with your colleagues in other departments!
Additional Information
WMQ AMS Info Center:
http://pic.dhe.ibm.com/infocenter/mqams/v7r0m1/index.jsp?topic=%2Fcom.ibm.mqese.doc%2FMQESEic_homepage.htm
WMQ AMS Product Page:
http://www-03.ibm.com/software/products/en/wmq-ams/
Secure Messaging Scenarios with WebSphere MQ:
http://www.redbooks.ibm.com/abstracts/sg248069.html
Thank You
Legal Disclaimer
• © IBM Corporation 2014. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this
publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM
without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to,
nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature
availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue
growth or other results.
• All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance
characteristics may vary by customer.
• IBM, the IBM logo, WebSphere, z/OS, RACF and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both.
• Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
• UNIX is a registered trademark of The Open Group in the United States and other countries.
• Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.

Network Security- port security.pptx
 
Cloud RAN and Evolution to 5G
Cloud RAN and Evolution to 5GCloud RAN and Evolution to 5G
Cloud RAN and Evolution to 5G
 
My PptIntroduction to 3G, GSM, GPRS, EDGE Network
My PptIntroduction to 3G, GSM, GPRS, EDGE NetworkMy PptIntroduction to 3G, GSM, GPRS, EDGE Network
My PptIntroduction to 3G, GSM, GPRS, EDGE Network
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewalls
 
Winhon Network Solution
Winhon Network SolutionWinhon Network Solution
Winhon Network Solution
 
Cx600 x1-m & cx600-x2-m v800 r005c01 configuration guide - interface and data...
Cx600 x1-m & cx600-x2-m v800 r005c01 configuration guide - interface and data...Cx600 x1-m & cx600-x2-m v800 r005c01 configuration guide - interface and data...
Cx600 x1-m & cx600-x2-m v800 r005c01 configuration guide - interface and data...
 
Modulo II: TecnologĂ­a CriptogrĂĄfica
Modulo II: TecnologĂ­a CriptogrĂĄficaModulo II: TecnologĂ­a CriptogrĂĄfica
Modulo II: TecnologĂ­a CriptogrĂĄfica
 
Mobile cellular-telecommunication-system-revised
Mobile cellular-telecommunication-system-revisedMobile cellular-telecommunication-system-revised
Mobile cellular-telecommunication-system-revised
 
IP Security
IP SecurityIP Security
IP Security
 
Packet radio protocol
Packet radio protocolPacket radio protocol
Packet radio protocol
 

Andere mochten auch

Secure Your Messages with IBM MQ Advanced Message Security
Secure Your Messages with IBM MQ Advanced Message SecuritySecure Your Messages with IBM MQ Advanced Message Security
Secure Your Messages with IBM MQ Advanced Message SecurityMorag Hughson
 
IBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep DiveIBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep DiveMorag Hughson
 
Where is My Message?: Use MQ Tools to Work Out What Applications Have Done
Where is My Message?: Use MQ Tools to Work Out What Applications Have DoneWhere is My Message?: Use MQ Tools to Work Out What Applications Have Done
Where is My Message?: Use MQ Tools to Work Out What Applications Have DoneMorag Hughson
 
IBM MQ - better application performance
IBM MQ - better application performanceIBM MQ - better application performance
IBM MQ - better application performanceMarkTaylorIBM
 
IBM MQ Advanced - IBM InterConnect 2016
IBM MQ Advanced - IBM InterConnect 2016IBM MQ Advanced - IBM InterConnect 2016
IBM MQ Advanced - IBM InterConnect 2016Leif Davidsen
 
WebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesMorag Hughson
 
DataPower-MQ Integration Deep Dive
DataPower-MQ Integration Deep DiveDataPower-MQ Integration Deep Dive
DataPower-MQ Integration Deep DiveMorag Hughson
 
WebSphere MQ V7 API Enhancements
WebSphere MQ V7 API EnhancementsWebSphere MQ V7 API Enhancements
WebSphere MQ V7 API EnhancementsMorag Hughson
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 SecurityMorag Hughson
 
What's New in IBM Messaging
What's New in IBM MessagingWhat's New in IBM Messaging
What's New in IBM MessagingMorag Hughson
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveMorag Hughson
 
The bits bytes and business benefits of securing your mq environment and mess...
The bits bytes and business benefits of securing your mq environment and mess...The bits bytes and business benefits of securing your mq environment and mess...
The bits bytes and business benefits of securing your mq environment and mess...Leif Davidsen
 
InterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQInterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQDavid Ware
 
Understanding mq deployment choices and use cases
Understanding mq deployment choices and use casesUnderstanding mq deployment choices and use cases
Understanding mq deployment choices and use casesLeif Davidsen
 
Using ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments finalUsing ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments finalLeif Davidsen
 
Websphere MQ admin guide
Websphere MQ admin guideWebsphere MQ admin guide
Websphere MQ admin guideRam Babu
 
Websphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentalsWebsphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentalsBiju Nair
 
Ulrich schmutz garden organic research on drought and drylands
Ulrich schmutz garden organic research on drought and drylandsUlrich schmutz garden organic research on drought and drylands
Ulrich schmutz garden organic research on drought and drylandsJoy Elliott
 
E gurinova research gardenzf mendel slovakia
E gurinova research gardenzf mendel slovakiaE gurinova research gardenzf mendel slovakia
E gurinova research gardenzf mendel slovakiaJoy Elliott
 

Andere mochten auch (20)

Secure Your Messages with IBM MQ Advanced Message Security
Secure Your Messages with IBM MQ Advanced Message SecuritySecure Your Messages with IBM MQ Advanced Message Security
Secure Your Messages with IBM MQ Advanced Message Security
 
IBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep DiveIBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep Dive
 
Where is My Message?: Use MQ Tools to Work Out What Applications Have Done
Where is My Message?: Use MQ Tools to Work Out What Applications Have DoneWhere is My Message?: Use MQ Tools to Work Out What Applications Have Done
Where is My Message?: Use MQ Tools to Work Out What Applications Have Done
 
IBM MQ - better application performance
IBM MQ - better application performanceIBM MQ - better application performance
IBM MQ - better application performance
 
IBM MQ Advanced - IBM InterConnect 2016
IBM MQ Advanced - IBM InterConnect 2016IBM MQ Advanced - IBM InterConnect 2016
IBM MQ Advanced - IBM InterConnect 2016
 
WebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changes
 
DataPower-MQ Integration Deep Dive
DataPower-MQ Integration Deep DiveDataPower-MQ Integration Deep Dive
DataPower-MQ Integration Deep Dive
 
WebSphere MQ V7 API Enhancements
WebSphere MQ V7 API EnhancementsWebSphere MQ V7 API Enhancements
WebSphere MQ V7 API Enhancements
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 Security
 
What's New in IBM Messaging
What's New in IBM MessagingWhat's New in IBM Messaging
What's New in IBM Messaging
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-Dive
 
The bits bytes and business benefits of securing your mq environment and mess...
The bits bytes and business benefits of securing your mq environment and mess...The bits bytes and business benefits of securing your mq environment and mess...
The bits bytes and business benefits of securing your mq environment and mess...
 
InterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQInterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQ
 
Understanding mq deployment choices and use cases
Understanding mq deployment choices and use casesUnderstanding mq deployment choices and use cases
Understanding mq deployment choices and use cases
 
Using ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments finalUsing ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments final
 
Websphere MQ admin guide
Websphere MQ admin guideWebsphere MQ admin guide
Websphere MQ admin guide
 
Websphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentalsWebsphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentals
 
Ulrich schmutz garden organic research on drought and drylands
Ulrich schmutz garden organic research on drought and drylandsUlrich schmutz garden organic research on drought and drylands
Ulrich schmutz garden organic research on drought and drylands
 
MenĂźler
MenĂźlerMenĂźler
MenĂźler
 
E gurinova research gardenzf mendel slovakia
E gurinova research gardenzf mendel slovakiaE gurinova research gardenzf mendel slovakia
E gurinova research gardenzf mendel slovakia
 

Ähnlich wie Secure Messages with IBM WebSphere MQ Advanced Message Security

Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...Robert Parker
 
Connecting IBM MessageSight to the Enterprise
Connecting IBM MessageSight to the EnterpriseConnecting IBM MessageSight to the Enterprise
Connecting IBM MessageSight to the EnterpriseAndrew Schofield
 
What's New in IBM MQ - Version 8
What's New in IBM MQ - Version 8What's New in IBM MQ - Version 8
What's New in IBM MQ - Version 8MarkTaylorIBM
 
MQTC 2016: IBM MQ Security deep dive including AMS
MQTC 2016: IBM MQ Security deep dive including AMSMQTC 2016: IBM MQ Security deep dive including AMS
MQTC 2016: IBM MQ Security deep dive including AMSRobert Parker
 
IBM What's New in MQ V8
IBM What's New in MQ V8IBM What's New in MQ V8
IBM What's New in MQ V8IBM Systems UKI
 
IBM WebSphere MQ Introduction
IBM WebSphere MQ Introduction IBM WebSphere MQ Introduction
IBM WebSphere MQ Introduction ejlp12
 
What's new in IBM MQ Messaging
What's new in IBM MQ MessagingWhat's new in IBM MQ Messaging
What's new in IBM MQ MessagingMarkTaylorIBM
 
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016Leif Davidsen
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data centerCisco Canada
 
Planning for MQ in the cloud MQTC 2017
Planning for MQ in the cloud MQTC 2017Planning for MQ in the cloud MQTC 2017
Planning for MQ in the cloud MQTC 2017Robert Parker
 
Interconnect 2017: 6885 Deploying IBM MQ in the cloud
Interconnect 2017: 6885 Deploying IBM MQ in the cloudInterconnect 2017: 6885 Deploying IBM MQ in the cloud
Interconnect 2017: 6885 Deploying IBM MQ in the cloudRobert Parker
 
IBM MQ security deep dive including AMS MQTC 2017
IBM MQ security deep dive including AMS MQTC 2017IBM MQ security deep dive including AMS MQTC 2017
IBM MQ security deep dive including AMS MQTC 2017Robert Parker
 
M08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryptionM08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryptionRobert Parker
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...Shah Sheikh
 
DEVNET-1009 Cisco Intercloud Fabric for Business (ICFB), Helping Enterprises...
DEVNET-1009	Cisco Intercloud Fabric for Business (ICFB),  Helping Enterprises...DEVNET-1009	Cisco Intercloud Fabric for Business (ICFB),  Helping Enterprises...
DEVNET-1009 Cisco Intercloud Fabric for Business (ICFB), Helping Enterprises...Cisco DevNet
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSMatt Leming
 
Ibm mq with c# sending and receiving messages
Ibm mq with c# sending and receiving messagesIbm mq with c# sending and receiving messages
Ibm mq with c# sending and receiving messagesShreesha Rao
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Amazon Web Services
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxssusere142fe
 
Anypoint platform security components
Anypoint platform security componentsAnypoint platform security components
Anypoint platform security componentsD.Rajesh Kumar
 

Ähnlich wie Secure Messages with IBM WebSphere MQ Advanced Message Security (20)

Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
 
Connecting IBM MessageSight to the Enterprise
Connecting IBM MessageSight to the EnterpriseConnecting IBM MessageSight to the Enterprise
Connecting IBM MessageSight to the Enterprise
 
What's New in IBM MQ - Version 8
What's New in IBM MQ - Version 8What's New in IBM MQ - Version 8
What's New in IBM MQ - Version 8
 
MQTC 2016: IBM MQ Security deep dive including AMS
MQTC 2016: IBM MQ Security deep dive including AMSMQTC 2016: IBM MQ Security deep dive including AMS
MQTC 2016: IBM MQ Security deep dive including AMS
 
IBM What's New in MQ V8
IBM What's New in MQ V8IBM What's New in MQ V8
IBM What's New in MQ V8
 
IBM WebSphere MQ Introduction
IBM WebSphere MQ Introduction IBM WebSphere MQ Introduction
IBM WebSphere MQ Introduction
 
What's new in IBM MQ Messaging
What's new in IBM MQ MessagingWhat's new in IBM MQ Messaging
What's new in IBM MQ Messaging
 
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data center
 
Planning for MQ in the cloud MQTC 2017
Planning for MQ in the cloud MQTC 2017Planning for MQ in the cloud MQTC 2017
Planning for MQ in the cloud MQTC 2017
 
Interconnect 2017: 6885 Deploying IBM MQ in the cloud
Interconnect 2017: 6885 Deploying IBM MQ in the cloudInterconnect 2017: 6885 Deploying IBM MQ in the cloud
Interconnect 2017: 6885 Deploying IBM MQ in the cloud
 
IBM MQ security deep dive including AMS MQTC 2017
IBM MQ security deep dive including AMS MQTC 2017IBM MQ security deep dive including AMS MQTC 2017
IBM MQ security deep dive including AMS MQTC 2017
 
M08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryptionM08 protecting your message data in IBM MQ with encryption
M08 protecting your message data in IBM MQ with encryption
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
 
DEVNET-1009 Cisco Intercloud Fabric for Business (ICFB), Helping Enterprises...
DEVNET-1009	Cisco Intercloud Fabric for Business (ICFB),  Helping Enterprises...DEVNET-1009	Cisco Intercloud Fabric for Business (ICFB),  Helping Enterprises...
DEVNET-1009 Cisco Intercloud Fabric for Business (ICFB), Helping Enterprises...
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
 
Ibm mq with c# sending and receiving messages
Ibm mq with c# sending and receiving messagesIbm mq with c# sending and receiving messages
Ibm mq with c# sending and receiving messages
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
 
Anypoint platform security components
Anypoint platform security componentsAnypoint platform security components
Anypoint platform security components
 

KĂźrzlich hochgeladen

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 

KĂźrzlich hochgeladen (20)

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 

Secure Messages with IBM WebSphere MQ Advanced Message Security

  • 1. Š 2014 IBM Corporation Secure Messages with IBM WebSphere MQ Advanced Message Security Morag Hughson (IBM) Carol Benders (CSX) Carl Conrad (CSX)
  • 2. Agenda Introductions • Morag Hughson • Carol Benders • Carl Conrad Technical Introduction To IBMÂŽ WebSphereÂŽ MQ Advanced Message Security CSX AMS Architecture CSX AMS Implementation CSX AMS Testing Lessons Learned Q&A
  • 3. Š 2014 IBM Corporation Technical Introduction To WebSphere MQ Advanced Message Security (AMS) Morag Hughson hughson@uk.ibm.com
  • 4. Why use message-level security? Base WebSphere MQ networks • Authentication and authorization is scoped to the connection • SSL/TLS channels provide additional connection-scoped security • Channel context setting provides some per-message authorization – But based on unauthenticated MQMD.UserID WebSphere MQ AMS complements WebSphere MQ's connection-level security • Provides authentication, authorization and accountability scoped at the message level Increasing impact of regulatory compliance • Payment Card Industry Data Security Standard (PCI-DSS) • Health Insurance Portability & Accountability Act (HIPAA) • European Union Privacy Directive • FIPS, Suite-B, FISMA Provide additional security for Command & Control traffic Any time many identities are aggregated over a single connection
  • 5. N O T E S Message Level Protection – Notes • Advanced Message Security is a feature of WebSphere MQ that provides Application Level Security, also known as Message Level Protection. • Message Level Protection provides assurance that messages have not been altered in transit. For example, when issuing payment information messages, ensure the payment amount does not change before reaching the receiver. • Message Level Protection provides assurance that messages originated from the expected source . For example, when processing control messages, validate the sender. • Message Level Protection provides assurance that messages can only be viewed by intended recipient(s). For example, when sending confidential information.
  • 6. AMS Key Features Secures sensitive or high-value WebSphere MQ messages • Privacy via message content encryption • It leverages digital certificates (X.509) and Public Key encryption to protect WebSphere MQ messages Detects and removes rogue or unauthorized messages before they are processed by receiving applications • Authentication via certificate above and beyond operating system Verifies that messages are not modified between sender and receiver • Message Integrity via digital signature of message content Protects messages not only when they flow across the network but when they are at rest in queues Messages from existing WebSphere MQ applications are transparently secured using “interceptors” • No application changes are necessary No pre-requisite products other than WebSphere MQ Successor to WebSphere MQ Extended Security Edition (ESE)
• 7. Server/Client Interceptors – No changes required to existing applications
[Diagram: three interception points. Server side: an API exit on the MQ API (mqm lib) in front of the queue manager. Pre-7.1 client: a library replacement (replacement mqic lib, renamed MQIC) between the application and the channel agent; 7.1 clients use API exits instead. JMS application: a JMQI intercept. In 7.5 interception is built in.]
• 8. Interceptors – Environments supported – Notes
  • MQ AMS functionality is implemented in "interceptors"
    – There are no long running processes or daemons (except on z/OS®)
    – Existing MQ applications do not require changes
  • These interceptors have evolved over the last few releases.
  • Before MQ V7.1, three interceptors are provided:
    1. MQ Server interceptor for local (bindings mode) MQI API and Java™ applications – implemented as a standard API exit on distributed platforms, and as a "private" API exit on z/OS
    2. MQ Client API interceptor for remote (client mode) MQ API applications – implemented as a library replacement
    3. MQ Java client interceptor for remote (client mode) MQ JMS and MQ classes for Java applications (J2EE and J2SE)
  • With WebSphere MQ V7.1, MQI clients gain the ability to use API exits, so the MQ Client API interceptor becomes the same API exit as the MQ Server interceptor.
  • With WebSphere MQ V7.5, AMS is no longer a separate product and becomes a feature of WebSphere MQ, with the interceptor code embedded in the product. No need to configure API exits anymore.
• 9. Interceptors (z/OS)
Pre-V8.0 (two started tasks)
  • Main task: ssidAMSM
    – Runs API interceptor
    – Enforces policies
  • Data Services task: ssidAMSD
    – Performs signature and encryption
    – Calls System SSL PKCS#7 services (uses SAF keyrings)
WebSphere MQ V8
  • Single task: ssidAMSM
  • Started/stopped with QMgr
  • "Private" API exit code is now embedded in the product (8.0 interception is built in)
[Diagram: Application → MQ API → "private" API exit → QMGR (ssidMSTR), with the AMS main task (ssidAMSM) and AMS Data Services task (ssidAMSD) alongside.]
• 10. Interceptors (z/OS) – Notes
  • On z/OS before MQ V8, the MQ Server interceptor for local (bindings mode) applications is implemented as a "private" API exit.
  • In V8, similar to the change made on Distributed in V7.5, AMS is pulled into the base WebSphere MQ product. Its documentation is also pulled into the WebSphere MQ Information Center.
  • This provides better integration with the queue manager, including tie-in of the start/stop of the AMS address space with start-up and shut-down of the queue manager. Calling the AMS address space to do the encryption/decryption work is more efficient and, because the vendor API call intercept method (the "private" API exit) is no longer used, it is less likely to conflict with other OEM products.
  • The previous two separate AMS address spaces, ssidAMSM (main) and ssidAMSD (data services), are now combined into a single address space, ssidAMSM. Any authorities that were previously required by ssidAMSD are now needed on ssidAMSM instead. ssidAMSM now consumes the encryption CPU. The utility used on z/OS to set up policies is renamed from DRQUTIL to CSQ0UTIL.
  • There are no changes to the keyring names, and the hardened version of the policies, which are stored as messages on the SYSTEM.PROTECTION.POLICY.QUEUE, has the same shape, so existing policies just work.
  • AMS is still priced separately as OTC and has a separately installed FMID, which is an enablement module for AMS.
• 11. Message protection policies
Two types of policies:
  • Message Integrity policy
  • Message Privacy policy
Created, updated or removed by the command 'setmqspl'
  • or by the AMS plug-in for WebSphere MQ Explorer (GUI)
    – Defining message integrity policies
    – Defining message privacy policies
Policies are stored in queue 'SYSTEM.PROTECTION.POLICY.QUEUE'
Display policies with the command 'dspmqspl'
  • or by the AMS plug-in for WebSphere MQ Explorer (GUI)
Each protected queue can have only one policy
  • For distributed queuing, protect the queue locally (source QM) as well as the remote (target QM)
"Compromised messages" go to queue 'SYSTEM.PROTECTION.ERROR.QUEUE'
[Diagram: a protected message is the message properties, a PDMQ header and a PKCS #7 envelope (carrying the signature) around the message data; the queue manager holds the PROTECTED queue, the POLICIES queue and the ERROR queue.]
• 12. Advanced Message Security – Notes
  • Advanced Message Security (AMS) provides message protection policies to allow message content to be signed and encrypted. The application is unaware of the service, so the application programmer need not code it into the application; before the message is even placed on the queue it can be encrypted, ensuring that its contents are never exposed. The message is encrypted while it resides on the queue and while it is transported across the network (the channels are unaware that the content is encrypted, since they are content agnostic anyway), and it is still encrypted when it is placed on the target queue. At the point where the receiving application gets the message off the queue, the application level security service decrypts the data and presents it to the application.
  • Configuration of these policies is done using the setmqspl (set MQ security policy) command, or via the equivalent function in the MQ Explorer GUI. Once defined, these policies are stored in a special queue called SYSTEM.PROTECTION.POLICY.QUEUE. The policies can also be displayed using the dspmqspl command, or again via the MQ Explorer GUI.
• 13. Message integrity policy definition
Signature algorithms:
  • MD5, SHA1, SHA256*, SHA384* or SHA512*
The list of authorized signers is optional
  • If no authorized signers are specified then any application can sign messages.
  • If authorized signers are specified then only messages signed by these applications can be retrieved.
  • Messages from other signers are sent to the error queue
On z/OS, the same setmqspl program and parameters are used as SYSIN DD for PGM=DRQUTIL (CSQ0UTIL in V8)
Can also define policies via the MQ Explorer GUI.
Syntax:
  setmqspl -m <queue_manager> -p <protected_queue_name> -s <SHA1 | MD5> -a <Authorized signer DN1> -a <Authorized signer DN2> ...
Example:
  setmqspl -m MYQM -p MY.Q.INTEGRITY -s SHA1 -e NONE -a 'CN=hughson,O=ibm,C=FR'
* Note: SHA-2 algorithms available in v7.0.1.2 and higher
• 14. AMS DRQUTIL/CSQ0UTIL commands on z/OS
JCL to execute the AMS admin commands (the DIR and FN symbols point to the parameters file):
//CFAMSAD JOB 'Make MQ AMS queues',CLASS=A,MSGLEVEL=(1,1),
// NOTIFY=&SYSUID
/*JOBPARM SYSAFF=ZT01
//******************************************************************
//* Administer MQ Advanced Message Service (AMS) *
//******************************************************************
// SET DIR='/u/hughson'
// SET FN='drqdserv.envars'
//*
//DRQUTIL EXEC PGM=DRQUTIL,
// PARM='ENVAR("_CEE_ENVFILE=&DIR./&FN") /'
//STEPLIB DD DSN=WMQ.AMS.V7R1.SDRQLOAD,DISP=SHR
// DD DSN=WMQ.V7R0M1.SCSQANLE,DISP=SHR
// DD DSN=WMQ.V7R0M1.SCSQAUTH,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
setmqspl -m QZ09 -p TO.SECRET.FROMZ -s SHA1 -e RC2 -r "CN=hughson,O=ibm,C=GB"
/*
//
Parameters file drqdserv.envars:
_DRQSERV_QMGR=QZ09
_DRQSERV_MSG_LOGGING=stderr_logging
_DRQSERV_MSG_LEVEL=*.i
_DRQSERV_MSG_FOLDING=no
_DRQ_INIT_THREADS=20
_DRQ_MAX_THREADS=100
NLSPATH=/usr/lpp/mqmese/V7R0M1/lib/nls/msg/%L/…
LANG=En_US.IBM-1047
TZ=EST5EDT
• 15. Message privacy policy definition
Encryption algorithms:
  • RC2, DES, 3DES, AES128 and AES256
  • Encrypted messages are always signed
The list of authorized signers is optional
It is mandatory to specify at least one message recipient
Retrieved messages which do not meet the AMS policy are sent to SYSTEM.PROTECTION.ERROR.QUEUE
  • E.g. the policy contains an authorized signer list and the sender is not on it
Syntax:
  setmqspl -m <queue_manager> -p <protected_queue_name> -s <SHA1 | MD5> -e <encryption algorithm> -a <Authorized signer DN1> -a <Authorized signer DN2> -r <Message recipient DN1> -r <Message recipient DN2>
Example:
  setmqspl -m MYQM -p MY.Q.PRIVACY -s SHA1 -e AES128 -a 'CN=hughson,O=ibm,C=GB' -r 'CN=ginger,O=ibm,C=JP' -r 'CN=saadb,OU=WBI,O=ibm,C=FR'
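The policy rules from slides 13 and 15 (which algorithms each policy type accepts, that a privacy policy needs at least one recipient, and what the resulting setmqspl line looks like) written out as a small Python checker. This is an added example, not code from the presentation or from IBM; the weak-algorithm list is a review criterion of my own, not something setmqspl enforces.

```python
"""Policy rules from slides 13 and 15 as code: validate an AMS policy and
build or parse the matching setmqspl command line.
Added example, not IBM's code; the flags are the ones shown on the slides."""
from dataclasses import dataclass, field
import shlex

SIGN_ALGS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
ENC_ALGS = {"NONE", "RC2", "DES", "3DES", "AES128", "AES256"}
# setmqspl accepts these, but a policy review should flag them (own criterion)
WEAK_ALGS = {"MD5", "SHA1", "RC2", "DES"}


@dataclass
class AmsPolicy:
    qmgr: str                                   # -m
    queue: str                                  # -p
    sign_alg: str                               # -s (privacy messages are always signed too)
    enc_alg: str = "NONE"                       # -e; NONE means an integrity-only policy
    signers: list = field(default_factory=list)     # -a, optional authorized signer DNs
    recipients: list = field(default_factory=list)  # -r, recipient DNs

    @property
    def kind(self):
        return "integrity" if self.enc_alg == "NONE" else "privacy"

    def validate(self):
        """Apply the rules stated on the slides; returns a list of errors."""
        errors = []
        if self.sign_alg not in SIGN_ALGS:
            errors.append(f"unsupported signature algorithm {self.sign_alg!r}")
        if self.enc_alg not in ENC_ALGS:
            errors.append(f"unsupported encryption algorithm {self.enc_alg!r}")
        if self.kind == "privacy" and not self.recipients:
            errors.append("privacy policy must name at least one -r recipient")
        for dn in self.signers + self.recipients:
            if "'" in dn:
                errors.append(f"DN contains a quote and cannot be put on a command line: {dn!r}")
        return errors

    def warnings(self):
        return [f"weak algorithm {a}" for a in (self.sign_alg, self.enc_alg)
                if a in WEAK_ALGS]

    def to_setmqspl(self):
        """Command line for distributed platforms; on z/OS the same text goes
        into the SYSIN DD of DRQUTIL (CSQ0UTIL in V8)."""
        parts = ["setmqspl", "-m", self.qmgr, "-p", self.queue,
                 "-s", self.sign_alg, "-e", self.enc_alg]
        for dn in self.signers:
            parts += ["-a", f"'{dn}'"]
        for dn in self.recipients:
            parts += ["-r", f"'{dn}'"]
        return " ".join(parts)

    def remove_command(self):
        return f"setmqspl -m {self.qmgr} -p {self.queue} -remove"


def parse_setmqspl(cmdline):
    """Read an existing setmqspl line back into an AmsPolicy, so a script
    of policies can be reviewed with validate() and warnings()."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "setmqspl":
        raise ValueError("not a setmqspl command")
    if "-remove" in argv:
        raise ValueError("-remove deletes a policy; nothing to review")
    single, multi = {}, {"-a": [], "-r": []}
    for flag, value in zip(argv[1::2], argv[2::2]):
        if flag in multi:
            multi[flag].append(value)
        else:
            single[flag] = value
    # Assumption: a missing -e is treated as NONE (integrity policy)
    return AmsPolicy(single["-m"], single["-p"], single["-s"],
                     single.get("-e", "NONE"), multi["-a"], multi["-r"])
```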
• 16. Integrity message format
[Diagram: an MQ message (message properties + message data) becomes an AMS signed message: message properties, a PDMQ header, and a PKCS #7 envelope containing the message data and its signature.]
• 17. Privacy message format
[Diagram: an MQ message (message properties + message data) becomes an AMS signed and encrypted message: message properties, a PDMQ header, and a PKCS #7 envelope in which the data is encrypted with a key, that key is encrypted with the recipient's certificate, and the whole is signed.]
• 19. WebSphere MQ AMS configuration file
WebSphere MQ AMS interceptors require a configuration file, e.g. KEYSTORE.CONF, which contains:
  • Type of keystore: CMS, JKS, JCEKS
  • Location of the keystore.
  • Label of the personal certificate.
  • Passwords to access the keystore and private keys (or a .sth stash for CMS format)
Interceptors locate the configuration file using one of the following methods:
  • Environment variable MQS_KEYSTORE_CONF=<path to conf file>.
  • Checking default locations and file names.
    – Platform dependent. For example on UNIX®: "$HOME/.mqs/keystore.conf"
[Diagram: KEYSTORE.CONF pointing at the producer keystore, with Location: ProducerKeystore and Label: MyDN.]
• 20. Keystores and X.509 certificates
An application protected by AMS needs:
  • On distributed – a keystore
    – Types: CMS, JKS and JCEKS
  • On z/OS – a SAF keyring
    – Named "drq.ams.keyring"
The keystore contains
  • A personal X.509 certificate and associated private key
  • Trusted certificates
    – to validate message signers
    – to obtain the public keys of encrypted message recipients
Create using:
  • iKeyman GUI
  • Command line – runmqakm
  • SAF commands, e.g. RACDCERT in RACF®
  • 3rd party key management software
[Diagram: the producer keystore holds the personal certificate (MyDN) with its private key, plus trusted certificates (YourDN, e.g. Alice's digital certificate with its CA signature) carrying public keys.]
• 21. Keystores and X.509 certificates – Notes
  • Each MQ application producing or consuming protected messages requires access to a keystore that contains a personal X.509 (v2/v3) certificate and the associated private key.
  • The keystore and certificate are accessed by the MQ AMS interceptors.
  • The keystore must contain trusted certificates to validate message signers or to obtain the public keys of encrypted message recipients.
  • The keystore can be the same as that used for MQ SSL.
  • Several types of keystore are supported (Distributed): CMS, JKS and JCEKS.
  • On Distributed MQ, IBM Key Management (iKeyman, part of GSKit) is provided to create and do simple management of local keystores.
  • On z/OS, a standard SAF product (e.g. RACF) is used to create certificates, which are SAF-managed and must be on a keyring named "drq.ams.keyring".
  • 3rd party software is available from IBM (or others) to provide more robust industrialisation of keystore maintenance. For the IBM Tivoli® Key Lifecycle Manager, see: http://www.ibm.com/software/tivoli/products/key-lifecycle-mgr/
• 23. Who is CSX?
  • East coast railroad headquartered in Jacksonville FL
  • Ranked #19 "Best Places to Work" by Computer World
  • 31,000 employees
  • 21,000 route miles in 23 states
  • 4,000 locomotives
  • 100,000 owned or leased freight cars
  • 1,200 trains per day
  • 20,000 carloads per day
• 24. Business Requirement
"The messages passing between our HR and Medical applications must be encrypted."
Why?
  • To protect personal information (i.e. SSN, medical information)
What?
  • WebSphere MQ Messages
Where?
  • PeopleTools Application (Linux®)
  • WebSphere MQ QMGR (Linux)
  • WebSphere MQ QMGR (z/OS)
  • WebSphere Message Broker (Linux)
  • WebSphere Application Server (Linux)
** Object names in this presentation do not represent real objects on our system
• 25. Architecture – Pre AMS
  • Linux WebSphere MQ Client v7.1.0.8
    – PeopleTools Application (Non-IBM Java)
    – .bindings (SSL)
    – Java Keystore (.jks)
    – Certificates exchanged between PS and QMGR
  • Linux WebSphere MQ HA QMGR v7.5.0.2
    – PSOFT.Q (QR)
    – MEDICAL.Q (QL)
    – QMGR Keystore
    – Certificates exchanged between PS and QMGR
    – Server Connection Channel (SSL)
  • z/OS WebSphere MQ QMGR v7.1.0 (w/ RACF)
    – PSOFT.Q (QL)
    – MEDICAL.Q (QR)
  • z/OS WebSphere Message Broker v7.0.0
    – Message Flow
  • Linux WebSphere Application Server Cluster v7.0.0.29
    – Medical Application
    – JMS WAS definitions (Activation Specs and Queues)
• 28. Architecture – AMS
  • Linux MQ Client PeopleTools Application
    – PeopleTools Application (Non-IBM Java)
    – .bindings (SSL)
    – Java Keystore (.jks)
    – Certificates exchanged between PS and QMGR
  • Linux WebSphere MQ HA QMGR v7.5.0.2
    – PSOFT.Q (QR)
    – MEDICAL.Q (QL)
    – Server Conn Channel + SSL
    – QMGR Keystore
    – Certificates exchanged between PS and QMGR
  • WebSphere Advanced Message Security v7.5.0.2
    – AMS Keystore
    – AMS keystore.conf
    – Certificates exchanged between XMQ1AMS (Linux AMS) and ZMQ1BRK (z/OS Broker)
    – Define Policies for PSOFT.Q and MEDICAL.Q
Continued…
• 29. Architecture – AMS (continued)
  • z/OS WebSphere MQ QMGR v7.1.0 (w/ RACF)
    – PSOFT.Q (QL)
    – MEDICAL.Q (QR)
  • z/OS WebSphere Advanced Message Security v7.0.1
    – RACF Keyring – drq.ams.keyring
    – AMS Keyring
    – Import certificates from ZMQ1BRK / XMQ1AMS / MEDICAL
    – Define Policies for PSOFT.Q and MEDICAL.Q
  • z/OS WebSphere Message Broker v7.0.0
    – Message Flow
    – Broker Keyring
    – Exchange certificates in Broker Keyring between ZMQ1BRK / XMQ1AMS / MEDICAL
Continued…
• 30. Architecture – AMS (continued)
  • Linux WebSphere Application Server Cluster v7.0.0.29
    – Medical Application
    – JMS WAS definitions (Activation Specs and Queues)
  • WebSphere MQ AMS V7.0.1.1
    – AMS and SSL jar files
    – /opt/ibm/WebSphere/MQAMS/bin/cfgmqs -enable -java
    – Java Keystore (.jks)
    – Keystore.conf
    – Certificates exchanged between MEDICAL and ZMQ1BRK
• 31. Architecture – With AMS – Breakdown (AMS 7.0) [diagram slide]
• 33. Linux PeopleTools App – First Attempt – Did Not Work
This did not work because PeopleTools uses non-IBM Java
  • The AMS interceptor does not support non-IBM Java
• 34. Linux PeopleTools App – 2nd Attempt – MCA Interceptor [diagram slide]
• 35. Architecture – With AMS – Breakdown (AMS 7.0) [diagram slide]
• 37. Linux PeopleTools Application / MQ Client
Tasks to enable AMS
  1. Make sure you have SSL enabled on your SVRCONN channel
  2. Must use a pre-7.5 MQ Client (or the 7.5.0.4 fix)
** AMS is not installed on this non-IBM Java client. The AMS MCA Interceptor on the HA QMGR acts as a surrogate for the client application to encrypt the messages.
• 38. Linux PeopleTools Application / MQ Client Details
Platform:
  • Linux RHEL 6
Software:
  • PeopleTools 8.5.3 (non-IBM Java)
  • WebSphere MQ Client V7.0.1.8 (** must be a pre-7.5 client (or 7.5.0.4) to use the MCA Interceptor)
Notes:
  • Because PeopleTools is a non-IBM Java application we could not use AMS on the client
  • We opted to use the AMS MCA interceptor option
  • If you are using the AMS MCA interceptor option, you must have SSL turned on for the SVRCONN channel.
  • In addition, you will need to use a version of MQ Client that does not come packaged with AMS (or a version where AMS can be turned off):
    – Pre-7.5 MQ Client, or
    – MQ Client 7.5.0.4 (with parameter to set AMS off)
• 39. Architecture – With AMS – Breakdown (AMS 7.0) [diagram slide]
• 41. Linux HA QMGR
Tasks to enable AMS
  1. Install AMS
  2. Create the AMS keystore
  3. Create the AMS keystore.conf
  4. Create / Import / Export Digital Certificates
  5. Add MCA interceptor definitions to the keystore.conf
  6. Create Policies
• 42. Linux HA QMGR Details
Platform:
  • Linux RHEL 6
Software:
  • WebSphere MQ 7.5.0.2
  • WebSphere MQ AMS V7.5.0.2
Configuration:
  • Channels
    – Sender (XMQ1.TO.ZMQ1)
    – Receiver (ZMQ1.TO.XMQ1)
    – Server Conn (XMQ1.XMQ1.PSOFT.CL) *** SSL must be turned on ***
  • Queues
    – PSOFT.Q (QR)
    – MEDICAL.Q (QL)
  • Keystore (AMS / XMQ1) *** Not the same keystore that is used for the SVRCONN SSL ***
    – XMQ1AMS personal cert
    – ZMQ1BRK cert (imported from z/OS)
  • Policies:
    – PSOFT.Q
    – MEDICAL.Q
• 43. Linux HA QMGR Details
  • Keystore.conf contents:
    cms.keystore=/$MQHOME/.ssl/key
    cms.certificate.channel.XMQ1.XMQ1.PSOFT.CL=XMQ1AMS
Sample Commands:
  • Create keystore
    runmqakm -keydb -create -db key.kdb -pw <password> -type kdb -stash
  • Create QMGR (XMQ1AMS) personal cert
    runmqakm -cert -create -dn "CN=XMQ1AMS,OU=XMQ1AMSDEV,O=<COMPANY>,C=<COUNTRY>" -label XMQ1AMS -db key.kdb -size <KEYSIZE> -ca false -expire 365
  • Import XMQ1BRK cert
    runmqakm -cert -add -db key.kdb -label XMQ1BRK -file XMQ1BRK.cer -trust enable
  • Export QMGR (XMQ1) personal cert
    runmqakm -cert -extract -label XMQ1AMS -db key.kdb -target XMQ1AMS.cert -format ascii
  • List certs
    runmqakm -cert -list -db key.kdb (list cert labels)
    runmqakm -cert -details -db key.kdb -label XMQ1AMS (details for a specific label)
• 44. Linux HA QMGR Details
  • Policy Commands
    setmqspl -m XMQ1 -p PSOFT.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENC ALG> -a "CN=XMQ1AMS,OU=XMQ1AMSDEV,O=<COMPANY>,C=<COUNTRY>" -r "CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=<COMPANY>,C=<COUNTRY>"
    setmqspl -m XMQ1 -p MEDICAL.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENC ALG> -a "CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=<COMPANY>,C=<COUNTRY>" -r "CN=MEDICAL,OU=DEV_MEDICAL,O=<COMPANY>,C=<COUNTRY>"
    setmqspl -m XMQ1 -p PSOFT.Q -remove
Note:
  • Because the PeopleTools application uses non-IBM Java, we opted to use the MCA interceptor feature of AMS.
  • There are 2 separate keystores:
    1. QMGR keystore:
      – Stores the certificates for the QMGR and the PeopleTools Client
      – Provides the SVRCONN channel SSL
    2. The AMS keystore:
      – Stores the certificates for AMS and the Broker
      – Provides the AMS encryption (between XMQ1AMS and ZMQ1BRK (z/OS))
• 45. Architecture – With AMS – Breakdown (AMS 7.0) [diagram slide]
• 47. z/OS WebSphere MQ QMGR and Broker
Tasks to enable AMS
  1. Define AMS started tasks
  2. Define RACF AMS Keyrings
  3. Create / Import / Export Digital Certificates
  4. Define SYSTEM.PROTECTION queues
  5. Define Queue Policies
• 48. z/OS WebSphere MQ QMGR and Broker Details
Platform:
  • z/OS 1.13
Software:
  • WebSphere MQ V7.1
  • WebSphere MQ AMS V7.0
  • WebSphere Broker V7.0
Started Tasks:
  • ZMQ1MSTR – QMGR Master
  • ZMQ1CHIN – QMGR Channel Initiator
  • ZMQ1BRK – Broker and EGs
  • ZMQ1AMSD – AMS Data Services Task
  • ZMQ1AMSM – AMS Main Task
Configuration:
  • Channels
    – Sender (ZMQ1.TO.XMQ1)
    – Receiver (XMQ1.TO.ZMQ1)
• 49. z/OS WebSphere MQ QMGR and Broker Details
Configuration:
  • Queues
    – PSOFT.Q (QL)
    – MEDICAL.Q (QR)
    – SYSTEM.PROTECTION.ERROR.QUEUE
    – SYSTEM.PROTECTION.POLICY.QUEUE
    – SYSTEM.PROTECTION.SYNC.QUEUE
  • RACF
    – ZMQ1BRK cert OWNER=ZMQ1BRK
    – XMQ1AMS cert OWNER=SITE
    – MEDICAL cert OWNER=SITE
  • Keyring Name: drq.ams.keyring
    – ZMQ1BRK keyring
        • ZMQ1BRK cert OWNER=ZMQ1BRK USAGE: PERSONAL
        • XMQ1AMS cert OWNER=SITE USAGE: SITE
        • MEDICAL cert OWNER=SITE USAGE: SITE
    – ZMQ1AMS keyring
        • ZMQ1BRK cert OWNER=ZMQ1BRK USAGE: SITE
        • XMQ1AMS cert OWNER=SITE USAGE: SITE
        • MEDICAL cert OWNER=SITE USAGE: SITE
• 50. z/OS WebSphere MQ QMGR and Broker Details
Configuration
  • Policies
    – PSOFT.Q
    – MEDICAL.Q
Command Examples:
  • Policies
    setmqspl -m ZMQ1 -p MEDICAL.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENCRYPTION ALG> -a "CN=ZMQ1BRK,OU=ZMQ1BRKDEV,O=<COMPANY>,C=<COUNTRY>" -r "CN=MEDICAL,OU=MEDICALDEV,O=<COMPANY>,C=<COUNTRY>"
    dspmqspl -m ZMQ1 -p MEDICAL.Q
    setmqspl -m ZMQ1 -p MEDICAL.Q -remove
• 51. z/OS WebSphere MQ QMGR and Broker Details
Command Examples:
  • RACF cert and keyring commands:
    RACDCERT ID(ZMQ1BRK) +
      GENCERT SUBJECTSDN(CN('ZMQ1BRK') OU('ZMQ1BRKDEV') O('<COMPANY>') +
      L('<LOCATION>') C('<COUNTRY>')) +
      WITHLABEL('ZMQ1BRK') +
      NOTAFTER(DATE(2015-03-25)) +
      KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
    RACDCERT ID(ZMQ1BRK) ALTER (LABEL('ZMQ1BRK')) TRUST
    RACDCERT ADD('MQ.AMS.XMQ1AMS.CERT') +
      SITE WITHLABEL('XMQ1AMS')
    RACDCERT ADD('MQ.AMS.MEDICAL.CERT') +
      SITE WITHLABEL('MEDICAL')
    RACDCERT ID(ZMQ1BRK) ADDRING(drq.ams.keyring)
    RACDCERT ID(ZMQ1BRK) CONNECT(ID(ZMQ1BRK) LABEL('ZMQ1BRK') +
      RING(drq.ams.keyring) DEFAULT USAGE(PERSONAL))
• 52. z/OS WebSphere MQ QMGR and Broker Details
Command Examples:
  • RACF cert and keyring commands:
    RACDCERT ID(ZMQ1BRK) CONNECT(SITE LABEL('MEDICAL') +
      RING(drq.ams.keyring) USAGE(SITE))
    RACDCERT ID(ZMQ1BRK) CONNECT(SITE LABEL('XMQ1AMS') +
      RING(drq.ams.keyring) USAGE(SITE))
    RACDCERT ID(ZMQ1AMS) CONNECT(ID(ZMQ1BRK) LABEL('ZMQ1BRK') +
      RING(drq.ams.keyring) USAGE(SITE))
  • Refresh RACF and AMS
    SETROPTS RACLIST(DIGTRING) REFRESH
    SETROPTS RACLIST(DIGTCERT) REFRESH
    /F ZMQ1AMSD,REFRESH (refresh AMS address space)
    /F ZMQ1AMSM,REFRESH (refresh AMS address space)
• 53. Architecture – With AMS – Breakdown (AMS 7.0) [diagram slide]
• 54. Linux WebSphere Application Server Cluster (Medical App) – AMS 7.0 [diagram slide]
• 55. Linux WebSphere Application Server Cluster
Tasks to enable AMS
  1. Install AMS
  2. Create Java Keystore
  3. Create Keystore.conf
  4. Enable AMS Java Command
  5. Update WAS Keystore.conf variable
  6. Copy ESE and Security Policy files to WAS
  7. Create / Import / Export Digital Certificates
• 56. Linux WebSphere Application Server Cluster Details
Platform:
  • Linux RHEL 6
Software:
  • WebSphere Application Server ND V7.0.0.29
  • WebSphere MQ AMS V7.0.1.1
Configuration:
  • WAS JVM Arguments
    – MQS_KEYSTORE.CONF ** set to WAS keystore.conf path
  • Copy ESE jar files (for pre-7.5 AMS)
    – com.ibm.mq.ese.jar
    – (to) $WASPATH/installedConnectors/wmq.jmsra.rar
  • Copy IBM SDK policy files
    – local_policy.jar
    – US_export_policy.jar
    – (to) $WASPATH/java/jre/lib/security
  • Enable AMS Java Command
    – $AMS_PATH/bin/cfgmqs -enable -java
  • Java keystore (.jks)
    – MEDICAL personal cert
    – ZMQ1BRK (Broker from z/OS) imported cert
• 57. Linux WebSphere Application Server Cluster – Details
Sample Commands:
  • Create the Java keystore
    keytool -genkey -keyalg <KEYALG> -alias MEDICAL -keystore key.jks -storepass PASS1 -validity 365 -keysize <KEY_SIZE> -dname "CN=MEDICAL,OU=MEDICALDEV,O=<COMPANY>,C=<COUNTRY>" -keypass PASS1
  • Import Broker (XMQ1BRK) cert
    keytool -import -alias XMQ1BRK -file broker.cer -keystore key.jks -storepass PASS1
  • Export Personal (MEDICAL) cert
    keytool -export -rfc -alias MEDICAL -file medical.cer -keystore key.jks -storepass PASS1
  • List certs
    keytool -list -keystore key.jks -storepass PASS1
    keytool -list -v -keystore key.jks -storepass PASS1 (-v for detail)
Keystore.conf contents:
  jks.keystore = $KEYSTOREPATH/key    *** No suffix on the keystore file name ***
  jks.certificate = MEDICAL
  jks.encrypted = no
  jks.keystore_pass = PASS1
  jks.key_pass = PASS1
  jks.provider = IBMJCE
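A parser and review check for keystore.conf files of the two shapes shown on slides 19, 43 and 57 (a JKS file with clear-text passwords for the WAS application, and a CMS file carrying an MCA-interceptor channel mapping for the queue manager). This is an added example, not material from the presentation and not an IBM tool; the file paths in the samples are constructed, and the findings it raises (suffix on the keystore name, missing label, clear-text passwords) are the ones the slides call out.

```python
"""Parse and sanity-check an AMS keystore.conf of the shape shown on
slides 19, 43 and 57. Added example, not the presentation's own material
and not an IBM tool; the key names are the ones that appear on those slides."""

# Constructed samples modelled on the slides (paths are made up)
WAS_CONF = """\
# keystore.conf for the WAS medical application (JKS)
jks.keystore = /opt/medical/keys/key
jks.certificate = MEDICAL
jks.encrypted = no
jks.keystore_pass = PASS1
jks.key_pass = PASS1
jks.provider = IBMJCE
"""

QMGR_CONF = """\
# keystore.conf for the HA queue manager: CMS keystore plus an
# MCA-interceptor mapping of the SVRCONN channel to the AMS certificate
cms.keystore=/var/mqm/.ssl/key
cms.certificate.channel.XMQ1.XMQ1.PSOFT.CL=XMQ1AMS
"""

KEYSTORE_TYPES = ("cms", "jks", "jceks")
FILE_SUFFIXES = (".kdb", ".jks", ".jceks")


def parse_keystore_conf(text):
    """Return {key: value}; blank lines and '#' comments are ignored."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key = value")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def summarize(conf):
    """Describe what the interceptor would use and list review findings."""
    types = sorted({k.split(".", 1)[0] for k in conf} & set(KEYSTORE_TYPES))
    if len(types) != 1:
        return {"type": None, "findings": [f"expected one keystore type, found {types}"]}
    t = types[0]
    findings = []
    path = conf.get(f"{t}.keystore")
    if not path:
        findings.append(f"{t}.keystore is missing")
    elif path.endswith(FILE_SUFFIXES):
        findings.append(f"{t}.keystore must be given without its file suffix: {path}")
    # Either a single personal certificate label, or (MCA interceptor) one
    # label per channel, must be present for the interceptor to sign/decrypt
    prefix = f"{t}.certificate.channel."
    channels = {k[len(prefix):]: v for k, v in conf.items() if k.startswith(prefix)}
    label = conf.get(f"{t}.certificate")
    if not label and not channels:
        findings.append(f"no {t}.certificate label and no MCA channel mapping")
    if t in ("jks", "jceks"):
        for key in ("keystore_pass", "key_pass"):
            if f"{t}.{key}" not in conf:
                findings.append(f"{t}.{key} is missing")
        if conf.get(f"{t}.encrypted", "no").lower() == "no" and f"{t}.keystore_pass" in conf:
            findings.append(f"passwords are in clear text ({t}.encrypted=no); "
                            "restrict the file to the application user")
    # A CMS keystore takes its password from the .sth stash, so no password keys are expected
    return {"type": t, "keystore": path, "certificate": label,
            "channels": channels, "findings": findings}
```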
• 58. Lessons Learned
  • AMS does not support non-IBM Java
  • To use the MCA interceptor, you must use a version of the MQ Client (pre-7.5) that does not include AMS (or get the 7.5.0.4 fix)
  • For the MCA interceptor, SSL (non-AMS) must be set on the client/server channel to keep messages encrypted until the MCA interceptor takes over
  • Be aware of syntax differences between the keytool and runmqakm commands
  • Consider establishing standards when creating the policies – not all DN parameter options may be acceptable on all platforms (e.g. SP vs ST)
  • Policies and certificates must match exactly (parameter order matters)
  • Issues with conversion of the message data from EBCDIC to ASCII after the MQGET
    – Make sure you use MQGMO_CONVERT in the application
    – Do not rely on the channel's CONVERT(YES)
  • Know where problem/error information is logged
• 59. Lessons Learned
  • Surrogate access is useful for verifying your z/OS certs – submit batch jobs as ZMQ1BRK to browse messages
  • "sudo su -" access is useful for verifying your Linux application certs – sudo su - application-id
  • You can test with your own personal certs using utilities like amqsputc on Linux and batch MQ programs on z/OS (or File Manager for MQ)
  • Write a Java program to test your Java keystores; amqsputc does not work with a .jks keystore
    – Note: the JmsProducer or JmsConsumer samples could also be used.
  • AMS does not stop access to the queue; you still need to secure your queue using object level security
    – When you set your policy on the alias queue, you can still view the QL
  • Turning on encryption will increase the size of your message
    – Each time you add a receiver to your policy, it increases the size of the message
  • AMS requires different skill sets: MQ, RACF, Java certs, distributed platform certs
  • Make friends with your colleagues in other departments!
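The two DN lessons from slide 58 (policies and certificates must match exactly, attribute order included, and SP vs ST are not interchangeable) as a pre-flight check you can run on the DNs in a setmqspl script against the subject DNs of the certificates in the keystore. This is an added example, not part of the presentation; the sample DNs are constructed with placeholder organisation values.

```python
"""Compare the DNs named in a policy (-a / -r) with certificate subject DNs,
following the lesson on slide 58 that they must match exactly, attribute
order included, and that SP and ST are not interchangeable.
Added example, not part of the presentation; sample DNs are constructed."""

# Differently spelled names for the same X.500 attribute. AMS matches the
# text, so a policy using one spelling will not match a certificate using another.
SYNONYMS = {"SP": "ST", "S": "ST", "STATEORPROVINCENAME": "ST"}


def parse_dn(dn):
    """Split 'CN=a,OU=b' into an ordered list of (ATTR, value); a comma
    escaped as '\\,' stays inside the value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def compare_dn(policy_dn, cert_dn):
    """'match' if AMS will treat the two as the same identity, otherwise
    the most likely reason the message would end up on the error queue."""
    if policy_dn == cert_dn:
        return "match"
    p, c = parse_dn(policy_dn), parse_dn(cert_dn)
    if p == c:
        return "differs only in whitespace or attribute case; copy the certificate DN verbatim"
    if sorted(p) == sorted(c):
        return "same attributes in a different order; reorder the policy DN to the certificate's"
    canon = lambda pairs: sorted((SYNONYMS.get(a, a), v) for a, v in pairs)
    if canon(p) == canon(c):
        return "attribute spelled differently (e.g. SP vs ST); use the certificate's spelling"
    return "different attributes or values"


def check_dns(policy_dns, cert_subjects):
    """Map each policy DN to 'match' or to the nearest diagnosis."""
    report = {}
    for dn in policy_dns:
        verdicts = [compare_dn(dn, s) for s in cert_subjects]
        near = [v for v in verdicts if v != "different attributes or values"]
        if "match" in verdicts:
            report[dn] = "match"
        else:
            report[dn] = near[0] if near else "no certificate with this subject"
    return report
```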
• 60. Additional Information
WMQ AMS Info Center: http://pic.dhe.ibm.com/infocenter/mqams/v7r0m1/index.jsp?topic=%2Fcom.ibm.mqese.doc%2FMQESEic_homepage.htm
WMQ AMS Product Page: http://www-03.ibm.com/software/products/en/wmq-ams/
Secure Messaging Scenarios with WebSphere MQ: http://www.redbooks.ibm.com/abstracts/sg248069.html
• 62. Legal Disclaimer
  • © IBM Corporation 2014. All Rights Reserved.
  • The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
  • References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
  • All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
  • IBM, the IBM logo, WebSphere, z/OS, RACF and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both.
  • Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
  • UNIX is a registered trademark of The Open Group in the United States and other countries.
  • Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.