In some scenarios, securing access to a messaging infrastructure is not enough - teams must also secure access to message content. Come to this session to learn how to provide end-to-end message protection where message contents are secure from the point they are sent to the point they are received, including while at rest on queues. This session starts by describing the theory and capabilities of the product. Then CSX provides a real-world customer example in which it presents its experiences and recommendations for securing messages across distributed and z/OS platforms. Topics covered include an overview of message level security, when it is appropriate to deploy this level of protection, how the message protection is applied, how it can be administered, and the new features available in the latest version of IBM WebSphere MQ.
3. © 2014 IBM Corporation
Technical Introduction To
WebSphere MQ
Advanced Message Security (AMS)
Morag Hughson
hughson@uk.ibm.com
4. Why use message-level security?
Base WebSphere MQ networks
• Authentication and authorization are scoped to the connection
• SSL/TLS channels provide additional connection-scoped security
• Channel context setting provides some per-message authorization
  – But based on the unauthenticated MQMD.UserID
WebSphere MQ AMS complements WebSphere MQ's connection-level security
• Provides authentication, authorization and accountability scoped at the message level
Increasing impact of regulatory compliance
• Payment Card Industry Data Security Standard (PCI-DSS)
• Health Insurance Portability & Accountability Act (HIPAA)
• European Union Privacy Directive
• FIPS, Suite-B, FISMA
Provide additional security for Command & Control traffic
Any time many identities are aggregated over a single connection
5. Message Level Protection – Notes
• Advanced Message Security is a feature of WebSphere MQ that provides Application Level Security, also known as Message Level Protection.
• Message Level Protection provides assurance that messages have not been altered in transit. For example, when issuing payment information messages, ensure the payment amount does not change before reaching the receiver.
• Message Level Protection provides assurance that messages originated from the expected source. For example, when processing control messages, validate the sender.
• Message Level Protection provides assurance that messages can only be viewed by the intended recipient(s). For example, when sending confidential information.
6. AMS Key Features
Secures sensitive or high-value WebSphere MQ messages
• Privacy via message content encryption
• It leverages digital certificates (X.509) and Public Key encryption to protect WebSphere MQ messages
Detects and removes rogue or unauthorized messages before they are processed by receiving applications
• Authentication via certificate, above and beyond the operating system
Verifies that messages are not modified between sender and receiver
• Message Integrity via digital signature of message content
Protects messages not only when they flow across the network but when they are at rest in queues
Messages from existing WebSphere MQ applications are transparently secured using "interceptors"
• No application changes are necessary
No pre-requisite products other than WebSphere MQ
Successor to WebSphere MQ Extended Security Edition (ESE)
7. Interceptors – no changes required to existing applications
[Diagram: server/client interceptors. Pre 7.1: a server (bindings) application is intercepted by an API exit on the MQ API (mqm lib); a client application is intercepted by a replacement mqic library (the original MQIC is renamed); a JMS application is intercepted at the JMQI layer. From 7.1, clients use API exits. From 7.5, interception is built in on both client and server.]
8. Interceptors – Environments supported
• MQ AMS functionality is implemented in "interceptors"
  • There are no long running processes or daemons (except on z/OS®)
  • Existing MQ applications do not require changes
• These interceptors have evolved over the last few releases.
• Before MQ V7.1
  • Three interceptors are provided:
    1. MQ Server interceptor for local (bindings mode) MQI API and Java™ applications – implemented as a standard API exit on distributed, and a "private" API exit on z/OS
    2. MQ Client API interceptor for remote (client mode) MQ API applications – implemented as a library replacement
    3. MQ Java client interceptor for remote (client mode) MQ JMS and MQ classes for Java applications (J2EE and J2SE).
  – With WebSphere MQ V7.1 MQI clients gain the ability to use API exits, so the MQ Client API interceptor becomes the same API exit as the MQ Server interceptor.
  – With WebSphere MQ V7.5, AMS is no longer a separate product and becomes a feature of WebSphere MQ, with the interceptor code embedded in the product. No need to configure API exits anymore.
9. Interceptors (z/OS)
Pre-V8.0 (two started tasks)
• Main Task: ssidAMSM
  – Runs API interceptor
  – Enforces policies
• Data Services task: ssidAMSD
  – Performs signature and encryption
  – Calls System SSL PKCS#7 Services (uses SAF keyrings)
WebSphere MQ V8
• Single task: ssidAMSM
• Started/stopped with QMgr
• "Private" API Exit code is now embedded in the product
[Diagram: Application → MQ API → "private" API exit in the QMGR (ssidMSTR) → AMS main (ssidAMSM) → AMS Data Services (ssidAMSD); in 8.0 interception is built in.]
10. Interceptors (z/OS) – Notes
• On z/OS before MQ V8, the MQ Server interceptor for local (bindings mode) is implemented as a "private" API exit.
• In V8, similar to the change made on Distributed in V7.5, AMS is pulled into the base WebSphere MQ product. Its documentation is also pulled into the WebSphere MQ Information Center.
• This provides better integration with the queue manager, including tie-in of the start/stop of the AMS address space with start-up and shut-down of the queue manager. Calling the AMS address space to do the encryption/decryption work is more efficient and, since the vendor API call intercept method (the "private" API exit) is no longer used, it is less likely to conflict with other OEM products.
• The previous two separate AMS address spaces, ssidAMSM (main) and ssidAMSD (data services), are now combined into a single address space, ssidAMSM. Any authorities that were previously required by ssidAMSD are now needed on ssidAMSM instead. ssidAMSM now consumes the encryption CPU. The utility that is used on z/OS to set up policies is renamed from DRQUTIL to CSQ0UTIL.
• There are no changes to the keyring names, and the hardened version of the policies, which are stored as messages on the SYSTEM.PROTECTION.POLICY.QUEUE, have the same shape, so existing policies just work.
• AMS is still priced separately as OTC and has a separately installed FMID which is an enablement module for AMS.
11. Message protection policies
Two types of policies:
• Message Integrity policy
• Message Privacy policy
Created, updated or removed by the command "setmqspl"
• or by the AMS plug-in for WebSphere MQ Explorer (GUI)
• Defining message integrity policies
• Defining message privacy policies
Policies are stored in the queue "SYSTEM.PROTECTION.POLICY.QUEUE"
Display policies with the command "dspmqspl"
• or by the AMS plug-in for WebSphere MQ Explorer (GUI)
Each protected queue can have only one policy
• For distributed queuing, protect the queue locally (source QM) as well as the remote (target QM)
"Compromised messages" go to the queue "SYSTEM.PROTECTION.ERROR.QUEUE"
[Diagram: a queue manager holding the protected queue, the policy queue and the error queue; a protected message consists of Message Properties, a PDMQ Header and a PKCS #7 Envelope containing the Message Data and the Signature.]
12. Advanced Message Security – Notes
• Advanced Message Security (AMS) provides message protection policies to allow message content to be signed and encrypted. The application is unaware of the service, so the application programmer need not code it into the application; before the message is even placed on the queue it can be encrypted, thus ensuring that its contents are never exposed. The message is encrypted while it resides on the queue, while it is transported across the network - the channels are unaware that the content is encrypted since they are content agnostic anyway - and is still encrypted when it is placed on the target queue. At the point where the receiving application gets the message off the queue, the application level security service decrypts the data and presents it to the application.
• Configuration of these policies is done using the setmqspl (set MQ security policy) command, or via the equivalent function in the MQ Explorer GUI. Once defined, these policies are stored in a special queue called SYSTEM.PROTECTION.POLICY.QUEUE. The policies can also be displayed using the dspmqspl command, or again via the MQ Explorer GUI.
13. Message integrity policy definition
Signature algorithms:
• MD5, SHA1, SHA256*, SHA384* or SHA512*
The list of authorized signers is optional
• If no authorized signers are specified then any application can sign messages.
• If authorized signers are specified then only messages signed by these applications can be retrieved.
• Messages from other signers are sent to the error queue
On z/OS, the same setmqspl program and parms are used as SYSIN DD for PGM=DRQUTIL (CSQ0UTIL in V8)
Can also define policies via the MQ Explorer GUI.
Syntax:
  setmqspl
    -m <queue_manager>
    -p <protected_queue_name>
    -s <SHA1 | MD5>
    -a <Authorized signer DN1>
    -a <Authorized signer DN2>
    :
Example:
  setmqspl -m MYQM
    -p MY.Q.INTEGRITY
    -s SHA1
    -e NONE
    -a 'CN=hughson,O=ibm,C=FR'
* Note: SHA-2 algorithms are available in v7.0.1.2 and higher
15. Message privacy policy definition
Encryption algorithms:
• RC2, DES, 3DES, AES128 and AES256
• Encrypted messages are always signed
The list of authorized signers is optional
It is mandatory to specify at least one message recipient
Retrieved messages which do not meet the AMS policy are sent to the SYSTEM.PROTECTION.ERROR.QUEUE
• E.g.: the policy contains an authorized signer list and the sender is not on it
Syntax:
  setmqspl
    -m <queue_manager>
    -p <protected_queue_name>
    -s <SHA1 | MD5>
    -e <encryption algorithm>
    -a <Authorized signer DN1>
    -a <Authorized signer DN2>
    -r <Message recipient DN1>
    -r <Message recipient DN2>
Example:
  setmqspl -m MYQM
    -p MY.Q.PRIVACY
    -s SHA1
    -e AES128
    -a 'CN=hughson,O=ibm,C=GB'
    -r 'CN=ginger,O=ibm,C=JP'
    -r 'CN=saadb,OU=WBI,O=ibm,C=FR'
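The rules on slides 13 and 15 (an integrity policy signs only, a privacy policy encrypts and is always signed, the authorized signer list is optional, at least one recipient is mandatory, and a retrieved message that does not satisfy the policy is diverted to SYSTEM.PROTECTION.ERROR.QUEUE) fit in a small model. The Python below is an added example, not IBM's code: `to_setmqspl` renders the command line in the form the slides show, `validate` applies the slides' constraints, and `on_get` is a simplified, hypothetical model of the decision an interceptor makes at MQGET time. The DNs are the slides' own example values; the exact treatment of algorithm mismatches by the real product is an assumption here.

```python
"""Model of AMS policy semantics (added example; simplified, not IBM code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ERROR_QUEUE = "SYSTEM.PROTECTION.ERROR.QUEUE"
SIGNATURE_ALGS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
ENCRYPTION_ALGS = {"NONE", "RC2", "DES", "3DES", "AES128", "AES256"}


@dataclass
class Policy:
    """One policy per protected queue, as set with setmqspl."""
    qmgr: str                       # -m
    queue: str                      # -p
    signature: str                  # -s
    encryption: str = "NONE"        # -e ; NONE means an integrity-only policy
    signers: List[str] = field(default_factory=list)     # -a (optional)
    recipients: List[str] = field(default_factory=list)  # -r (privacy only)

    def validate(self) -> List[str]:
        """Problems a policy must not have, per the rules on the slides."""
        problems = []
        if self.signature not in SIGNATURE_ALGS:
            problems.append("unknown signature algorithm %s" % self.signature)
        if self.encryption not in ENCRYPTION_ALGS:
            problems.append("unknown encryption algorithm %s" % self.encryption)
        if self.encryption != "NONE" and not self.recipients:
            problems.append("a privacy policy needs at least one -r recipient")
        if self.encryption == "NONE" and self.recipients:
            problems.append("recipients are meaningless without encryption")
        return problems

    def to_setmqspl(self) -> str:
        """Render the command line in the form the slides use."""
        parts = ["setmqspl", "-m", self.qmgr, "-p", self.queue,
                 "-s", self.signature, "-e", self.encryption]
        for dn in self.signers:
            parts += ["-a", "'%s'" % dn]
        for dn in self.recipients:
            parts += ["-r", "'%s'" % dn]
        return " ".join(parts)


@dataclass
class ProtectedMessage:
    """What the interceptor can read from the PDMQ header / PKCS #7 envelope."""
    signer: Optional[str]            # subject DN of the signing cert; None if unsigned
    signature: Optional[str] = None  # algorithm used for the signature
    encryption: str = "NONE"         # algorithm used for the content
    recipients: List[str] = field(default_factory=list)  # DNs the content key was wrapped for


def on_get(policy: Policy, msg: ProtectedMessage, getter_dn: str) -> Tuple[str, str]:
    """Hypothetical MQGET decision: (destination, reason).

    Destination is the protected queue when the message is delivered to the
    application, or the error queue when the message fails the policy.
    """
    if msg.signer is None:
        return ERROR_QUEUE, "unsigned message on a protected queue"
    if msg.signature != policy.signature:
        return ERROR_QUEUE, "signature algorithm %s does not match policy %s" % (
            msg.signature, policy.signature)
    if policy.signers and msg.signer not in policy.signers:
        return ERROR_QUEUE, "signer %s is not in the authorized signer list" % msg.signer
    if msg.encryption != policy.encryption:
        return ERROR_QUEUE, "encryption %s does not match policy %s" % (
            msg.encryption, policy.encryption)
    if policy.encryption != "NONE" and getter_dn not in msg.recipients:
        return ERROR_QUEUE, "%s is not a recipient and cannot decrypt" % getter_dn
    return policy.queue, "delivered"


if __name__ == "__main__":
    privacy = Policy("MYQM", "MY.Q.PRIVACY", "SHA1", "AES128",
                     ["CN=hughson,O=ibm,C=GB"],
                     ["CN=ginger,O=ibm,C=JP", "CN=saadb,OU=WBI,O=ibm,C=FR"])
    print(privacy.to_setmqspl())
    rogue = ProtectedMessage("CN=mallory,O=ibm,C=GB", "SHA1", "AES128", privacy.recipients)
    print(on_get(privacy, rogue, "CN=ginger,O=ibm,C=JP"))
```

Running the module prints the privacy example command from slide 15 and shows a message from a signer outside the `-a` list being diverted to the error queue, which is the case slide 15 calls out.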
16. Integrity message format
[Diagram: an MQ Message (Message Properties + Message Data) becomes an AMS Signed Message: Message Properties, a PDMQ Header and a PKCS #7 Envelope containing the Message Data and the Signature.]
17. Privacy message format
[Diagram: an MQ Message (Message Properties + Message Data) becomes an AMS Signed Message: Message Properties, a PDMQ Header and a PKCS #7 Envelope in which the content key is encrypted with the recipient's certificate, the Message Data is encrypted with that key, and the Signature is carried alongside.]
19. WebSphere MQ AMS configuration file
WebSphere MQ AMS interceptors require a configuration file, e.g. KEYSTORE.CONF, which contains:
• Type of keystore: CMS, JKS, JCEKS
• Location of the keystore.
• Label of the personal certificate.
• Passwords to access the keystore and private keys (or a .sth stash file for CMS format)
Interceptors locate the configuration file using one of the following methods:
• Environment variable MQS_KEYSTORE_CONF=<path to conf file>.
• Checking default locations and file names.
  – Platform dependent. For example on UNIX®: "$HOME/.mqs/keystore.conf"
[Diagram: KEYSTORE.CONF pointing at the Producer keystore location, with Label: MyDN]
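Because the configuration file names the keystore, the certificate label and (for JKS/JCEKS) the passwords, it is worth checking before an interceptor is pointed at it. The following Python is an added example, not IBM code: it parses a keystore.conf, checks that exactly one keystore type is configured with its required keys, that the keystore (and the .sth stash for CMS) exists, and that a file carrying plaintext passwords is not readable by other users. The key names (`cms.keystore`, `cms.certificate`, `jks.keystore`, `jks.certificate`, `jks.encrypted`, `jks.keystore_pass`, `jks.certificate_pass`, `jks.provider`) and the convention that the CMS path omits the `.kdb` extension are my recollection of the AMS documentation and should be treated as assumptions to verify against the Information Center; `demo_findings` builds a constructed sample in a temporary directory.

```python
"""keystore.conf sanity checker (added example, not IBM code)."""
import os
import stat
import tempfile

# Key names as recalled from the AMS 7.x documentation (assumption: verify
# against the Information Center for your release).
REQUIRED_KEYS = {
    "cms": ["cms.keystore", "cms.certificate"],
    "jks": ["jks.keystore", "jks.certificate",
            "jks.keystore_pass", "jks.certificate_pass"],
    "jceks": ["jceks.keystore", "jceks.certificate",
              "jceks.keystore_pass", "jceks.certificate_pass"],
}


def parse_conf(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("not a key = value line: %r" % line)
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_conf(path):
    """Return a list of findings for the keystore.conf at path (empty means OK)."""
    findings = []
    with open(path) as fh:
        conf = parse_conf(fh.read())
    types = sorted({k.split(".", 1)[0] for k in conf} & set(REQUIRED_KEYS))
    if len(types) != 1:
        findings.append("expected exactly one keystore type, found %s" % (types or "none"))
    for t in types:
        for key in REQUIRED_KEYS[t]:
            if key not in conf:
                findings.append("missing required key %s" % key)
    # The interceptor opens the keystore at the configured location.
    if "cms.keystore" in conf:
        base = conf["cms.keystore"]  # assumption: given without the .kdb extension
        if not os.path.isfile(base + ".kdb"):
            findings.append("CMS keystore %s.kdb not found" % base)
        if not os.path.isfile(base + ".sth"):
            findings.append("stash file %s.sth not found" % base)
    for t in ("jks", "jceks"):
        ks = conf.get(t + ".keystore")
        if ks is not None and not os.path.isfile(ks):
            findings.append("%s keystore %s not found" % (t.upper(), ks))
    # With plaintext passwords the conf file itself is the secret to protect.
    has_password = any(k.endswith("_pass") for k in conf)
    encrypted = any(conf.get(t + ".encrypted", "no").lower() == "yes" for t in types)
    if has_password and not encrypted:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append("plaintext passwords in a file with mode %o; "
                            "restrict it to the application user (chmod 600)" % mode)
    return findings


def demo_findings(world_readable):
    """Constructed sample (not a real configuration): a JKS keystore.conf."""
    workdir = tempfile.mkdtemp()
    keystore = os.path.join(workdir, "producer.jks")
    open(keystore, "wb").close()  # empty stand-in for the real keystore file
    conf_path = os.path.join(workdir, "keystore.conf")
    with open(conf_path, "w") as fh:
        fh.write("jks.keystore = %s\n" % keystore)
        fh.write("jks.certificate = MyDN\n")
        fh.write("jks.encrypted = no\n")
        fh.write("jks.keystore_pass = changeit\n")
        fh.write("jks.certificate_pass = changeit\n")
        fh.write("jks.provider = IBMJCE\n")
    os.chmod(conf_path, 0o644 if world_readable else 0o600)
    return check_conf(conf_path)


if __name__ == "__main__":
    for finding in demo_findings(world_readable=True):
        print("FINDING:", finding)
```

Point `check_conf` at the path you would otherwise put in MQS_KEYSTORE_CONF; an empty list means the file is structurally complete and the referenced files exist.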
20. Keystores and X.509 certificates
An application protected by AMS needs:
• On distributed – a keystore
  – Types: CMS, JKS and JCEKS
• On z/OS – a SAF keyring
  – Named "drq.ams.keyring"
The keystore contains
• A personal X.509 certificate and associated private key
• Trusted certificates
  – to validate message signers
  – to obtain the public keys of encrypted message recipients
Create using:
• iKeyman GUI
• Command line – runmqakm
• SAF commands, e.g. RACDCERT in RACF®
• 3rd party key management software
[Diagram: the Producer keystore holds the personal cert MyDN with its private key and the trusted cert YourDN with its public key; Alice's digital certificate carries her public key and the CA signature, with her private key held separately.]
21. Keystores and X.509 certificates – Notes
• Each MQ application producing or consuming protected messages requires access to a keystore that contains a personal X.509 (v2/v3) certificate and the associated private key.
• The keystore and certificate are accessed by the MQ AMS interceptors.
• The keystore must contain trusted certificates to validate message signers or to obtain the public keys of encrypted message recipients
• The keystore can be the same as that used for MQ SSL
• Several types of keystore are supported (Distributed): CMS, JKS and JCEKS.
• On Distributed MQ, IBM Key Management (iKeyman, part of GSKit) is provided to create and do simple management of local keystores
• On z/OS, a standard SAF product (e.g. RACF) is used to create certificates, which are SAF-managed and must be on a keyring named "drq.ams.keyring"
• 3rd party software is available from IBM (or others) to provide more robust, industrialised keystore maintenance. For the IBM Tivoli® Key Lifecycle Manager, see: http://www.ibm.com/software/tivoli/products/key-lifecycle-mgr/
23. Who is CSX?
• East coast railroad headquartered in Jacksonville FL
• Ranked #19 "Best Places to Work", Computer World
• 31,000 employees
• 21,000 route miles in 23 states
• 4,000 locomotives
• 100,000 owned or leased freight cars
• 1,200 trains per day
• 20,000 carloads per day
24. Business Requirement
"The messages passing between our HR and Medical applications must be encrypted."
Why?
• To protect personal information (e.g. SSN, medical information)
What?
• WebSphere MQ Messages
Where?
• PeopleTools Application (Linux®)
• WebSphere MQ QMGR (Linux)
• WebSphere MQ QMGR (z/OS)
• WebSphere Message Broker (Linux)
• WebSphere Application Server (Linux)
** Object names in this presentation do not represent real objects on our system
25. Architecture – Pre AMS
• Linux WebSphere MQ Client v7.1.0.8
  • PeopleTools Application (Non-IBM Java)
  • .bindings (SSL)
  • Java Keystore (.jks)
  • Certificates exchanged between PS and QMGR
• Linux WebSphere MQ HA QMGR v7.5.0.2
  • PSOFT.Q (QR)
  • MEDICAL.Q (QL)
  • QMGR Keystore
  • Certificates exchanged between PS and QMGR
  • Server Connection Channel (SSL)
• z/OS WebSphere MQ QMGR v7.1.0 (w/ RACF)
  • PSOFT.Q (QL)
  • MEDICAL.Q (QR)
• z/OS WebSphere Message Broker v7.0.0
  • Message Flow
• Linux WebSphere Application Server Cluster v7.0.0.29
  • Medical Application
  • JMS WAS definitions (Activation Specs and Queues)
33. Linux PeopleTools App – First Attempt - Did Not Work
This did not work because PeopleTools uses non-IBM Java
• The AMS interceptor does not support non-IBM Java
37. Linux PeopleTools Application / MQClient
Tasks to enable AMS
1. Make sure you have SSL enabled on your SVRCONN Channel
2. Must use a pre-7.5 MQClient (or the 7.5.0.4 fix)
** AMS is not installed on this non-IBM Java Client
The AMS MCA Interceptor on the HA QMGR is acting as a surrogate for the Client application to encrypt the messages
38. Linux PeopleTools Application / MQClient Details
Platform:
• Linux RHEL 6
Software:
• PeopleTools 8.5.3 (non-IBM Java)
• WebSphere MQ Client V7.0.1.8 (** Must be a pre-7.5 Client (or 7.5.0.4) to use the MCA Interceptor)
Notes:
• Because PeopleTools is a non-IBM Java application we could not use AMS on the client
• We opted to use the AMS MCA interceptor option
• If you are using the AMS MCA interceptor option, you must have SSL turned on for the SVRCONN channel.
• In addition, you will need to use a version of the MQ Client that does not come packaged with AMS (or a version where AMS can be turned off):
  • Pre-7.5 MQClient (or)
  • MQClient 7.5.0.4 (with the parameter to set AMS off)
41. Linux HA QMGR
Tasks to enable AMS
1. Install AMS
2. Create the AMS keystore
3. Create the AMS keystore.conf
4. Create / Import / Export Digital Certificates
5. Add MCA interceptor definitions to the keystore.conf
6. Create Policies
42. Linux HA QMGR Details
Platform:
• Linux RHEL 6
Software:
• WebSphere MQ 7.5.0.2
• WebSphere MQ AMS V7.5.0.2
Configuration:
• Channels
  • Sender (XMQ1.TO.ZMQ1)
  • Receiver (ZMQ1.TO.XMQ1)
  • Server Conn (XMQ1.XMQ1.PSOFT.CL) *** SSL must be turned on ***
• Queues
  • PSOFT.Q (QR)
  • MEDICAL.Q (QL)
• Keystore (AMS / XMQ1) *** Not the same keystore that is used for the SVRCONN SSL ***
  • XMQ1AMS personal cert
  • ZMQ1BRK cert (imported from z/OS)
• Policies:
  • PSOFT.Q
  • MEDICAL.Q
44. Linux HA QMGR Details
• Policy Commands
  setmqspl -m XMQ1 -p PSOFT.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENC ALG> -a "CN=XMQ1AMS,OU=XMQ1AMSDEV,O=<COMPANY>,C=<COUNTRY>" -r "CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=<COMPANY>,C=<COUNTRY>"
  setmqspl -m XMQ1 -p MEDICAL.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENC ALG> -a "CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=<COMPANY>,C=<COUNTRY>" -r "CN=MEDICAL,OU=DEV_MEDICAL,O=<COMPANY>,C=<COUNTRY>"
  setmqspl -m XMQ1 -p PSOFT.Q -remove
Note:
• Because the PeopleTools application uses non-IBM Java, we opted to use the MCA interceptor feature of AMS.
• There are 2 separate keystores:
  1. QMGR keystore:
    • Stores the certificates for the QMGR and the PeopleTools Client
    • Provides the SVRCONN channel SSL
  2. The AMS keystore:
    • Stores the certificates for AMS and the Broker
    • Provides the AMS encryption (between XMQ1AMS and ZMQ1BRK (z/OS))
55. Linux WebSphere Application Server Cluster
Tasks to enable AMS
1. Install AMS
2. Create Java Keystore
3. Create Keystore.conf
4. Enable AMS Java Command
5. Update WAS Keystore.conf variable
6. Copy ESE and Security Policy files to WAS
7. Create / Import / Export Digital Certificates
56. Linux WebSphere Application Server Cluster Details
Platform:
• Linux RHEL 6
Software:
• WebSphere Application Server ND V7.0.0.29
• WebSphere MQ AMS V7.0.1.1
Configuration:
• WAS JVM Arguments
  • MQS_KEYSTORE_CONF ** set to the WAS keystore.conf path
• Copy ESE jar files (for pre-7.5 AMS)
  • com.ibm.mq.ese.jar
  • (to) $WASPATH/installedConnectors/wmq.jmsra.rar
• Copy IBM SDK Policy files
  • local_policy.jar
  • US_export_policy.jar
  • (to) $WASPATH/java/jre/lib/security
• Enable AMS Java Command
  • $AMS_PATH/bin/cfgmqs -enable -java
• Java keystore (.jks)
  • MEDICAL personal cert
  • ZMQ1BRK (Broker from z/OS) imported cert
58. Lessons Learned
• AMS does not support non-IBM Java
• To use the MCA interceptor, you must use a version of the MQClient (pre 7.5) that does not include AMS (or get the 7.5.0.4 fix)
• For the MCA interceptor, SSL (non-AMS) must be set on the client / server channel to keep messages encrypted (until the MCA interceptor takes over)
• Be aware of syntax differences between the keytool and runmqakm commands
• Consider establishing standards when creating the Policies – not all DN parameter options may be acceptable on all platforms (e.g. SP vs ST)
• Policies and certificates must match exactly (parameter order matters)
• Issues with conversion of the message data from EBCDIC to ASCII after the "MQGET"
  • Make sure you use MQGMO_CONVERT in the application
  • Do not rely on the channel's CONVERT(YES)
• Know where problem/error information is logged
59. Lessons Learned
• Surrogate access is useful for verifying your z/OS certs – submit batch jobs as ZMQ1BRK to browse messages
• "sudo su -" access is useful for verifying your Linux application certs – sudo su - application-id
• You can test with your own personal certs using utilities like amqsputc on Linux and batch MQ programs on z/OS (or File Manager for MQ)
• Write a Java program to test your Java keystores. amqsputc does not work with a .jks keystore
  • Note: the JmsProducer or JmsConsumer samples could also be used.
• AMS does not stop access to the queue; you still need to secure your queue using object level security
  • When you set your policy on the alias queue, you can still view the QL
• Turning on encryption will increase the size of your message
  • Each time you add a Receiver to your policy, it increases the size of the message
• AMS requires different skill sets: MQ, RACF, Java certs, distributed platform certs
• Make friends with your colleagues in other departments!
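Two of the lessons on slide 58 (policies and certificates must match exactly, with attribute order mattering, and some DN attribute types such as SP versus ST are not accepted everywhere) are easy to check before a policy is deployed. The Python below is an added example, not CSX's or IBM's code: `compare_dn` explains why an exact string comparison of a policy DN against a certificate subject DN would fail, and `lint_policy` runs that over every `-a`/`-r` DN in a policy against the subject DNs available in a keystore. The alias table only covers the SP/ST case the slide mentions; the DNs in the demo are constructed values.

```python
"""DN consistency lint for AMS policies (added example, not CSX's or IBM's code)."""
import re

# Attribute-type spellings that differ between tools/platforms; the slide
# mentions SP vs ST. Extend as you meet more.
TYPE_ALIASES = {"SP": "ST", "S": "ST"}


def parse_dn(dn):
    """Split an RFC 2253-style DN on unescaped commas into (TYPE, value) pairs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("bad RDN %r in %r" % (rdn, dn))
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def canonical(pairs):
    """Map aliased attribute types onto one spelling."""
    return [(TYPE_ALIASES.get(t, t), v) for t, v in pairs]


def compare_dn(policy_dn, cert_dn):
    """Explain why an exact comparison would reject the pair; [] means exact match."""
    if policy_dn == cert_dn:
        return []
    issues = []
    p, c = parse_dn(policy_dn), parse_dn(cert_dn)
    cp, cc = canonical(p), canonical(c)
    alias_used = cp != p or cc != c
    if sorted(cp) == sorted(cc):
        if alias_used:
            issues.append("attribute type spelled differently (e.g. SP vs ST)")
        if cp != cc:
            issues.append("same attributes in a different order")
        if not issues:
            issues.append("only whitespace or attribute-type case differs")
    else:
        missing = ["%s=%s" % pair for pair in cc if pair not in cp]
        extra = ["%s=%s" % pair for pair in cp if pair not in cc]
        if missing:
            issues.append("policy DN lacks %s" % ", ".join(missing))
        if extra:
            issues.append("policy DN has %s not in the certificate" % ", ".join(extra))
    return issues


def lint_policy(policy_dns, cert_subjects):
    """For each -a/-r DN, [] if a certificate subject matches exactly, else an explanation."""
    report = {}
    for dn in policy_dns:
        if dn in cert_subjects:
            report[dn] = []
            continue
        closest = min(cert_subjects, key=lambda subject: len(compare_dn(dn, subject)))
        report[dn] = ["no exact match; closest %r: %s" % (
            closest, "; ".join(compare_dn(dn, closest)))]
    return report


if __name__ == "__main__":
    # Constructed values, not CSX's real objects.
    policy = ["CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=EXAMPLE,C=US",
              "CN=MEDICAL,OU=DEV_MEDICAL,SP=Florida,O=EXAMPLE,C=US"]
    subjects = ["OU=DEV_ZMQ1BRK,CN=ZMQ1BRK,O=EXAMPLE,C=US",
                "CN=MEDICAL,OU=DEV_MEDICAL,ST=Florida,O=EXAMPLE,C=US"]
    for dn, problems in lint_policy(policy, subjects).items():
        print(dn, "->", problems or "OK")
```

Feed `lint_policy` the DN strings you intend to pass to setmqspl and the subject DNs printed by runmqakm or keytool for the certificates in the keystore; anything other than an empty list is a policy that will send messages to the error queue once deployed.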
60. Additional Information
WMQ AMS Info Center:
http://pic.dhe.ibm.com/infocenter/mqams/v7r0m1/index.jsp?topic=%2Fcom.ibm.mqese.doc%2FMQESEic_homepage.htm
WMQ AMS Product Page:
http://www-03.ibm.com/software/products/en/wmq-ams/
Secure Messaging Scenarios with WebSphere MQ:
http://www.redbooks.ibm.com/abstracts/sg248069.html
62. Legal Disclaimer
• © IBM Corporation 2014. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
• All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
• IBM, the IBM logo, WebSphere, z/OS, RACF and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both.
• Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
• UNIX is a registered trademark of The Open Group in the United States and other countries.
• Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.