How to transform your messaging environment to a secure messaging environment.
1. How to transform your messaging environment to a secure messaging environment.
Robert Parker – parrobe@uk.ibm.com
IBM Hursley – UK
2. Introduction
• Aims of this presentation
– Step by step of each security feature in MQ
– Will take an unsecured Queue Manager and secure it
– At the end we will have a secured Queue Manager
• Each security feature section will have:
– What is it and Why do you use it
– Main points of the feature
– How to configure it.
3. Available Security Features
• Connection Authentication
• Authorization
• Channel Authentication
• SSL/TLS
• Security Exits
• AMS
4. Security provided on Client to Queue Manager connections
• Order in which the checks are applied to an incoming client connection:
– Channel Authentication (BLOCKADDR)
– SSL/TLS
– Channel Authentication (ADDR/USER/SSL Map)
– Security Exit
– Connection Authentication
– Channel Authentication (BLOCKUSER)
– Authorization
• Result returned to the application: MQRC_NONE or MQRC_NOT_AUTHORIZED
8. Connection Authentication – What is it?
• Authentication is used to force clients to identify themselves.
• It is usually used in combination with authorization.
• Connection authentication was added as a feature of MQ in version 8.
9. Connection Authentication – Main Points
• MQ allows you to specify levels of security for connections
– Client and local can be set to different levels
– Different client connections can have different levels using Channel Authentication records.
• Also allows two different user repositories to check supplied credentials against:
– Operating system OAM.
– LDAP Server
10. Connection Authentication – How to configure it
• CHCKLOCL and CHCKCLNT values: NONE, OPTIONAL, REQUIRED, REQDADM
DEFINE AUTHINFO(USE.PW) AUTHTYPE(xxxxxx) +
CHCKLOCL(OPTIONAL) CHCKCLNT(REQUIRED) ADOPTCTX(NO)
ALTER QMGR CONNAUTH(USE.PW)
REFRESH SECURITY TYPE(CONNAUTH)
(Diagram: applications connecting to QMGR INTERCONNECT locally over inter-process communications and as clients; the supplied credentials are checked against the user repository and the application receives MQRC_NONE (0) or MQRC_NOT_AUTHORIZED (2035).)
11. Connection Authentication – How to configure it
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS)
DEFINE AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP) +
CONNAME('ldap1(389),ldap2(389)') +
LDAPUSER('CN=QMGR1') LDAPPWD('passw0rd') SECCOMM(YES)
(Diagram: an application connecting with User1 + pwd1 to QMGR INTERCONNECT, which checks the credentials against either the O/S user repository (z/OS and Distributed) or an LDAP server (Distributed only).)
12. Connection Authentication – How to configure it
• CHCKCLNT can also be set on a Channel Authentication rule, giving that set of connections a different level from the Queue Manager wide value: ASQMGR, REQUIRED, REQDADM
DEFINE AUTHINFO(USE.PW) AUTHTYPE(xxxxxx) CHCKCLNT(OPTIONAL) ADOPTCTX(NO)
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') +
USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
SET CHLAUTH('*') TYPE(SSLPEERMAP) SSLPEER('CN=*') +
USERSRC(CHANNEL) CHCKCLNT(ASQMGR)
(Diagram: client applications connecting to the QMgr over the SSL/TLS network, one presenting a CA-signed digital certificate; one connection returns MQRC_NONE (0) and the other MQRC_NOT_AUTHORIZED (2035).)
16. Authorization – What is it?
• Authorization is used to limit what connected applications can do.
• Authority can be given on a per group basis
– Windows allows per user
• Authority to perform an action is given.
– By default a user/group will not have any authority
• Best practice is to only grant minimum required authority
17. Authorization – Main points
• Each object in MQ can have separate authorities for each user/group
– Additionally you can also supply a generic object name
• MQ supplies 5 tools to view and modify authority records
– MQ Explorer
• Display, create and alter authority records for all objects
– runmqsc
• Display, create & Alter Authority records for all objects
– setmqaut
• Create & Alter authority records for requested objects
– dspmqaut
• Displays authority records for requested objects
– dmpmqaut
• Outputs authority records for requested objects; the output can be fed back into a QMGR as input.
• What user/group is used for the authority check depends on what happens before…
18. Authorization – Main points
Method and notes, in increasing order of precedence:
• Client machine user ID flowed to server
– This will be over-ridden by anything else. Rarely do you want to trust an unauthenticated client side user ID.
• MCAUSER set on SVRCONN channel definition
– A handy trick to ensure that the client flowed ID is never used is to define the MCAUSER as ‘rubbish’ and then anything that is not set appropriately by one of the next methods cannot connect.
• MCAUSER set by ADOPTCTX(YES)
– The queue manager wide setting to adopt the password authenticated user ID as the MCAUSER will over-ride either of the above.
• MCAUSER set by CHLAUTH rule
– To allow more granular control of MCAUSER setting, rather than relying on the above queue manager wide setting, you can of course use CHLAUTH rules.
• MCAUSER set by Security Exit
– Although CHLAUTH gets the final say on whether a connection is blocked (security exit not called in that case), the security exit does get called with the MCAUSER CHLAUTH has decided upon, and can change it.
19. Authorization – How to configure it
• Example 1: Granting clients the ability to read from the Queue
– Here we will give the group “readers” authority to connect
– In a command prompt
• Queue Manager to create authority record for
• Object type you are creating authority record for
• Group to give authority to
• Authorities
– + will grant authority
– - will remove authority
setmqaut -m INTERCONNECT -t qmgr -g readers +connect
20. Authorization – How to configure it
• Example 1: Granting clients the ability to read from the Queue
– Here we will give the group “readers” GET and BROWSE authority
– In runmqsc.
• Object to grant authorities for
• Object type
• Group to grant authority
• Authority to add
SET AUTHREC PROFILE(CLIENT.DATA.Q) OBJTYPE(QUEUE) +
GROUP('readers') AUTHADD(GET,BROWSE)
22. Channel Authentication – What is it?
• Allows Granular control over connections
– Can Supply a whitelist or blacklist to block or allow connections
• Can filter on:
– SSL distinguished name (both issuer and subject)
– Client user ID
– Remote Queue Manager name
– IP/Hostname
• Blocking at channel (ADDRESSMAP) or listener (BLOCKADDR) level
• Values used in filters can be specific or generic
23. Channel Authentication – Main Points
• Specific rules have higher precedence than generic rules
– 1) Addressmap blocking ‘*’
2) Addressmap allowing ‘127.0.0.1’
– Any connections from 127.0.0.1 will be allowed by (2).
– Other connections blocked by (1)
• When creating Channel Authentication rule you can set it to use a
different User ID for future Authority checks:
1. NOACCESS – Blocks the connection regardless
2. CHANNEL – Use the User ID specified in Channel MCA
• If this is blank then we use the userid supplied by application
3. MAP – Use the User ID specified in this rule.
24. Channel Authentication – How to configure it.
• Example 1: Blacklisting bad connections
– Aim: Block connections from 129.1.198.X
• In runmqsc:
• Channel name
• Rule type
• Address to match to
• Action
• Warn
SET CHLAUTH('CLIENT.CONNECTIONS') TYPE(ADDRESSMAP) +
ADDRESS('129.1.198.*') USERSRC(NOACCESS) WARN(NO)
25. Channel Authentication – How to configure it.
• Example 2: Whitelisting good connections
– Aim: Block all connections except those from 129.198.1.7
• In runmqsc:
SET CHLAUTH('CLIENT.CONNECTIONS') TYPE(ADDRESSMAP) +
ADDRESS('*') USERSRC(NOACCESS) WARN(NO)
SET CHLAUTH('CLIENT.CONNECTIONS') TYPE(ADDRESSMAP) +
ADDRESS('129.198.1.7') USERSRC(CHANNEL)
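The three sections above (connection authentication, authorization and channel authentication) are the pieces that together turn the deck's unsecured Queue Manager into a secured one. The script below is an added example, not part of the presentation or of IBM's own tooling: it generates the MQSC for all three steps in the order the deck recommends and either prints it (DRY_RUN=1, the default) or pipes it into runmqsc. Names reused from the deck: Queue Manager INTERCONNECT, channel CLIENT.CONNECTIONS, queue CLIENT.DATA.Q and the OS group readers. Constructed for this example: the single allowed client address 129.198.1.7, the placeholder MCAUSER 'nobody', and the choice of ADOPTCTX(YES) so that the password-authenticated user, not the ID the client flowed, is the one the authority checks see.

```shell
#!/bin/sh
# Added example (not from the presentation): generate-then-apply MQSC that
# secures a queue manager's client channel in one pass.
# Deck names: INTERCONNECT, CLIENT.CONNECTIONS, CLIENT.DATA.Q, group readers.
# Constructed here: allowed address 129.198.1.7 and MCAUSER 'nobody'.

QMGR=${QMGR:-INTERCONNECT}
CHANNEL=${CHANNEL:-CLIENT.CONNECTIONS}
QUEUE=${QUEUE:-CLIENT.DATA.Q}
GROUP=${GROUP:-readers}
ALLOWED_ADDR=${ALLOWED_ADDR:-129.198.1.7}

# Step 1: connection authentication against the OS user repository. Client
# connections must present a valid password, local bindings may. ADOPTCTX(YES)
# makes the authenticated ID, not the client-flowed ID, the one that the later
# authority checks use.
mqsc_connauth() {
    cat <<EOF
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) CHCKLOCL(OPTIONAL) CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(USE.OS)
REFRESH SECURITY TYPE(CONNAUTH)
EOF
}

# Step 2: channel authentication. MCAUSER is set to an ID with no authorities
# so a client-flowed ID is never trusted on its own (the 'rubbish' trick from
# slide 18); every address is denied, then only ALLOWED_ADDR is let through,
# with the password check pinned to REQUIRED on this channel whatever the
# queue manager wide CHCKCLNT says.
mqsc_chlauth() {
    cat <<EOF
ALTER QMGR CHLAUTH(ENABLED)
ALTER CHANNEL('$CHANNEL') CHLTYPE(SVRCONN) MCAUSER('nobody')
SET CHLAUTH('$CHANNEL') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) WARN(NO) ACTION(REPLACE)
SET CHLAUTH('$CHANNEL') TYPE(ADDRESSMAP) ADDRESS('$ALLOWED_ADDR') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) ACTION(REPLACE)
EOF
}

# Step 3: authorization with least privilege: connect to the queue manager and
# GET/BROWSE on the one queue, nothing else.
mqsc_authrec() {
    cat <<EOF
SET AUTHREC OBJTYPE(QMGR) GROUP('$GROUP') AUTHADD(CONNECT)
SET AUTHREC PROFILE('$QUEUE') OBJTYPE(QUEUE) GROUP('$GROUP') AUTHADD(GET,BROWSE)
EOF
}

# Step 4: display what was set so the change can be reviewed or audited.
mqsc_verify() {
    cat <<EOF
DISPLAY QMGR CONNAUTH CHLAUTH
DISPLAY AUTHINFO(USE.OS) CHCKCLNT CHCKLOCL ADOPTCTX
DISPLAY CHLAUTH('$CHANNEL') ALL
DISPLAY AUTHREC PROFILE('$QUEUE') OBJTYPE(QUEUE) GROUP('$GROUP')
EOF
}

# All of the MQSC, in the order the deck recommends.
secure_qmgr_mqsc() {
    mqsc_connauth
    mqsc_chlauth
    mqsc_authrec
    mqsc_verify
}

# DRY_RUN=1 (default) prints the MQSC for review; DRY_RUN=0 applies it.
main() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        secure_qmgr_mqsc
    else
        secure_qmgr_mqsc | runmqsc "$QMGR"
    fi
}

main
```

Run it once with the default dry run and read the output before applying with DRY_RUN=0. Because MCAUSER is 'nobody' and the CHLAUTH rule uses USERSRC(CHANNEL), a client that fails the password check gets MQRC_NOT_AUTHORIZED (2035) rather than silently running under its flowed ID; with ADOPTCTX(YES) a client that passes runs under its authenticated OS user, which is the member of readers that the AUTHREC entries grant access to.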
28. SSL/TLS – What is it?
• SSL/TLS is used for two reasons in MQ:
– Authentication with a Queue Manager
– Encrypting and protecting data in transit between a client or Queue Manager
and destination Queue Manager.
• Uses a certificate containing a public-private key pair in order to
establish a secure link.
– Called an SSL Handshake.
• During the SSL Handshake, asymmetric encryption is used.
– Once the handshake is completed symmetric encryption is used to transfer
data.
29. SSL/TLS – Main Points
• Channels are enabled for SSL/TLS by setting a CipherSpec.
– Only one CipherSpec can be used on a channel.
• A server Queue Manager must have a certificate
• A client application (or client Queue Manager) does not require a
certificate.
– But does require a copy of the server Queue Manager’s public certificate.
• As of MQ v8 a channel can use a different certificate than the Queue
Manager it is defined on.
30. SSL/TLS – Main Points
• MQ Supplies 3 tools for your certificate and key repository management
needs:
– strmqikm (or IBM Key Management)
• IBM JRE GUI tool for managing certificates
– runmqckm
• Command line tool to manage certificates – can handle JKS repositories
– runmqakm
• Command line tool to manage certificates – can handle Elliptic Curve certificates
• Default location for Queue Manager Key Repository is
– <MQ Data Root>/qmgrs/<QM Name>/ssl/key.kdb
• Can be changed using Queue Manager SSLKEYR attribute
• Default certificate used by the Queue Manager is
– Ibmwebspheremq<qmname>
• Can be changed in MQ v8+ using Queue Manager CERTLABL attribute
31. SSL/TLS – How to configure it
• Example 1: Setting up a Queue Manager to use SSL/TLS
• First create the Key Repository the Queue Manager will use:
– In a command prompt:
• What we are altering
• Action to perform
• Name and location of key repository to create
• Password to access the key repository
• Tells runmqakm to stash the password which is used by MQ.
runmqakm -keydb -create -db /var/mqm/qmgrs/INTERCONNECT/ssl/key.kdb -pw passw0rd -stash
32. SSL/TLS – How to configure it
• Example 1: Setting up a Queue Manager to use SSL/TLS
• Next create the Queue Manager’s certificate
– In a command prompt
• What we are altering
• The action to perform
• Where to store the certificate
• Tells runmqakm to use the stash file to access the key repository
• The distinguished name to give the certificate
• The label to refer to the certificate
runmqakm -cert -create -db /var/mqm/qmgrs/INTERCONNECT/ssl/key.kdb -stashed -dn "CN=INTERCONNECT,OU=MQ,O=IBM,C=UK" -label ibmwebspheremqinterconnect
33. SSL/TLS – How to configure it
• Example 1: Setting up a Queue Manager to use SSL/TLS
• Next set the Queue Manager to use Key Repository
– Unless you are using defaults
– In runmqsc
• Location of the key repository to use
– No file extension!
• Label of certificate to use
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/INTERCONNECT/ssl/key') +
CERTLABL('ibmwebspheremqinterconnect')
34. SSL/TLS – How to configure it
• Example 1: Setting up a Queue Manager to use SSL/TLS
• Finally set a channel to use SSL
– In runmqsc
• Channel name
• Whether to use mutual authentication
• The CipherSpec to use on this channel
ALTER CHANNEL('CLIENT.CONNECTIONS') SSLCAUTH(REQUIRED) +
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
35. SSL/TLS – How to configure it
• Example 1: Client application changes
• MQSCO structure
– SSL Security Parameters
– Location of Key Repository
– Certificate label to use (MQ v8 Only)
• MQCNO structure
– Connection Options
#include <string.h>
#include <cmqc.h>   /* MQI: MQCNO, MQSCO, MQCONNX */

int main(void)
{
  MQCHAR48 QMName = "INTERCONNECT";
  MQHCONN  hConn;
  MQLONG   CompCode, Reason;
  /* SSL parameters: the client's key repository and the certificate to use */
  MQSCO sco = {MQSCO_DEFAULT};
  sco.Version = MQSCO_VERSION_5;   /* version 5 adds CertificateLabel (MQ v8) */
  strncpy(sco.KeyRepository, "/var/client/clientkeyr", MQ_SSL_KEY_REPOSITORY_LENGTH);
  strncpy(sco.CertificateLabel, "clientcertificate", MQ_CERT_LABEL_LENGTH);
  /* Connection options: hand the MQSCO to MQCONNX */
  MQCNO cno = {MQCNO_DEFAULT};
  cno.Version = MQCNO_VERSION_4;   /* version 4 adds SSLConfigPtr */
  cno.SSLConfigPtr = &sco;
  MQCONNX(QMName, &cno, &hConn, &CompCode, &Reason);
  return (CompCode == MQCC_OK) ? 0 : 1;
}
36. SSL/TLS – How to configure it
• Example 1: Client application
• Alternatively if you cannot adjust your application
– In command prompt
export MQSSLKEYR=/var/client/clientkeyr
export MQCERTLABL=clientcertificate
37. SSL/TLS – How to configure it
• Example 1: Client application
– Ensure the certificate trust chain is complete on each side
– Extract the Queue Manager's certificate (label ibmwebspheremqinterconnect) from the Queue Manager keystore into the file qmgr.cer:
runmqakm -cert -extract -db /var/mqm/qmgrs/INTERCONNECT/ssl/key.kdb -stashed -label ibmwebspheremqinterconnect -file /var/certs/qmgr.cer
38. SSL/TLS – How to configure it
• Example 1: Client application
– Ensure the certificate trust chain is complete on each side
– Add qmgr.cer to the client keystore under the label qmgrsignercert, so the client trusts the Queue Manager's certificate:
runmqakm -cert -add -db /var/client/clientkeyr.kdb -stashed -label qmgrsignercert -file /var/certs/qmgr.cer
39. SSL/TLS – How to configure it
• Example 1: Client application (Mutual Authentication)
– Ensure the certificate trust chain is complete on each side
– Extract the client's certificate (label clientcertificate) from the client keystore into client.cer, then add it to the Queue Manager keystore under the label clientsignercert. The Queue Manager keystore then holds ibmwebspheremqinterconnect and clientsignercert; the client keystore holds clientcertificate and qmgrsignercert.
runmqakm -cert -extract -db /var/client/clientkeyr.kdb -stashed -label clientcertificate -file /var/certs/client.cer
runmqakm -cert -add -db /var/mqm/qmgrs/INTERCONNECT/ssl/key.kdb -stashed -label clientsignercert -file /var/certs/client.cer
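Slides 31 to 39 are one procedure: create the key repositories, create the certificates, exchange the public certificates in both directions, then point the Queue Manager, the channel and the client at the right repository and label. The script below is an added example, not from the presentation or from IBM, that carries that whole procedure through with runmqakm and MQSC. Paths, labels, the Queue Manager DN and the CipherSpec are the ones used in the deck; the client DN CN=CLIENT1,O=CLIENTORG,C=UK is borrowed from the AMS slide, and the key database passwords are read from the environment (QM_KDB_PW, CLIENT_KDB_PW), with obvious placeholders substituted during a dry run. Every external command goes through run(), so with DRY_RUN=1 (the default) the script only prints what it would execute.

```shell
#!/bin/sh
# Added example (not from the presentation): build both key repositories,
# complete the trust chain in both directions (mutual authentication) and
# generate the MQSC that switches the channel to TLS.
# Paths, labels, DN and CipherSpec from the deck; client DN and the
# passwords (QM_KDB_PW, CLIENT_KDB_PW) are constructed/assumed.

QMGR=${QMGR:-INTERCONNECT}
CHANNEL=${CHANNEL:-CLIENT.CONNECTIONS}
QM_KDB=${QM_KDB:-/var/mqm/qmgrs/$QMGR/ssl/key.kdb}
CLIENT_KDB=${CLIENT_KDB:-/var/client/clientkeyr.kdb}
CERT_DIR=${CERT_DIR:-/var/certs}
QM_LABEL=ibmwebspheremqinterconnect
CLIENT_LABEL=clientcertificate
QM_DN="CN=INTERCONNECT,OU=MQ,O=IBM,C=UK"
CLIENT_DN="CN=CLIENT1,O=CLIENTORG,C=UK"   # assumed client identity
CIPHER=${CIPHER:-TLS_RSA_WITH_AES_128_CBC_SHA256}

# DRY_RUN=1 (default): print the command instead of executing it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Accept only CipherSpecs from the TLS family; MQ also still knows the older
# SSL 3.0 CipherSpecs, which should not be configured on a new channel.
check_cipherspec() {
    case "$1" in
        TLS_*) return 0 ;;
        *) echo "refusing non-TLS CipherSpec: $1" >&2; return 1 ;;
    esac
}

# Key database plus stash file; the stash lets MQ open the repository without
# prompting for the password.
create_keydb()      { run runmqakm -keydb -create -db "$1" -pw "$2" -stash; }
create_selfsigned() { run runmqakm -cert -create -db "$1" -stashed -dn "$2" -label "$3"; }
extract_cert()      { run runmqakm -cert -extract -db "$1" -stashed -label "$2" -file "$3"; }
add_trusted()       { run runmqakm -cert -add -db "$1" -stashed -label "$2" -file "$3"; }

# SSLKEYR takes the repository path without the .kdb suffix (slide 33).
mqsc_tls() {
    cat <<EOF
ALTER QMGR SSLKEYR('${QM_KDB%.kdb}') CERTLABL('$QM_LABEL')
ALTER CHANNEL('$CHANNEL') CHLTYPE(SVRCONN) SSLCIPH($CIPHER) SSLCAUTH(REQUIRED)
REFRESH SECURITY TYPE(SSL)
EOF
}

# Client side without code changes (slide 36): environment variables.
client_env() {
    printf 'export MQSSLKEYR=%s\nexport MQCERTLABL=%s\n' "${CLIENT_KDB%.kdb}" "$CLIENT_LABEL"
}

main() {
    check_cipherspec "$CIPHER" || return 1
    if [ "${DRY_RUN:-1}" != 1 ]; then
        : "${QM_KDB_PW:?set QM_KDB_PW}" "${CLIENT_KDB_PW:?set CLIENT_KDB_PW}"
    fi
    create_keydb "$QM_KDB" "${QM_KDB_PW:-QM_KDB_PASSWORD_PLACEHOLDER}"
    create_keydb "$CLIENT_KDB" "${CLIENT_KDB_PW:-CLIENT_KDB_PASSWORD_PLACEHOLDER}"
    create_selfsigned "$QM_KDB" "$QM_DN" "$QM_LABEL"
    create_selfsigned "$CLIENT_KDB" "$CLIENT_DN" "$CLIENT_LABEL"
    # Trust chain in both directions (slides 37 to 39).
    extract_cert "$QM_KDB" "$QM_LABEL" "$CERT_DIR/qmgr.cer"
    add_trusted "$CLIENT_KDB" qmgrsignercert "$CERT_DIR/qmgr.cer"
    extract_cert "$CLIENT_KDB" "$CLIENT_LABEL" "$CERT_DIR/client.cer"
    add_trusted "$QM_KDB" clientsignercert "$CERT_DIR/client.cer"
    # The stash files hold the repository passwords: owner-only access.
    run chmod 600 "${QM_KDB%.kdb}.sth" "${CLIENT_KDB%.kdb}.sth"
    if [ "${DRY_RUN:-1}" = 1 ]; then mqsc_tls; else mqsc_tls | runmqsc "$QMGR"; fi
    client_env
}

main
```

The dry run lists every runmqakm call and the MQSC in order, which is a convenient artefact to review before touching a production key repository. Self-signed certificates are used here, exactly as in the deck's example; with CA-issued certificates the add_trusted calls would import the CA's certificate on each side instead of the peer's own certificate.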
41. Security Exits – What is it?
• Security exits are bespoke, customer-created exits that are run during the security checks.
• MQ contains an API used in the security exits to extract information
about an incoming connection.
– This information can then be used in the security exit to determine whether
to allow or disallow a connection.
• Prior to MQ v8 a security exit was used in MVS to supply connection
authentication capabilities
– CSQ4BCX3
42. Security Exits – Main Points
• Security exits are stored in <MQ Data Root>/exits/<Installation name>
– MQ will look in this folder when an exit is attached to a channel
• Exits are referenced in SCYEXIT channel attribute
– Without the file suffix or location
• As well as security exits there are also:
– Receive exits – RCVEXIT
– Send exits – SENDEXIT
• For each exit you can also supply custom data to pass to the exit using
the channel’s ***DATA attribute
– For example Security exit data using SCYDATA
43. Security Exits – How to Configure it
• First write a C Application with the following skeleton code:
#include <cmqc.h>    /* MQI definitions */
#include <cmqxc.h>   /* channel exit definitions: MQCXP, MQCD, MQXCC_* */

/* Dummy entry point so the library can be loaded by MQ */
void MQENTRY MQStart(void) {;}

/* Exit entry point; its name is what goes in the channel's SCYEXIT attribute */
void MQENTRY EntryPoint(PMQVOID pChannelExitParms,
                        PMQVOID pChannelDefinition,
                        PMQLONG pDataLength,
                        PMQLONG pAgentBufferLength,
                        PMQVOID pAgentBuffer,
                        PMQLONG pExitBufferLength,
                        PMQPTR  pExitBufferAddr)
{
  PMQCXP pParms = (PMQCXP)pChannelExitParms;   /* ExitReason, ExitResponse, ExitData (the SCYDATA) */
  PMQCD  pChDef = (PMQCD)pChannelDefinition;   /* channel definition, including MCAUserIdentifier */
  /* TODO: Add Security Exit Code Here */
  /* Leave MQXCC_OK to let the connection continue, or set
     MQXCC_SUPPRESS_FUNCTION to close the channel */
  pParms->ExitResponse = MQXCC_OK;
}
44. Security Exits – How to Configure it
• Next compile and link the exit as a Dynamic library and place in:
– <MQ Data Root>/exits/<Installation name>
45. Security Exits – How to Configure it
• Next specify the exit on the channel:
– In runmqsc
• Channel name
• Name of security exit to run
– Without location or file extension
• Custom data to pass to the security exit
ALTER CHANNEL(‘CLIENT.CONNECTIONS’) SCYEXIT(‘mqccred’) +
SCYDATA(‘sec exit data’)
47. AMS – What is it?
• AMS provides a higher level of protection to messages
• Has two levels of protection - policies
– Integrity protection
• Prevents messages from being tampered with.
• Guarantees message has been received from known source
– Integrity and privacy protection
• Same benefits as Integrity protection
• Also provides encryption to prevent unauthorised recipients seeing message
• AMS does not perform access control but simply provides privacy and
integrity to messages.
• Messages are protected using certificates that each signer and recipient will
need.
– Depending on level of protection
48. AMS – Main points
• It is an end-to-end security model
– Messages are protected from creation until destruction
• Messages can be protected so that only authorised users can see message data
– This means even MQ Administrators cannot view a message.
• Messages are protected both in transit and at rest
– Satisfies the standards compliance for certain data types (HIPAA, PCI, etc)
• AMS is incorporated into MQ Client applications without the need for re-building
applications
– No code changes are necessary!
• Message size will increase in order to incorporate AMS format
– New message size = 1280 + [Old Message Length] + (200 x [# of recipients])
49. AMS – Main points
• Unlike SSL, it requires the FULL trust chain
– Subject certificate, signer certificate, signer’s signer certificate, etc
• MQ has three tools for defining and managing policies
– MQ Explorer
• Define, display, delete policies
– setmqspl
• define, delete policies
– dspmqspl
• Display policies
50. AMS – How to configure it
• Example 1: Configuring MQ to protect messages
– In a command prompt:
• Queue Manager
• Queue to protect
• Signing algorithm
• Authorised signer(s)
• Encryption algorithm
• Authorised recipient(s)
setmqspl -m INTERCONNECT -p CLIENT.DATA.Q -s SHA512 -a
"CN=CLIENT1,O=CLIENTORG,C=UK" -e AES256 -r
"CN=CLIENT2,O=CLIENTORG,C=UK"
51. AMS – How to configure it
• Example 1: Application changes
– No changes necessary to Alice's sending/receiving application!
– Point the application at a keystore configuration file:
MQS_KEYSTORE_CONF=/…/Keystore.conf
(Or create Keystore.conf in the home directory)
– Keystore.conf names the keystore and the certificate (AliceCertificate) the application uses:
cms.keystore=/…/Keystore
cms.certificate=AliceCertificate
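Slides 50 and 51 together describe the AMS set-up: a policy on the queue manager and a keystore.conf on each application. The script below is an added example, not from the presentation or from IBM: it builds the setmqspl command for the deck's queue (accepting several signers or recipients, since a policy normally lists more than one), verifies it with dspmqspl, writes a keystore.conf with private permissions, and uses the size formula from slide 48 to check that protected messages will still fit a queue's MAXMSGL. The Queue Manager, queue, algorithms and the two DNs are the deck's; the keystore path /var/client/amskeys, the label AliceCertificate and the MAXMSGL value used in the check are constructed. Commands go through run(), so DRY_RUN=1 (the default) only prints them.

```shell
#!/bin/sh
# Added example (not from the presentation): AMS policy, keystore.conf and a
# message-size check. Deck values: INTERCONNECT, CLIENT.DATA.Q, SHA512,
# AES256, the CLIENT1/CLIENT2 DNs. Constructed: keystore path and label.

QMGR=${QMGR:-INTERCONNECT}
QUEUE=${QUEUE:-CLIENT.DATA.Q}

# DRY_RUN=1 (default): print the command instead of executing it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Integrity-and-privacy policy: one -a per authorised signer, one -r per
# authorised recipient. Lists are ';' separated because DNs contain commas.
# Runs in a subshell so the IFS change does not leak.
ams_policy() (   # $1 = signing alg, $2 = encryption alg, $3 = signers, $4 = recipients
    signers=$3 recipients=$4
    set -- setmqspl -m "$QMGR" -p "$QUEUE" -s "$1" -e "$2"
    saved=$IFS; IFS=';'
    for dn in $signers;    do set -- "$@" -a "$dn"; done
    for dn in $recipients; do set -- "$@" -r "$dn"; done
    IFS=$saved
    run "$@"
)

# keystore.conf tells the AMS interceptor which CMS keystore and which
# certificate the application uses; cms.keystore has no .kdb suffix.
keystore_conf_text() { printf 'cms.keystore=%s\ncms.certificate=%s\n' "$1" "$2"; }

# Written with owner-only permissions: the file may also carry the keystore
# password or stash reference, so it must not be world-readable.
write_keystore_conf() {   # $1 = conf path, $2 = keystore path (no suffix), $3 = label
    mkdir -p "$(dirname "$1")"
    ( umask 077; keystore_conf_text "$2" "$3" > "$1" )
}

# Slide 48: protected size = 1280 + original length + 200 per recipient.
ams_protected_size() { echo $(( 1280 + $1 + 200 * $2 )); }

# True when a message of $1 bytes with $2 recipients fits a MAXMSGL of $3.
check_fits_maxmsgl() { [ "$(ams_protected_size "$1" "$2")" -le "$3" ]; }

main() {
    ams_policy SHA512 AES256 "CN=CLIENT1,O=CLIENTORG,C=UK" "CN=CLIENT2,O=CLIENTORG,C=UK"
    run dspmqspl -m "$QMGR" -p "$QUEUE"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        keystore_conf_text /var/client/amskeys AliceCertificate
    else
        # $HOME/.mqs/keystore.conf is the default AMS location
        write_keystore_conf "${MQS_KEYSTORE_CONF:-$HOME/.mqs/keystore.conf}" /var/client/amskeys AliceCertificate
    fi
    # Constructed check: a 4 MB payload to one recipient against a 4 MB MAXMSGL
    if ! check_fits_maxmsgl 4194304 1 4194304; then
        echo "warning: protected message would exceed MAXMSGL; raise MAXMSGL on the queue" >&2
    fi
}

main
```

The keystore named in cms.keystore must hold the full trust chain for every signer and recipient (slide 49), which is the usual cause of AMS rejecting a message that the same certificates would happily use for TLS.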
53. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly
available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business
Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,
OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®,
PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-
Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other
product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
54. Where can I get more information?
IBM Messaging developerWorks
developer.ibm.com/messaging
IBM Messaging Youtube
https://www.youtube.com/IBMmessagingMedia
LinkedIn
Ibm.biz/ibmmessaging
Twitter
@IBMMessaging
IBM MQ Facebook
Facebook.com/IBM-MQ-8304628654/