This document summarizes an IBM Cloud Technical University session on transforming a messaging environment to be secure. The session covered various security features in IBM MQ including connection authentication, authorization, channel authentication using address maps and SSL peer maps, transport layer security (TLS), and security exits. It provided examples of how to configure each feature step-by-step, such as defining authentication information, setting channel authentication rules to blacklist addresses, and setting up a queue manager and channel to use TLS with certificates. The goal was to take an unsecured queue manager and secure it using these IBM MQ security features.
IBM Cloud Technical University 2016 - How to Transform Your Messaging Environment to a Secure Messaging Environment
1. IBM Cloud Technical University 2016
25-28 October 2016 | Madrid, Spain
I173
How to Transform Your Messaging Environment to a Secure Messaging Environment
Rob Parker, MQ Ecosystem
3. © 2016 IBM Corporation
Agenda
• Aims of this presentation
  ▪ Step by step through each security feature in MQ
  ▪ Will take an unsecured Queue Manager and secure it
  ▪ At the end we will have a secured Queue Manager
• Each security feature section will have:
  ▪ What it is and why you use it
  ▪ Main points of the feature
  ▪ How to configure it
4. Available Security Features
• Connection Authentication
• Authorisation
• Channel Authentication
• Transport Layer Security (TLS)
• Security Exits
• AMS
8. Working example
• Queue Manager: CTU
• Channel Type (SVRCONN): Client.Connections
• Local Queue: Client.Data.Q
• Channel Authentication - Disabled
• Connection Authentication - Disabled
• MQ Administrator set on Channel MCA
• No Security Exit
• TLS not configured
• AMS not configured
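Added example (not from the original slides): a shell check that flags the unsecured starting state listed above in runmqsc DISPLAY output. The two dumps are constructed samples; `attr`, `audit_mq` and the finding codes are hypothetical names, and treating `mqm` as the administrative user is an assumption.

```shell
#!/bin/sh
# Added example: flag the unsecured baseline settings in runmqsc DISPLAY output.
# Both dumps are constructed samples. On a live system the text would come from
#   echo "DISPLAY QMGR CHLAUTH CONNAUTH" | runmqsc CTU
#   echo "DISPLAY CHANNEL('CLIENT.CONNECTIONS') MCAUSER SSLCIPH" | runmqsc CTU
INSECURE_DUMP="   QMNAME(CTU)                     CHLAUTH(DISABLED)
   CONNAUTH( )
   CHANNEL(CLIENT.CONNECTIONS)     CHLTYPE(SVRCONN)
   MCAUSER(mqm)                    SSLCIPH( )"

SECURED_DUMP="   QMNAME(CTU)                     CHLAUTH(ENABLED)
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
   CHANNEL(CLIENT.CONNECTIONS)     CHLTYPE(SVRCONN)
   MCAUSER(rubbish)                SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)"

# Assumption: 'mqm' is the administrative user, as on a default Linux install.
ADMIN_USER="mqm"

# attr NAME: read DISPLAY output on stdin and print the value of NAME(...),
# with blanks removed. A blank attribute such as CONNAUTH( ) prints nothing.
attr() {
    sed -n "s/.*[[:space:]]$1(\([^)]*\)).*/\1/p" | head -n 1 | tr -d ' '
}

# audit_mq DUMP: print space-separated finding codes (empty output = clean).
audit_mq() {
    findings=""
    chlauth=$(printf '%s\n' "$1" | attr CHLAUTH)
    connauth=$(printf '%s\n' "$1" | attr CONNAUTH)
    mcauser=$(printf '%s\n' "$1" | attr MCAUSER)
    sslciph=$(printf '%s\n' "$1" | attr SSLCIPH)

    [ "$chlauth" = "ENABLED" ]      || findings="$findings CHLAUTH_DISABLED"
    [ -n "$connauth" ]              || findings="$findings NO_CONNAUTH"
    # A blank MCAUSER leaves the client-flowed user ID in play unless
    # something else (ADOPTCTX, CHLAUTH, an exit) overrides it.
    [ -n "$mcauser" ]               || findings="$findings MCAUSER_BLANK"
    [ "$mcauser" != "$ADMIN_USER" ] || findings="$findings MCAUSER_ADMIN"
    [ -n "$sslciph" ]               || findings="$findings NO_TLS"
    printf '%s\n' "${findings# }"
}

echo "baseline: $(audit_mq "$INSECURE_DUMP")"
echo "secured:  $(audit_mq "$SECURED_DUMP")"
```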
9. Connection Authentication
10. Introduction
• Authentication is used to force clients to identify themselves.
• It is usually used in combination with authorisation.
• Connection authentication was added as a feature of MQ in version 8.
11. Main features
• MQ allows you to specify levels of security for connections
  ▪ Client and local can be set to different levels
  ▪ Different client connections can have different levels using Channel Authentication records.
• Also allows two different user repositories to check supplied credentials against
  ▪ Operating system OAM.
  ▪ LDAP Server
16. Configuration
• Object Oriented MQ classes changes
// MQ classes for Java: set the credentials before creating the queue manager object
MQEnvironment.properties = new Hashtable();
MQEnvironment.userID = "parrobe";
MQEnvironment.password = "passw0rd";
System.out.println("Connecting to queue manager");
MQQueueManager qMgr = new MQQueueManager(QMName);
• JMS/XMS classes changes
// JMS: pass the user ID and password when creating the connection
cf = getCF();
System.out.println("Creating the Connection with UID and Password");
Connection conn = cf.createConnection("parrobe", "passw0rd");
17. Authorisation
18. Introduction
• Authorisation is used to limit what connected applications can do.
• Authority can be given on a per group basis
  ▪ Windows allows per user by default
  ▪ Linux can do per user with configuration
• Authority to perform an action is given.
  ▪ By default a user/group will not have any authority
• Best practice is to only grant minimum required authority
19. Features
• Each object in MQ can have separate authorities for each user/group
  ▪ Additionally you can also supply a generic object name
• MQ supplies 5 tools to view and modify authority records
  ▪ MQ Explorer
    ➢ Display, create and alter authority records for all objects
20. Tools (continued)
  ▪ runmqsc
    ➢ Display, create and alter authority records for all objects
  ▪ setmqaut
    ➢ Create and alter authority records for requested objects
  ▪ dspmqaut
    ➢ Displays authority records for requested objects
  ▪ dmpmqaut
    ➢ Outputs authority records for requested objects; the output can be fed back into a queue manager.
Which user is used for authorization?
Method Notes
Client machine user ID flowed to
server
This will be over-ridden by anything else. Rarely do you
want to trust an unauthenticated client side user ID.
MCAUSER set on SVRCONN
channel definition
A handy trick to ensure that the client flowed ID is never
used is to define the MCAUSER as ârubbishâ and then
anything that is not set appropriately by one of the next
methods cannot connect.
MCAUSER set by
ADOPTCTX(YES)
The queue manager wide setting to adopt the password
authenticated user ID as the MCAUSER will over-ride
either of the above.
MCAUSER set by CHLAUTH rule To allow more granular control of MCAUSER setting,
rather than relying on the above queue manager wide
setting, you can of course use CHLAUTH rules
MCAUSER set by Security Exit Although CHLAUTH gets the final say on whether a
connection is blocked (security exit not called in that
case), the security exit does get called with the
MCAUSER CHLAUTH has decided upon, and can change
it.
22. Configuration
• Example 1: Granting clients the ability to read from the queue
  ▪ Here we will give the group 'readers' authority to connect
  ▪ In a command prompt:
setmqaut -m CTU -t qmgr -g readers +connect
• -m CTU: Queue Manager to create authority record for
• -t qmgr: Object type you are creating authority record for
• -g readers: Group to give authority to
• +connect: Authorities
23. Configuration
• Example 1: Granting clients the ability to read from the queue
  ▪ Here we will give the group 'readers' GET and BROWSE authority
  ▪ In runmqsc:
SET AUTHREC PROFILE(CLIENT.DATA.Q) OBJTYPE(QUEUE) +
GROUP('readers') AUTHADD(GET,BROWSE)
• PROFILE: Object to grant authorities for
• OBJTYPE: Object type
• GROUP: Group to grant authority
• AUTHADD: Authority to add
24. Channel Authentication Records
25. Introduction
• Allows granular control over connections
  ▪ Can supply a whitelist or blacklist to block or allow connections
• Can filter on:
  ▪ SSL distinguished name (both issuer and subject)
  ▪ Client user ID (application or final adopted)
  ▪ Remote Queue Manager name
  ▪ IP/Hostname
  ▪ Blocking at channel (ADDRESSMAP) or listener (BLOCKADDR) level
26. Features
• Values used in filters can be specific or generic
• Specific rules have higher precedence than generic rules
  1. Addressmap blocking '*'
  2. Addressmap allowing '127.0.0.1'
  ▪ Any connections from 127.0.0.1 will be allowed by (2).
  ▪ Other connections blocked by (1)
27. Features
• When creating a Channel Authentication rule you can set it to use a different User ID for future authority checks:
  ▪ NOACCESS - Blocks the connection regardless
  ▪ CHANNEL - Use the User ID specified in Channel MCA
    ➢ If this is blank then we use the user ID supplied by the application
  ▪ MAP - Use the User ID specified in this rule.
Configuration
⢠Example 1: Blacklisting bad connections
ď§ Aim: Block connections from 129.1.198.X
⢠In Rumqsc:
⢠Channel name
⢠Rule type
⢠Address to match to
⢠Action
⢠Warn
SET CHLAUTH(âCLIENT.CONNECTIONSâ) TYPE(ADDRESSMAP) +
ADDRESS(â129.1.198.*â) USERSRC(NOACCESS) WARN(NO)
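Added example (not from the original slides): a dry run of the ADDRESSMAP rules from the last three slides, showing which rule wins for a given client address. It is a simplified model that handles only the '*' wildcard and scores specificity by literal character count; the function names are hypothetical and the scoring is an assumption, not MQ's own matching code.

```shell
#!/bin/sh
# Added example: dry-run ADDRESSMAP rules before loading them into a queue manager.
# The MQSC below is constructed from the rules on these slides, one statement per line.
MQSC="SET CHLAUTH('CLIENT.CONNECTIONS') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH('CLIENT.CONNECTIONS') TYPE(ADDRESSMAP) ADDRESS('127.0.0.1') USERSRC(CHANNEL)
SET CHLAUTH('CLIENT.CONNECTIONS') TYPE(ADDRESSMAP) ADDRESS('129.1.198.*') USERSRC(NOACCESS) WARN(NO)"

# rules_for CHANNEL: print "ADDRESS USERSRC" for every ADDRESSMAP rule on CHANNEL.
rules_for() {
    printf '%s\n' "$MQSC" | grep -F "CHLAUTH('$1')" | grep -F 'TYPE(ADDRESSMAP)' |
        sed -n "s/.*ADDRESS('\([^']*\)').*USERSRC(\([A-Z]*\)).*/\1 \2/p"
}

# specificity PATTERN: count of non-wildcard characters. This score is an
# assumption of the model (more literal text = more specific), not MQ's own code.
specificity() {
    literal=$(printf '%s' "$1" | tr -d '*')
    printf '%s\n' "${#literal}"
}

# winning_rule CHANNEL ADDRESS: print "ADDRESS USERSRC" of the most specific
# matching rule, or an empty line when no rule matches.
winning_rule() {
    best=""; best_score=-1
    while read -r pattern usersrc; do
        [ -n "$pattern" ] || continue
        # $pattern is left unquoted on purpose so that '*' acts as a wildcard.
        case "$2" in
            $pattern)
                score=$(specificity "$pattern")
                if [ "$score" -gt "$best_score" ]; then
                    best="$pattern $usersrc"; best_score=$score
                fi ;;
        esac
    done <<EOF
$(rules_for "$1")
EOF
    printf '%s\n' "$best"
}

# verdict CHANNEL ADDRESS: BLOCK for NOACCESS, ALLOW for CHANNEL or MAP,
# NOMATCH when no ADDRESSMAP rule applies to the channel and address.
verdict() {
    rule=$(winning_rule "$1" "$2")
    case "$rule" in
        "")            echo NOMATCH ;;
        *" NOACCESS")  echo BLOCK ;;
        *)             echo ALLOW ;;
    esac
}

for ip in 127.0.0.1 129.1.198.77 10.0.0.5; do
    printf '%-14s %-6s %s\n' "$ip" "$(verdict CLIENT.CONNECTIONS "$ip")" \
        "$(winning_rule CLIENT.CONNECTIONS "$ip")"
done
```

ALLOW here only means the address map did not block the connection; the user ID chosen by USERSRC still goes through the authority checks described earlier.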
29. Configuration
• In MQ Explorer: (screenshot not reproduced)
30. Transport Layer Security
31. Introduction
• TLS is used for two reasons in MQ:
  ▪ Authentication with a Queue Manager
  ▪ Encrypting and protecting data in transit between a client or Queue Manager and destination Queue Manager.
• Uses a certificate containing a public-private key pair in order to establish a secure link.
  ▪ Called an SSL Handshake.
32. Features
• During the SSL Handshake, asymmetric encryption is used.
  ▪ Once the handshake is completed symmetric encryption is used to transfer data.
• Channels are enabled for SSL/TLS by setting a CipherSpec.
  ▪ Only one CipherSpec can be used on a channel.
33. Features
• A server Queue Manager must have a certificate
• A client application (or client Queue Manager) does not require a certificate.
  ▪ But does require a copy of the server Queue Manager's public certificate.
• As of MQ v8 a channel can use a different certificate than the Queue Manager it is defined on.
Tools
⢠MQ Supplies 3 tools for your certificate and key
repository management needs:
ď§ strmqikm (or IBM Key Management)
âť IBM JRE GUI tool for managing certificates
ď§ runmqckm
âť command line tool to manage certificates â can
handle JKCS repositories
ď§ runmqakm
âť Command line tool to manage certificates â can
handle Elliptic Curve certificates
35. Š 2016 IBM Corporation 35
Defaults
⢠Default location for Queue Manager Key Repository is
ď§ <MQ Data Root>/qmgrs/<QM Name>/ssl/key.kdb
âť Can be changed using Queue Manager SSLKEYR
attribute
⢠Default certificate used by the Queue Manager is
ď§ Ibmwebspheremq<qmname>
âť Can be changed in MQ v8+ using Queue
Manager CERTLABL attribute
36. Š 2016 IBM Corporation 36
Configuration
⢠Example 1: Setting up a Queue Manager to use SSL/TLS
⢠First create the Key Repository the Queue Manager will
use:
ď§ In a command prompt:
⢠What we are altering
⢠Action to perform
⢠Name and location of key repository to create
⢠Password to access the key repository
⢠Tells runmqakm to stash the password which is used by
MQ.
runmqakm âkeydb âcreate âdb /var/mqm/qmgrs/CTU/ssl/key.kdb
âpw passw0rd -stash
37. Š 2016 IBM Corporation 37
Configuration
⢠Example 1: Setting up a Queue Manager to use SSL/TLS
⢠Next create the Queue Managerâs certificate
⢠In a command prompt:
⢠What we are altering
⢠The action to perform
⢠Where to store the certificate
⢠Tells runmqakm to use the stash file to access the key repository
⢠The distinguished name to give the certificate
⢠The label to refer to the certificate
runmqakm âcert âcreate âdb /var/mqm/qmgrs/CTU/ssl/key.kdb
âstashed âdn âCN=CTU,OU=MQ,O=IBM,C=UKâ âlabel ibmwebspheremqctu
38. Š 2016 IBM Corporation 38
Configuration
⢠Example 1: Setting up a Queue Manager to use SSL/TLS
⢠Next set the Queue Manager to use Key Repository
ď§ Unless you are using defaults
ď§ In runmqsc
⢠Location of the key repository to use
ď§ No file extension!
⢠Label of certificate to use
ALTER QMGR SSLKEYR(â/var/mqm/qmgrs/CTU/ssl/keyâ) +
CERTLABL(âibmwebspheremqctuâ)
39. Š 2016 IBM Corporation 39
Configuration
⢠Example 1: Setting up a Queue Manager to use SSL/TLS
⢠Finally set a channel to use SSL
ď§ In runmqsc
⢠Channel name
⢠Whether to enforce mutual authentication
⢠The CipherSpec to use on this channel
ALTER CHANNEL(âCLIENT.CONNECTIONSâ) SSLCAUTH(REQUIRED) +
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
41. Configuration
• Example 1: Client application
• Alternatively, if you cannot adjust your application
  ▪ In command prompt:
export MQSSLKEYR=/var/client/clientkeyr
export MQCERTLABL=clientcertificate
42. Configuration
• Example 1: Client application
  ▪ Ensure the certificate trust chain is complete on each side
[Diagram: Queue Manager Keystore and Client Keystore; ibmwebspheremqctu is extracted from the Queue Manager Keystore to qmgr.cer]
runmqakm -cert -extract -db /var/mqm/qmgrs/CTU/ssl/key.kdb -stashed -label ibmwebspheremqctu -file /var/certs/qmgr.cer
43. Configuration
• Example 1: Client application
  ▪ Ensure the certificate trust chain is complete on each side
[Diagram: Queue Manager Keystore and Client Keystore; qmgr.cer is added to the Client Keystore as qmgrsignercert]
runmqakm -cert -add -db /var/client/clientkeyr.kdb -stashed -label qmgrsignercert -file /var/certs/qmgr.cer
44. Configuration
• Example 1: Client application (Mutual Authentication)
  ▪ Ensure the certificate trust chain is complete on each side
[Diagram: clientcertificate is extracted from the Client Keystore to client.cer and added to the Queue Manager Keystore as clientsignercert; the Client Keystore already holds qmgrsignercert]
runmqakm -cert -extract -db /var/client/clientkeyr.kdb -stashed -label clientcertificate -file /var/certs/client.cer
runmqakm -cert -add -db /var/mqm/qmgrs/CTU/ssl/key.kdb -stashed -label clientsignercert -file /var/certs/client.cer
45. Security Exits
46. Introduction
• Security exits are bespoke, customer-created exits that are run during the security checks.
• MQ contains an API used in the security exits to extract information about an incoming connection.
  ▪ This information can then be used in the security exit to determine whether to allow or disallow a connection.
• Prior to MQ v8 a security exit was used in MVS to supply connection authentication capabilities
  ▪ CSQ4BCX3
47. Features
• Security exits are stored in
  ▪ <MQ Data Root>/exits/<Installation name>
• MQ will look in this folder when an exit is attached to a channel
• Exits are referenced in the SCYEXIT channel attribute
  ▪ Without the file suffix or location
48. Features
• As well as security exits there are also:
  ▪ Receive exits - RCVEXIT
  ▪ Send exits - SENDEXIT
• For each exit you can also supply custom data to pass to the exit using the channel's ***DATA attribute
  ▪ For example, security exit data using SCYDATA
Configuration
⢠First write a C Application with the following skeleton
code:
void MQENTRY MQStart() {;}
void MQENTRY EntryPoint (PMQVOID pChannelExitParms,
PMQVOID pChannelDefinition,
PMQLONG pDataLength,
PMQLONG pAgentBufferLength,
PMQVOID pAgentBuffer,
PMQLONG pExitBufferLength,
PMQPTR pExitBufferAddr)
{
PMQCXP pParms = (PMQCXP)pChannelExitParms;
PMQCD pChDef = (PMQCD)pChannelDefinition;
/* TODO: Add Security Exit Code Here */
}
50. Š 2016 IBM Corporation 50
Configuration
⢠Next compile and link the exit as a Dynamic library and
place in:
ď§ <MQ Data Root>/exits/<Installation name>
51. Š 2016 IBM Corporation 51
Configuration
⢠Next specify the exit on the channel:
ď§ In runmqsc
⢠Channel name
⢠Name of security exit to run
ď§ Without location or file extension
⢠Custom data to pass to the security exit
ALTER CHANNEL(âCLIENT.CONNECTIONSâ) SCYEXIT(âmqccredâ) +
SCYDATA(âsec exit dataâ)
52. Advanced Messaging Security
53. Introduction
• AMS provides a higher level of protection to messages
• Has two levels of protection - policies
  ▪ Integrity protection
    ➢ Prevents messages from being tampered with.
    ➢ Guarantees message has been received from known source
  ▪ Integrity and privacy protection
    ➢ Same benefits as Integrity protection
    ➢ Also provides encryption to prevent unauthorised recipients seeing message
54. Features
• AMS does not perform access control but simply provides privacy and integrity to messages.
• Messages are protected using certificates that each signer and recipient will need.
  ▪ Depending on level of protection
55. Features
• It is an end-to-end security model
  ▪ Messages are protected from creation until destruction
• Messages can be protected so that only authorised users can see message data
  ▪ This means even MQ Administrators cannot view a message.
• Messages are protected both in transit and at rest
  ▪ Satisfies the standards compliance for certain data types (HIPAA, PCI, etc)
56. Features
• AMS is incorporated into MQ Client applications without the need for re-building applications
  ▪ No code changes are necessary!
• Message size will increase in order to incorporate AMS format
  ▪ New message size = 1280 + [Old Message Length] + (200 x [# of recipients])
57. Tools
• Unlike SSL, it requires the FULL trust chain
  ▪ Subject certificate, signer certificate, signer's signer certificate, etc
• MQ has three tools for defining and managing policies
  ▪ MQ Explorer
    ➢ Define, display, delete policies
  ▪ setmqspl
    ➢ Define, delete policies
  ▪ dspmqspl
    ➢ Display policies
58. Configuration
• Example 1: Configuring MQ to protect messages
  ▪ In a command prompt:
setmqspl -m CTU -p CLIENT.DATA.Q -s SHA512 -a "CN=CLIENT1,O=CLIENTORG,C=UK" -e AES256 -r "CN=CLIENT2,O=CLIENTORG,C=UK"
• -m: Queue Manager
• -p: Queue to protect
• -s: Signing algorithm
• -a: Authorised signer
• -e: Encryption algorithm
• -r: Authorised recipient
59. Configuration
Example 1: Application changes
• Alice's Sending/Receiving App: No Changes Necessary!
• Environment: MQS_KEYSTORE_CONF=/…/Keystore.conf (or create Keystore.conf in home directory)
• Keystore.conf:
cms.keystore=/…/Keystore
cms.certificate=AliceCertificate
• Keystore: holds AliceCertificate
61. Where can I get more information about IBM MQ?
• IBM Messaging developerWorks: developer.ibm.com/messaging
• IBM Messaging YouTube: https://www.youtube.com/IBMmessagingMedia
• LinkedIn: Ibm.biz/ibmmessaging
• Twitter: @IBMMessaging
• IBM MQ Facebook: Facebook.com/IBM-MQ-8304628654/
62. Thank you very much.
Rob Parker
IBM MQ Ecosystem, IBM
parrobe@uk.ibm.com