wmq ese introduction
TRANSCRIPT
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 1/14
1
®
IBM Software Group
© IBM Corporation
End to end security for WebSphere MQ
An Introduction to WebSphere MQ Extended Security Edition
Carl Farkas
IBM SW TechWorks zWebSphere
Paris, France
IBM Software Group
2
Agenda
Problem statement
Introduction and product overview
Architecture review
Implementation details
Product administration
Conclusion
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 2/14
2
IBM Software Group
Robbing the bank - yesterday
IBM Software Group
Robbing the bank – today
Queues
Customer
Application
Customer
Application
Queues
QM QM
B a d G u y
Familiar Threats,Different Environment
Internet
Extranet
Intranet
001110010100001 001110010100001
0 1 1 1 0 0 1 1
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 3/14
3
IBM Software Group
Controlling access to data - Whatorganisations want
Authentication
Authorisation / Control
Integrity
Privacy
Audit trail
Centrally managed
Availability
IBM Software Group
6
What do we need for MQ?To provide end to end security for the MQ network
AAA
Authentication of users into the network
Authorisation of their access to queues / queue managers
Can’t access messages you are not authorised to
Keeping an Audit trail of which queues have been accessed and by whom
Protect message payloads
When messages are on queues or in transit
Do not allow message data to be tampered with
Know without a doubt, the sender of a message
Centrally managed
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 4/14
4
IBM Software Group
7
What WMQ Provides Today
Users are based on Operating System ID
Users are unique to machines and not across the enterprise
No passwords are used for authorisation
Not 100% secure
SSL channels
Protects messages in transit
Messages at rest are in the clear
Object Authority Manager (OAM) / RACF limits access to resources
OAM is on a per machine basis, hard to administer a large network
RACF applies to a single sysplex
IBM Software Group
WebSphere MQ - native
M QP UT
M Q GE T
M Q OP E N
M Q C ONN
QueueManager
OAM
OK?
y/n
Queues
MCA
MQI Stub
Customer Apps
MCA
Queues
SSL here
B a d G u y
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 5/14
5
IBM Software Group
9
What WMQ ESE Providesbeyond WMQ
Authentication
PKI approach to uniquely identify users
Users are stored in a LDAP repository and map onto certificates
Authorisation
Users can be granted or denied access to put and get to queues
Users can be granted access to client connect to the queue manager
Policies centrally managed
Auditing
User access to queues can be audited
The user, object name and success or failure of the access attempt are
logged
IBM Software Group
10
Other WMQ ESE Benefits Message protection
Users are based on certificates making them unique across enterprises
Sign messages
Tells us who the message came from
Ensures that the message hasn’t been tampered with
Can encrypt the message payload for end-to-end security
Messages protected on the queues
Addresses audit and other requirements of Sarbanes-Oxley
Central Administration
WMQ security policies, users, groups and audit levels are centrally managed
GUI or command line interfaces
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 6/14
6
IBM Software Group
11
WMQ ESE Architecture
IBM Software Group
12
Methods of interception WMQ ESE needs to intercept the application API calls to subject
them to security
The different interfaces are:
1. WMQ applications binding locally to a distributed queue manager
2. WMQ applications binding to a z/OS queue manager
3. WMQ Client and JMS applications client side interception4. WMQ Client and JMS applications server side interception
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 7/14
7
IBM Software Group
13
1. Distributed server interceptor model (API Exits)
M QP UT
M Q GE T
M Q OP E N
M Q C ONN
QueueManager
OAM
Code Exits
ACLs
Users
GSKit/
ACME
OK?
y/n
Queues
MCA
Customer Apps
MQ ESEServer
( pdmqd )MQ ESE
API
ExitsCertsLDAP Server
Policy Server Policy
Replica
??
MQI Stub
IBM Software Group
14
2. z/OS server interceptor model//CL00PUT JOB 1,MSGCLASS=H
//*
// EXEC PGM=OEMPUTX,REGION=0M,
// PARM=('-mVCT7 -N1. -X -clear -pm -s12 ')
//SYSIN DD *
-QCLASS00_NONE
-FILEDD:MSGIN
//STEPLIB DD DISP=SHR,DSN=PP.ACCMAN.V4R1.SDRQAUTH
// DD DSN=PUBVIC.V531.SCSQAUTH,DISP=SHR
// DD DSN=PUBVIC.V531.SCSQANLE,DISP=SHR
// DD DISP=SHR,DSN=PAICE.IP13.LOAD
//MSGIN DD DISP=SHR,DSN=CLASS00.TAMBI.MSGDATA(HELLO)
//SYSPRINT DD SYSOUT=*
Add TAMBI as the firstlibrary to load
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 8/14
8
IBM Software Group
15
3. (C or JMS) MQ Client SecurityExit – Client side
M C A
T AMBI i n t er c e p t or
WMQ
QueueManager
TAMBIInterceptor
WMQ Apps
WMQ
C/Java
Client
WMQClient Apps
MQI C / JMS
MQI
MQI
WMQ ClientWMQ Server
“R” = new permission bit to allow/deny connection
TAMBISecurity
Exit
IBM Software Group
16
4. (C or JMS) MQ Client SecurityExit – Server side
M
C A
T AMBI I n t er c e p t or
TAMBISecurity
Exit
WMQQueue
Manager
TAMBIInterceptor
WMQ Apps
WMQ
C/JavaClient
WMQClient cert
based
SSL Channel
WMQClient Apps
User Key/Cert
MQIC / JMS
SSL
MQI
MQI
WMQ ClientWMQ Server
“R” = new permission bit to allow/deny connection
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 9/14
9
IBM Software Group
17
WMQ ESE Administration
IBM Software Group
18
Interfaces for Administrators
Command line interface
Web Based GUI interface
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 10/14
10
IBM Software Group
19
Policy Server conceptsPDMQ
Queue
TAMBI.DEAD.QUEUE
IN.QUEUE
MYQM
Q-enc-strengthQ-sig-algorithm
Q-recipients
Qname-resolution
PKI-enc-strength
PKI-sig-algorithm
Error-handling-Q
Global
Per Queue Manager
Per Queue
OUT.QUEUE
IBM Software Group
20
Access Control Lists -(ACL) E Grant Put Permission
Application can place messages onto the queue
ACL checked on MQOPEN (in PUT mode)
D Grant Get Permission
Application can retrieve messages from the queue
ACL checked on MQOPEN (in GET mode)
R User is allowed to connect to the queue manager remotely
Using WBIBroker plug-in
User jon Trx
Group sales Trm[PDMQ]E
Group admin Trxmcd[PDMQ]DE
Any-other Tr
Unauthenticated T
ACL Entry
Type ID Permissions
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 11/14
11
IBM Software Group
21
POPs specify the security policy for a queue or queue manager:
The security for messages put to the queue
None – message is sent as normal
Integrity – Message is digitally signed by the sender
Encrypt – Message is signed and encrypted by the sender
The time of day that the object can be accessed
The audit level for the queue (none, permit, deny, error, admin)
Protected Object Policies – (POP)
IBM Software Group
22
Auditing Events recorded when specified auditable events occur at:
MQOPEN, MQPUT, MQPUT1, MQGET, MQCLOSE
Auditing Options allow different levels of detail to be logged:
permit: Records only successful accesses
deny: Records only denied requests for access
admin: Records OPEN, CLOSE, PUT, and GET operations on protected WMQqueues
error: Records any unsuccessful GET operations
Audit records stored as XML on distributed and SMF on z/OS
Audit Records Include:
- AM User ID, WMQ Message ID
- Sender PKI ID (if message signed)
- Date and Time
- Encryption and Signing algorithms
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 12/14
12
IBM Software Group
23
WMQ ESE Auditing<event rev="1.2">
<date>2005-11-07-23:25:25.296-05:00I-----</date>
<outcome status="0">0</outcome>
<originator blade="ivadminapi"><component rev="0.1">pdmq</component>
<action>0</action>
<location>dropzone</location>
</originator>
<accessor name="mq_pki_ldap">
<principal auth="IV_LDAP_V3.0" domain="Default"> jdement</principal>
</accessor>
<target resource="0"><object>/PDMQ/Queue/QM_dropzone/JEFF</object></target>
<data>
<data tag="action">MQOPEN</data>
<data tag="operation">E</data>
<data tag="result">access denied or azn check failed</data>
<data tag="qop">integrity</data>
<data tag="ProcessId">3456</data>
</data>
</event>
Queue
Use jon Trx
Group admin Trxmcd[PDMQ]DE
Any-other Tr
Unauthenticated T
IBM Software Group
24
Summary WMQ data needs to be protected at rest and in flight
No need to update or modify existing deployed WMQ applications.
ESE is transparent
Centralised administration of both access control to queues,
data protection and security audit policies
WMQ ESE provides end to end security for WMQ networks
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 13/14
13
IBM Software Group
25
IBM Software Group
26
Public Private Key Cryptography
8/3/2019 WMQ ESE Introduction
http://slidepdf.com/reader/full/wmq-ese-introduction 14/14
14
IBM Software Group
27
Cryptography explained – slide 1
AliceAlice
Hi BobHi Bob
AliceAliceHi BobHi Bob
AliceAlice
Alice
Alice
encrypt w/encrypt w/public keypublic key
E8*5%er
messagefor Bob
Bob
aN!3q*nB5+
encrypt w/encrypt w/symmetricsymmetric
keykey
Symmetrickey
b2cea738a209065
Di g e s t
Di g e s t
q!T4@xJ**G
q!T4@xJ**Gencrypt w/encrypt w/private keyprivate key
IBM Software Group
28
Cryptographyexplained – slide 2
b2cea738a209065DigestDigest
aN!3q*nB5+
E8*5%er
messagefor Bob
CA
Bob
BobBob
decrypt w/decrypt w/private keyprivate key
Hi BobHi Bob
AliceAlice
Yes, messagecame from
Alice
decrypt w/decrypt w/symmetricsymmetric
keykeyq!T4@xJ**G
Hi BobHi Bob
AliceAlice
Alice
q!T4@xJ**G
Hi BobHi BobAliceAlice
Alice
CA
=
☺
b2cea738a209065decrypt w/decrypt w/public keypublic key