DOCSLIB.ORG

Secure Messaging Scenarios with Websphere MQ

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Secure Messaging Scenarios with Websphere MQ IBM® WebSphere® Front cover Secure Messaging Scenarios with WebSphere MQ Using strong authentication Using granular authorization Implementing revocation checking T.Rob Wyatt Glenn Baddeley Neil Casey Long Nguyen Jørgen H. Pedersen Morten Sætra ibm.com/redbooks International Technical Support Organization Secure Messaging Scenarios with WebSphere MQ November 2012 SG24-8069-00 Note: Before using this information and the product it supports, read the information in “Notices” on page xi. First Edition (November 2012) This edition applies to WebSphere MQ Version 7.5. © Copyright International Business Machines Corporation 2012. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . xi Trademarks . xii Preface . xiii The team who wrote this book . xiii Now you can become a published author, too! . .xv Comments welcome. .xv Stay connected to IBM Redbooks . xvi Chapter 1. Introduction. 1 1.1 Why read this book . 2 1.2 Currency . 3 1.3 Scope . 3 Chapter 2. What is security . 5 2.1 Defining requirements . 6 2.2 Security as a system . 7 2.3 The security lifecycle. 8 2.3.1 Provisioning access . 8 2.3.2 Revoking access. 8 2.3.3 Monitoring and accountability . 9 2.3.4 Ongoing maintenance. 9 2.3.5 Recovery. 10 2.4 Summary. 11 Chapter 3. Authentication and authorization . 13 3.1 Relationship between authentication and authorization . 14 3.2 Authentication in WebSphere MQ. 14 3.2.1 Connection authentication . 14 3.2.2 Message-level authentication . 16 3.3 Authorization in WebSphere MQ. 16 3.3.1 Connection-level authorization . 16 3.3.2 Message-level authorization . 19 Chapter 4. Connection-level security . 21 4.1 Architecture . 22 4.2 Authentication . 22 4.2.1 Assertion . 22 4.2.2 Origin . 23 4.2.3 Certificate . 23 4.3 Identity resolution . 23 4.4 Binding authentication to authorization . 24 4.5 Default CHLAUTH rules . 24 4.6 Provisioning access . 25 4.7 Upgrade and migration . 26 4.8 Access control lists . 26 4.9 Authorizing topics . 27 4.10 Authorizations that grant administrative access . 28 4.10.1 Granting +crt authority . 28 © Copyright IBM Corp. 2012. All rights reserved. iii 4.10.2 Granting +set authority on the queue manager . 28 4.10.3 Granting +setid or +setall on queues . 29 4.11 Common mistakes . 29 4.11.1 Unprotected channels . 30 4.11.2 Granting access to principals . 30 4.11.3 Administrative users with mqm as a secondary group . 31 4.11.4 Unquoted asterisks in setmqaut commands . 32 4.11.5 Using generic authorizations. 33 4.11.6 Granting access to the nobody group . 34 Chapter 5. Message-level security. 35 5.1 Architecture . 36 5.2 Policies . 36 5.3 Use cases . 37 5.3.1 Business-to-business (B2B) . 37 5.3.2 End-to-end encryption. 38 5.3.3 Data aggregation . 38 5.3.4 Command and control flows . 39 Chapter 6. WebSphere MQ security controls . 41 6.1 Overview . 42 6.2 Operating system and file system resources . 42 6.2.1 File system as the root of trust in the server . 42 6.2.2 Restrict file system access . 43 6.2.3 Restrict access to mqm home directory and tools . 44 6.2.4 Limit access to the mqm user ID. 44 6.2.5 mqm group membership . ..
Load more

Recommended publications
  • MQ Jan 2005.P65
    67 January 2005 In this issue 3 Generating and executing commands in batch for MQ on z/OS 10 Integrating COBOL applications with Microsoft BizTalk Server 2004 – part 2 19 Display tool for WebSphere MQ objects on Unix 31 Introduction to, and usage of, the WebSphere MQ JMS Admin tool 39 How to migrate Plug-In node from WMQI to WBIMB 50 MQ news © Xephon Inc 2005 MQ Update Published by Subscriptions and back-issues Xephon Inc A year’s subscription to MQ Update, PO Box 550547 comprising twelve monthly issues, costs Dallas, Texas 75355 $380.00 in the USA and Canada; £255.00 in the USA UK; £261.00 in Europe; £267.00 in Australasia and Japan; and £265.50 elsewhere. In all cases Phone: 214-340-5690 the price includes postage. Individual issues, Fax: 214-341-7081 starting with the July 2000 issue, are available Editor separately to subscribers for $33.75 (£22.50) Trevor Eddolls each including postage. E-mail: [email protected] Contributions Publisher When Xephon is given copyright, articles Colin Smith published in MQ Update are paid for at the rate E-mail: [email protected] of $160 (£100 outside North America) per 1000 words and $80 (£50) per 100 lines of code Disclaimer for the first 200 lines of original material. The Readers are cautioned that, although the remaining code is paid for at the rate of $32 (£20) information in this journal is presented in good per 100 lines. To find out more about faith, neither Xephon nor the organizations or contributing an article, without any obligation, individuals that supplied information in this please download a copy of our Notes for journal give any warranty or make any Contributors from www.xephon.com/nfc.
    [Show full text]
  • Universal Messaging with IBM MQ V8 IBM Redbooks Solution Guide
    ® Universal Messaging with IBM MQ V8 IBM Redbooks Solution Guide By implementing messaging technologies, businesses can use a consistent approach to connectivity, decoupling the business application from the complex tasks of handling failures, error recovery, transaction integrity, security, and scalability. IBM® MQ® provides the universal messaging backbone for service-oriented architecture (SOA) connectivity (Figure 1). It connects virtually any commercial IT system, with support for more than 80 platforms. Figure 1. Overview of the IBM MQ solution IBM MQ includes a choice of APIs and supports the Java™ Message Service (JMS) API. IBM MQ is the market-leading messaging integration middleware product. Originally introduced in 1993 (under the IBM MQSeries® name), IBM MQ provides an available, reliable, scalable, secure, and high-performance transport mechanism to address businesses connectivity requirements. Universal Messaging with IBM MQ V8 1 Did you know? IBM MQ has the following credentials and industry recognition: It is the most widely deployed messaging backbone, with over 10,000 customers using the IBM messaging backbone: o Over 90% of Fortune 50 companies and of Fortune 10 companies use the IBM messaging backbone. o Over 80% of Global 25 companies and 70% of Global 10 companies use the IBM messaging backbone. It is entrusted with tens of billions of messages each day: o A government client sends 675 million messages per day. o A banking client handles over 213 million messages per day on IBM z/OS® alone. It is relied upon as the mission-critical backbone: o A financial markets client handles USD 1 trillion worth of traffic per day on one IBM MQ network.
    [Show full text]
  • MQ for Administrators
    MQ for Administrators Arthur Rodriguez [email protected] TxMQ Inc. Capitalware's MQ Technical Conference v2.0.1.5 MQ for Administrators The session builds on the basic introduction to MQ, with a focus on Administrative best practices, system architecture considerations, naming conventions, basic and advanced tools (command line & the explorer, scripting and automation, backup and recovery and basic troubleshooting techniques). • Agenda • Scope of MQ Administration • Assumptions • Architecture • Target Audience • Installation & Maintenance • Role of the MQ Administrator • Availability, Recovery and • What MQ Admins do Restart • Quick Review of MQ ? • Administrative Tasks • What is MQ ? • Tools • MQ System Components • Troubleshooting Techniques • Conclusion Capitalware's MQ Technical Conference v2.0.1.5 MQ for Administrators Assumptions Basic understanding of MQ and Message Queueing in an enterprise computing environment Background in Linux, Unix or Windows systems administration Target Audience Anyone responsible for or interested in MQ systems administration MQ Admins may come from various backgrounds, network engineers, Linux, Unix, and Windows admins, or MQ developers. Goal Provide a high level overview of the roles and responsibilities of the MQ Administrator. Tips of preforming some regular MQ Administrator activities and overall scope of the MQ Administrator role in an enterprise computing environment. Provide some best practices Capitalware's MQ Technical Conference v2.0.1.5 Role of the MQ Administrator Capitalware's MQ Technical Conference v2.0.1.5 Role of the MQ Administrator To support business functions, IT operations and application development by assuring the availability, reliability, accessibility, and performance of MQ systems and services. MQ Administrators are responsible to ensure not only that MQ systems and services are fully operational, but that they are being utilized effectively and efficiently.
    [Show full text]
  • 17059: Are Z/OS & Distributed MQ Platforms Like Oil and Water?
    17059: Are z/OS & distributed MQ platforms like oil and water? Mark Taylor Lyn Elkins [email protected] [email protected] IBM Hursley IBM ATS Insert Custom Session QR if Desired. Introduction • One objective of MQ is isolating apps from needing to understand platforms ‒ There is a common API that can be expressed in many languages • Another objective is to have (reasonably) common operational model ‒ Much of admin is the same on all platforms • But it’s not all the same ‒ One dichotomy has always been whether to be natural to MQ-ness or behave like other things on the platform ‒ Some features don’t make sense on some platforms For example, .Net interface is only on Windows ‒ Some features have not been implemented everywhere for other reasons • So there are differences, and that is what this presentation will cover • Will base this on V8 Code Streams • There are essentially two implementations of MQ from Hursley lab ‒ z/OS ‒ Distributed (Windows, Unix, Linux, i) ‒ There are some further subspecies variants like VSE or NSS • Within Distributed implementation, there are some platform unique features ‒ But we won’t discuss those here ‒ Most platform-unique code abstracts OS facilities like locking or NLS or threads • In the early days, some code was written for one and then “ported” ‒ In particular, the channel code ‒ Meant double-fixing, and re-porting for each release • Internal architecture (eg tasks, threads) very different ‒ But we won't discuss much of that. Understanding externals is more important • Since V7.0, some code is
    [Show full text]
  • MP1K: IBM MQ for Z/OS Version 9 Performance Report
    MP1K: IBM MQ for z/OS version 9.0 Performance Report June 2016 IBM MQ Performance IBM UK Laboratories Hursley Park Winchester Hampshire SO21 2JN Take Note! Before using this report, please be sure to read the paragraphs on “disclaimers”, “warranty and liability exclusion”, “errors and omissions” and other general information paragraphs in the “Notices” section below. First edition, June 2016. This edition applies to IBM MQ for z/OS version 9.0 (and to all subsequent releases and modifications until otherwise indicated in new editions). © Copyright International Business Machines Corporation 2016. All rights reserved. Note to U.S. Government Users Documentation related to restricted rights. Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule contract with IBM Corp. Notices DISCLAIMERS The performance data contained in this report were measured in a controlled environment. Results obtained in other environments may vary significantly. You should not assume that the information contained in this report has been submitted to any formal testing by IBM. Any use of this information and implementation of any of the techniques are the responsibility of the licensed user. Much depends on the ability of the licensed user to evaluate the data and to project the results into their own operational environment. WARRANTY AND LIABILITY EXCLUSION The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUD- ING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
    [Show full text]
  • Product Documentation for Integrating with Appdynamics APM Fix Pack 9 November 2020
    IBM Z Application Performance Management Connect 6.1 Product Documentation for integrating with AppDynamics APM Fix pack 9 November 2020 IBM Contents Integrating with AppDynamics APM.......................................................................5 Introducing components........................................................................................7 Z APM Connect Base....................................................................................................................................7 Z APM Connect Distributed Gateway.......................................................................................................... 8 Z APM Connect CICS TS Data Producer...................................................................................................... 8 Z APM Connect IMS Data Producer............................................................................................................. 9 Z APM Connect Interceptor......................................................................................................................... 9 Z APM Connect request monitoring exits..................................................................................................10 IBM MQ Monitoring Subsystem component............................................................................................. 11 Installing and configuring.................................................................................... 13 Prerequisites and system preparation.....................................................................................................
    [Show full text]
  • Running and Supporting MQ Light Applications
    Running and Supporting MQ Light Applications Matthew Whitehead IBM MQ Development [email protected] Copyright © IBM 2016 Capitalware's MQ Technical Conference v2.0.1.6 Agenda • What is MQ Light? • The MQ Light API • Running MQ Light apps in Bluemix • IBM MQ support for MQ Light • Demos Copyright © IBM 2016 Capitalware's MQ Technical Conference v2.0.1.6 IBM Messaging Deliver Messaging Enable Developers to Backbone for Enterprise build more scalable, responsive applications Focus on traditional MQ values, rock-solid Focus on app use cases, enterprise-class service, breadth of languages, ease-of-operation, breadth ease-of-deployment, micro of platform coverage, services, integration with availability, z/OS developer frameworks exploitation Copyright © IBM 2016 Capitalware's MQ Technical Conference v2.0.1.6 What is MQ Light? 1. A new messaging API 2. A messaging runtime for on-premise development 3. A PaaS messaging runtime for admin-free cloud deployment (the MessageHub Service in Bluemix) More on all of these throughout the slides... Copyright © IBM 2016 Capitalware's MQ Technical Conference v2.0.1.6 MQ Light : Software and Cloud Messaging that application developers will love to use, helping them make responsive applications that scale easily 3 ways to run an MQ Light application: Bluemix Message Hub service (MQ Light service now deprecated) MQ Light software download IBM MQ 8.0.0.4 Open APIs crafted to feel natural in a growing range of popular languages Tooling that makes modular app development easy Copyright © IBM 2016 Capitalware's
    [Show full text]
  • Introduction to MQ
    Introduction to MQ Sam Goulden IBM MQ L3 Service MQ Technical Conference v2.0.1.8 Agenda ¡ Messaging What is messaging and why use it? What does MQ give you? ¡ Fundamentals of IBM MQ Messaging models Key components Messaging applications MQ Environments Security Reliability and availability Administration MQ Advanced MQ Technical Conference v2.0.1.8 What is messaging? ¡ It connects your applications! From the simplest pairs of applications… ...to the most complex ¡ and breaks the tight coupling… business processes. MQ Technical Conference v2.0.1.8 Why use it? ¡ Extended reach ¡ Reliability ¡ Scalability ¡ Flexibility ¡ Provides for simplification of application development Ubiquity Easy to change and scale Focus on the business logic ¡ Important regardless of the initial scale of deployment MQ Technical Conference v2.0.1.8 Direct communication between applications Request an action App B App A Wait for a response ¡ Issues with this ‘synchronous’ approach Both applications A and B must always be available for A to continue A cannot do anything whilst B is processing A’s request What is B fails whilst A is waiting for it to complete? What is B needs to handle a high workload of different priority requests? MQ Technical Conference v2.0.1.8 As systems become more Maximum number of Fragility of tight coupling tightly coupled, their connections goes up with reliance on each other the square of increases the number of systems The cost of a failure of a Scaling systems process increases independently to respond to requirements becomes
    [Show full text]
  • Interview Questions Answers . ORG Interviewer and Interviewee Guide
    3/25/2015 MQ Series Interview Questions and Answers Interview Questions Answers . ORG Interviewer And Interviewee Guide Home About Us Contact Us Directory Forum SEARCH MQ Series Questions And Answers All Categories >> Mainframes >> MQ Series >> MQ series job test questions and answers guide. The one who provides the best answers with a perfect presentation is the one who wins the job hunting race. Learn MQ Series and get preparation for the new job ► Question and Answers ► Download eBook Google Cloud Hadoop ► Download Software Rabbit MessageQ CATEGORIES Problems? Linux OS Mainframes Anytime Anywhere Access CICS CLIST (Command List) IBM ADABAS IBM AS400 Honor 4X Dual Sim Phone IBM Assembler IBM COBOL400 hihonor.in/products/mobile/honor4x IBM COOLPLEX Only Rs.10499 with great features High review IBM DB400 score. Order now! IBM MainFrame IBM MVS IBM Natural MQ Series guide updated at 12 Jan 15 in Category Mainframes and visited 571 Times IBM OS 2 IBM OS390 ► MQ Series ► PDF ► Queue ► To PDF Java IBM QMF IBM QSAM IBM REXX Download PDF IBM RPG400 DOWNL OA D MQ S E RIE S QUE S TIONS E B OOK IBM Sysplex IDMS IMS DB Submit Your Question MQ Series Questions and Answers: JCL MQ Series 1 :: What is Dead Letter Queue? VSAM Management ­ When a queue is not delivered to their correct destinations, then it is called as Dead Letter queue Marketing ­ When the destination queue is full, the dead­letter queue occurs. It is identified by Medical SYSTEM.DEAD.LETTER.QUEUE. ­ A dead­letter queue is defined for distributed queuing, on each queue manager Microsoft
    [Show full text]
  • Application Programming with MQ Verbs (Z/OS and Distributed) 17903
    Application Programming with MQ Verbs (z/OS & Distributed) 17903, Dolphin, Oceanic 3, Tues Aug 11th 2015, 3:15 - 4:15pm Mayur Raja IBM Hursley Park, Winchester, UK [email protected] Legal Disclaimer The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
    [Show full text]
  • CICS TS for Z/OS: Using CICS Service Flow Runtime Chapter 1
    CICS Transaction Server for z/OS 5.5 Using CICS Service Flow Runtime IBM Note Before using this information and the product it supports, read the information in “Notices” on page 187. This edition applies to the IBM® CICS® Transaction Server for z/OS® Version 5 Release 5 (product number 5655-Y04) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 1974, 2020. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents About this PDF.....................................................................................................vii Chapter 1. Product overview..................................................................................1 The runtime environment and BTS..............................................................................................................2 The service flow project tools......................................................................................................................4 Benefits of CICS Service Flow Runtime and service flow project tools..................................................... 5 Server adapters............................................................................................................................................5 Front End Programming Interface (FEPI) server adapter..................................................................... 6 Link3270 server adapter.......................................................................................................................
    [Show full text]
  • Websphere MQ V6 Fundamentals
    Front cover WebSphere MQ V6 Fundamentals Overview of message queuing and WebSphere MQ V6.0 Broad technical introduction to the Websphere MQ product Hands-on guide to the first steps of building a WebSphere MQ infrastructure Saida Davies Peter Broadhurst ibm.com/redbooks International Technical Support Organization WebSphere MQ V6 Fundamentals November 2005 SG24-7128-00 Note: Before using this information and the product it supports, read the information in “Notices” on page xv. First Edition (November 2005) This IBM Redbook edition is an update to the Redpaper MQSeries Primer, REDP-0021. This edition applies to Version 6, Release 0, Modification 0, of IBM WebSphere MQ (product number 5724-H72). © Copyright International Business Machines Corporation 2005. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . xv Trademarks . xvi Preface . xvii The team that wrote this redbook. xvii Become a published author . xix Comments welcome. xx Summary of changes . xxi November 2005 . xxi Chapter 1. Overview . 1 Chapter 2. Concepts of message queuing . 5 2.1 Core concepts . 6 2.1.1 Middleware . 6 2.1.2 Messages . 7 2.1.3 Queues . 7 2.1.4 Point-to-point messaging . 9 2.1.5 Publish/subscribe messaging . 10 2.2 Simplification . 12 2.2.1 Development focuses on business logic . 12 2.2.2 Application maintenance and portability . 13 2.3 Scalability and performance . 14 2.4 Reliability and data integrity . 16 2.4.1 Exactly once delivery . 16 2.4.2 Units of work .
    [Show full text]