Secure Messages with IBM WebSphere MQ Advanced Message Security


In some scenarios, securing access to a messaging infrastructure is not enough - teams must also secure access to message content. Come to this session to learn how to provide end-to-end message protection where message contents are secure from the point they are sent to the point they are received, including while at rest on queues. This session starts by describing the theory and capabilities of the product. Then CSX provides a real-world customer example in which it presents its experiences and recommendations for securing messages across distributed and z/OS platforms. Topics covered include an overview of message level security, when it is appropriate to deploy this level of protection, how the message protection is applied, how it can be administered, and the new features available in the latest version of IBM WebSphere MQ.


  1. 1. © 2014 IBM Corporation Secure Messages with IBM WebSphere MQ Advanced Message Security Morag Hughson (IBM) Carol Benders (CSX) Carl Conrad (CSX)
  2. 2. Agenda Introductions • Morag Hughson • Carol Benders • Carl Conrad Technical Introduction To IBM® WebSphere® MQ Advanced Message Security CSX AMS Architecture CSX AMS Implementation CSX AMS Testing Lessons Learned Q&A
  3. 3. © 2014 IBM Corporation Technical Introduction To WebSphere MQ Advanced Message Security (AMS) Morag Hughson hughson@uk.ibm.com
  4. 4. Why use message-level security?
     Base WebSphere MQ networks
     • Authentication and authorization is scoped to the connection
     • SSL/TLS channels provide additional connection-scoped security
     • Channel context setting provides some per-message authorization – But based on unauthenticated MQMD.UserID
     WebSphere MQ AMS complements WebSphere MQ's connection-level security
     • Provides authentication, authorization and accountability scoped at the message level
     Increasing impact of regulatory compliance
     • Payment Card Industry Data Security Standard (PCI-DSS)
     • Health Insurance Portability & Accountability Act (HIPAA)
     • European Union Privacy Directive
     • FIPS, Suite-B, FISMA
     Provide additional security for Command & Control traffic
     Any time many identities are aggregated over a single connection
  5. 5. N O T E S Message Level Protection – Notes • Advanced Message Security is a feature of WebSphere MQ that provides Application Level Security, also known as Message Level Protection. • Message Level Protection provides assurance that messages have not been altered in transit. For example, when issuing payment information messages, ensure the payment amount does not change before reaching the receiver. • Message Level Protection provides assurance that messages originated from the expected source . For example, when processing control messages, validate the sender. • Message Level Protection provides assurance that messages can only be viewed by intended recipient(s). For example, when sending confidential information.
  6. 6. AMS Key Features
     Secures sensitive or high-value WebSphere MQ messages
     • Privacy via message content encryption
     • It leverages digital certificates (X.509) and Public Key encryption to protect WebSphere MQ messages
     Detects and removes rogue or unauthorized messages before they are processed by receiving applications
     • Authentication via certificate above and beyond operating system
     Verifies that messages are not modified between sender and receiver
     • Message Integrity via digital signature of message content
     Protects messages not only when they flow across the network but when they are at rest in queues
     Messages from existing WebSphere MQ applications are transparently secured using “interceptors”
     • No application changes are necessary
     No pre-requisite products other than WebSphere MQ
     Successor to WebSphere MQ Extended Security Edition (ESE)
  7. 7. No changes required to existing applications
     (Diagram of the server/client interceptors: on the server side AMS intercepts the MQ API (mqm lib) through an API exit; pre-7.1 clients use a replacement mqic library, with the original MQIC renamed; 7.1 clients use API exits; JMS applications are intercepted at the JMQI layer; in 7.5 interception is built in.)
  8. 8. N O T E S Interceptors - Environments supported
     • MQ AMS functionality is implemented in “interceptors”
       • There are no long running processes or daemons (except in z/OS®)
       • Existing MQ applications do not require changes
     • These interceptors have evolved over the last few releases.
     • Before MQ V7.1
       • Three interceptors are provided:
         1. MQ Server interceptor for local (bindings mode) MQI API and Java™ applications - Implemented as standard API exit on distributed, and “private” API exit on z/OS
         2. MQ Client API interceptor for remote (client mode) MQ API applications – Implemented as a library replacement
         3. MQ Java client interceptor for remote (client mode) MQ JMS and MQ classes for java applications (J2EE and J2SE).
     – With WebSphere MQ V7.1 MQI clients gain the ability to use API exits, so the MQ Client API interceptor becomes the same API exit as the MQ Server interceptor.
     – With WebSphere MQ V7.5, AMS is no longer a separate product and becomes a feature of WebSphere MQ with the interceptor code becoming embedded in the product. No need to configure API exits anymore.
  9. 9. Interceptors (z/OS)
     Pre-V8.0 (two started tasks)
     • Main Task: ssidAMSM – Runs API interceptor – Enforces policies
     • Data Services task: ssidAMSD – Performs signature and encryption – Calls System SSL PKCS#7 Services (uses SAF keyrings)
     WebSphere MQ V8
     • Single task: ssidAMSM
     • Started/stopped with QMgr
     • “Private” API Exit code is now embedded in the product
     (Diagram: the application's MQ API calls enter the queue manager (ssidMSTR) through the “private” API exit, which in 8.0 is built in; the AMS main (ssidAMSM) and AMS Data Services (ssidAMSD) address spaces are shown alongside.)
  10. 10. N O T E S Interceptors (z/OS) - Notes
     • On z/OS before MQ V8, the MQ Server interceptor for local (bindings mode) is implemented as a “private” API exit on z/OS.
     • In V8, similar to the change made on Distributed in V7.5, AMS is pulled into the base WebSphere MQ product. Its documentation is also pulled into the WebSphere MQ Information Center.
     • This provides a better integration with the queue manager including tie-in of the start/stop of the AMS address space with start-up and shut-down of the queue manager. Calling the AMS address space to do the encryption/decryption work is more efficient and, because the vendor API call intercept method (the “private” API exit) is no longer used, it is less likely to conflict with other OEM products.
     • The previous two separate AMS address spaces, ssidAMSM (main) and ssidAMSD (data services), are now combined into a single address space, ssidAMSM. Any authorities that were previously required by ssidAMSD are now needed on ssidAMSM instead. ssidAMSM now consumes the encryption CPU. The utility that is used on z/OS to set up policies is renamed from DRQUTIL to CSQ0UTIL.
     • There are no changes to the keyring names, and the hardened version of the policies, which are stored as messages on the SYSTEM.PROTECTION.POLICY.QUEUE, have the same shape, so existing policies just work.
     • AMS is still priced separately as OTC and has a separately installed FMID which is an enablement module for AMS.
  11. 11. Message protection policies
     Two types of policies:
     • Message Integrity policy
     • Message Privacy policy
     Created or updated or removed by command ‘setmqspl’
     • or by AMS plug-in for WebSphere MQ Explorer (GUI)
     • Defining message integrity policies
     • Defining message privacy policies
     Policies are stored in queue ‘SYSTEM.PROTECTION.POLICY.QUEUE’
     Display policies with command ‘dspmqspl’
     • or by AMS plug-in for WebSphere MQ Explorer (GUI)
     Each protected queue can have only one policy
     • For distributed queuing, protect the queue locally (source QM) as well as the remote (target QM)
     “Compromised messages” in queue ‘SYSTEM.PROTECTION.ERROR.QUEUE’
     (Diagram: an MQ message (message properties + message data) becomes an AMS message whose data is a PDMQ header plus a PKCS #7 envelope holding the original data and a signature; the queue manager holds the protected queue, the policy queue and the error queue.)
  12. 12. N O T E S Advanced Message Security – Notes
     • Advanced Message Security (AMS) provides message protection policies to allow message content to be signed and encrypted. The application is unaware of the service and so the application programmer need not worry about coding it into his application; however, before the message is even placed on the queue it can be encrypted, thus ensuring that its contents are never exposed. The message is encrypted while it resides on the queue, while it is transported across the network - the channels are unaware that the content is encrypted since they are content agnostic anyway - and is still encrypted when it is placed on the target queue. At the point where the receiving application gets the message off the queue the application level security service decrypts the data and presents it to the application.
     • Configuration of these policies is done using the setmqspl (set MQ security policy) command, or via equivalent function in the MQ Explorer GUI. Once defined these policies are stored in a special queue called the SYSTEM.PROTECTION.POLICY.QUEUE. The policies can also be displayed, using the dspmqspl command, or again, via the MQ Explorer GUI.
  13. 13. Message integrity policy definition
     Signature algorithms:
     • MD5, SHA1, SHA256*, SHA384* or SHA512*
     The list of authorized signers is optional
     • If no authorized signers are specified then any application can sign messages.
     • If authorized signers are specified then only messages signed by these applications can be retrieved.
     • Messages from other signers are sent to the error queue
     On z/OS, same setmqspl program and parms used as SYSIN DD for PGM=DRQUTIL (CSQ0UTIL in V8)
     Can also define policies via the MQ Explorer GUI.
     Syntax:
       setmqspl -m <queue_manager> -p <protected_queue_name> -s <SHA1 | MD5> -a <Authorized signer DN1> -a <Authorized signer DN2> ...
     Example:
       setmqspl -m MYQM -p MY.Q.INTEGRITY -s SHA1 -e NONE -a 'CN=hughson,O=ibm,C=FR'
     * Note: SHA-2 algorithms available in v7.0.1.2 and higher
  14. 14. AMS DRQUTIL/CSQ0UTIL commands on z/OS
     Sample job (the PARM points at the parameter file; the SYSIN DD carries the AMS admin commands to execute):
       //CFAMSAD JOB 'Make MQ AMS queues',CLASS=A,MSGLEVEL=(1,1),
       //         NOTIFY=&SYSUID
       /*JOBPARM SYSAFF=ZT01
       //******************************************************************
       //* Administer MQ Advanced Message Service (AMS)                   *
       //******************************************************************
       // SET DIR='/u/hughson'
       // SET FN='drqdserv.envars'
       //*
       //DRQUTIL  EXEC PGM=DRQUTIL,
       //         PARM='ENVAR("_CEE_ENVFILE=&DIR./&FN") /'
       //STEPLIB  DD DSN=WMQ.AMS.V7R1.SDRQLOAD,DISP=SHR
       //         DD DSN=WMQ.V7R0M1.SCSQANLE,DISP=SHR
       //         DD DSN=WMQ.V7R0M1.SCSQAUTH,DISP=SHR
       //SYSPRINT DD SYSOUT=*
       //SYSIN    DD *
       setmqspl -m QZ09 -p TO.SECRET.FROMZ -s SHA1 -e RC2 -r "CN=hughson,O=ibm,C=GB"
       /*
       //
     Contents of drqdserv.envars (the parameter file referenced by _CEE_ENVFILE):
       _DRQSERV_QMGR=QZ09
       _DRQSERV_MSG_LOGGING=stderr_logging
       _DRQSERV_MSG_LEVEL=*.i
       _DRQSERV_MSG_FOLDING=no
       _DRQ_INIT_THREADS=20
       _DRQ_MAX_THREADS=100
       NLSPATH=/usr/lpp/mqmese/V7R0M1/lib/nls/msg/%L/…
       LANG=En_US.IBM-1047
       TZ=EST5EDT
  15. 15. Message privacy policy definition
     Encryption algorithms:
     • RC2, DES, 3DES, AES128 and AES256
     • Encrypted messages are always signed
     The list of authorized signers is optional
     It is mandatory to specify at least one message recipient
     Retrieved messages which do not meet AMS policy are sent to the SYSTEM.PROTECTION.ERROR.QUEUE
     • Eg: Policy contains authorized signer list and sender is not on it
     Syntax:
       setmqspl -m <queue_manager> -p <protected_queue_name> -s <SHA1 | MD5> -e <encryption algorithm> -a <Authorized signer DN1> -a <Authorized signer DN2> -r <Message recipient DN1> -r <Message recipient DN2>
     Example:
       setmqspl -m MYQM -p MY.Q.PRIVACY -s SHA1 -e AES128 -a 'CN=hughson,O=ibm,C=GB' -r 'CN=ginger,O=ibm,C=JP' -r 'CN=saadb,OU=WBI,O=ibm,C=FR'
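The policy rules on slides 11, 13 and 15 (one policy per queue, a privacy policy must name at least one recipient, encrypted messages are always signed, a message from a signer who is not on the authorized-signer list goes to SYSTEM.PROTECTION.ERROR.QUEUE) can be modelled in a few lines. The following is an added example written for this page, not IBM code and not how the AMS interceptor is implemented: the Policy, PolicyStore and Message classes and the route_on_get decision table are assumptions that only reproduce the rules stated on the slides, and the generated setmqspl command line follows the syntax shown above.

```python
"""Model of AMS message-protection policies and of the decision the
interceptor takes on MQGET.  Added example; the classes below are
assumptions for illustration and are not IBM's code or data model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Algorithm names as listed on the policy-definition slides.
SIGNATURE_ALGS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
ENCRYPTION_ALGS = {"NONE", "RC2", "DES", "3DES", "AES128", "AES256"}
ERROR_QUEUE = "SYSTEM.PROTECTION.ERROR.QUEUE"


@dataclass
class Policy:
    qmgr: str
    queue: str
    sign_alg: str
    enc_alg: str = "NONE"                               # NONE => integrity policy
    signers: List[str] = field(default_factory=list)    # -a, optional
    recipients: List[str] = field(default_factory=list)  # -r, required for privacy

    @property
    def is_privacy(self) -> bool:
        return self.enc_alg != "NONE"


def validate(policy: Policy) -> List[str]:
    """Problems a reviewer would flag before running setmqspl."""
    problems = []
    if policy.sign_alg not in SIGNATURE_ALGS:
        problems.append(f"unknown signature algorithm {policy.sign_alg}")
    if policy.enc_alg not in ENCRYPTION_ALGS:
        problems.append(f"unknown encryption algorithm {policy.enc_alg}")
    if policy.is_privacy and not policy.recipients:
        problems.append("privacy policy needs at least one -r recipient")
    if not policy.is_privacy and policy.recipients:
        problems.append("recipients given but -e NONE: nothing will be encrypted")
    return problems


def setmqspl_command(policy: Policy) -> str:
    """Render the policy as the setmqspl command line from the slides."""
    parts = ["setmqspl", "-m", policy.qmgr, "-p", policy.queue,
             "-s", policy.sign_alg, "-e", policy.enc_alg]
    for dn in policy.signers:
        parts += ["-a", f"'{dn}'"]
    for dn in policy.recipients:
        parts += ["-r", f"'{dn}'"]
    return " ".join(parts)


class PolicyStore:
    """Stand-in for SYSTEM.PROTECTION.POLICY.QUEUE: one policy per queue,
    so setting a policy again replaces the previous one."""

    def __init__(self) -> None:
        self._policies: Dict[Tuple[str, str], Policy] = {}

    def set(self, policy: Policy) -> None:        # setmqspl
        self._policies[(policy.qmgr, policy.queue)] = policy

    def remove(self, qmgr: str, queue: str) -> None:  # setmqspl -remove
        self._policies.pop((qmgr, queue), None)

    def display(self, qmgr: str, queue: str) -> Optional[Policy]:  # dspmqspl
        return self._policies.get((qmgr, queue))

    def __len__(self) -> int:
        return len(self._policies)


@dataclass
class Message:
    signer_dn: Optional[str]   # None => the message carries no signature
    encrypted: bool


def route_on_get(policy: Policy, msg: Message) -> str:
    """Where a retrieved message ends up: the application's queue or the
    error queue.  Assumed simplification of the interceptor's check."""
    if msg.signer_dn is None:
        return ERROR_QUEUE                       # both policy types require a signature
    if policy.is_privacy and not msg.encrypted:
        return ERROR_QUEUE                       # privacy policy, plaintext message
    if policy.signers and msg.signer_dn not in policy.signers:
        return ERROR_QUEUE                       # exact string match: DN attribute order matters
    return policy.queue
```

The signer check is a plain string comparison on purpose: it reproduces the "policies and certificates must match exactly (parameter order matters)" lesson from later in the deck, so a DN written as O=ibm,CN=hughson,C=GB does not match CN=hughson,O=ibm,C=GB.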
  16. 16. Integrity message format
     (Diagram: the MQ message's properties and data become an AMS signed message: the message properties are kept, and the message data becomes a PDMQ header plus a PKCS #7 envelope holding the original message data and its signature.)
  17. 17. Privacy message format
     (Diagram: as for the integrity format, a PDMQ header and a PKCS #7 envelope replace the message data; inside the envelope the data is encrypted with a symmetric key, that key is encrypted with the recipient's certificate, and a signature is included.)
  18. 18. Logical Architecture Design
  19. 19. WebSphere MQ AMS configuration file
     WebSphere MQ AMS interceptors require a configuration file, eg. KEYSTORE.CONF, which contains:
     • Type of keystore: CMS, JKS, JCEKS
     • Location of the keystore.
     • Label of the personal certificate.
     • Passwords to access keystore and private keys (or .sth stash for CMS format)
     Interceptors locate the configuration file using one of the following methods:
     • Environment variable MQS_KEYSTORE_CONF=<path to conf file>.
     • Checking default locations and file names. – Platform dependent. For example in UNIX®: “$HOME/.mqs/keystore.conf”
     (Diagram: KEYSTORE.CONF pointing at the producer keystore, with Location: ProducerKeystore and Label: MyDN.)
  20. 20. Keystores and X.509 certificates
     An application protected by AMS needs:-
     • On distributed - a keystore – Types: CMS, JKS and JCEKS
     • On z/OS - a SAF keyring – Named “drq.ams.keyring”
     The keystore contains
     • A personal X.509 certificate and associated private key
     • trusted certificates – to validate message signers – to obtain the public keys of encrypted message recipients
     Create using:-
     • iKeyman GUI
     • Command line – runmqakm
     • SAF commands, e.g. RACDCERT in RACF®
     • 3rd party key management software
     (Diagram: the producer keystore holds the personal certificate MyDN with its private key, plus trusted certificates such as YourDN that supply public keys; Alice's digital certificate carries her public key and the CA signature, while her private key stays in the keystore.)
  21. 21. N O T E S Keystores and X.509 certificates • Each MQ application producing or consuming protected messages requires access to a keystore that contains a personal X.509 (v2/v3) certificate and the associated private key. • The keystore and certificate is accessed by the MQ AMS interceptors. • The keystore must contain trusted certificates to validate message signers or to obtain the public keys of encrypted message recipients • Keystore can be the same as that used for MQ SSL • Several types of keystore are supported (Distributed): CMS, JKS and JCEKS. • On Distributed MQ, the IBM Key Management (iKeyman, part of GSKit) is provided to create and do simple management of local keystores • On z/OS, standard SAF product (eg. RACF) used to create certificates which are SAF-managed and must be on a keyring named “drq.ams.keyring” • 3rd party software is available from IBM (or others) to provide more robust, industrialisation of keystore maintenance. For the IBM Tivoli® Key Lifecycle Manager, see: http://www.ibm.com/software/tivoli/products/key-lifecycle-mgr/
  22. 22. CSX
  23. 23. Who is CSX?
     • East coast railroad headquartered in Jacksonville FL
     • Ranked #19 “Best Places to Work” Computer World
     • 31,000 employees
     • 21,000 route miles in 23 states
     • 4,000 locomotives
     • 100,000 owned or leased freight cars
     • 1,200 trains per day
     • 20,000 carloads per day
  24. 24. Business Requirement
     “The messages passing between our HR and Medical applications must be encrypted.”
     Why?
     • To protect personal information (i.e. SSN, medical information)
     What?
     • WebSphere MQ Messages
     Where?
     • PeopleTools Application (Linux®)
     • WebSphere MQ QMGR (Linux)
     • WebSphere MQ QMGR (z/OS)
     • WebSphere Message Broker (Linux)
     • WebSphere Application Server (Linux)
     ** Object names in this presentation do not represent real objects on our system
  25. 25. Architecture – Pre AMS
     • Linux WebSphere MQClient v7.1.0.8
       • PeopleTools Application (Non-IBM Java)
       • .bindings (SSL)
       • Java Keystore (.jks)
       • Certificates exchanged between PS and QMGR
     • Linux WebSphere MQ HA QMGR v7.5.0.2
       • PSOFT.Q (QR)
       • MEDICAL.Q (QL)
       • QMGR Keystore
       • Certificates exchanged between PS and QMGR
       • Server Connection Channel (SSL)
     • z/OS WebSphere MQ QMGR v7.1.0 (w/ RACF)
       • PSOFT.Q (QL)
       • MEDICAL.Q (QR)
     • z/OS WebSphere Message Broker v7.0.0
       • Message Flow
     • Linux WebSphere Application Server Cluster v7.0.0.29
       • Medical Application
       • JMS WAS definitions (Activation Specs and Queues)
  26. 26. Architecture – Pre AMS (diagram)
  27. 27. Architecture – With AMS (diagram, AMS 7.0)
  28. 28. Architecture – AMS
     • Linux MQClient PeopleTools Application
       • PeopleTools Application (Non-IBM Java)
       • .bindings (SSL)
       • Java Keystore (.jks)
       • Certificates exchanged between PS and QMGR
     • Linux WebSphere MQ HA QMGR v7.5.0.2
       • PSOFT.Q (QR)
       • MEDICAL.Q (QL)
       • Server Conn Channel +SSL
       • QMGR Keystore
       • Certificates exchanged between PS and QMGR
     • WebSphere Advanced Message Security v7.5.0.2
       • AMS Keystore
       • AMS keystore.conf
       • Certificates exchanged between XMQ1AMS (Linux AMS) and ZMQ1BRK (z/OS Broker)
       • Define Policies for PSOFT.Q and MEDICAL.Q
     Continued…
  29. 29. Architecture – AMS (continued)
     • z/OS WebSphere MQ QMGR v7.1.0 (w/ RACF)
       • PSOFT.Q (QL)
       • MEDICAL.Q (QR)
     • z/OS WebSphere Advanced Message Security v7.0.1
       • RACF Keyring – drq.ams.keyring
       • AMS Keyring
       • Import Certificates from ZMQ1BRK / XMQ1AMS / MEDICAL
       • Define Policies for PSOFT.Q and MEDICAL.Q
     • z/OS WebSphere Message Broker v7.0.0
       • Message Flow
       • Broker Keyring
       • Exchange Certificates in Broker Keyring between ZMQ1BRK / XMQ1AMS / MEDICAL
     Continued
  30. 30. Architecture – AMS (continued)
     • Linux WebSphere Application Server Cluster v7.0.0.29
       • Medical Application
       • JMS WAS definitions (Activation Specs and Queues)
     • WebSphere MQ AMS V7.0.1.1
       • AMS and SSL jar files
       • /opt/ibm/WebSphere/MQAMS/bin/cfgmqs -enable -java
       • Java Keystore (.jks)
       • Keystore.conf
       • Certificates exchanged between MEDICAL and ZMQ1BRK
  31. 31. Architecture – With AMS - Breakdown (diagram, AMS 7.0)
  32. 32. Linux PeopleTools App – First Attempt
  33. 33. Linux PeopleTools App – First Attempt - Did Not Work
     This did not work because PeopleTools uses non-IBM Java
     • The AMS interceptor does not support non-IBM Java
  34. 34. Linux PeopleTools App – 2nd Attempt – MCA Interceptor
  35. 35. Architecture – With AMS - Breakdown (diagram, AMS 7.0)
  36. 36. Linux PeopleTools Application
  37. 37. Linux PeopleTools Application / MQClient
     Tasks to enable AMS
     1. Make sure you have SSL enabled on your SVRCONN Channel
     2. Must use pre 7.5 MQClient (or 7.5.0.4 fix)
     ** AMS is not installed on this non-IBM Java Client
     The AMS MCA Interceptor on the HA QMGR is acting as a surrogate for the Client application to encrypt the messages
  38. 38. Linux PeopleTools Application / MQClient Details
     Platform:
     • Linux RHEL 6
     Software:
     • PeopleTools 8.5.3 (non IBM java)
     • WebSphere MQ Client V7.0.1.8 (** Must be Pre 7.5 Client (or 7.5.0.4) to use MCA Interceptor)
     Notes:
     • Because PeopleTools is a non-IBM java application we could not use AMS on the client
     • We opted to use the AMS MCA interceptor option
     • If you are using the AMS MCA interceptor option, you must have SSL turned on for the SVRCONN channel.
     • In addition, you will need to use a version of MQ Client that does not come packaged with AMS (or a version where AMS can be turned off):
       • Pre 7.5 MQClient (or)
       • MQClient 7.5.0.4 (with parameter to set AMS off)
  39. 39. Architecture – With AMS - Breakdown (diagram, AMS 7.0)
  40. 40. Linux HA QMGR
  41. 41. Linux HA QMGR
     Tasks to enable AMS
     1. Install AMS
     2. Create the AMS keystore
     3. Create the AMS keystore.conf
     4. Create / Import / Export Digital Certificates
     5. Add MCA interceptor definitions to the keystore.conf
     6. Create Policies
  42. 42. Linux HA QMGR Details
     Platform:
     • Linux RHEL 6
     Software:
     • WebSphere MQ 7.5.0.2
     • WebSphere MQ AMS V7.5.0.2
     Configuration:
     • Channels
       • Sender (XMQ1.TO.ZMQ1)
       • Receiver (ZMQ1.TO.XMQ1)
       • Server Conn (XMQ1.XMQ1.PSOFT.CL) *** SSL must be turned on ***
     • Queues
       • PSOFT.Q (QR)
       • MEDICAL.Q (QL)
     • Keystore (AMS / XMQ1) *** Not the same keystore that is used for the SVRCONN SSL ***
       • XMQ1AMS personal cert
       • ZMQ1BRK cert (imported from z/OS)
     • Policies:
       • PSOFT.Q
       • MEDICAL.Q
  43. 43. Linux HA QMGR Details
     • Keystore.conf contents:
       cms.keystore=/$MQHOME/.ssl/key
       cms.certificate.channel.XQM1.XQM1.PSOFT.CL=XMQ1AMS
     Sample Commands:
     • Create keystore
       runmqakm -keydb -create -db key.kdb -pw <password> -type kdb -stash
     • Create QMGR (XMQ1AMS) personal cert
       runmqakm -cert -create -dn "CN=XMQ1AMS,OU=XMQ1AMSDEV,O=<COMPANY>,C=<COUNTRY>" -label XMQ1AMS -db key.kdb -size <KEYSIZE> -ca false -expire 365
     • Import XMQ1BRK cert
       runmqakm -cert -add -db key.kdb -label XMQ1BRK -file XMQ1BRK.cer -trust enable
     • Export QMGR (XMQ1) personal cert
       runmqakm -cert -extract -label XMQ1AMS -db key.kdb -target XMQ1AMS.cert -format ascii
     • List certs
       runmqakm -cert -list -db key.kdb (list cert labels)
       runmqakm -cert -details -db key.kdb -label XMQ1AMS (details for specific label)
  44. 44. Linux HA QMGR Details
     • Policy Commands
       setmqspl -m XMQ1 -p PSOFT.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENC ALG> -a "CN=XMQ1AMS,OU=XMQ1AMSDEV,O=<COMPANY>,C=<COUNTRY>" -r "CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=<COMPANY>,C=<COUNTRY>"
       setmqspl -m XMQ1 -p MEDICAL.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENC ALG> -a "CN=ZMQ1BRK,OU=DEV_ZMQ1BRK,O=<COMPANY>,C=<COUNTRY>" -r "CN=MEDICAL,OU=DEV_MEDICAL,O=<COMPANY>,C=<COUNTRY>"
       setmqspl -m XMQ1 -p PSOFT.Q -remove
     Note:
     • Because the PeopleTools application uses non-IBM Java, we opted to use the MCA interceptor feature of AMS.
     • There are 2 separate keystores:
       1. QMGR keystore:
         • Stores the certificates for the QMGR and the PeopleTools Client
         • Provides the SVRCONN channel SSL
       2. The AMS keystore:
         • Stores the certificates for AMS and the Broker
         • Provides the AMS encryption (between XMQ1AMS and ZMQ1BRK (z/OS))
  45. 45. Architecture – With AMS - Breakdown (diagram, AMS 7.0)
  46. 46. z/OS WebSphere MQ QMGR and Broker
  47. 47. z/OS WebSphere MQ QMGR and Broker
     Tasks to enable AMS
     1. Define AMS started tasks
     2. Define RACF AMS Keyrings
     3. Create / Import / Export Digital Certificates
     4. Define System.Protection queues
     5. Define Queue Policies
  48. 48. z/OS WebSphere MQ QMGR and Broker Details
     Platform:
     • z/OS 1.13
     Software:
     • WebSphere MQ V7.1
     • WebSphere MQ AMS V7.0
     • WebSphere Broker V7.0
     Started Tasks:
     • ZMQ1MSTR QMGR Master
     • ZMQ1CHIN QMGR Channel Initiator
     • ZMQ1BRK Broker and EGs
     • ZMQ1AMSD AMS Data Services Task
     • ZMQ1AMSM AMS Main Task
     Configuration:
     • Channels: Sender (ZMQ1.TO.XMQ1), Receiver (XMQ1.TO.ZMQ1)
  49. 49. z/OS WebSphere MQ QMGR and Broker Details
     Configuration:
     • Queues
       • PSOFT.Q (QL)
       • MEDICAL.Q (QR)
       • SYSTEM.PROTECTION.ERROR.QUEUE
       • SYSTEM.PROTECTION.POLICY.QUEUE
       • SYSTEM.PROTECTION.SYNC.QUEUE
     • RACF
       • ZMQ1BRK cert OWNER=ZMQ1BRK
       • XMQ1AMS cert OWNER=SITE
       • MEDICAL cert OWNER=SITE
     • Keyring Name: drq.ams.keyring
       • ZMQ1BRK keyring
         • ZMQ1BRK cert OWNER=ZMQ1BRK USAGE: PERSONAL
         • XMQ1AMS cert OWNER=SITE USAGE: SITE
         • MEDICAL cert OWNER=SITE USAGE: SITE
       • ZMQ1AMS keyring
         • ZMQ1BRK cert OWNER=ZMQ1BRK USAGE: SITE
         • XMQ1AMS cert OWNER=SITE USAGE: SITE
         • MEDICAL cert OWNER=SITE USAGE: SITE
  50. 50. z/OS WebSphere MQ QMGR and Broker Details
     Configuration
     • Policies
       • PSOFT.Q
       • MEDICAL.Q
     Command Examples:
     • Policies
       setmqspl -m ZMQ1 -p MEDICAL.Q -s <DIGITAL SIGNATURE ALG> -e <DIGITAL ENCRYPTION ALG> -a "CN=ZMQ1BRK,OU=ZMQ1BRKDEV,O=<COMPANY>,C=<COUNTRY>" -r "CN=MEDICAL,OU=MEDICALDEV,O=<COMPANY>,C=<COUNTRY>"
       dspmqspl -m ZMQ1 -p MEDICAL.Q
       setmqspl -m ZMQ1 -p MEDICAL.Q -remove
  51. 51. z/OS WebSphere MQ QMGR and Broker Details
     Command Examples:
     • RACF cert and keyring commands:
       RACDCERT ID(ZMQ1BRK) +
         GENCERT SUBJECTSDN(CN('ZMQ1BRK') OU('ZMQ1BRKDEV') O('<COMPANY>') +
         L('<LOCATION>') C('<COUNTRY>')) +
         WITHLABEL('ZMQ1BRK') +
         NOTAFTER(DATE(2015-03-25)) +
         KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
       RACDCERT ID(ZMQ1BRK) ALTER (LABEL('ZMQ1BRK')) TRUST
       RACDCERT ADD('MQ.AMS.XMQ1AMS.CERT') +
         SITE WITHLABEL('XMQ1AMS')
       RACDCERT ADD('MQ.AMS.MEDICAL.CERT') +
         SITE WITHLABEL('MEDICAL')
       RACDCERT ID(ZMQ1BRK) ADDRING(drq.ams.keyring)
       RACDCERT ID(ZMQ1BRK) CONNECT(ID(ZMQ1BRK) LABEL('ZMQ1BRK') +
         RING(drq.ams.keyring) DEFAULT USAGE(PERSONAL))
  52. 52. z/OS WebSphere MQ QMGR and Broker Details
     Command Examples:
     • RACF cert and keyring commands:
       RACDCERT ID(ZMQ1BRK) CONNECT(SITE LABEL('MEDICAL') +
         RING(drq.ams.keyring) USAGE(SITE))
       RACDCERT ID(ZMQ1BRK) CONNECT(SITE LABEL('XMQ1AMS') +
         RING(drq.ams.keyring) USAGE(SITE))
       RACDCERT ID(ZMQ1AMS) CONNECT(ID(ZMQ1BRK) LABEL('ZMQ1BRK') +
         RING(drq.ams.keyring) USAGE(SITE))
     • Refresh RACF and AMS
       SETROPTS RACLIST(DIGTRING) REFRESH
       SETROPTS RACLIST(DIGTCERT) REFRESH
       /F ZMQ1AMSD,REFRESH (refresh AMS address space)
       /F ZMQ1AMSM,REFRESH (refresh AMS address space)
  53. 53. Architecture – With AMS - Breakdown (diagram, AMS 7.0)
  54. 54. Linux WebSphere Application Server Cluster (Medical App) (diagram, AMS 7.0)
  55. 55. Linux WebSphere Application Server Cluster
     Tasks to enable AMS
     1. Install AMS
     2. Create Java Keystore
     3. Create Keystore.conf
     4. Enable AMS Java Command
     5. Update WAS Keystore.conf variable
     6. Copy ESE and Security Policy files to WAS
     7. Create / Import / Export Digital Certificates
  56. 56. Linux WebSphere Application Server Cluster Details
     Platform:
     • Linux RHEL 6
     Software:
     • WebSphere Application Server ND V7.0.0.29
     • WebSphere MQ AMS V7.0.1.1
     Configuration:
     • WAS JVM Arguments
       • MQS_KEYSTORE_CONF ** set to WAS keystore.conf path
     • Copy ESE jar files (for Pre 7.5 AMS)
       • com.ibm.mq.ese.jar
       • (to) $WASPATH/installedConnectors/wmq.jmsra.rar
     • Copy IBM SDK Policy files
       • local_policy.jar
       • US_export_policy.jar
       • (to) $WASPATH/java/jre/lib/security
     • Enable AMS Java Command
       • $AMS_PATH/bin/cfgmqs -enable -java
     • Java keystore (.jks)
       • MEDICAL personal cert
       • ZMQ1BRK (Broker from z/OS) Imported cert
  57. 57. Linux WebSphere Application Server Cluster - Details
     Sample Commands:
     • Create the Java keystore
       keytool -genkey -keyalg <KEYALG> -alias MEDICAL -keystore key.jks -storepass PASS1 -validity 365 -keysize <KEY_SIZE> -dname "CN=MEDICAL,OU=MEDICALDEV,O=<COMPANY>,C=<COUNTRY>" -keypass PASS1
     • Import Broker (XMQ1BRK) cert
       keytool -import -alias XMQ1BRK -file broker.cer -keystore key.jks -storepass PASS1
     • Export Personal (MEDICAL) cert
       keytool -export -rfc -alias MEDICAL -file medical.cer -keystore key.jks -storepass PASS1
     • List certs
       keytool -list -keystore key.jks -storepass PASS1
       keytool -list -v -keystore key.jks -storepass PASS1 (-v for detail)
     Keystore.conf contents:
       jks.keystore = $KEYSTOREPATH/key *** No Suffix on keystore file ***
       jks.certificate = MEDICAL
       jks.encrypted = no
       jks.keystore_pass = PASS1
       jks.key_pass = PASS1
       jks.provider = IBMJCE
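Slide 19 describes how the interceptor finds keystore.conf and what it must contain, and slides 43 and 57 show a CMS and a JKS instance of the file; the most common mistakes in the lessons-learned slides (keystore path given with its suffix, missing passwords, mismatched labels) can be caught before the interceptor ever reads the file. The following is an added example for this page, not IBM code: the lookup order and the key names are taken from the slides, but the parser and the check list are assumptions of this example, and the two embedded sample files are constructed copies of the slide contents.

```python
"""Locate and sanity-check an AMS interceptor keystore.conf.
Added example, not IBM code: key names and lookup order come from the
slides; the checks are this example's own assumptions."""
import os
from typing import Dict, List, Optional

KEYSTORE_TYPES = ("cms", "jks", "jceks")      # key prefixes used in keystore.conf
SUFFIXES = (".kdb", ".jks", ".jceks")         # the slides say: no suffix on the keystore path

# Constructed samples modelled on the two keystore.conf examples in the deck.
SAMPLE_CMS_CONF = """\
cms.keystore=/var/mqm/.ssl/key
cms.certificate.channel.XMQ1.XMQ1.PSOFT.CL=XMQ1AMS
"""
SAMPLE_JKS_CONF_BAD = """\
# keystore path wrongly given with its .jks suffix, key_pass missing
jks.keystore = /opt/was/keys/key.jks
jks.certificate = MEDICAL
jks.encrypted = no
jks.keystore_pass = PASS1
jks.provider = IBMJCE
"""


def locate_conf(env: Dict[str, str]) -> Optional[str]:
    """Lookup order from slide 19: MQS_KEYSTORE_CONF, then $HOME/.mqs/keystore.conf."""
    if env.get("MQS_KEYSTORE_CONF"):
        return env["MQS_KEYSTORE_CONF"]
    home = env.get("HOME")
    return os.path.join(home, ".mqs", "keystore.conf") if home else None


def parse_conf(text: str) -> Dict[str, str]:
    """key=value lines; blank lines and # comments are skipped, spaces around = tolerated."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed keystore.conf line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def keystore_type(conf: Dict[str, str]) -> Optional[str]:
    """The single keystore type named by the key prefixes, or None if ambiguous/absent."""
    types = {k.split(".")[0] for k in conf if k.split(".")[0] in KEYSTORE_TYPES}
    return types.pop() if len(types) == 1 else None


def mca_channels(conf: Dict[str, str]) -> Dict[str, str]:
    """MCA interceptor entries: <type>.certificate.channel.<channel> = <cert label>."""
    result = {}
    for key, label in conf.items():
        parts = key.split(".", 3)
        if len(parts) == 4 and parts[1] == "certificate" and parts[2] == "channel":
            result[parts[3]] = label
    return result


def check_conf(conf: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the file passes these checks."""
    t = keystore_type(conf)
    if t is None:
        return ["expected exactly one keystore type prefix (cms, jks or jceks)"]
    problems = []
    store = conf.get(f"{t}.keystore")
    if not store:
        problems.append(f"{t}.keystore missing")
    elif store.endswith(SUFFIXES):
        problems.append(f"{t}.keystore must be given without its file suffix: {store}")
    # A personal certificate label is needed, either the default one or per channel.
    if not conf.get(f"{t}.certificate") and not mca_channels(conf):
        problems.append(f"{t}.certificate (personal certificate label) missing")
    # CMS stores can use a .sth stash file; JKS/JCEKS need both passwords in the file.
    if t in ("jks", "jceks"):
        for key in (f"{t}.keystore_pass", f"{t}.key_pass"):
            if not conf.get(key):
                problems.append(f"{key} missing")
    return problems
```

Run check_conf over the file that MQS_KEYSTORE_CONF points at before restarting the queue manager or the application server; on the CSX Linux queue manager, mca_channels should list the SVRCONN channel name exactly as defined, because that name is what ties the surrogate certificate label to the channel.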
  58. 58. Lessons Learned
     • AMS does not support non-IBM Java
     • To use the MCA interceptor, you must use a version of the MQClient (pre 7.5) that does not include AMS (or get the 7.5.0.4 fix)
     • For the MCA interceptor, SSL (non-AMS) must be set on the client / server channel to keep messages encrypted (until MCA interceptor takes over)
     • Be aware of syntax differences between the keytool and runmqakm commands
     • Consider establishing standards when creating the Policies - All DN parameter options may not be acceptable on all platforms (e.g. SP vs ST)
     • Policies and certificates must match exactly (parameter order matters)
     • Issues with conversion of the message data from EBCDIC to ASCII after the “MQGET”
       • Make sure you use MQGMO_CONVERT in the application
       • Do not rely on channels CONVERT(YES)
     • Know where problem/error information is logged
  59. 59. Lessons Learned
     • Surrogate access is useful for verifying your z/OS certs - submit batch jobs as ZMQ1BRK to browse messages
     • “sudo su – ” access is useful for verifying your Linux application certs - sudo su – application-id
     • You can test with your own personal certs using utilities like amqsputc on Linux and batch MQ programs on z/OS (or File Manager for MQ)
     • Write a java program to test your java keystores. amqsputc does not work with a .jks keystore
       • Note: JmsProducer or JmsConsumer samples could also be used.
     • AMS does not stop access to the queue, you still need to secure your queue using object level security
       • When you set your policy on the AliasQ, you can still view the QL
     • Turning on encryption will increase the size of your message
       • Each time you add a Receiver to your policy, it increases the size of the message
     • AMS requires different skill sets; MQ; RACF; Java Certs; Distributed platforms Certs
     • Make friends with your colleagues in other departments!
  60. 60. Additional Information
     WMQ AMS Info Center: http://pic.dhe.ibm.com/infocenter/mqams/v7r0m1/index.jsp?topic=%2Fcom.ibm.mqese.doc%2FMQESEic_homepage.htm
     WMQ AMS Product Page: http://www-03.ibm.com/software/products/en/wmq-ams/
     Secure Messaging Scenarios with WebSphere MQ: http://www.redbooks.ibm.com/abstracts/sg248069.html
  61. 61. Thank You
  62. 62. Legal Disclaimer • © IBM Corporation 2014. All Rights Reserved. • The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. • References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. • All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. • IBM, the IBM logo, WebSphere, z/OS, RACF and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both. 
• Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. • UNIX is a registered trademark of The Open Group in the United States and other countries. • Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.