SlideShare a Scribd company logo

IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren't careful may not work at all)

T.Rob Wyatt
T.Rob Wyatt

This document summarizes the findings from research into security behaviors when using IBM MQ's password authentication (CONNAUTH) feature. It identifies five distinct behaviors exhibited by the interaction between CONNAUTH and CHLAUTH access control rules. The document provides recommendations for mandatory and avoid configurations when using CONNAUTH. It also warns that applying fix packs can cause failures or silently over-authorize users. The summary concludes by thanking two people for their contributions to testing and improving the tools and research presented.

Technology
1 of 28
Download to read offline
(and if you aren't careful may not work at all) T.Rob Wyatt, Senior Managing Consultant t.rob@ioptconsulting.com Follow on Twitter: @tdotrob MQ Blog: https://t-rob.net 11/30/2016Presented by IBM Middleware User Community, https://imwuc.org
This deck is expected to change frequently over the course of the project. Please check back for the latest version. Although it will be posted on IMWUC and Slideshare, the authoritative source is https://t-rob.net/links This is v1.0, published on Dec 1, 2016 Known to-do’s as of Dec 1:  Re-test to eliminate any false results based on lack of backstop rule.  Re-test to eliminate results of possible MQ Explorer bug re: Compatibility Mode in early releases.  Write command-line tools to eliminate dependence on Explorer. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 2
 All tools for this project are maintained on GitHub. Please don’t be shy about sending pull requests. https://github.com/tdotrob/IBMMQ-passwd-auth  In consideration of corporate firewall blocking, the research and results matrix are posted in multiple formats on Google and for direct download. These are indexed from on my links page https://t-rob.net/links and will also change frequently.  Don’t let the fact that I provide consulting services stop you from contacting me informally to talk about this stuff. I am not participating in the community to promote my business. My business arose out of and exists to serve the MQ community, not the other way around. @tdotrob, LinkedIn, call 704-443-TROB(8762), or email: t.rob at IoPTConsulting dot com 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 3
Native MQ password authentication (CONNAUTH) introduced in IBM MQ v8.0 has gotten off to a rough start. As of Fix Pack 8.0.0.5, the interaction between CONNAUTH and CHLAUTH has exhibited 5 distinct behaviors. After applying Fix Packs some of these cause hard failures while others silently over-authorize client users, leaving the queue manager exposed. This webcast will present findings from our CONNAUTH/CHLAUTH security research as well as recommendations for MQ users and the audit community. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 4
T.Rob Wyatt is an independent consultant who has been working with IBM MQ for over 20 years. Professionally he spends about half his time designing MQ architectures, clusters and HA solutions, and the other half focusing on security and figuring out how to break MQ. His latest project is mapping out MQ's security behaviors when using password authentication, which produced the findings presented in this webinar. T.Rob is a frequent speaker at IBM conferences and MQ Tech Conference, a prolific blogger, and was recognized as an IBM Champion in 2016 for his contributions to the MQ community. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 5
 I’m going to make some claims about what are safe and unsafe practices regarding CONNAUTH configuration.  I’ll justify those with real-life examples.  There will be a Q&A at the end where any questions will be answered and I’ll defend any challenges to the claims. This is only a checkpoint and new information was coming to light right up to the webinar deadline. After the webinar, I’ll post this on my site and keep it up to date over time. CHECK BACK before distributing or re- presenting to make sure you have a current copy: https://t-rob.net/links 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 6
Based on my research, I consider the following to be mandatory configurations when using CONNAUTH.  ADOPTCTX(YES) in all cases.  ChlauthEarlyAdopt enabled in all cases.  Use a version of MQ at which Early Adopt is supported.  Define Morag’s “Backstop Rule” to establish a deny-by- default CHLAUTH policy.  Set PasswordProtection=always in the qm.ini Channels stanza.  Use TLS channels.  Use CHCKCLIENT(REQUIRED) 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 7
At the opposite end of the scale are things to never do with CONNAUTH and CHLAUTH.  Don’t use permissive ADDRESSMAP rules.  Don’t use generic PEERMAP rules.  Don’t patch or upgrade without extensive testing.  Don’t disable CHLAUTH.  Don’t use a USERSRC(NOACCESS) mapping rule where a BLOCKUSER rule will work. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 8
Mandatory configurations 11/30/2016Presented by IBM Middleware User Community, https://imwuc.org 9
 With ADOPTCTX(NO) there is no meaningful connection between the ID authenticated by the password and that used for mapping and authorization.  With ADOPTCTX(NO) it is the client and not the MQ Admin who decides which ID the QMgr will act on.  ADOPTCTX(YES) is the only option that enforces the authenticated ID be used for OAM authorization.  Unfortunately, ADOPTCTX(YES) does NOT enforce that connection for CHLAUTH rules. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 10
As noted in the prior section, ADOPTCTX(YES) does NOT enforce that CHLAUTH rules operate against the password-authenticated ID.  IBM added ChlauthEarlyAdopt to enforce this behavior.  Requires the MQ Admin to explicitly alter the default configuration to obtain relief from a bug. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 11
 Implied by the previous slide.  Listed here in hopes that a mob of MQ Admins wielding pitchforks and torches will storm the castle and demand that the Knowledge Center track this and other Fix-Pack-specific features down to the Fix Pack level so that we can ascertain which provides the minimum level of support. (The KC entry for ChlAuthEarlyAdopt keeps disappearing and reappearing like the palace in Krull. It is currently on this page and has no mention of which MQ version first delivered it. It does say “To have the queue manager use this new behavior…” which makes no sense if you don’t know which Fix Pack delivered it since CONNAUTH was itself new in v8.0, the version for the page in question.) 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 12
The (almost) secure-by-default CHLAUTH posture originally was to allow connections of non-admin users from all addresses. Since a new QMgr did not know about non-admin groups or users they could not sign on, even after defining new SVRCONN channels. The fact that CONNAUTH is set to IDPWOS by default breaks this assumption! Now when you define a new SVRCONN the other defaults allow anyone who can sign onto the MQ host (and if it uses AD, NIS+, LDAP, etc. that may be the entire corporate user database) to connect and nominate mqm as the MCAUSER. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 13
 QMgr by default points to IDPWOS AUTHINFO.  IDPWOS enables password validation by default, requires it for Admins.  ADOPTCTX(NO) by default allows the client to set a user ID other than the one they authenticate with their password.  MQ Admin defines SYSTEM.ADMIN.SVRCONN and a BLOCKUSER that omits *MQADMIN and suddenly ANYONE can become mqm.  D’oh! 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 14
MQ will encrypt your password when using a v8.0 or higher client and a v8.0 or higher QMgr, but…  Credentials are in the clear when using clients < v8.0 in all cases.  Credentials are in the clear even with clients at v8.0 and higher in compatibility mode! Your apps and users will still transmit their ID and password over the network willy-nilly, but at least the connection refusal will encourage them to disable compatibility mode. This also reduces (but not eliminate) variance in CHLAUTH behavior across versions and fixes. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 15
11/30/2016Presented by IBM Middleware User Community https://imwuc.org 16
This way when your apps and users are transmitting their ID and password over the network willy-nilly in the clear, the MQ Admin can show steps taken to prevent sniffing them on the wire.  TLS encryption protects the credentials.  Anonymous clients support encryption without having to provision personal certs at each client.  Unfortunately, this removes the restriction on Compatibility Mode so the CHLAUTH behavior variance you must account for in your CHLAUTH design more than doubles. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 17
 With ADOPTCTX(YES), CHLAUTH rules cease to perform any mapping whatsoever. This requires a significantly different CHLAUTH security model versus when mapping is available.  The security models that are effective under mapping and under ADOPTCTX(YES) are antagonistic toward one another.  With CHCKCLIENT(OPTIONAL) the client gets to choose whether to authorize under CHLAUTH mapping, not the MQ Admin, and it is likely the CHLAUTH model fails to adequately secure at least one of these modes. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 18
Avoid these like the plague 11/30/2016Presented by IBM Middleware User Community, https://imwuc.org 19
Because ADOPTCTX(YES) disables all mapping, rules that filter on addresses effectively whitelist all IDs that can authenticate with a password. They may be blocked later by OAM but the connection itself is whitelisted and hardcoded MCAUSER values are overridden. Example: You have a B2B gateway and before CONNAUTH you used ADDRESSMAP rules to designate some channels as internal-facing and some as external-facing. Applying that to a QMgr with CONNAUTH converts those rules so they now whitelist all password-validated IDs for all internal-facing and external-facing channels. They still restrict the channels to the IDs intended only now the attacker has the means to sign on to any account if they can obtain the password. Better get your asbestos raincoat on, the forecast calls for 80% chance of spearphishing attack. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 20
Because ADOPTCTX(YES) disables all mapping, rules that filter on generic certificate Distinguished Names effectively whitelist all IDs that can authenticate with a cert and a password. They may be blocked later by OAM but the connection itself is whitelisted and hardcoded MCAUSER values are overridden. Admittedly, this is MUCH better than permissive ADDRESSMAP rules, but if you have something like PEERMAP(“O=YourCompany”) it is still a much larger population of whitelisted ID than you probably intended. Note that even if you use a fully qualified DN, mapping is disabled and the ID that is authenticated need not have anything to do with the certificate presented. So if I’m a business partner whose cert you trust, I can still sign on as you if I know your password. Did we mention spearphishing attacks? 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 21
When I first undertook this research, I got a v8.0.0.0 virtual machine working with several accounts and CHLAUTH rules, then cloned it 5 more times, once for each Fix Pack. All of the resulting VMs worked except for v8.0.0.1. Although it had worked before the Fix Pack, after the maintenance and with no modifications to the MQ Explorer channels, stored IDs or passwords, it refused to authenticate under CONNAUTH. Hence the subtitle, “and if you aren't careful may not work at all” 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 22
 To commit to CONNAUTH is to commit to extensive regression testing after every maintenance or upgrade.  Due to the increased overhead, it may not be feasible for auditors and QSAs to enforce the 30/60/90 day security patch discipline called for by PCI and generally considered Best Practice.  If the 30/60/90 day deadlines are to be enforced, consider disabling CONNAUTH altogether.  Please consider contributing to the post-patch regression testing toolset being built on Github: https://github.com/tdotrob/IBMMQ-passwd-auth 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 23
 Because ADOPTCTX(NO) allows the client to nominate any ID to run under.  Because ADOPTCTX(YES) overrides the hard-coded MCAUASER.  Because SSLPEER doesn’t affect either of the above.  Because at this point you just ran out of security controls. I’d like to think this one didn’t need any justification. Please try not to disabuse me of that notion. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 24
 These rules sometimes operate against the MQCD user, sometimes against the MQCSP user, sometimes both.  When there is any variation at all in behavior, it is the client and not the MQ Admin who decides which ID is presented.  The exact behavior changes across versions and fixes, and by ChlauthEarlyAdopt settings.  Whichever ID is ultimately used can be overridden by an exit. BLOCKUSER rules are evaluated after all other rules. Their behavior has not been seen to vary. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 25
A Secure By Default CONNAUTH design would immediately on receipt of the connection request overlay the asserted User ID with the MQCSP User ID if present, then proceed with mapping and password validation as usual. There is no valid use case to implement MQ’s strongest-ever authentication and then fail to enforce that the authenticated ID be used for authorization. The use case that was given (migration) is better handled by forcing the password-authenticated user ID, and preserving mapping functionality so the MQ Admin (NOT the client!) can map the authenticated ID back to wasadmin or whatever it had been using before. With that in mind… 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 26
…if you can think of even ONE valid use case for ADOPTCTX(NO) tell me! Otherwise, please join me in telling, no begging, IBM to abandon backward compatibility in this case, make CONNAUTH enforce the authenticated ID, restore mapping functionality, and return MQ to a Secure-By-Default posture. If this is done I can use the improved controls to duplicate any functionality you currently use ADOPTCTX(NO) for and will do so, under contract, for free. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 27
More people deserve thanks than can be mentioned but a couple have gone the extra mile-and-a-half in support of this particular presentation… Josh McIver seems to find more security and other bugs than anyone else I know and has provided extensive documentation and verified many of the results. FJ Brandelik (you know him as fjbsaper) dove right into the code about 30 seconds after it hit Github and gave it a good test, bug fix, and upgrade. My eternal thanks to both of you for the assistance and high expectations for the project. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 28

Recommended

Running IBM MQ in the Cloud
Running IBM MQ in the CloudRunning IBM MQ in the Cloud
Running IBM MQ in the Cloud
Robert Parker
 
IBM MQ High Availability 2019
IBM MQ High Availability 2019IBM MQ High Availability 2019
IBM MQ High Availability 2019
David Ware
 
Building an Active-Active IBM MQ System
Building an Active-Active IBM MQ SystemBuilding an Active-Active IBM MQ System
Building an Active-Active IBM MQ System
matthew1001
 
WebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changes
Morag Hughson
 
VMware Tanzu Kubernetes Connect
VMware Tanzu Kubernetes ConnectVMware Tanzu Kubernetes Connect
VMware Tanzu Kubernetes Connect
VMware Tanzu
 
IBM MQ - What's new in 9.2
IBM MQ - What's new in 9.2IBM MQ - What's new in 9.2
IBM MQ - What's new in 9.2
David Ware
 
New Tools and Interfaces for Managing IBM MQ
New Tools and Interfaces for Managing IBM MQNew Tools and Interfaces for Managing IBM MQ
New Tools and Interfaces for Managing IBM MQ
Matt Leming
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
Matt Leming
 

Recommended

Running IBM MQ in the Cloud
Running IBM MQ in the CloudRunning IBM MQ in the Cloud
Running IBM MQ in the Cloud
Robert Parker
 
IBM MQ High Availability 2019
IBM MQ High Availability 2019IBM MQ High Availability 2019
IBM MQ High Availability 2019
David Ware
 
Building an Active-Active IBM MQ System
Building an Active-Active IBM MQ SystemBuilding an Active-Active IBM MQ System
Building an Active-Active IBM MQ System
matthew1001
 
WebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changes
Morag Hughson
 
VMware Tanzu Kubernetes Connect
VMware Tanzu Kubernetes ConnectVMware Tanzu Kubernetes Connect
VMware Tanzu Kubernetes Connect
VMware Tanzu
 
IBM MQ - What's new in 9.2
IBM MQ - What's new in 9.2IBM MQ - What's new in 9.2
IBM MQ - What's new in 9.2
David Ware
 
New Tools and Interfaces for Managing IBM MQ
New Tools and Interfaces for Managing IBM MQNew Tools and Interfaces for Managing IBM MQ
New Tools and Interfaces for Managing IBM MQ
Matt Leming
 
What's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OSWhat's New In MQ 9.2 on z/OS
What's New In MQ 9.2 on z/OS
Matt Leming
 
Fault tolerant and scalable ibm mq
Fault tolerant and scalable ibm mqFault tolerant and scalable ibm mq
Fault tolerant and scalable ibm mq
David Ware
 
Websphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentalsWebsphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentals
Biju Nair
 
IBM MQ in Containers - Think 2018
IBM MQ in Containers - Think 2018IBM MQ in Containers - Think 2018
IBM MQ in Containers - Think 2018
Robert Parker
 
VMware - HCX - Architecture and Design .pdf
VMware - HCX - Architecture and Design .pdfVMware - HCX - Architecture and Design .pdf
VMware - HCX - Architecture and Design .pdf
GiancarloSampaolesi
 
Planning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMPlanning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPM
WASdev Community
 
IBM MQ Update, including 9.1.2 CD
IBM MQ Update, including 9.1.2 CDIBM MQ Update, including 9.1.2 CD
IBM MQ Update, including 9.1.2 CD
David Ware
 
IBM MQ Whats new - including 9.3 and 9.3.1
IBM MQ Whats new - including 9.3 and 9.3.1IBM MQ Whats new - including 9.3 and 9.3.1
IBM MQ Whats new - including 9.3 and 9.3.1
Robert Parker
 
What's new with MQ on z/OS 9.3 and 9.3.1
What's new with MQ on z/OS 9.3 and 9.3.1What's new with MQ on z/OS 9.3 and 9.3.1
What's new with MQ on z/OS 9.3 and 9.3.1
Matt Leming
 
Deploying and managing IBM MQ in the Cloud
Deploying and managing IBM MQ in the CloudDeploying and managing IBM MQ in the Cloud
Deploying and managing IBM MQ in the Cloud
Robert Parker
 
What’s Mule 4.3? How Does Anytime RTF Help? Our insights explain.
What’s Mule 4.3? How Does Anytime RTF Help? Our insights explain. What’s Mule 4.3? How Does Anytime RTF Help? Our insights explain.
What’s Mule 4.3? How Does Anytime RTF Help? Our insights explain.
Kellton Tech Solutions Ltd
 
Securing your IBM MQ environment.
Securing your IBM MQ environment.Securing your IBM MQ environment.
Securing your IBM MQ environment.
Robert Parker
 
414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integration414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integration
Trevor Dolby
 
MQ Guide France - IBM MQ and Containers
MQ Guide France - IBM MQ and ContainersMQ Guide France - IBM MQ and Containers
MQ Guide France - IBM MQ and Containers
Robert Parker
 
What's new in MQ 9.1.* on z/OS
What's new in MQ 9.1.* on z/OSWhat's new in MQ 9.1.* on z/OS
What's new in MQ 9.1.* on z/OS
Matt Leming
 
CloudStack vs OpenStack
CloudStack vs OpenStackCloudStack vs OpenStack
CloudStack vs OpenStack
Victor Zhang
 
Consumer-Driven Contract Testing
Consumer-Driven Contract TestingConsumer-Driven Contract Testing
Consumer-Driven Contract Testing
Paulo Clavijo
 
IBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster RecoveryIBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster Recovery
MarkTaylorIBM
 
IBM MQ cloud architecture blueprint
IBM MQ cloud architecture blueprintIBM MQ cloud architecture blueprint
IBM MQ cloud architecture blueprint
Matt Roberts
 
IBM MQ Overview (IBM Message Queue)
IBM MQ Overview (IBM Message Queue)IBM MQ Overview (IBM Message Queue)
IBM MQ Overview (IBM Message Queue)
Juarez Junior
 
Orchestration & provisioning
Orchestration & provisioningOrchestration & provisioning
Orchestration & provisioning
buildacloud
 
Let’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal CloudsLet’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal Clouds
T.Rob Wyatt
 
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
T.Rob Wyatt
 

More Related Content

What's hot

Planning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMPlanning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPM
WASdev Community
 
Orchestration & provisioning
Orchestration & provisioningOrchestration & provisioning
Orchestration & provisioning
buildacloud
 

What's hot (20)

Fault tolerant and scalable ibm mq
Fault tolerant and scalable ibm mqFault tolerant and scalable ibm mq
Fault tolerant and scalable ibm mq
 
Websphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentalsWebsphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentals
 
IBM MQ in Containers - Think 2018
IBM MQ in Containers - Think 2018IBM MQ in Containers - Think 2018
IBM MQ in Containers - Think 2018
 
VMware - HCX - Architecture and Design .pdf
VMware - HCX - Architecture and Design .pdfVMware - HCX - Architecture and Design .pdf
VMware - HCX - Architecture and Design .pdf
 
Planning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPMPlanning For Catastrophe with IBM WAS and IBM BPM
Planning For Catastrophe with IBM WAS and IBM BPM
 
IBM MQ Update, including 9.1.2 CD
IBM MQ Update, including 9.1.2 CDIBM MQ Update, including 9.1.2 CD
IBM MQ Update, including 9.1.2 CD
 
IBM MQ Whats new - including 9.3 and 9.3.1
IBM MQ Whats new - including 9.3 and 9.3.1IBM MQ Whats new - including 9.3 and 9.3.1
IBM MQ Whats new - including 9.3 and 9.3.1
 
What's new with MQ on z/OS 9.3 and 9.3.1
What's new with MQ on z/OS 9.3 and 9.3.1What's new with MQ on z/OS 9.3 and 9.3.1
What's new with MQ on z/OS 9.3 and 9.3.1
 
Deploying and managing IBM MQ in the Cloud
Deploying and managing IBM MQ in the CloudDeploying and managing IBM MQ in the Cloud
Deploying and managing IBM MQ in the Cloud
 
What’s Mule 4.3? How Does Anytime RTF Help? Our insights explain.
What’s Mule 4.3? How Does Anytime RTF Help? Our insights explain. What’s Mule 4.3? How Does Anytime RTF Help? Our insights explain.
What’s Mule 4.3? How Does Anytime RTF Help? Our insights explain.
 
Securing your IBM MQ environment.
Securing your IBM MQ environment.Securing your IBM MQ environment.
Securing your IBM MQ environment.
 
414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integration414: Build an agile CI/CD Pipeline for application integration
414: Build an agile CI/CD Pipeline for application integration
 
MQ Guide France - IBM MQ and Containers
MQ Guide France - IBM MQ and ContainersMQ Guide France - IBM MQ and Containers
MQ Guide France - IBM MQ and Containers
 
What's new in MQ 9.1.* on z/OS
What's new in MQ 9.1.* on z/OSWhat's new in MQ 9.1.* on z/OS
What's new in MQ 9.1.* on z/OS
 
CloudStack vs OpenStack
CloudStack vs OpenStackCloudStack vs OpenStack
CloudStack vs OpenStack
 
Consumer-Driven Contract Testing
Consumer-Driven Contract TestingConsumer-Driven Contract Testing
Consumer-Driven Contract Testing
 
IBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster RecoveryIBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster Recovery
 
IBM MQ cloud architecture blueprint
IBM MQ cloud architecture blueprintIBM MQ cloud architecture blueprint
IBM MQ cloud architecture blueprint
 
IBM MQ Overview (IBM Message Queue)
IBM MQ Overview (IBM Message Queue)IBM MQ Overview (IBM Message Queue)
IBM MQ Overview (IBM Message Queue)
 
Orchestration & provisioning
Orchestration & provisioningOrchestration & provisioning
Orchestration & provisioning
 

Viewers also liked

Viewers also liked (7)

Let’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal CloudsLet’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal Clouds
 
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 Security
 
What I did on my summer vacation (in Hursley)
What I did on my summer vacation (in Hursley)What I did on my summer vacation (in Hursley)
What I did on my summer vacation (in Hursley)
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
 
IBM MQ v8 and JMS 2.0
IBM MQ v8 and JMS 2.0IBM MQ v8 and JMS 2.0
IBM MQ v8 and JMS 2.0
 
IBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep DiveIBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep Dive
 

Similar to IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren't careful may not work at all)

2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...
2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...
2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...
Lucy Huh Kerner
 
f2f-overview1-presentation about rabbitmq and middleware
f2f-overview1-presentation about rabbitmq and middlewaref2f-overview1-presentation about rabbitmq and middleware
f2f-overview1-presentation about rabbitmq and middleware
ndonikristi98
 
The 36th Chamber of Shaolin - Improve Your Microservices Kung Fu in 36 Easy S...
The 36th Chamber of Shaolin - Improve Your Microservices Kung Fu in 36 Easy S...The 36th Chamber of Shaolin - Improve Your Microservices Kung Fu in 36 Easy S...
The 36th Chamber of Shaolin - Improve Your Microservices Kung Fu in 36 Easy S...
Stefan Richter
 

Similar to IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren't careful may not work at all) (20)

Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CDWhats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
 
RabbitMQ Status Quo Critical Review
RabbitMQ Status Quo Critical ReviewRabbitMQ Status Quo Critical Review
RabbitMQ Status Quo Critical Review
 
Planning for MQ in the cloud MQTC 2017
Planning for MQ in the cloud MQTC 2017Planning for MQ in the cloud MQTC 2017
Planning for MQ in the cloud MQTC 2017
 
Whats new in MQ V9.1
Whats new in MQ V9.1Whats new in MQ V9.1
Whats new in MQ V9.1
 
OMA LwM2M Workshop - Matthias Kovatsch, OMA LwM2M DevKit
OMA LwM2M Workshop - Matthias Kovatsch, OMA LwM2M DevKitOMA LwM2M Workshop - Matthias Kovatsch, OMA LwM2M DevKit
OMA LwM2M Workshop - Matthias Kovatsch, OMA LwM2M DevKit
 
MQTC 2016 - IBM MQ Security: Overview & recap
MQTC 2016 - IBM MQ Security: Overview & recapMQTC 2016 - IBM MQ Security: Overview & recap
MQTC 2016 - IBM MQ Security: Overview & recap
 
mqttvsrest_v4.pdf
mqttvsrest_v4.pdfmqttvsrest_v4.pdf
mqttvsrest_v4.pdf
 
Blockchain Hyperledger Lab
Blockchain Hyperledger LabBlockchain Hyperledger Lab
Blockchain Hyperledger Lab
 
2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...
2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...
2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...
 
Connecting All Abstractions with Istio
Connecting All Abstractions with IstioConnecting All Abstractions with Istio
Connecting All Abstractions with Istio
 
MuleSoft Meetup Vancouver 5th Virtual Event
MuleSoft Meetup Vancouver 5th Virtual EventMuleSoft Meetup Vancouver 5th Virtual Event
MuleSoft Meetup Vancouver 5th Virtual Event
 
CTU 2017 I173 - how to transform your messaging environment to a secure messa...
CTU 2017 I173 - how to transform your messaging environment to a secure messa...CTU 2017 I173 - how to transform your messaging environment to a secure messa...
CTU 2017 I173 - how to transform your messaging environment to a secure messa...
 
Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018
Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018
Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018
 
IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017
 
f2f-overview12.ppt
f2f-overview12.pptf2f-overview12.ppt
f2f-overview12.ppt
 
f2f-overview1-presentation about rabbitmq and middleware
f2f-overview1-presentation about rabbitmq and middlewaref2f-overview1-presentation about rabbitmq and middleware
f2f-overview1-presentation about rabbitmq and middleware
 
The 36th Chamber of Shaolin - Improve Your Microservices Kung Fu in 36 Easy S...
The 36th Chamber of Shaolin - Improve Your Microservices Kung Fu in 36 Easy S...The 36th Chamber of Shaolin - Improve Your Microservices Kung Fu in 36 Easy S...
The 36th Chamber of Shaolin - Improve Your Microservices Kung Fu in 36 Easy S...
 
Hack the 802.11 MAC
Hack the 802.11 MACHack the 802.11 MAC
Hack the 802.11 MAC
 
Iot hub agent
Iot hub agentIot hub agent
Iot hub agent
 
Roboconf Detailed Presentation
Roboconf Detailed PresentationRoboconf Detailed Presentation
Roboconf Detailed Presentation
 

Recently uploaded

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
David Michel
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 

IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren't careful may not work at all)

  • 1. (and if you aren't careful may not work at all) T.Rob Wyatt, Senior Managing Consultant t.rob@ioptconsulting.com Follow on Twitter: @tdotrob MQ Blog: https://t-rob.net 11/30/2016Presented by IBM Middleware User Community, https://imwuc.org
  • 2. This deck is expected to change frequently over the course of the project. Please check back for the latest version. Although it will be posted on IMWUC and Slideshare, the authoritative source is https://t-rob.net/links This is v1.0, published on Dec 1, 2016 Known to-do’s as of Dec 1:  Re-test to eliminate any false results based on lack of backstop rule.  Re-test to eliminate results of possible MQ Explorer bug re: Compatibility Mode in early releases.  Write command-line tools to eliminate dependence on Explorer. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 2
  • 3.  All tools for this project are maintained on GitHub. Please don’t be shy about sending pull requests. https://github.com/tdotrob/IBMMQ-passwd-auth  In consideration of corporate firewall blocking, the research and results matrix are posted in multiple formats on Google and for direct download. These are indexed from on my links page https://t-rob.net/links and will also change frequently.  Don’t let the fact that I provide consulting services stop you from contacting me informally to talk about this stuff. I am not participating in the community to promote my business. My business arose out of and exists to serve the MQ community, not the other way around. @tdotrob, LinkedIn, call 704-443-TROB(8762), or email: t.rob at IoPTConsulting dot com 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 3
  • 4. Native MQ password authentication (CONNAUTH) introduced in IBM MQ v8.0 has gotten off to a rough start. As of Fix Pack 8.0.0.5, the interaction between CONNAUTH and CHLAUTH has exhibited 5 distinct behaviors. After applying Fix Packs some of these cause hard failures while others silently over-authorize client users, leaving the queue manager exposed. This webcast will present findings from our CONNAUTH/CHLAUTH security research as well as recommendations for MQ users and the audit community. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 4
  • 5. T.Rob Wyatt is an independent consultant who has been working with IBM MQ for over 20 years. Professionally he spends about half his time designing MQ architectures, clusters and HA solutions, and the other half focusing on security and figuring out how to break MQ. His latest project is mapping out MQ's security behaviors when using password authentication, which produced the findings presented in this webinar. T.Rob is a frequent speaker at IBM conferences and MQ Tech Conference, a prolific blogger, and was recognized as an IBM Champion in 2016 for his contributions to the MQ community. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 5
  • 6.  I’m going to make some claims about what are safe and unsafe practices regarding CONNAUTH configuration.  I’ll justify those with real-life examples.  There will be a Q&A at the end where any questions will be answered and I’ll defend any challenges to the claims. This is only a checkpoint and new information was coming to light right up to the webinar deadline. After the webinar, I’ll post this on my site and keep it up to date over time. CHECK BACK before distributing or re- presenting to make sure you have a current copy: https://t-rob.net/links 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 6
  • 7. Based on my research, I consider the following to be mandatory configurations when using CONNAUTH.  ADOPTCTX(YES) in all cases.  ChlauthEarlyAdopt enabled in all cases.  Use a version of MQ at which Early Adopt is supported.  Define Morag’s “Backstop Rule” to establish a deny-by- default CHLAUTH policy.  Set PasswordProtection=always in the qm.ini Channels stanza.  Use TLS channels.  Use CHCKCLIENT(REQUIRED) 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 7
  • 8. At the opposite end of the scale are things to never do with CONNAUTH and CHLAUTH.  Don’t use permissive ADDRESSMAP rules.  Don’t use generic PEERMAP rules.  Don’t patch or upgrade without extensive testing.  Don’t disable CHLAUTH.  Don’t use a USERSRC(NOACCESS) mapping rule where a BLOCKUSER rule will work. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 8
  • 9. Mandatory configurations 11/30/2016Presented by IBM Middleware User Community, https://imwuc.org 9
  • 10.  With ADOPTCTX(NO) there is no meaningful connection between the ID authenticated by the password and that used for mapping and authorization.  With ADOPTCTX(NO) it is the client and not the MQ Admin who decides which ID the QMgr will act on.  ADOPTCTX(YES) is the only option that enforces the authenticated ID be used for OAM authorization.  Unfortunately, ADOPTCTX(YES) does NOT enforce that connection for CHLAUTH rules. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 10
  • 11. As noted in the prior section, ADOPTCTX(YES) does NOT enforce that CHLAUTH rules operate against the password-authenticated ID.  IBM added ChlauthEarlyAdopt to enforce this behavior.  Requires the MQ Admin to explicitly alter the default configuration to obtain relief from a bug. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 11
  • 12.  Implied by the previous slide.  Listed here in hopes that a mob of MQ Admins wielding pitchforks and torches will storm the castle and demand that the Knowledge Center track this and other Fix-Pack-specific features down to the Fix Pack level so that we can ascertain which provides the minimum level of support. (The KC entry for ChlAuthEarlyAdopt keeps disappearing and reappearing like the palace in Krull. It is currently on this page and has no mention of which MQ version first delivered it. It does say “To have the queue manager use this new behavior…” which makes no sense if you don’t know which Fix Pack delivered it since CONNAUTH was itself new in v8.0, the version for the page in question.) 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 12
  • 13. The (almost) secure-by-default CHLAUTH posture originally was to allow connections of non-admin users from all addresses. Since a new QMgr did not know about non-admin groups or users they could not sign on, even after defining new SVRCONN channels. The fact that CONNAUTH is set to IDPWOS by default breaks this assumption! Now when you define a new SVRCONN the other defaults allow anyone who can sign onto the MQ host (and if it uses AD, NIS+, LDAP, etc. that may be the entire corporate user database) to connect and nominate mqm as the MCAUSER. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 13
  • 14.  QMgr by default points to IDPWOS AUTHINFO.  IDPWOS enables password validation by default, requires it for Admins.  ADOPTCTX(NO) by default allows the client to set a user ID other than the one they authenticate with their password.  MQ Admin defines SYSTEM.ADMIN.SVRCONN and a BLOCKUSER that omits *MQADMIN and suddenly ANYONE can become mqm.  D’oh! 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 14
  • 15. MQ will encrypt your password when using a v8.0 or higher client and a v8.0 or higher QMgr, but…  Credentials are in the clear when using clients < v8.0 in all cases.  Credentials are in the clear even with clients at v8.0 and higher in compatibility mode! Your apps and users will still transmit their ID and password over the network willy-nilly, but at least the connection refusal will encourage them to disable compatibility mode. This also reduces (but not eliminate) variance in CHLAUTH behavior across versions and fixes. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 15
  • 16. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 16
  • 17. This way when your apps and users are transmitting their ID and password over the network willy-nilly in the clear, the MQ Admin can show steps taken to prevent sniffing them on the wire.  TLS encryption protects the credentials.  Anonymous clients support encryption without having to provision personal certs at each client.  Unfortunately, this removes the restriction on Compatibility Mode so the CHLAUTH behavior variance you must account for in your CHLAUTH design more than doubles. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 17
  • 18.  With ADOPTCTX(YES), CHLAUTH rules cease to perform any mapping whatsoever. This requires a significantly different CHLAUTH security model versus when mapping is available.  The security models that are effective under mapping and under ADOPTCTX(YES) are antagonistic toward one another.  With CHCKCLIENT(OPTIONAL) the client gets to choose whether to authorize under CHLAUTH mapping, not the MQ Admin, and it is likely the CHLAUTH model fails to adequately secure at least one of these modes. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 18
  • 19. Avoid these like the plague 11/30/2016Presented by IBM Middleware User Community, https://imwuc.org 19
  • 20. Because ADOPTCTX(YES) disables all mapping, rules that filter on addresses effectively whitelist all IDs that can authenticate with a password. They may be blocked later by OAM but the connection itself is whitelisted and hardcoded MCAUSER values are overridden. Example: You have a B2B gateway and before CONNAUTH you used ADDRESSMAP rules to designate some channels as internal-facing and some as external-facing. Applying that to a QMgr with CONNAUTH converts those rules so they now whitelist all password-validated IDs for all internal-facing and external-facing channels. They still restrict the channels to the IDs intended only now the attacker has the means to sign on to any account if they can obtain the password. Better get your asbestos raincoat on, the forecast calls for 80% chance of spearphishing attack. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 20
  • 21. Because ADOPTCTX(YES) disables all mapping, rules that filter on generic certificate Distinguished Names effectively whitelist all IDs that can authenticate with a cert and a password. They may be blocked later by OAM but the connection itself is whitelisted and hardcoded MCAUSER values are overridden. Admittedly, this is MUCH better than permissive ADDRESSMAP rules, but if you have something like PEERMAP(“O=YourCompany”) it is still a much larger population of whitelisted ID than you probably intended. Note that even if you use a fully qualified DN, mapping is disabled and the ID that is authenticated need not have anything to do with the certificate presented. So if I’m a business partner whose cert you trust, I can still sign on as you if I know your password. Did we mention spearphishing attacks? 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 21
  • 22. When I first undertook this research, I got a v8.0.0.0 virtual machine working with several accounts and CHLAUTH rules, then cloned it 5 more times, once for each Fix Pack. All of the resulting VMs worked except for v8.0.0.1. Although it had worked before the Fix Pack, after the maintenance and with no modifications to the MQ Explorer channels, stored IDs or passwords, it refused to authenticate under CONNAUTH. Hence the subtitle, “and if you aren't careful may not work at all” 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 22
  • 23.  To commit to CONNAUTH is to commit to extensive regression testing after every maintenance or upgrade.  Due to the increased overhead, it may not be feasible for auditors and QSAs to enforce the 30/60/90 day security patch discipline called for by PCI and generally considered Best Practice.  If the 30/60/90 day deadlines are to be enforced, consider disabling CONNAUTH altogether.  Please consider contributing to the post-patch regression testing toolset being built on Github: https://github.com/tdotrob/IBMMQ-passwd-auth 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 23
  • 24.  Because ADOPTCTX(NO) allows the client to nominate any ID to run under.  Because ADOPTCTX(YES) overrides the hard-coded MCAUASER.  Because SSLPEER doesn’t affect either of the above.  Because at this point you just ran out of security controls. I’d like to think this one didn’t need any justification. Please try not to disabuse me of that notion. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 24
  • 25.  These rules sometimes operate against the MQCD user, sometimes against the MQCSP user, sometimes both.  When there is any variation at all in behavior, it is the client and not the MQ Admin who decides which ID is presented.  The exact behavior changes across versions and fixes, and by ChlauthEarlyAdopt settings.  Whichever ID is ultimately used can be overridden by an exit. BLOCKUSER rules are evaluated after all other rules. Their behavior has not been seen to vary. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 25
  • 26. A Secure By Default CONNAUTH design would immediately on receipt of the connection request overlay the asserted User ID with the MQCSP User ID if present, then proceed with mapping and password validation as usual. There is no valid use case to implement MQ’s strongest-ever authentication and then fail to enforce that the authenticated ID be used for authorization. The use case that was given (migration) is better handled by forcing the password-authenticated user ID, and preserving mapping functionality so the MQ Admin (NOT the client!) can map the authenticated ID back to wasadmin or whatever it had been using before. With that in mind… 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 26
  • 27. …if you can think of even ONE valid use case for ADOPTCTX(NO) tell me! Otherwise, please join me in telling, no begging, IBM to abandon backward compatibility in this case, make CONNAUTH enforce the authenticated ID, restore mapping functionality, and return MQ to a Secure-By-Default posture. If this is done I can use the improved controls to duplicate any functionality you currently use ADOPTCTX(NO) for and will do so, under contract, for free. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 27
  • 28. More people deserve thanks than can be mentioned but a couple have gone the extra mile-and-a-half in support of this particular presentation… Josh McIver seems to find more security and other bugs than anyone else I know and has provided extensive documentation and verified many of the results. FJ Brandelik (you know him as fjbsaper) dove right into the code about 30 seconds after it hit Github and gave it a good test, bug fix, and upgrade. My eternal thanks to both of you for the assistance and high expectations for the project. 11/30/2016Presented by IBM Middleware User Community https://imwuc.org 28