This presentation was originally presented at IBM TechCon 2020. In it we go through the various options in IBM MQ to protect both connections and message data using encryption, focusing on the TLS and AMS features.
In this presentation we will be talking about protecting valuable message data when it is in your MQ infrastructure. We will look at where and how you can protect message data during its lifetime and the benefits and disadvantages of each approach.
We will look at both MQ and third-party technologies, as MQ provides flexible options for how you can protect your data.
In the introduction section we will cover a few key topics and concepts for protecting data.
In the data at rest section we will discuss options for protecting data at rest.
Once message data is created there are two main places that it can reside: at rest on your system's disk or in memory, and in transit while flowing between two destinations. There are different risks associated with leaving message data unprotected in each of these places.
For example, leaving the message data unprotected at rest poses the risk that if an attacker gains access to your system, either physically or virtually, they could steal your message data or change it. For certain types of message data, policies or regulation may require the message data to be protected at rest, for example PCI or HIPAA.
Leaving message data in transit unprotected could result in man-in-the-middle attacks where the traffic is intercepted to either steal the data or modify it in transit.
Generally, protecting data is costly, and so protecting all data that flows through your network or lives on disks can create an unacceptable performance degradation.
As such, sometimes it is ideal to protect only a subset of the data in your network. But what data do you need to protect?
Some data has to be protected due to regulations around it, for example credit card data, health care data and other personal data.
Some data you may want to protect because its leak or modification may cause damage to your company. For example, if your company is working on a secret project to gain an edge in a market, having that information leaked so that competitors can move into that area before you could cause issues.
Of course, there are a number of different ways we can protect data.
When protecting data at rest or in transit there are two forms of protection we can apply: integrity protection and encryption.
Integrity protection provides two main guarantees:
Ensuring that the message data was not changed since it was created.
Ensuring that the message data has arrived from the expected person.
It is generally quicker than encryption and useful if the data is not secret, and so could be viewed, but absolutely cannot be changed or come from an invalid source.
Encryption protection ensures that only the intended recipients can read the contents of the message data.
Both require a pre-exchange of information, commonly referred to as the keys, in order to provide the protection.
Even though encryption is a broad topic we can subdivide it one more time to the two major forms of encryption that are used.
Symmetric Key
Single secret key
Relatively fast
Poses key distribution challenges when faced with large numbers of senders/receivers
The key has to be known by the sender and receiver
Asymmetric Keys
Private & Public key pairing
A message encrypted with one key can only be decrypted with the other.
Slower than symmetric key cryptography
Asymmetric Keys can be used to solve the key distribution challenges associated with symmetric keys
In some places BOTH are used together to provide encryption protection.
Integrity protection is commonly provided using asymmetric cryptography.
A one-way hash function is used to create a hash of the plaintext being sent; this hash is then signed with the private key of the sender.
The plaintext and signed hash are sent to the recipient, who decrypts the signed hash with the sender's public key, rehashes the plaintext they received and compares the two.
If the hashes match then the message came from the owner of that public key (the sender) and was not altered in transit.
In this section we will focus on the options for protecting data that is at rest on your system.
One option is to encrypt the entire disk. This ensures that messages sitting on a queue or on disk are protected in the event that the disk is stolen.
As long as the disk encryption software is invisible to applications it may work with IBM MQ. For example, data set encryption on z/OS is invisible to applications and encrypts/decrypts data according to a system policy.
If the method of disk encryption requires the application to provide a key or interact with an API in order to gain access to the data, then it will not work with IBM MQ.
A benefit of disk encryption is that message data on the physical disk cannot be read if the disk is physically stolen. However, disk encryption does not prevent data being stolen if an attacker gains access to the running system, and it does not prevent administrators or other users from accessing the data while they are on the system.
It also adds a performance impact, because every disk call requires an encrypt or decrypt operation before the data is provided to the application; this includes configuration reads, logging and all messages regardless of content.
Data set encryption is a feature of z/OS where encryption is applied to specific data sets invisibly to applications. When an application asks to read from or write to a protected data set, the data set encryption policy intercepts the read/write in order to add or remove the encryption protection defined in the policy.
Support for this was added in 9.1.4 for active logs and page sets, as well as the BSDS, CSQINP and archive logs.
Another option is to protect just the message data. This has benefits over disk encryption, as it means that costly encrypt and decrypt operations are not performed on every I/O write. Additionally, if the message data is protected on disk then even an attacker who gains access to the system will not be able to read it without the key.
This approach works because it is invisible to MQ: MQ does not parse message data, so whether the data is encrypted or plain text does not matter. However, it offloads responsibility for the encrypt/decrypt to the application, and so requires application changes or the integration of a third-party library into your applications. As well as integrating libraries, you also have to exchange secret data ahead of time (e.g. the symmetric keys used to encrypt the data).
Pushing the encryption/decryption to the applications also means you need to ensure that the application systems have the capacity to perform the cryptographic operations.
But what if you can't make a change to your application? Or you don't want another third-party app/library? Or you can't put encryption operations on your client applications? MQ has a solution…
IBM MQ Advanced Message Security (or AMS) is MQ’s answer to message data protection.
It provides all the benefits as discussed in the previous slides with some improvements in the areas identified as disadvantages.
Unfortunately it does not come without its own disadvantages, namely that it still requires an exchange of secret information (this time certificates) and an MQ Advanced license. Additionally, although it does not require changes to the applications, it does require additional MQ objects to be defined on the AMS queue managers.
The basis for configuring AMS on queue managers is to define a policy object for each queue that will hold messages needing protection. A policy object needs to be defined for both the first and the last queue the message will be on in your MQ system.
Each policy object details the minimum level of protection that should be applied to a queue object. For example, if the first policy says the messages are to be protected with AES128 then the last policy must allow AES128; if it is set to AES256 it will cause an error.
Policies support two different types of protection: encryption and integrity. For encryption protection you must also supply who the intended recipients are; for integrity protection you must supply who is allowed to have signed the message.
The default in AMS is that client applications handle the protection/deprotection of message data.
However, if you do not want the client applications to perform AMS operations, you can opt to move the protection to the queue manager.
A downside to this is that on the first hop from the application to the queue manager the message data is not protected. As such, other protection should be applied to the message while it is in transit.
In 9.1.3 the capability to add or remove AMS protection at a queue-manager-to-queue-manager boundary was added for z/OS queue managers. This is useful when the requirements differ across an organisational boundary.
Distributed queue managers do not have this functionality, but there is a statement of direction saying we will add it in the future.
This is controlled on channel objects: the SPLPROT property can be configured to remove or apply AMS protection as necessary.
To implement AMS in client applications, no changes to the application are required.
Instead, an application is activated for AMS by supplying an environment variable that points to a configuration file. This file contains details of the key store and certificate to use for AMS.
When an IBM MQ application sees that a queue has a policy defined on it, it automatically looks for the key store configuration file in order to perform the AMS operations.
AMS protection works by combining asymmetric encryption and symmetric encryption.
First we generate a symmetric key and encrypt the message data with that key. We also add a PDMQ header to the message so that we know this message contains protected data.
The protected message data is placed in a PKCS#7 envelope and attached to the message.
We also protect the symmetric key used to encrypt the message with the public keys of all intended recipients. These protected keys are then also attached to the PKCS#7 envelope.
The whole message is then sent to the queue.
When an application wants to get the message, it uses its private key to recover the symmetric key and then uses the symmetric key to recover the message data.
By default the same set of operations as discussed before is performed on every message.
This means that if 6 messages are sent we have to perform 18 cryptographic operations to protect the messages and a further 12 to decrypt them. This can be costly for performance, but there is a way to improve it using key reuse.
By setting key reuse to a number greater than 1 we reuse the same symmetric key. For the first message the process is the same, but we then remember the symmetric key for the next 4 messages.
With a remembered symmetric key we can cut the number of cryptographic operations, as we can reuse the symmetric key to quickly encrypt/decrypt the message data.
For the same 6 messages the number of cryptographic operations drops from 30 to 18.
If you set key reuse to a large number you get a greater performance improvement at the cost of security: with many messages protected by the same key, if that key is cracked then an attacker could use it to read all of those messages.
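To make the envelope construction and the key-reuse arithmetic from the previous paragraphs concrete, here is an added Go example; it is not AMS code and does not produce the PKCS#7/PDMQ wire format. It assumes a single recipient, wraps a fresh AES-256-GCM key with RSA-OAEP, remembers that key on both sides for a configurable number of messages, and counts operations the way the slide does. The Sender, Receiver and Envelope names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: AES-GCM payload plus the AES key wrapped (RSA-OAEP) for the recipient.
// It illustrates the scheme only and is not the real PKCS#7/PDMQ wire format.
type Envelope struct{ Nonce, Data, WrappedKey []byte }

// Sender keeps one AES key for Reuse messages (1 = fresh key per message). Ops counts
// operations as the slide does: key generation, each RSA wrap/unwrap, each AES op.
type Sender struct{ Reuse, used, Ops int; key, wrapped []byte }

// Receiver remembers the last wrapped key it unwrapped, so a reused key costs one RSA decrypt.
type Receiver struct{ Priv *rsa.PrivateKey; lastW, lastK []byte; Ops int }

func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

func (s *Sender) Protect(msg []byte, pub *rsa.PublicKey) (*Envelope, error) {
	if s.key == nil || s.used >= s.Reuse { // new symmetric key: generate it, then wrap it
		s.key = make([]byte, 32)
		rand.Read(s.key)
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s.key, nil)
		if err != nil {
			return nil, err
		}
		s.wrapped, s.used, s.Ops = w, 0, s.Ops+2
	}
	nonce := make([]byte, 12) // fresh nonce per message: GCM must never repeat one under a key
	rand.Read(nonce)
	s.used, s.Ops = s.used+1, s.Ops+1
	return &Envelope{nonce, gcm(s.key).Seal(nil, nonce, msg, nil), s.wrapped}, nil
}

func (r *Receiver) Unprotect(e *Envelope) ([]byte, error) {
	if string(e.WrappedKey) != string(r.lastW) { // unwrap only when the key has changed
		k, err := rsa.DecryptOAEP(sha256.New(), nil, r.Priv, e.WrappedKey, nil)
		if err != nil {
			return nil, err
		}
		r.lastW, r.lastK, r.Ops = e.WrappedKey, k, r.Ops+1
	}
	r.Ops++ // symmetric decrypt; the GCM tag also rejects a tampered payload
	return gcm(r.lastK).Open(nil, e.Nonce, e.Data, nil)
}
```

With Reuse set to 1, six messages cost 18 protect and 12 unprotect operations; with Reuse set to 5 the same six messages cost 10 and 8, matching the 30 to 18 reduction on the slide.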
In this section we will talk about the options for protecting data in transit.
If you have protected your message data and it stays protected throughout its lifetime, then it retains that protection as it traverses your network.
This meets your protection-in-transit requirement, but may cause some issues around detecting when a message was tampered with. For example, if a message is tampered with during its traversal from Client A to Client B, you will only detect that at Client B. If it had to go through 100 nodes to get there, which one tampered with it?
Additionally, protecting the message data does not protect the whole message: message headers or properties could still be tampered with, or a message could be rerouted by a man-in-the-middle attack.
The more common approach for protecting data in transit is to use TLS.
IBM MQ has supported TLS for a number of versions and continues to add new features and improvements to its TLS support even today.
With TLS you can secure your data both to ensure that it is not edited in transit and that prying eyes cannot view it. If data is edited in transit, MQ detects this and rejects the tampered data. This is a benefit over just using protected data, as you will be able to see exactly which hop is open to data tampering.
Additionally, MQ supports using TLS as an authentication method, so you can ensure that clients connecting to you are valid clients and, additionally, that your clients are connecting to the expected servers (not a man in the middle).
The downside to TLS is that it does require certificate management and the exchange of certificates to work. This is a common pitfall for customers, as it is not a single action: certificates expire, and when they do it can cause outages; renewing certificates also requires downtime in order for queue managers or applications to use the new certificates.
IBM MQ supports TLS 1.2 and TLS 1.3 CipherSpecs by default; older CipherSpecs can be enabled, but are disabled by default because they are weak.
Each queue manager and client must have a key store that contains certificates. Which certificates need to go in depends on the role the queue manager or client is performing. If a queue manager is acting as a server it must have both the certificate and the private key for that certificate available to it. If it is a client application, or a queue manager acting as a client, then it must trust the queue manager it is connecting to by holding that queue manager's certificate in its trust store.
On Distributed, IBM MQ uses the CMS format key store, which combines both trust store and key store. On z/OS and IBM i we use the platform key store (RACF).
Once the certificates have been exchanged, to enable TLS communication a channel object must be edited to supply a CipherSpec in the SSLCIPH attribute of the channel. If you are using a specific CipherSpec, the same one must be set on the channel at the other end. Now when the channels start they will use TLS.
Setting a specific CipherSpec was the standard way of enabling TLS on IBM MQ up until 9.1.2. However, this is not the industry-standard way for TLS communication to work. Normally the TLS client and TLS server each communicate the list of CipherSpecs they support, and the TLS handshake then chooses the highest-priority one that both support.
In 9.1.2 and 9.1.4 we added alias CipherSpecs, which move IBM MQ towards the industry standard. By setting an alias CipherSpec such as ANY_TLS12_OR_HIGHER you tell the channel to use any CipherSpec from TLS 1.2 or above.
If you need granular control over which CipherSpec is used, you can still set the client side to a specific CipherSpec and leave the server side as a broader alias CipherSpec. However, you should not do this the other way around, as it will most likely not work.
A benefit of using an alias CipherSpec on your server channels is that if the client decides to move to a different CipherSpec, for whatever reason, then the only change that needs to be made is on the client side. You no longer have to co-ordinate with the server to make the change there as well.
In this case we moved from TLS 1.2 to a specific TLS 1.3 CipherSpec.
Of course, if you don't want granular control then you can set clients to a matching alias CipherSpec and let MQ figure it out.
As stated before, though, don't set the client to an alias CipherSpec and the server to a specific CipherSpec. This will not work, as any users of .NET will tell you.
By configuring the clients to connect with their own certificate, you can have the server authenticate that it trusts the client trying to connect.
With IBM MQ you can also enforce that connecting clients must supply a valid, trusted certificate, using the SSLCAUTH setting.
Additionally, you can filter further to make sure that the certificate received, on either the client side or the server side, matches a particular Distinguished Name, to ensure you have connected to where you expect. On the server side you can also use channel authentication rules to filter further on the issuer.
Finally, while the default for Distributed MQ is to store certificates and private keys in a file on the system disk, you can also configure IBM MQ to store these private keys securely in PKCS#11 devices instead.
If you don't want to make your IBM MQ queue managers available on the outside network, or only want particular routes to be secured, then using a secure gateway or MQIPT may also be a solution.
You can configure MQIPT or a secure gateway to be invisible to MQ and automatically convert communications into TLS-secured communications.
Additionally, if you want to lock down your firewall so that only HTTPS traffic can enter, you can use MQIPT to convert MQ traffic into HTTP or HTTPS traffic and later convert it back, invisibly to MQ.
SOAP is also supported.
Finally, as of 9.1.5 MQIPT supports PKCS#11 as a place to store your certificates and private keys. However, this is an MQ Advanced feature and requires a license as such.
In conclusion, deciding whether you need to protect your messages at rest and in transit, or just one of those, is up to you. We looked at each in turn, and at the advantages and disadvantages of each solution.