Presenting the basics of SSL/TLS and the use of the SSL protocol to secure IBM MQ channels: secure communication between two queue managers (with various test cases) and between an application and a queue manager, common errors, and certificate renewal.
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
1. How to Secure Network Communication?
2. SSL (Secure Sockets Layer)
3. Digital Certificate
   Signature (signed and unsigned)
   Digest (SHA-256, MD5)
4. Keys
   Private, public, and session key
5. Types of Encryption
   Symmetric and asymmetric
6. One-way and Two-way SSL
7. Keystore and Truststore
3. Security Fundamentals
What is Cryptography?
– Cryptography is the science of writing in secret code, and is an ancient art.
How was it done years ago?
– Substitution ciphers (Caesar cipher)
– Transposition ciphers
5. Security Fundamentals
The purpose of cryptography
"Five Primary Functions"
Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.
Authentication: The process of proving one's identity.
Integrity: Assuring the receiver that the received message has not been altered in any way from the original.
Non-repudiation: A mechanism to prove that the sender really sent this message.
Key exchange: The method by which crypto keys are shared between sender and receiver.
6. Security Fundamentals
Cryptology
– Cryptography
– Cryptanalysis
Asymmetric Key (Public Key Cryptography) – "asymmetric" means 'not equal or similar'
– RSA – E, D, key exchange, digital signatures
– Diffie-Hellman – key exchange
– Digital Signature Algorithm (DSA) – key exchange
– ElGamal
– Elliptic Curve Cryptography (ECC)
– PKI (Public Key Infrastructure)
Symmetric Key (single key used for E & D)
– Block cipher (blocks of data can be E & D at a time): DES (IBM's), 3DES, AES
– Stream cipher: bit-wise E & D
7. Security Fundamentals
PKI (Public Key Infrastructure)
A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.
A PKI consists of:
– A certificate authority (CA) that stores, issues and signs the digital certificates.
– A registration authority which verifies the identity of entities requesting their digital certificates to be stored at the CA.
– A central directory, i.e. a secure location in which to store and index keys.
– A certificate management system managing things like the access to stored certificates or the delivery of the certificates to be issued.
– A certificate policy.
"PKI is itself often used as a synonym for a CA implementation."
10. Security Fundamentals
Hashing
Integrity is provided by hashing the messages. A hash is very much like a fingerprint, and the hash algorithm is constructed so that the smallest change in the source produces a completely different and unpredictable hash value. When the message arrives at its destination, the hash provides some assurance that the message has not been tampered with. The integrity function is not optional. When SSL is enabled for a WebSphere MQ channel, all messages on that channel are hashed and verified.
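The fingerprint property described above can be seen directly with a standard hash. The following Python example is added here and is not part of the slides: it hashes a constructed sample message with SHA-256, flips a single bit, and counts how many of the 256 digest bits change, alongside the kind of integrity check a receiver performs. The message content is made up for the example.

```python
import hashlib
import hmac

# Constructed sample message standing in for one channel message (not real MQ data).
MESSAGE = b"PAYMENT;account=12345;amount=100.00"


def digest(message: bytes) -> str:
    """Return the SHA-256 fingerprint of a message as lowercase hex."""
    return hashlib.sha256(message).hexdigest()


def verify(message: bytes, expected_hex: str) -> bool:
    """Integrity check: does the received message still match the fingerprint
    that travelled with it?  Constant-time compare avoids leaking how many
    leading characters matched."""
    return hmac.compare_digest(digest(message), expected_hex)


def flip_one_bit(message: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Tamper with the message by flipping a single bit."""
    data = bytearray(message)
    data[byte_index] ^= 1 << bit
    return bytes(data)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests, in bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_demo(message: bytes = MESSAGE) -> dict:
    """Hash the message, hash a one-bit-different copy, and report what changed."""
    original = digest(message)
    tampered_message = flip_one_bit(message)
    tampered = digest(tampered_message)
    return {
        "original_intact": verify(message, original),
        "tampered_detected": not verify(tampered_message, original),
        # Roughly half of the 256 digest bits change for a one-bit input change.
        "bits_changed_out_of_256": differing_bits(original, tampered),
    }


if __name__ == "__main__":
    print(avalanche_demo())
```

On a TLS channel this comparison is done per record by the MAC, keyed with session material, rather than by an unkeyed hash; the unkeyed example only shows why a hash is a usable fingerprint.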
11. Security Fundamentals
Why SSL / TLS?
"The internet is insecure by default... Internet channels are not secure..."
"SSL creates an encrypted connection between systems", allowing private information to be transmitted without the problems of eavesdropping, data tampering, and message forgery.
SSL is a protocol and is capable of securing any transmission over TCP.
14. MQ Security
GSKit – Global Security Kit
What is it?
IBM Global Security Kit is a common component used by a number of IBM products for their cryptographic and SSL/TLS capabilities.
IBM Global Security Kit is a library and set of command line tools that provides SSL along with base cryptographic functions.
GSKit is a component and not a stand-alone product.
GSKit supports two installation methods:
– Global installation and local installation.
On a global installation, a single GSKit instance is shared by multiple products. In this configuration, GSKit libraries and executables are placed in a common location outside of the product's installation directory.
On a local installation, each product has its own, private version of GSKit.
Continued...
15. MQ Security
MQ Global Security Kit
In WebSphere MQ Version 7.0.1, if you select SSL and TLS support during installation, GSKit Version 7.0 is installed and run by default.
GSKit V8.0 is integrated with WebSphere MQ versions 7.1 and 7.5.
If you want to use SHA-2 hashing, and in turn TLS 1.2, you have to install GSKit v8.0.
If you want to use these features on MQ 7.0.1, install GSKit 8 on the system.
GSKit 8 can only be installed on MQ 7.0.1 at Fix Pack 4 or above.
The location of GSKit 8 at the system level is usually /usr/opt/ibm.
You can list the GSKit 8 packages with lslpp -l or rpm -qa.
The version of the GSKit that ships with MQ itself can be checked with the MQ control command:
dspmqver -p64
17. MQ Security
GSKit v8
If you have a certificate with the wrong label name in a key store, you can correct the label name.
It is easy with GSKit v8.
"runmqckm/runmqakm provide a '-cert -rename' option"
If you need to manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.
Command to do the same:
runmqckm -cert -rename -db key.kdb -label <incorrectlabelname> -new_label ibmwebspheremqnewqmname
If using GSKit v7, you will need to export, delete, and import the certificate with the new label name.
For more information on label renaming with GSKit v7, please refer to the product documentation.
18. MQ Security
Terminology
Keystore & Trust store
An encrypted and password-protected database used to store certificates and private keys.
Many formats exist for keystores (the most common are CMS and JKS).
A keystore contains:
– Certificate Signing Requests (CSR)
– Personal certificates (CA-signed or self-signed)
– Private keys associated with a personal certificate
– Signer certificates (provided by the CA or extracted from self-signed certificates)
19. MQ Security
Terminology
GSKit stores the public and private keys and certificates of a queue manager, and in specific cases the signer certificate of the client, in a key database. A key database consists of a file with a .kdb extension and up to three other files with .sth, .rdb, and .crl extensions.
Command to create a key database: go to the queue manager's ssl directory and then run
gsk8capicmd -keydb -create -db <filename>.kdb -pw 1234 -type cms -expire 1000 -stash
20. MQ Security
Trust store
Two different, but related, meanings:
– As a file, a specialized keystore used for storing signer certificates.
– As a function, the portion of the keystore file that contains signer certificates.
It also holds certificates, but this store is created on the application side.
The Java™ Secure Socket Extension (JSSE) is a framework that provides the Java implementation of the Secure Sockets Layer (SSL) protocol. JSSE uses the SSL and Transport Layer Security (TLS) protocols to enable clients and servers to conduct secure communications over TCP/IP.
For more information, please refer to the product documentation.
21. MQ Security
Certificate Signing Request
– A request for a personal certificate, generated and formatted as a CSR.
– The CSR is transmitted to a certificate authority.
– The CSR does not contain the private key; this key remains in the keystore.
Personal Certificate
– An X.509 certificate asserting the identity of a server, a URL or a person.
– Contains the public key and is associated with a private key through the keystore.
– Either self-signed or issued by a certificate authority.
Multiple formats for certificates: ARM, DER, PEM, PKCS12.
Certificate formats containing a private key should be password protected.
22. MQ Security
Public Certificate
– The certificate issued by a CA (containing the public but not the private key) in response to a CSR.
– A subset (signer portion) of a self-signed personal certificate containing only the public key.
– This certificate is exchanged during the SSL handshake.
Private key
– The private (secret) part of a public/private key pair.
– Created when a CSR is generated, and stored in the keystore from which the CSR originated.
– Associated with a public certificate when the certificate is "received" from the CA.
23. MQ Security
Connecting two queue managers using SSL or TLS:
Important points:
– Obtain and manage your digital certificates (next slides).
– During the SSL or TLS handshake, the SSL or TLS client always obtains and validates a digital certificate from the server. With the WebSphere MQ implementation, the SSL or TLS server always requests a certificate from the client.
– "SSL client" refers to the end of the connection that initiates the handshake.
– The SSL or TLS server always validates the client certificate if one is sent. If the client does not send a certificate, authentication fails only if the end of the channel that is acting as the SSL or TLS server is defined with either the SSLCAUTH parameter set to REQUIRED or an SSLPEER parameter value set.
– If the SSLCAUTH parameter on the server side of the channel is set to OPTIONAL, the server does not require a client certificate and hence authentication does not fail.
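The server-side rule on this slide (a presented certificate is always validated; a missing one fails only under SSLCAUTH(REQUIRED) or when SSLPEER is set) is compact enough to model. The Python below is an added example, not code from the slides or from IBM MQ: it applies that rule to a constructed view of what the client presented, and includes a simplified SSLPEER filter match (attribute-by-attribute equality with a trailing "*" wildcard). The simplified matching rules and the class/function names are assumptions for the example; the real SSLPEER semantics are in the product documentation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ClientPresentation:
    """What the SSL server end of the channel saw from the client (constructed)."""
    certificate_dn: Optional[str]   # None when the client sent no certificate
    chain_valid: bool = True        # signer found in the key repository, not expired, etc.


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=QM1,O=IBM,C=GB' into [('CN', 'QM1'), ('O', 'IBM'), ('C', 'GB')]."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def sslpeer_matches(sslpeer: str, certificate_dn: str) -> bool:
    """Simplified SSLPEER filter (assumption): every attribute in the filter must
    appear in the certificate DN with an equal value, case-insensitively; a
    trailing '*' in a filter value matches any suffix."""
    cert = parse_dn(certificate_dn)
    for want_attr, want_value in parse_dn(sslpeer):
        candidates = [v.lower() for a, v in cert if a == want_attr]
        if want_value.endswith("*"):
            prefix = want_value[:-1].lower()
            ok = any(v.startswith(prefix) for v in candidates)
        else:
            ok = want_value.lower() in candidates
        if not ok:
            return False
    return True


def server_authenticates(client: ClientPresentation, sslcauth: str,
                         sslpeer: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the slide's rule at the SSL/TLS server end of the channel and
    return (accepted, reason)."""
    sslcauth = sslcauth.upper()
    if client.certificate_dn is None:
        if sslcauth == "REQUIRED":
            return False, "client sent no certificate but SSLCAUTH(REQUIRED) is set"
        if sslpeer:
            return False, "client sent no certificate but SSLPEER is set"
        return True, "anonymous client accepted: SSLCAUTH(OPTIONAL) and no SSLPEER"
    # A certificate was sent: it is always validated, whatever SSLCAUTH says.
    if not client.chain_valid:
        return False, "client certificate presented but failed validation"
    if sslpeer and not sslpeer_matches(sslpeer, client.certificate_dn):
        return False, "SSLPEER set on server does not match certificate"
    return True, "client certificate validated"


if __name__ == "__main__":
    print(server_authenticates(ClientPresentation(None), "OPTIONAL"))
    print(server_authenticates(ClientPresentation("CN=QM1,O=IBM,C=GB"), "REQUIRED", "O=IBM*"))
```

Note that SSLCAUTH(OPTIONAL) does not switch validation off: a client that presents an invalid certificate is still rejected, which is why the "missing signer on server" errors listed later in this deck also occur on OPTIONAL channels.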
24. MQ Security
Connecting two queue managers using SSL or TLS:
Using self-signed certificates for mutual authentication of two queue managers.
– Two queue managers, QM1 and QM2, which need to communicate securely.
– Mutual authentication to be carried out between QM1 and QM2.
– Test your secure communication using self-signed certificates.
Resultant configuration:
– The key repository for QM1 contains the certificate for QM1 and the public certificate from QM2.
– The key repository for QM2 contains the certificate for QM2 and the public certificate from QM1.
25. MQ Security
Using self-signed certificates for mutual authentication of two queue managers
Steps:
– Prepare the key repository on each queue manager.
– Create a self-signed certificate for each queue manager.
– Extract a copy of each certificate (to get the public part of the certificate).
– Transfer the public part of the QM1 certificate to the QM2 system, and vice versa, using a utility such as FTP.
– Add the partner certificate to the key repository for each queue manager.
– On QM1, define a sender channel and associated transmission queue, by issuing commands like the following example.
Continued...
26. MQ Security
Using self-signed certificates for mutual authentication of two queue managers
– On QM2, define a receiver channel, by issuing a command like the following example.
Both channels should use the same CipherSpec value, specified in the SSLCIPH parameter.
For more information, please refer to the product documentation.
27. MQ Security
Using CA-signed certificates for mutual authentication of two queue managers
– Two queue managers called QMA and QMB, which need to communicate securely.
– Require mutual authentication to be carried out between QMA and QMB.
Resulting configuration:
– The key repository for QMA contains QMA's certificate and the CA certificate.
– The key repository for QMB contains QMB's certificate and the CA certificate.
In this example both QMA's certificate and QMB's certificate were issued by the same CA. If QMA's certificate and QMB's certificate were issued by different CAs, then the key repositories for QMA and QMB must contain both CA certificates.
Continued...
28. MQ Security
Using CA-signed certificates for mutual authentication of two queue managers
Steps:
– Prepare the key repository on each queue manager.
– Request a CA-signed certificate for each queue manager (creation of a CSR). You might use different CAs for the two queue managers.
– Add the certificate authority certificate (root CA certificate) to the key repository for each queue manager. If the queue managers are using different certificate authorities, then the CA certificate for each certificate authority must be added to both key repositories.
– Receive the CA-signed certificate (personal certificate) into the key repository for each queue manager.
– On QMA, define a sender channel.
Continued...
29. MQ Security
Using CA-signed certificates for mutual authentication of two queue managers
– On QMB, define a receiver channel.
Both channels should use the same CipherSpec value, specified in the SSLCIPH parameter.
For more information, please refer to the product documentation.
30. MQ Security
Connecting two queue managers using one-way authentication
QM1 connects using one-way authentication to QM2.
Resulting configuration:
With SSLCAUTH(OPTIONAL) at the receiver channel, the SSL server (QM2) does not validate a personal certificate from the SSL client (QM1), and hence authentication does not fail.
For more information, please refer to the product documentation.
31. MQ Security
Connecting a client to a queue manager anonymously
C1 connects anonymously to QM1 over an SSL-enabled SVRCONN channel.
Resulting configuration:
ALTER CHANNEL(C1.TO.QM1) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)
For more information, please refer to the product documentation.
32. MQ Security
General Errors:
Errors that can cause an SSL connection from a Java/JMS client to a queue manager to fail:
– Using a non-FIPS cipher with FIPS enabled on the client.
– Cipher suite not set on client or server.
– Cipher mismatch.
– Missing client personal certificate.
– Missing server personal certificate.
– Missing server signer on client.
– Missing client signer on server.
– SSLPEER set on server does not match certificate.
– SSLPEER set on client does not match certificate.
– Using a non-FIPS cipher with FIPS enabled on the queue manager.
– Cannot find or open the queue manager key database.
– Cannot find or use the queue manager key database password stash file.
For more information, please refer to the product documentation.
33. MQ Security
General Errors:
Common reasons why an SSL-secured WebSphere MQ channel will fail to start
In each case the SSLCIPH attribute has been correctly specified on each side of the channel definition, but attempts to start the channel cause it to enter RETRYING state:
– Missing certificates (personal or signer) on the server (RCVR) side of the SSL channel.
– Expired certificates on the server (RCVR) side of the SSL channel.
– Missing certificates on the client (SDR) side of the SSL channel which are required to trust the certificate provided by the server.
– Missing personal certificate on the SSL client (SDR), when SSLCAUTH(REQUIRED) is specified on the channel.
For more information, please refer to the product documentation.
34. MQ Security
Renewing Digital Certificates used by WebSphere MQ
Planning process:
– Is the certificate being renewed a self-signed or a CA-signed certificate?
– If it is a CA-signed certificate, will it be signed by the same CA? ...the same certificate chain?
– Can I create a second certificate in the existing keystore?
– Will downtime be required?
35. MQ Security
Renewing Digital Certificates used by WebSphere MQ
Process for self-signed
The certificate must be recreated, and the expiring certificate replaced.
This is actually creating a new certificate and replacing the original, rather than renewing an existing certificate.
Since self-signed certificates are not based on signed certificate requests, the renewal process of regenerating a "CSR" does not apply.
Continued...
36. MQ Security
Renewing Digital Certificates used by WebSphere MQ
Process for CA-signed
It's important to know whether your certificate will be signed by the same CA and certificate chain.
This is an important question because the answer determines whether or not you need to send the CA's signer certificate to your remote partners. If your certificate will not change in any way other than the expiry date, and you will be sending it to the same certificate authority by way of their renewal process, it is likely that the signer certificates will not change; therefore, your remote partners will not need to take any action during your renewal process.
37. MQ Security
Renewing Digital Certificates used by WebSphere MQ
Downtime required or not?
Downtime is not required when renewing your digital certificate, as long as you plan accordingly.
Ensure that all signer certificates have been appropriately distributed and installed into all of your remote partners' key stores.
Any changes in the key store files do not take effect on the queue manager until
REFRESH SECURITY TYPE(SSL) is run
or
the queue manager is restarted.
For more information, please refer to the product documentation.
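The planning questions on slides 34 to 37 reduce to two decisions: whether a CSR is involved (self-signed vs CA-signed) and whether remote partners must receive a new signer certificate (did the signer change?), followed by the REFRESH SECURITY step. The Python below is an added example, not from the slides or from IBM MQ; it represents each certificate as a small constructed record carrying the DER bytes of its signer, compares signer fingerprints the way an administrator would compare them with a key-management tool, and returns the resulting plan. The record layout, the sample DER byte strings and the function names are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class Certificate:
    """Minimal description of a queue manager certificate (constructed for the example)."""
    label: str          # key repository label, e.g. ibmwebspheremq<qmgr name>
    subject: str
    issuer: str
    self_signed: bool
    signer_der: bytes   # DER of the certificate that signed it (itself when self-signed)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, the value partners compare."""
    return hashlib.sha256(der).hexdigest()


def partners_need_new_signer(current: Certificate, replacement: Certificate) -> bool:
    """Remote partners must install a new signer only when the signer changed.
    A new self-signed certificate is always its own (new) signer, so it always
    has to be redistributed; a CA renewal under the same chain does not."""
    return fingerprint(current.signer_der) != fingerprint(replacement.signer_der)


def plan_renewal(current: Certificate, replacement: Certificate) -> List[str]:
    """Turn the slides' planning questions into an ordered checklist."""
    steps = []
    if replacement.self_signed:
        steps.append("Self-signed: create a new certificate (no CSR to regenerate) "
                     "and replace the expiring one in the key repository.")
    else:
        steps.append("CA-signed: generate a CSR in the key repository, have the CA "
                     "sign it, then receive the personal certificate.")
    if replacement.label == current.label:
        steps.append("Same label " + current.label + ": the new certificate takes "
                     "the place of the old one, so stage it carefully.")
    else:
        steps.append("New label " + replacement.label + ": both certificates can "
                     "coexist in the key repository during the switch.")
    if partners_need_new_signer(current, replacement):
        steps.append("Signer changed: distribute the new signer certificate to every "
                     "remote partner's key store before switching.")
    else:
        steps.append("Same signer chain: remote partners need no action.")
    steps.append("REFRESH SECURITY TYPE(SSL) on the queue manager (or restart it) "
                 "so the key store change takes effect.")
    return steps


if __name__ == "__main__":
    old = Certificate("ibmwebspheremqqm1", "CN=QM1,O=IBM", "CN=QM1,O=IBM", True,
                      b"constructed-der-self-signed-v1")
    new = Certificate("ibmwebspheremqqm1", "CN=QM1,O=IBM", "CN=QM1,O=IBM", True,
                      b"constructed-der-self-signed-v2")
    for step in plan_renewal(old, new):
        print("-", step)
```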
39. MQ Security
Cipher Spec
While planning the CipherSpec to be used as the channel's SSLCIPH value, please look at the product-version-specific documentation. For example, see the linked documentation.
If an application is communicating with a queue manager over an SSL/TLS-enabled SVRCONN channel, also look up the CipherSuite value corresponding to the CipherSpec (again, MQ version specific). See the sample link.
[Diagram: client C (CipherSuite) – SVRCONN channel – QMGR (CipherSpec)]
At the server end of an MQI channel, the name of a CipherSpec can be specified as the value of the SSLCIPH parameter on a DEFINE CHANNEL CHLTYPE(SVRCONN) command. At the client end of an MQI channel, a WebSphere MQ classes for Java application can set the sslCipherSuite field in the MQEnvironment class.
40. MQ Security
A note about FIPS (the standard governing CipherSpecs)
The Federal Information Processing Standards (FIPS) specify which cipher suites are acceptable for use in US government installations. Many non-government shops also use FIPS as a baseline for their own secure configurations. To assist in configuring FIPS-compliant networks, the queue manager has an attribute called SSLFIPS that can be set to YES or NO. When set to YES, SSL channels are restricted to using only FIPS-approved encryption algorithms.
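Three of the errors listed on the "General Errors" slide (cipher suite not set, cipher mismatch, non-FIPS cipher with FIPS enabled) can be caught before a channel is started by checking the SSLCIPH values on both ends, and the CipherSpec-to-CipherSuite lookup from slide 39 can be checked the same way for a Java client. The following Python is an added example and not part of the slides or of IBM MQ. The mapping and FIPS tables are deliberately small excerpts written from memory of the IBM JRE names as an assumption: confirm every entry against the version-specific documentation the slides point to before relying on it.

```python
from typing import Dict, List, Optional

# Excerpt of the MQ CipherSpec -> Java CipherSuite (IBM JRE naming) correspondence.
# Assumption for the example; verify against the version-specific documentation.
CIPHERSPEC_TO_JAVA_SUITE: Dict[str, str] = {
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "SSL_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "SSL_RSA_WITH_AES_256_CBC_SHA256",
    "TRIPLE_DES_SHA_US": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4_MD5_US": "SSL_RSA_WITH_RC4_128_MD5",
    "NULL_MD5": "SSL_RSA_WITH_NULL_MD5",
}

# CipherSpecs this example treats as FIPS-approved (excerpt; an assumption to confirm
# against the FIPS column of the CipherSpec table for your MQ version).
FIPS_APPROVED_EXCERPT = {
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
}


def check_channel_pair(sender_sslciph: Optional[str], receiver_sslciph: Optional[str],
                       sslfips_yes: bool = False) -> List[str]:
    """Lint the SSLCIPH values of the two ends of a queue-manager-to-queue-manager
    channel and report the problems named on the 'General Errors' slide."""
    problems: List[str] = []
    if not sender_sslciph or not receiver_sslciph:
        problems.append("Cipher suite not set on client or server")
        return problems
    if sender_sslciph != receiver_sslciph:
        problems.append("Cipher mismatch: sender " + sender_sslciph
                        + " vs receiver " + receiver_sslciph)
    if sslfips_yes and receiver_sslciph not in FIPS_APPROVED_EXCERPT:
        problems.append("Using non-FIPS cipher " + receiver_sslciph
                        + " with FIPS enabled on the queue manager")
    return problems


def java_cipher_suite_for(cipherspec: str) -> Optional[str]:
    """CipherSuite a Java/JMS client sets (MQEnvironment.sslCipherSuite) to talk to
    a SVRCONN channel defined with SSLCIPH(cipherspec); None if not in the excerpt."""
    return CIPHERSPEC_TO_JAVA_SUITE.get(cipherspec)


def check_java_client(client_cipher_suite: Optional[str], svrconn_sslciph: str,
                      client_fips: bool = False) -> List[str]:
    """Same checks for a Java client connecting over a SVRCONN channel."""
    problems: List[str] = []
    expected = java_cipher_suite_for(svrconn_sslciph)
    if expected is None:
        problems.append(svrconn_sslciph + " is not in the mapping excerpt; "
                        "check the version-specific CipherSpec table")
        return problems
    if not client_cipher_suite:
        problems.append("Cipher suite not set on client")
    elif client_cipher_suite != expected:
        problems.append("Cipher mismatch: client " + client_cipher_suite
                        + ", SVRCONN SSLCIPH expects " + expected)
    if client_fips and svrconn_sslciph not in FIPS_APPROVED_EXCERPT:
        problems.append("Using non-FIPS cipher with FIPS enabled on client")
    return problems


if __name__ == "__main__":
    print(check_channel_pair("TRIPLE_DES_SHA_US", "TLS_RSA_WITH_AES_128_CBC_SHA256"))
    print(check_java_client("SSL_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"))
```

Running the checks at definition time (for example from a change-control script) turns a channel stuck in RETRYING into a message naming the mismatched value.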
41. MQ Security
Note:
The location of the key repository of a queue manager is specified in the queue manager's Key Repository attribute, SSLKEYR.
The default value of this attribute is the file named key in the queue manager's ssl directory.
If you have created the keystore file (key database) with some other name, say qmkey.kdb, then change the SSLKEYR attribute to that keystore name by altering the QMGR.
The ".kdb" extension of the keystore should not be included in the SSLKEYR attribute.
Otherwise, during the SSL handshake, it may throw the error "Key repository cannot be found".
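The SSLKEYR pitfall above, together with the "cannot find or open key database" and "cannot find or use password stash file" errors from slide 32, can be checked with a few file-system tests before the handshake ever runs. The Python below is an added example, not part of the slides or of IBM MQ: it takes an SSLKEYR value, reports an included ".kdb" extension, and checks that the key database and its stash file exist next to the stem, using a temporary directory with empty placeholder files as a constructed layout. Function names and the placeholder layout are assumptions for the example.

```python
import os
import tempfile
from typing import Dict, List

# Files that make up a CMS key database (the .kdb is the database proper).
KEY_DB_SUFFIXES = (".kdb", ".sth", ".rdb", ".crl")


def check_sslkeyr(sslkeyr: str) -> List[str]:
    """Validate a queue manager SSLKEYR value the way the handshake will use it:
    the attribute names the key database stem, without the .kdb extension."""
    findings: List[str] = []
    stem = sslkeyr
    if sslkeyr.lower().endswith(".kdb"):
        findings.append("SSLKEYR must not include the .kdb extension; the handshake would look for "
                        + sslkeyr + ".kdb and report 'Key repository cannot be found'")
        stem = sslkeyr[:-4]
    if not os.path.isfile(stem + ".kdb"):
        findings.append("key database not found: " + stem + ".kdb")
    if not os.path.isfile(stem + ".sth"):
        findings.append("password stash file not found: " + stem
                        + ".sth (the queue manager cannot open the key database unattended)")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed layout: empty key.kdb/key.sth/key.rdb/key.crl placeholders in a
    temporary 'ssl' directory, checked with three different SSLKEYR values."""
    with tempfile.TemporaryDirectory() as ssl_dir:
        for suffix in KEY_DB_SUFFIXES:
            open(os.path.join(ssl_dir, "key" + suffix), "wb").close()
        return {
            # default-style value: <ssl dir>/key
            "good": check_sslkeyr(os.path.join(ssl_dir, "key")),
            # common mistake: extension included
            "with_ext": check_sslkeyr(os.path.join(ssl_dir, "key.kdb")),
            # renamed database that was never created
            "renamed": check_sslkeyr(os.path.join(ssl_dir, "qmkey")),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```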
42. MQ Security
Available Tools
IBM Global Security Kit (GSKit)
– Multiple software versions
– Command line
MQ version 7.0.1: available command line tools gsk7cmd, gsk7capicmd
MQ version 7.0.1 (Fix Pack >= 4) with GSKit 8 installed: available command line tools gsk8cmd, gsk8capicmd
MQ versions 7.1, 7.5, 8.0: available command line tools runmqakm, runmqckm
Open Source
– Command line: openssl