This session will look at how security facilities are provided on WebSphere MQ for z/OS, including
a look at what security is available, how it is activated/deactivated, what types of resources can be
protected and an insight as to how WebSphere MQ for z/OS determines which userids it uses for
the checks it performs.
3. Abstract
This session will look at how security facilities are provided on WebSphere MQ for z/OS, including a look at what security is available, how it is activated/deactivated, what types of resources can be protected and an insight as to how WebSphere MQ for z/OS determines which userids it uses for the checks it performs.
6. Security Overview
What are we trying to achieve?
● Identification:- Being able to identify uniquely a user of a system or an application that is running in the system.
● Authentication:- Being able to prove that a user or application is genuinely who that person or what that application claims to be.
● Access Control:- Protects critical resources in a system by limiting access only to authorised users and their applications. It prevents unauthorised use of a resource or the use of a resource in an unauthorised manner.
● Auditing:- Tracking who has done what to what and when.
7. Security Overview
● Confidentiality:- Protects sensitive information from unauthorised disclosure.
● Data Integrity:- Detects whether there has been unauthorised modification of data. There are two ways in which this can occur: accidentally, through hardware or transmission errors, or by deliberate attack.
● 'Non-Repudiation':- The goal is usually to prove that a particular message is associated with a particular individual.
8. WebSphere MQ for z/OS (non Queue Sharing groups)
[Diagram. Labels: two z/OS systems; Batch APPL, IMS APPL and CICS APPL; Queue Manager A and Queue Manager B; MOVER; links to other MQ systems.]
9. WebSphere MQ for z/OS Queue Sharing Groups
[Diagram. Labels: QSG; z/OS; IMS, CICS and BATCH; queue managers SQM1, SQM2, SQM3 and LQM1, each with a mover, local pagesets and local logs; DB2; CF; SQ1.]
10. Security Overview
SAF to provide choice of External Security Manager
- RACF, ACF2, Top Secret, ...
- WebSphere MQ has a set of classes to hold profiles
- Profiles provide access control capabilities
Features depend upon profiles used
- z/OS control is more granular than other systems
Activate classes, and allow generic profiles
- SETROPTS CLASSACT(...)
- SETROPTS GENERIC(...)
[Diagram. Labels: WebSphere MQ, WebSphere MQ PROFILES, SAF, External Security Manager.]
12. Security Overview - continued...
WebSphere MQ mixed case RACF Classes
MXADMIN - Switch profiles, Command resource, Context and Alternate User profiles
MXQUEUE - Queue profiles
MXPROC - Process profiles
MXNLIST - Namelist profiles
MXTOPIC - Topic profiles
Note: There are no MX... versions of the MQCONN and MQCMDS classes
14. Controlling Security
RACF Classes
High Level Qualifiers
Shared Queue Manager Environment
Security Switches
- Switch profiles
- Options available under Queue Sharing Groups
Queue Sharing Group rules
15. Controlling Security - RACF Classes
What determines which classes are used?
● Queue manager attribute SCYCASE
This can be set to either
UPPER - the default on migration and on a new Qmgr; this uses the MQ... versions of the classes (plus MXTOPIC)
MIXED - this uses the MX... versions of the classes
The MQ... and MX... classes are mutually exclusive, except that MXTOPIC can be used whether SCYCASE(UPPER) or SCYCASE(MIXED) is specified, as there is no MQ... version!
16. Controlling Security - RACF Classes
What can be mixed case in an MX... class ?
● the 'resourcename' part of a profile in one of the following classes
MXADMIN
hlq.CONTEXT.resourcename
hlq.QUEUE.resourcename
MXPROC, MXNLIST and MXQUEUE
hlq.resourcename
MXTOPIC
hlq.SUBSCRIBE.resourcename
hlq.PUBLISH.resourcename
17. Controlling Security - RACF Classes
How do you change the classes you are using?
● the Queue manager attribute SCYCASE
This can be set to either
UPPER - the default on migration and on a new Qmgr; this uses the MQ... versions of the classes (plus MXTOPIC)
MIXED - this uses the MX... versions of the classes
● issue a REFRESH SECURITY command (more later)
BUT first:
Ensure you have all the RACF profiles defined that you need in the appropriate classes
18. Controlling Security - High Level Qualifiers
Queue Manager qualified profiles
Queue Manager profiles use the queue manager name as the high level qualifier, for example qmgr.profile.name, and their scope is limited to the named Qmgr.
Queue Sharing Group qualified profiles
Queue sharing group profiles use the queue sharing group id as their high level qualifier instead of a queue manager name, for example qsg.profile.name, and their scope is the named Queue Sharing Group.
19. Controlling Security - Shared Queue Manager Environment
DB2
● Setting up Resources in DB2
● Connection to DB2
● Access to DB2 resources
Coupling Facility
● Setting up the Coupling Facility
● Access to the Coupling Facility
Queue Sharing Groups (QSG)
● Setting up QSG's
● Joining a QSG
20. Controlling Security - Switch Profiles
Granular control of security checking
Subsystem security
hlq.NO.SUBSYS.SECURITY
Qmgr or QSG Security
hlq.NO.QMGR.CHECKS
hlq.NO.QSG.CHECKS
In QSG also have 'YES' switch profiles
ssid.YES.type
These profiles are only used if you have chosen to have both Qmgr and QSG checking active and need to override a QSG level profile on a given Qmgr.
The hlq on these profiles is always 'ssid' - in other words the qmgr ID
** You cannot set both QMGR & QSG to OFF together - if you try this you will get both Qmgr and QSG security activated **
21. Controlling Security - Switch Profiles
Connection Security
hlq.NO.CONNECT.CHECKS
MQ Command Security
hlq.NO.CMD.CHECKS
hlq.NO.CMD.RESC.CHECKS
MQ API Security
hlq.NO.QUEUE.CHECKS
hlq.NO.PROCESS.CHECKS
hlq.NO.NLIST.CHECKS
hlq.NO.CONTEXT.CHECKS
hlq.NO.ALTERNATE.USER.CHECKS
hlq.NO.TOPIC.CHECKS
All defined in the MQADMIN class or MXADMIN class
All switch profiles are uppercase regardless of class
22. Controlling Security - Security Switch options
[Decision diagram: is the QMGR local or shared? For a shared QMGR: QMGR only, QSG only, or QMGR & QSG?]
Not QSG
● ssid only
Queue Sharing Group
● Up to three profiles looked for when checking for:
Subsystem security
Queue Manager security
QSG security
23. Controlling Security - Security Switch options
[Flowchart: subsystem security. Local qmgr: ssid.NO.SUBSYS.SECURITY is looked for (found / not found). Shared qmgr: ssid.NO.SUBSYS.SECURITY, qsg.NO.SUBSYS.SECURITY and ssid.YES.SUBSYS.SECURITY are looked for (found / not found). Outcomes: set Subsys security ON or OFF on this qmgr.]
24. Controlling Security - Security Switch options
Shared Queue Environment
[Flowchart: QMGR security. ssid.NO.QMGR.CHECKS, qsg.NO.QMGR.CHECKS and ssid.YES.QMGR.CHECKS are looked for (found / not found). Outcomes: set QMGR security ON or OFF on this qmgr.]
25. Controlling Security - Switch Options
Shared Queue Environment
[Flowchart: QSG security. ssid.NO.QSG.CHECKS, qsg.NO.QSG.CHECKS and ssid.YES.QSG.CHECKS are looked for (found / not found). Outcomes: set QSG security ON or OFF on this qmgr.]
26. Controlling Security - Queue Sharing Groups
Rules
The default is to check ssid profiles before qsg profiles
● ssid.YES switch profiles override qsg.NO switch profiles
● QMGR checks switch ON / QSG checks switch OFF means ONLY profiles with a hlq of ssid will be used
● QSG checks switch ON / QMGR checks switch OFF means ONLY profiles with a hlq of qsg will be used
You cannot set security OFF by setting both QMGR & QSG checking OFF together - it will default both ON
Once the QMGR and QSG switches have been determined, the remaining switch profiles are checked following the QMGR/QSG rules
Once the Shared Queue Manager is up and running, all security checks are governed by the setting of the individual switch for that type of security and the QMGR/QSG switch state
If both QMGR and QSG switches are ON then a hlq of ssid will be used first and, if not found, a hlq of qsg will be used on the security check
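The switch rules on slides 20 to 26 can be worked through in code. This is an added example, not code from the presentation or from IBM: it models the set of switch profiles defined in MQADMIN/MXADMIN as a Python set and resolves each switch to ON or OFF. The function names, the MQ19/QSGA sample names and the treatment of a queue manager outside a QSG as "QMGR checks ON" are assumptions.

```python
# Added example: resolve MQ for z/OS security switches from switch profiles.
OTHER_SWITCHES = [
    "CONNECT.CHECKS", "CMD.CHECKS", "CMD.RESC.CHECKS", "QUEUE.CHECKS",
    "PROCESS.CHECKS", "NLIST.CHECKS", "CONTEXT.CHECKS",
    "ALTERNATE.USER.CHECKS", "TOPIC.CHECKS",
]


def three_profile_check(ssid, qsg, switch, defined):
    """Switch state (True = ON) from ssid.NO, then qsg.NO, then ssid.YES."""
    if f"{ssid}.NO.{switch}" in defined:
        return False                           # ssid profiles are checked first
    if f"{qsg}.NO.{switch}" not in defined:
        return True                            # no NO profile at either level
    return f"{ssid}.YES.{switch}" in defined   # ssid.YES overrides qsg.NO


def resolve_switches(ssid, qsg, defined):
    """Return {switch name: True/False}; qsg=None means not in a QSG.

    `defined` holds the switch profile names present in MQADMIN/MXADMIN.
    """
    defined = set(defined)
    state = dict.fromkeys(
        ["SUBSYS.SECURITY", "QMGR.CHECKS", "QSG.CHECKS"] + OTHER_SWITCHES, False)

    if qsg is None:
        # Not in a QSG: only ssid profiles are looked for (assumed QMGR ON).
        if f"{ssid}.NO.SUBSYS.SECURITY" in defined:
            return state
        state["SUBSYS.SECURITY"] = state["QMGR.CHECKS"] = True
        for sw in OTHER_SWITCHES:
            state[sw] = f"{ssid}.NO.{sw}" not in defined
        return state

    state["SUBSYS.SECURITY"] = three_profile_check(
        ssid, qsg, "SUBSYS.SECURITY", defined)
    if not state["SUBSYS.SECURITY"]:
        return state                           # subsystem security OFF: all OFF

    qmgr_on = three_profile_check(ssid, qsg, "QMGR.CHECKS", defined)
    qsg_on = three_profile_check(ssid, qsg, "QSG.CHECKS", defined)
    if not qmgr_on and not qsg_on:
        qmgr_on = qsg_on = True                # both OFF together defaults both ON
    state["QMGR.CHECKS"], state["QSG.CHECKS"] = qmgr_on, qsg_on

    for sw in OTHER_SWITCHES:
        if qmgr_on and qsg_on:
            state[sw] = three_profile_check(ssid, qsg, sw, defined)
        elif qmgr_on:
            state[sw] = f"{ssid}.NO.{sw}" not in defined   # only hlq ssid used
        else:
            state[sw] = f"{qsg}.NO.{sw}" not in defined    # only hlq qsg used
    return state


if __name__ == "__main__":
    # Constructed names: queue manager MQ19 in queue sharing group QSGA.
    profiles = {"QSGA.NO.TOPIC.CHECKS", "MQ19.YES.TOPIC.CHECKS",
                "QSGA.NO.NLIST.CHECKS"}
    for name, on in resolve_switches("MQ19", "QSGA", profiles).items():
        print(f"{name:24} {'ON' if on else 'OFF'}")
```

Running it against the profile names you expect to exist, before a REFRESH SECURITY, shows which checks a stray NO profile would silently turn off.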
28. Access Control
Connection Security
Reslevel Security
API security
● covering profiles and userids checked
Link Level Security
29. Access Control - Connection security
Profiles are held in the MQCONN class
● One profile per adapter type
hlq.BATCH
hlq.CICS
hlq.IMS
hlq.CHIN
READ access required by adapter
Connection profiles are always uppercase
Connection type      Userid used
Batch                The TSO Userid; the Userid assigned to the batch job via the USER JCL parm; the Userid assigned to the started task by the STARTED class or the started procedures table
CICS                 The CICS address space Userid
IMS                  The IMS region Userid
Channel Initiator    The Channel Initiator address space Userid
30. Access Control - RESLEVEL Profile
Single profile per Queue Manager or Queue Sharing Group in the MQADMIN class or MXADMIN class, which looks like
hlq.RESLEVEL
Controls the number of userids used for access control on MQ API Resource Security
The executing userid's access to the RESLEVEL profile determines the number of userids checked; this lasts for the life of that connection
The RESLEVEL profile is always uppercase
31. Access Control - MQ API Security
Access to Resources
This can be controlled by more than one profile and can involve several security checks depending on the set up.
Profiles used for Resource security checking are held in the following classes
MQPROC or MXPROC - Processes
MQNLIST or MXNLIST - Namelists
MQQUEUE or MXQUEUE - Queues
MQADMIN or MXADMIN - Context and Alternate Userids
MXTOPIC - Topics
32. Access control - MQ API Security
Processes and Namelists Security - are opened for inquiry only
MQPROC or MXPROC class - profiles look like
hlq.processname
READ access required by userid(s)
In the MXPROC class 'processname' can be mixed case
MQNLIST or MXNLIST class- profiles look like
hlq.namelistname
READ access required by userid(s)
In the MXNLIST class 'namelistname' can be mixed case
33. Access Control - MQ API Security
Queue Security
Profiles are held in the MQQUEUE or MXQUEUE class and look like
hlq.resourcename
In the MXQUEUE class 'resourcename' can be mixed case
A profile can protect
● a single Local queue on a local Qmgr
● several Local queues of the same name on different Shared qmgrs in a QSG
● a single Shared queue in a QSG
● a remote qmgr for fully qualified Remote Queues
except cluster queues!
34. Access Control - MQ API Security - Queues
Access required to the profile is dependent upon the MQOPEN, MQPUT1, or MQSUB options
Option                                        Access required
Inquire, browse                               READ
Set                                           ALTER
All others (including all context options)    UPDATE
DEFINE SUB command can cause a security check against a queue to take place
Access granularity on z/OS is different to that on distributed platforms; it is not as granular.
MQGET has the same access as MQPUT, so if you need to distinguish between 'putters' and 'getters' you can use alias queues to do this.
35. Access Control - MQ API Security - Queues
Queues that may require additional consideration
Dynamic queues
MQOPEN for dynamic queues requires access to multiple profiles: Model queue profile and Dynamic queue profile
MQCLOSE checking for permanent dynamic queues
Alias Queues
Alias queues that resolve to topics are different to Alias queues that resolve to queues
Dead Letter Queues
System Queues
Remote Queues
Managed Queues
No security checks
36. Access Control - MQ API Security - Topics
Topic Security
Profiles are held in the MXTOPIC class and look like
hlq.SUBSCRIBE.resourcename
hlq.PUBLISH.resourcename
In the MXTOPIC class 'resourcename' can be mixed case
Checks take place
● When an application Subscribes or Publishes to a Topic using an MQSUB, MQOPEN or MQPUT1
● When an application close removes a subscription using an MQCLOSE
37. Access Control - MQ API Security - Topics
Access required to the profile is dependent upon the MQSUB options:
Option             Access required
Resume             READ
Create or Alter    ALTER
It is the nearest parent Topic object that has security associated with it that is checked; this may involve more than one check, depending on the structure of the topic tree
38. Access control - MQ API Security
MQADMIN or MXADMIN class - the profiles look like
hlq.CONTEXT.queuename
Controls access to MQMD context fields
Access required to profile is dependent upon which context options are requested on the MQOPEN or MQPUT1 call
Determines if the MQSD context fields are used on MQSUB
In MXADMIN 'queuename' can be mixed case
hlq.ALTERNATE.USER.alternateuserid
Controls the use of an alternate userid
To use an alternate userid you need UPDATE access to the appropriate profile. You should have one profile per Queue Manager or QSG per alternate userid
In MXADMIN alternate userid profiles are always uppercase
39. Access Control - API Security - Userids
All API access control is userid based and Userids are environment dependent
Batch - Job Userid
CICS - Address space userid, Transaction userid
IMS - Address space userid, 'Second' userid
Mover - Channel Userid, MCA Userid
IGQ - Intra-group Queuing Userid, Sending Queue Manager Userid
All have the possibility of using an Alternate Userid too
● the userid from the MQMD UserIdentifier field of the message
● the userid from the MQSD AlternateUserid field on an MQSUB request
RESLEVEL profile controls number of userids checked
40. How to read User ID Tables
[Annotated sample table. Callout 1: the question used to choose the column, "Alternate Userid specified on Open or Sub?" (NO / YES). Callout 2: RESLEVEL determines the number of checks (1 check / 2 checks). Callout 3: the key details the actual user IDs. Profile name rows: ssid.ALTERNATE.USER.alternateuserids, ssid.CONTEXT.queuename, ssid.resourcename; cells contain ID1, ID1+ID2 or ID1+ALT.]
RESLEVEL to determine number of checks
RACF access level    Level of checking
NONE                 Check two userids
READ                 Check one userid
UPDATE               Check one userid
CONTROL              No Check
ALTER                No Check
41. Access Control - Userids - Channel Security
Choice dependent on PUTAUT (DEF|CTX|ONLYMCA|ALTMCA)
MCA User ID (MCA)
The userid specified for the MCAUSER channel attribute at the receiver; if blank, the channel initiator address space userid of the receiver or requester side. Can also be set by CHLAUTH records.
Channel user ID (CHL)
Receiving channel using TCP/IP
Userid of the channel initiator address space of the receiver or requester end if PUTAUT parameter set to DEF or CTX.
Receiving channel using APPC (LU6.2)
Requester/server channels - started from the requester, the userid of the Channel Initiator address space of the receiver or requester end is used
Other channel types - the userid received from the communications system is used. If the userid received is blank, or no userid is received, then a channel userid of blank is used.
42. Access Control - Userids - Channel Security
Channel user ID (CHL) cont.
● MCA Userid of the receiver or requester is used if PUTAUT set to ONLYMCA or ALTMCA.
● SSL derived Userid if SSL is set on channel
Alternate User ID (ALT)
● The userid specified in the UserIdentifier field in the message descriptor of the message
43. Userids - Client Channel Security
Choice dependent on PUTAUT
MCA User ID (MCA)
● The userid specified for the MCAUSER channel attribute of the server-connection; if blank, the user received from the client is used; if none sent, the channel initiator address space userid is used. Can also be set by CHLAUTH records.
● The client will send the logged on user ID.
For 'old' clients user ID provided with MQ_USER_ID environment variable
For Java use MQEnvironment.userID
Channel user ID (CHL)
● As for MCA channels
Alternate User ID (ALT)
● The userid specified in the UserIdentifier field in the message descriptor of the message
44. Access Control - Userids - IGQ security
IGQAUT (DEF|CTX|ONLYIGQ|ALTIGQ)
Intra-Group Queuing user ID (IGQ)
● The user ID determined by the IGQUSER attribute of the receiving queue manager.
If this is set to blanks, the user ID of the receiving queue manager is used. However, because the receiving queue manager has authority to access all queues defined to it, security checks are not performed from the receiving queue manager's user ID.
Sending queue manager user ID (SND)
● The user ID of the queue manager within the queue-sharing group that put the message on to the SYSTEM.QSG.TRANSMIT.QUEUE
Alternate User ID (ALT)
● The user ID specified in the UserIdentifier field in the message descriptor of the message
45. MQ Command Security - Two Types
MQCMDS class - profiles look like
● hlq.verb.pkw
e.g.
● hlq.DEFINE.QLOCAL
● hlq.DEFINE.CHANNEL
Access required to profile depends upon the verb and is usually ALTER or CONTROL
Controls who is allowed to issue each individual command
Profiles always uppercase
MQSC and PCF
MQADMIN or MXADMIN class - command resource profiles look like
● hlq.type.resourcename
e.g.
● hlq.QUEUE.queuename
● hlq.CHANNEL.channelname
Access required to profile depends upon the verb and is usually ALTER or CONTROL
Controls which resources a user can issue given commands against
'resourcename' can be mixed case in MXADMIN
MQSC and PCF
Together they allow very granular control over MQ commands
46. Access control - Command Security - Userids..
Command checking, Cmd Resource checking
● CSQINP1 & CSQINP2 - no checks
● System Command Queue - MQMD.UserIdentifier
● Console - Console userid
● SDSF/TSO - TSO, address space userid
● CSQUTIL - address space userid
● CSQINPX - Channel Initiator address space userid
Access required to system queues
47. WebSphere MQ Security - Link Level Security - Solutions
Security Problems
● Eavesdropping
● Tampering
● Impersonation
[Diagram. Labels: Plaintext, Symmetric Key Cryptography, Asymmetric Keys (Alice's private and public keys), Hash Function, Digital Certificates (Alice's Digital Certificate, CA Sig), CRL checking, SSL.]
Using WebSphere MQ
SSLCIPH(RC4_MD5_US)
SSLKEYR(QM1KEYRING)
SSLPEER('O=IBM')
SSLCAUTH(REQUIRED)
SSLCRLNL(LDAPNL)
51. Administration - MQ Commands - DISPLAY
DISPLAY SECURITY ALL|INTERVAL|SWITCHES|TIMEOUT
Displays the current security settings active on your queue manager.
Includes a message which will show either:
CSQH001I !MQ19 CSQHINSQ Security using uppercase classes
or
CSQH001I !MQ19 CSQHINSQ Security using mixed case classes
Shows which security switches are ON/OFF:
CSQH024I !MQ19 CSQHIS1C TOPIC security switch set ON, profile 'MQ19.NO.TOPIC.CHECKS' not found
or
CSQH021I !MQ19 CSQHIS1C TOPIC security switch set OFF, profile 'MQ19.NO.TOPIC.CHECKS' found
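A configuration audit can read the DISPLAY SECURITY messages shown above and report every switch that is OFF, together with the profile responsible. This is an added example, not part of the presentation: the sample output is constructed from the message forms on the slide (the QUEUE line follows the same pattern), and the function names are assumptions.

```python
import re

# Constructed sample of DISPLAY SECURITY output. Long messages wrap onto a
# second line, as they do on the slide.
SAMPLE = """\
CSQH001I !MQ19 CSQHINSQ Security using uppercase classes
CSQH024I !MQ19 CSQHIS1C QUEUE security switch set ON, profile
'MQ19.NO.QUEUE.CHECKS' not found
CSQH021I !MQ19 CSQHIS1C TOPIC security switch set OFF, profile
'MQ19.NO.TOPIC.CHECKS' found
"""

MSG_ID = re.compile(r"^CSQH\d{3}[A-Z]\s")
CASE = re.compile(r"^Security using (?P<case>uppercase|mixed case) classes$")
SWITCH = re.compile(
    r"^(?P<switch>.+?) security switch set (?P<state>ON|OFF), "
    r"profile '(?P<profile>[^']+)' (?P<found>not found|found)$")


def unwrap(text):
    """Join continuation lines onto the message they belong to."""
    messages = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if MSG_ID.match(line) or not messages:
            messages.append(line)          # a new CSQHnnnX message starts here
        else:
            messages[-1] += " " + line     # wrapped remainder of the message
    return messages


def audit_display_security(text):
    """Return the class case in use and the switches that are ON and OFF."""
    report = {"case": None, "on": [], "off": []}
    for msg in unwrap(text):
        parts = msg.split(None, 3)         # id, command prefix, CSECT, text
        if len(parts) < 4:
            continue
        body = parts[3]
        m = CASE.match(body)
        if m:
            report["case"] = m["case"]
            continue
        m = SWITCH.match(body)
        if m:
            report[m["state"].lower()].append((m["switch"], m["profile"]))
    return report


if __name__ == "__main__":
    result = audit_display_security(SAMPLE)
    print("classes:", result["case"])
    for switch, profile in result["off"]:
        print(f"WARNING: {switch} security is OFF because {profile} is defined")
```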
52. Administration - MQ Commands - REFRESH
REFRESH SECURITY(*|MQADMIN,MQQUEUE,MQPROC,MQNLIST,MXADMIN,MXQUEUE,MXPROC,MXNLIST,MXTOPIC) TYPE(CLASSES|AUTHSERV|SSL|CONNAUTH)
Command qualifier
* - default
TYPE
CLASSES - default on z/OS
AUTHSERV - default on non z/OS platforms
SSL - refreshes cached view of the SSL key repository, locations of LDAP servers for Certificate Name Revocation and the key repository
CONNAUTH - refreshes the cached view of the configuration for connection authentication.
53. Administration - MQ Commands - REFRESH
You can only issue a REFRESH command for a class that matches the case that is currently set in the Queue manager SCYCASE parameter
CSQH013E !MQ19 CSQHSREF case conflict for class 'classname'
If you change information in any of the RACF MQ Classes you must issue the following
SETROPTS RACLIST(classname,classname,...) REFRESH
SETROPTS GENERIC(classname,classname,...) REFRESH
in addition to the MQ Refresh command to pick up the changes to the RACF profiles
55. Administration - Security Messages
Security Messages are issued during
Qmgr Startup
Security Messages written at startup
Refresh Security
Security messages written during Refresh
Display Security
Shortened messages issued during Display to fit in with panels
56. Administration - RESLEVEL Auditing
Reslevel Auditing
ZPARM parameter RESAUDIT(YES/NO)
Determines whether a RACF RACROUTE REQUEST=AUDIT request is performed for each RESLEVEL inquiry that takes place. This request produces General Audit records (event number 27).
60. Miscellaneous - IMS Bridge - continued...
FACILITY class
IMSXCF.xcfgname.xcfmname
1 WebSphere MQ/IMS connection security
● IMSXCF.xcfgname.WebSphere MQ_member_name
● WebSphere MQ userid requires READ access to this profile
2 IMS level of authentication - application level
● IMSXCF.xcfgname.IMS_member_name
● Security processing dependent upon WebSphere MQ's access to this profile
/SECURE OTMA
● Controls userid processing done by IMS
WebSphere MQ system parameters
● CSQ6SYSP ... OTMACON=(,,,Age,)
61. Miscellaneous - IMS Bridge - continued...
PassTickets
● The PassTicket application name to validate against is specified on the storage class definition (PASSTKTA of STGCLASS)
● If no value is specified then no value is passed to RACF
● As the storage class definition is QSGDISP(LOCAL), the value is taken from the Qmgr, so for Shared Queues each Qmgr can specify the same or a different value
● Application name can be anything acceptable to RACF - as per rules of PTKTDATA class
62. Miscellaneous - CICS 3270 Bridge
Userid/Password supplied to 3270 transaction
Password verified if present
Surrogate checking otherwise
[Diagram. Labels: WebSphere MQ, CICS/TS, BRIDGE MONITOR, 3270 TRAN, Unit of Work, TERMINAL CONTROL CMDS, INQ/SET TERMINAL, Bridge Exit, Formatter, Browse, Reply, MQGET, START BREXIT( ... ) TRANSID( ... ), BRIDGE FACILITY.]