IBM Software Group
© IBM Corporation
End to end security for WebSphere MQ
An Introduction to WebSphere MQ Extended Security Edition
Carl Farkas
IBM SW TechWorks zWebSphere
Paris, France
[email protected]
Agenda
• Problem statement
• Introduction and product overview
• Architecture review
• Implementation details
• Product administration
• Conclusion
Robbing the bank - yesterday

Robbing the bank – today
Familiar threats, different environment
[Diagram: a customer application puts to queues on one queue manager (QM) and a second customer application gets from queues on another QM; the message bits travel across the Internet, an extranet and the intranet, and a "Bad Guy" sits on the path.]
Controlling access to data - What organisations want
• Authentication
• Authorisation / Control
• Integrity
• Privacy
• Audit trail
• Centrally managed
• Availability
What do we need for MQ? To provide end to end security for the MQ network
AAA
• Authentication of users into the network
• Authorisation of their access to queues / queue managers
• Can't access messages you are not authorised to
• Keeping an audit trail of which queues have been accessed and by whom
Protect message payloads
• When messages are on queues or in transit
• Do not allow message data to be tampered with
• Know without a doubt the sender of a message
Centrally managed
What WMQ Provides Today
• Users are based on operating system ID
  - Users are unique to machines, not across the enterprise
  - No password is checked for authorisation: the queue manager trusts the OS identity the application presents
  - Not 100% secure: a client application simply asserts a user ID, and the same ID on another machine carries the same authority
• SSL channels
  - Protect messages in transit
  - Messages at rest are in the clear
• Object Authority Manager (OAM) / RACF limits access to resources
  - OAM is on a per machine basis, hard to administer in a large network
  - RACF applies to a single sysplex
WebSphere MQ - native
[Diagram: customer applications issue MQCONN, MQOPEN, MQPUT and MQGET through the MQI stub; the queue manager asks the OAM "OK? y/n" before granting access to the queues; messages flow MCA to MCA over the channel, and SSL protects them only there ("SSL here"), while a "Bad Guy" sits on the path.]
What WMQ ESE Provides beyond WMQ
• Authentication
  - PKI approach to uniquely identify users
  - Users are stored in an LDAP repository and map onto certificates
• Authorisation
  - Users can be granted or denied access to put to and get from queues
  - Users can be granted access to client connect to the queue manager
  - Policies centrally managed
• Auditing
  - User access to queues can be audited
  - The user, object name and success or failure of the access attempt are logged
Other WMQ ESE Benefits
• Message protection
  - Users are based on certificates, making them unique across enterprises
  - Sign messages
    - Tells us who the message came from
    - Ensures that the message hasn't been tampered with
  - Can encrypt the message payload for end-to-end security
  - Messages protected on the queues
  - Addresses audit and other requirements of Sarbanes-Oxley
• Central Administration
  - WMQ security policies, users, groups and audit levels are centrally managed
  - GUI or command line interfaces
WMQ ESE Architecture

Methods of interception
• WMQ ESE needs to intercept the application API calls to subject them to security
• The different interfaces are:
  1. WMQ applications binding locally to a distributed queue manager
  2. WMQ applications binding to a z/OS queue manager
  3. WMQ Client and JMS applications, client side interception
  4. WMQ Client and JMS applications, server side interception
1. Distributed server interceptor model (API Exits)
[Diagram: customer applications issue MQCONN, MQOPEN, MQPUT and MQGET through the MQI stub; MQ ESE API exits (code exits) in the queue manager call the MQ ESE server (pdmqd), which checks the user against the ACLs held in a local policy replica and uses GSKit/ACME for certificate operations; users and certificates come from the LDAP server and policies from the Policy Server; the queue manager still consults the OAM ("OK? y/n") before giving access to the queues and the MCA.]
2. z/OS server interceptor model
//CL00PUT JOB 1,MSGCLASS=H
//*
// EXEC PGM=OEMPUTX,REGION=0M,
// PARM=('-mVCT7 -N1. -X -clear -pm -s12 ')
//SYSIN DD *
-QCLASS00_NONE
-FILEDD:MSGIN
//STEPLIB DD DISP=SHR,DSN=PP.ACCMAN.V4R1.SDRQAUTH
// DD DSN=PUBVIC.V531.SCSQAUTH,DISP=SHR
// DD DSN=PUBVIC.V531.SCSQANLE,DISP=SHR
// DD DISP=SHR,DSN=PAICE.IP13.LOAD
//MSGIN DD DISP=SHR,DSN=CLASS00.TAMBI.MSGDATA(HELLO)
//SYSPRINT DD SYSOUT=*
Add the TAMBI library (SDRQAUTH) as the first library to load in STEPLIB, ahead of the WMQ SCSQAUTH and SCSQANLE libraries
3. (C or JMS) MQ Client Security Exit – Client side
[Diagram: on the WMQ client, the C or JMS client application issues MQI calls through the WMQ C/Java client; the TAMBI security exit and TAMBI interceptor run on the client side, in front of the channel to the MCA on the WMQ server; on the server, local WMQ apps pass through the TAMBI interceptor into the WMQ queue manager.]
"R" = new permission bit to allow/deny connection
4. (C or JMS) MQ Client Security Exit – Server side
[Diagram: the client application's MQI calls travel over a client-certificate based SSL channel from the WMQ C/Java client to the MCA on the WMQ server; the user's key/certificate lives on the client; the TAMBI security exit at the MCA and the TAMBI interceptor in front of the WMQ queue manager enforce policy on the server side, for local WMQ apps and client apps alike.]
"R" = new permission bit to allow/deny connection
WMQ ESE Administration

Interfaces for Administrators
• Command line interface
• Web based GUI interface
Policy Server concepts
[Diagram: the PDMQ protected object space, /PDMQ/Queue/MYQM, with the queues IN.QUEUE, OUT.QUEUE and TAMBI.DEAD.QUEUE beneath the queue manager. Policy attributes are attached at three scopes (global, per queue manager, per queue): Q-enc-strength, Q-sig-algorithm, Q-recipients, Qname-resolution, PKI-enc-strength, PKI-sig-algorithm and Error-handling-Q.]
Access Control Lists (ACL)
• E: Grant Put permission
  - Application can place messages onto the queue
  - ACL checked on MQOPEN (in PUT mode)
• D: Grant Get permission
  - Application can retrieve messages from the queue
  - ACL checked on MQOPEN (in GET mode)
• R: User is allowed to connect to the queue manager remotely
  - Using WBI Broker plug-in
ACL entry example:
  Type             ID      Permissions
  User             jon     Trx
  Group            sales   Trm[PDMQ]E
  Group            admin   Trxmcd[PDMQ]DE
  Any-other                Tr
  Unauthenticated          T
Permissions before the bracket are the standard Access Manager bits (T traverse, r read, x execute, m modify, c control, d delete); those after [PDMQ] are the MQ action group bits E, D and R defined above.
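Worked example, added here and not part of the original deck or of the TAM/TAMBI product: a small evaluator for the permission strings in the table above. It parses entries such as Trxmcd[PDMQ]DE into the standard bits and the [PDMQ] action group, then answers put/get/connect questions for invented callers. The precedence it applies (an explicit user entry wins outright; otherwise the union of all matching group entries; otherwise any-other; an unauthenticated caller gets the unauthenticated entry ANDed with any-other) is an assumption modelled on Access Manager's ACL evaluation rules, and the user and group memberships are made up for the example.

```python
"""Evaluate WMQ ESE (Tivoli Access Manager) ACL entries such as 'Trxmcd[PDMQ]DE'.

Added example for this deck, not product code. Bits before '[' are the standard
Access Manager permissions (T traverse, r read, x execute, m modify, c control,
d delete); bits after '[PDMQ]' belong to the MQ action group (E put, D get,
R client connect). The precedence in effective_permissions() is an assumption
modelled on Access Manager's ACL evaluation.
"""

# ACL from the slide: (entry type, id, permission string)
SLIDE_ACL = [
    ("user", "jon", "Trx"),
    ("group", "sales", "Trm[PDMQ]E"),
    ("group", "admin", "Trxmcd[PDMQ]DE"),
    ("any-other", None, "Tr"),
    ("unauthenticated", None, "T"),
]

PDMQ_BITS = {"put": "E", "get": "D", "connect": "R"}


def parse_permissions(perm):
    """Split a permission string into {'primary': {...}, '<action-group>': {...}}."""
    groups, current, i = {"primary": set()}, "primary", 0
    while i < len(perm):
        if perm[i] == "[":                      # start of an action group name
            close = perm.index("]", i)
            current = perm[i + 1:close]
            groups.setdefault(current, set())
            i = close + 1
        else:
            groups[current].add(perm[i])
            i += 1
    return groups


def _union(perm_strings):
    merged = {}
    for perm in perm_strings:
        for group, bits in parse_permissions(perm).items():
            merged.setdefault(group, set()).update(bits)
    return merged


def effective_permissions(acl, user=None, groups=(), authenticated=True):
    """Pick the ACL entries that apply to a caller and merge their bits.

    Assumed precedence: explicit user entry > union of matching group entries
    > any-other; unauthenticated callers get unauthenticated AND any-other.
    """
    entries = {(kind, ident): perm for kind, ident, perm in acl}
    any_other = entries.get(("any-other", None), "")
    if not authenticated:
        unauth = _union([entries.get(("unauthenticated", None), "")])
        other = _union([any_other])
        return {g: bits & other.get(g, set()) for g, bits in unauth.items()}
    if ("user", user) in entries:
        return _union([entries[("user", user)]])
    matching = [entries[("group", g)] for g in groups if ("group", g) in entries]
    return _union(matching if matching else [any_other])


def is_allowed(acl, operation, user=None, groups=(), authenticated=True):
    """True when the caller holds the [PDMQ] bit for 'put', 'get' or 'connect'."""
    eff = effective_permissions(acl, user, groups, authenticated)
    return PDMQ_BITS[operation] in eff.get("PDMQ", set())


if __name__ == "__main__":
    # Invented callers, evaluated against the slide's ACL.
    callers = [
        ("jon (user entry, also in sales)", dict(user="jon", groups=["sales"])),
        ("ann in sales", dict(user="ann", groups=["sales"])),
        ("ops in admin", dict(user="ops", groups=["admin"])),
        ("guest, no groups", dict(user="guest")),
        ("unauthenticated", dict(authenticated=False)),
    ]
    for who, kwargs in callers:
        verdict = {op: is_allowed(SLIDE_ACL, op, **kwargs) for op in PDMQ_BITS}
        print(f"{who:34} {verdict}")
```

Note what the user entry does to jon: because his explicit entry Trx carries no [PDMQ] bits, he cannot put even though the sales group he belongs to can; an explicit user entry is a complete override, not a supplement, so it is a common way to accidentally lock a user out.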
Protected Object Policies (POP)
• POPs specify the security policy for a queue or queue manager:
  - The security for messages put to the queue
    - None: message is sent as normal
    - Integrity: message is digitally signed by the sender
    - Encrypt: message is signed and encrypted by the sender
  - The time of day that the object can be accessed
  - The audit level for the queue (none, permit, deny, error, admin)
Auditing
• Events are recorded when specified auditable events occur at MQOPEN, MQPUT, MQPUT1, MQGET, MQCLOSE
• Auditing options allow different levels of detail to be logged:
  - permit: records only successful accesses
  - deny: records only denied requests for access
  - admin: records OPEN, CLOSE, PUT and GET operations on protected WMQ queues
  - error: records any unsuccessful GET operations
• Audit records are stored as XML on distributed platforms and in SMF on z/OS
• Audit records include:
  - AM user ID, WMQ message ID
  - Sender PKI ID (if the message is signed)
  - Date and time
  - Encryption and signing algorithms
WMQ ESE Auditing
<event rev="1.2">
<date>2005-11-07-23:25:25.296-05:00I-----</date>
<outcome status="0">0</outcome>
<originator blade="ivadminapi"><component rev="0.1">pdmq</component>
<action>0</action>
<location>dropzone</location>
</originator>
<accessor name="mq_pki_ldap">
<principal auth="IV_LDAP_V3.0" domain="Default">jdement</principal>
</accessor>
<target resource="0"><object>/PDMQ/Queue/QM_dropzone/JEFF</object></target>
<data>
<data tag="action">MQOPEN</data>
<data tag="operation">E</data>
<data tag="result">access denied or azn check failed</data>
<data tag="qop">integrity</data>
<data tag="ProcessId">3456</data>
</data>
</event>
Queue ACL shown alongside the event (a denied MQOPEN for operation E, i.e. put, on /PDMQ/Queue/QM_dropzone/JEFF):
  Type             ID      Permissions
  User             jon     Trx
  Group            admin   Trxmcd[PDMQ]DE
  Any-other                Tr
  Unauthenticated          T
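Worked example, added here and not part of the original deck or of the product: a parser for the XML audit record above that flattens each event into the fields an analyst wants (user, queue manager, queue, API call, [PDMQ] operation, quality of protection, permit or deny) and counts denials per user and queue. The first record is the one on the slide; the second record (user jon, a permitted MQGET open on /PDMQ/Queue/MYQM/IN.QUEUE) is constructed for the example, and its result text is a guess, so the permit/deny test keys off the words "denied" or "failed" rather than an exact string.

```python
"""Parse WMQ ESE XML audit events and pull out who did what to which queue.

Added example for this deck, not product code. The first record is the event
shown on the slide; the second is constructed (its 'result' wording is a guess),
so permit/deny is inferred from the words 'denied'/'failed' in the result text.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_AUDIT = """<events>
<event rev="1.2">
<date>2005-11-07-23:25:25.296-05:00I-----</date>
<outcome status="0">0</outcome>
<originator blade="ivadminapi"><component rev="0.1">pdmq</component>
<action>0</action>
<location>dropzone</location>
</originator>
<accessor name="mq_pki_ldap">
<principal auth="IV_LDAP_V3.0" domain="Default">jdement</principal>
</accessor>
<target resource="0"><object>/PDMQ/Queue/QM_dropzone/JEFF</object></target>
<data>
<data tag="action">MQOPEN</data>
<data tag="operation">E</data>
<data tag="result">access denied or azn check failed</data>
<data tag="qop">integrity</data>
<data tag="ProcessId">3456</data>
</data>
</event>
<event rev="1.2">
<date>2005-11-07-23:26:02.110-05:00I-----</date>
<outcome status="0">0</outcome>
<originator blade="ivadminapi"><component rev="0.1">pdmq</component>
<action>0</action>
<location>dropzone</location>
</originator>
<accessor name="mq_pki_ldap">
<principal auth="IV_LDAP_V3.0" domain="Default">jon</principal>
</accessor>
<target resource="0"><object>/PDMQ/Queue/MYQM/IN.QUEUE</object></target>
<data>
<data tag="action">MQOPEN</data>
<data tag="operation">D</data>
<data tag="result">access permitted</data>
<data tag="qop">none</data>
<data tag="ProcessId">4120</data>
</data>
</event>
</events>"""

# [PDMQ] action-group letters as they appear in the 'operation' field
OPERATIONS = {"E": "put", "D": "get", "R": "connect"}


def parse_audit(xml_text):
    """Return one flat dict per <event>; fields that are absent come back as None."""
    records = []
    for ev in ET.fromstring(xml_text).iter("event"):
        # the inner <data tag="..."> elements carry the MQ-specific detail
        fields = {d.get("tag"): (d.text or "") for d in ev.iter("data") if d.get("tag")}
        principal = ev.find("accessor/principal")
        path = ev.findtext("target/object", default="").strip("/").split("/")
        result = fields.get("result", "").lower()
        records.append({
            "time": ev.findtext("date", default=""),
            "user": principal.text if principal is not None else None,
            "auth_method": principal.get("auth") if principal is not None else None,
            "queue_manager": path[2] if len(path) > 2 else None,   # /PDMQ/Queue/<qm>/<queue>
            "queue": path[3] if len(path) > 3 else None,
            "api_call": fields.get("action"),
            "operation": OPERATIONS.get(fields.get("operation"), fields.get("operation")),
            "qop": fields.get("qop"),
            "pid": fields.get("ProcessId"),
            "denied": ("denied" in result) or ("failed" in result),
        })
    return records


def denied_by_user_and_queue(records):
    """Count denied accesses per (user, queue): the first thing to triage."""
    return Counter((r["user"], r["queue"]) for r in records if r["denied"])


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for r in recs:
        print(f'{r["time"]} {r["user"]:8} {r["api_call"]} {r["operation"]:7} '
              f'{r["queue_manager"]}/{r["queue"]} qop={r["qop"]} denied={r["denied"]}')
    print(denied_by_user_and_queue(recs))
```

The object path is the same /PDMQ/Queue/<queue manager>/<queue> hierarchy used by the ACLs and POPs, so the queue manager and queue names fall straight out of the target element without any lookup.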
Summary
• WMQ data needs to be protected at rest and in flight
• No need to update or modify existing deployed WMQ applications
  - ESE is transparent
• Centralised administration of access control to queues, data protection and security audit policies
• WMQ ESE provides end to end security for WMQ networks
Public Private Key Cryptography
Cryptography explained – slide 1
[Diagram: Alice sends "Hi Bob". She computes a digest of the message (b2cea738a209065) and encrypts the digest with her private key to produce the signature (q!T4@xJ**G); she encrypts the message and its signature with a one-time symmetric key (aN!3q*nB5+); and she encrypts that symmetric key with Bob's public key (E8*5%er) so that only Bob can recover it.]
Cryptography explained – slide 2
[Diagram: Bob decrypts E8*5%er with his private key to recover the symmetric key, decrypts aN!3q*nB5+ with that key to recover "Hi Bob" and the signature q!T4@xJ**G, decrypts the signature with Alice's public key (taken from her CA-issued certificate) to get b2cea738a209065, and recomputes the digest of the received message. If the two digests are equal (=, ☺), the message came from Alice and was not tampered with.]