Introduction to WebSphere MQ Advanced Message Security (WMQ AMS)

Software Group


Carl Farkas, SW IOT TechWorks zWebSphere Application Integration Consultant
IBM France, D/2708 Paris, France
Internet: farkas @ fr.ibm.com    Notes: Carl Farkas/France/IBM @ IBMFR
© 2010 IBM Corporation


Agenda
• What is MQ AMS?
• Key features
• Pre-requisites and runtime environment
• Logical architecture
• Components
• Installation & configuration
• Summary



Why use message-level security?
• MQ networks: it is difficult to prove the security of messages
  – against message injection, message modification and message viewing
  – given the prevalence of sub-contractors
  – given increasing levels of partnership
• More and more data is subject to standards compliance
  – credit card data protected by PCI
  – confidential government data


What is MQ AMS?
WebSphere MQ Advanced Message Security V7.0.1
• New product, announced on 5 October 2010 (5724-Z94 for Distributed, 5655-W50 for z/OS)
• Replacement for WebSphere MQ Extended Security Edition (ESE)
• A simple "add-on" product that enhances WebSphere MQ v6 or v7
• Uses X.509 digital certificates and a Public Key Infrastructure (PKI) to protect MQ messages end-to-end
• Security policies define the level of protection required for a queue

(Diagram: the sending application puts a plain MQ message; the AMS interceptor turns it into a protected message, shown as ciphertext "&@Ja^!", which stays protected while it sits on the queue; the receiving application's interceptor turns it back into the original MQ message.)


AMS Key Features
• Secures sensitive or high-value MQ messages
  – Privacy via encryption of the message content
• Detects and removes rogue or unauthorized messages before they are processed by receiving applications
  – Authentication via certificate, above and beyond the operating system
  – Authorization to a queue, above and beyond the MQ OAM or SAF
• Verifies that messages are not modified in transit
  – Message integrity via a digital signature over the message content
• Protects messages not only when they flow across the network but also when they are at rest in queues
• Messages from existing MQ applications are transparently secured using interceptors
  – No application changes are necessary
• No pre-requisite products other than MQ


Platforms supported
• Windows (32 & 64-bit: XP Pro, Server 2003, Server 2008, Vista)
• AIX for System p (v5.3, v6.1)
• HP-UX Itanium & PA-RISC (11i v2 & v3)
• Linux for System p (64-bit; RHEL v5, SLES v9, v10, v11)
• Linux for System x (32 & 64-bit; RHEL v5, SLES v9, v10, v11)
• Linux for System z (64-bit; RHEL v5, SLES v9, v10, v11)
• Solaris for Intel x86 (64-bit, v10)
• Solaris for Sun SPARC (64-bit, v9 & v10)
• z/OS for System z (z/OS v1.8; IBM SSL v1.8 is also required)

For complete details, see: http://www.ibm.com/software/integration/wmq/advanced-message-security/reqs/


Environments supported
• MQ AMS functionality is implemented in "interceptors"
  – There are no long-running processes or daemons (except on z/OS)
• Existing MQ applications do not require changes
• Three interceptors are provided:
  1. MQ Server interceptor for local (bindings mode) MQI and Java applications
     – Implemented as a standard queue manager API exit on distributed platforms, and as a "private" API exit on z/OS
     – Requires MQ v6.0.2.8 or v7.0.0.1 as well as GSKit 7.0.4.23 (minimum versions)
     – Note that MQ v7 is required for the AMS MQ Explorer plug-in
  2. MQ Client API interceptor for remote (client mode) MQI applications
     – MQ AMS interceptor embedded in the MQ client code
     – Requires MQ v6.0.2.8 or v7.0.1.1 as well as GSKit 7.0.4.23 (minimum versions)
  3. MQ Java client interceptor for remote (client mode) MQ JMS and MQ classes for Java applications (J2EE and J2SE)
     – MQ AMS interceptor embedded in the MQ Java client code
     – Requires MQ Java v7.0.1 as well as IBM Java 1.4.2 (minimum versions)


Interceptors
(Diagram of the three interception points:)
• Server: an API exit sitting between the application's MQ API calls and the queue manager
• Client: library replacement, i.e. a replacement mqic library placed in front of the renamed original MQIC library, which talks to the queue manager's channel agent
• Java: a JMQI intercept between the JMS or Java application and the JMQI layer, which talks to the queue manager's channel agent


Logical Architecture Design – Distributed Platforms


Logical Architecture Design – z/OS
(Diagram: one part of the z/OS AMS runtime enforces policies, the other performs signature & encryption.)


Message protection policies
• Created, updated or removed with the command 'setmqspl'
• Or with the MQ AMS plug-in for MQ Explorer (GUI)
• Policies are stored in the queue 'SYSTEM.PROTECTION.POLICY.QUEUE'
• Each protected queue can have only one policy
• Two types of policy:
  – Message Integrity policy
  – Message Privacy policy
• Display policies with the command 'dspmqspl'
• "Compromised messages" are put to the queue 'SYSTEM.PROTECTION.ERROR.QUEUE'


Message integrity policies
• There are two message signing algorithms: SHA1 and MD5 (practical collision attacks on MD5 have been public since 2004, so of the two only SHA1 should be chosen)
• The list of authorized signers is optional
  – If no authorized signers are specified, any application can sign messages
  – If authorized signers are specified, only messages signed by these applications can be retrieved
  – Messages from other signers are sent to the error queue

Syntax:  setmqspl -m <queue manager name> -p <policy name, i.e. the protected queue> -s <signing algorithm> -a <authorized signer DN1> -a <authorized signer DN2> ...
Example: setmqspl -m MYQM -p MY.Q.INTEGRITY -s SHA1 -e NONE -a 'CN=cfarkas,O=ibm,C=FR'


Message privacy policy
• Encryption algorithms: RC2, DES, 3DES, AES128 and AES256 (single DES with its 56-bit key is brute-forceable and RC2 is obsolete; choose AES)
• Message privacy requires that encrypted messages are also signed
• The list of authorized signers is optional
• It is mandatory to specify at least one message recipient
• A message retrieved by an unauthorized recipient is moved to SYSTEM.PROTECTION.ERROR.QUEUE

Syntax:  setmqspl -m <queue manager name> -p <policy name> -s <signing algorithm> -e <encryption algorithm> -a <authorized signer DN1> -a <authorized signer DN2> -r <message recipient DN1> -r <message recipient DN2> ...
Example: setmqspl -m MYQM -p MY.Q.PRIVACY -s SHA1 -e AES128 -a 'CN=carl,O=ibm,C=US' -r 'CN=ginger,O=catunion,C=JP' -r 'CN=saadb,OU=WBI,O=IBM,C=FR'


Keystores and X.509 certificates
• Each MQ application producing or consuming protected messages requires access to a keystore that contains a personal X.509 (v2/v3) certificate and the associated private key
• The keystore and certificate are accessed by the MQ AMS interceptors
• Several types of keystore are supported: CMS, JKS and JCEKS
• The keystore must also contain the trusted certificates needed to validate message signers, and the certificates of message recipients, whose public keys are used to encrypt for them
• The keystore can be the same one used for MQ SSL
• MQ provides IBM Key Management (iKeyman, part of GSKit) to create and perform simple management of local keystores
• 3rd-party software is available from IBM (or others) for more robust, industrial-scale management of keystores; for IBM Tivoli Key Lifecycle Manager, see http://www.ibm.com/software/tivoli/products/key-lifecycle-mgr/


MQ AMS configuration file
• MQ AMS interceptors require a configuration file, e.g. KEYSTORE.CONF, which contains:
  – Type of keystore: CMS, JKS, JCEKS
  – Location of the keystore
  – Label of the personal certificate
  – Passwords to access the keystore and private keys (or the .sth stash file for the CMS format)
• Interceptors locate the configuration file using one of the following methods:
  – Environment variable MQS_KEYSTORE_CONF=<path to the configuration file>
  – Checking default locations and file names; platform dependent, for example on UNIX: "$HOME/.mqs/keystore.conf"


WebSphere MQ AMS – install/config example, 0
(Diagram: Alice's Sending App puts to APP.Q on queue manager AMS_QM; Bob's Receiving App gets from it.)

For a good step-by-step guide, see the AMS InfoCenter at http://publib.boulder.ibm.com/infocenter/mqams/v7r0m1/index.jsp and search for "Quick start"

WebSphere MQ AMS – install/config example, 1
(Same diagram: Alice's Sending App → APP.Q on AMS_QM → Bob's Receiving App.)
1. Install and configure the AMS interceptor

AMS installation (Windows)


AMS z/OS installation
• SMP/E installation
• Post-installation tasks
  – Update the LPA for the AMS modules
  – Authorized Program Facility (APF) authorization required
  – Program Properties Table (PPT) update
  – Possible update to the DIAG member for allocating in user storage key
• Create procedures for the two AMS tasks
• Create profiles for the STCs


WebSphere MQ AMS – install/config example, 2
(Diagram: Alice's Sending App → APP.Q on AMS_QM → Bob's Receiving App. Alice's keystore holds Alice Priv, Alice Pub and Bob Pub; Bob's keystore holds Bob Priv and Bob Pub.)
1. Install the AMS interceptor
2. Create public/private key pairs; copy the recipient's public key to the sender

Certificate management
• WebSphere MQ supplies iKeyman with GSKit
• Line-mode commands are also available (e.g. gsk7capicmd)
• On z/OS, RACF commands perform certificate management


WebSphere MQ AMS – install/config example, 3
(Diagram as before: Alice's keystore holds Alice Priv, Alice Pub and Bob Pub; Bob's keystore holds Bob Priv and Bob Pub.)
1. Install the AMS interceptor
2. Create public/private key pairs; copy the recipient's public key
3. Configure AMS

AMS configuration
1. Enable the AMS system queues
   runmqsc LOCALQM < "C:\WMQ AMS\bin\defineqs.mqs"
   (the DEFINE commands read from defineqs.mqs:)
   DEFINE QLOCAL(SYSTEM.PROTECTION.POLICY.QUEUE) MAXDEPTH(999999999) MAXMSGL(4194304) DEFSOPT(SHARED) SHARE DEFPSIST(YES)
   DEFINE QLOCAL(SYSTEM.PROTECTION.ERROR.QUEUE) MAXDEPTH(999999999) MAXMSGL(4194304) DEFSOPT(SHARED) SHARE DEFPSIST(YES)
   All valid MQSC commands were processed.

2. Activate the AMS interceptors
   cfgmqs -enable -server LOCALQM
   DRQDT3052I The IBM WebSphere MQ Advanced Message Security server interceptor has been enabled successfully

3. Set up the environment variable that points to the AMS key database configuration
   MQS_KEYSTORE_CONF=C:\AMSStuff\Carl\keystore.conf

4. Create the AMS key database configuration file, e.g. C:\AMSStuff\Carl\keystore.conf
   cms.keystore=C:/AMSStuff/Carl/carlkey
   cms.certificate=Carl_Cert
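An added example for steps 3 and 4 (written for this page, not IBM code and not from the deck): it finds keystore.conf the way the slides say the interceptors do, parses it, and checks that the CMS key database and its .sth stash exist and are not readable by other users, because the .kdb holds the private key and the stash holds the password that unlocks it. Taken from the slides: the search order (MQS_KEYSTORE_CONF, then $HOME/.mqs/keystore.conf), the cms.keystore and cms.certificate keys, and the .sth stash for CMS. Assumed, not from the slides: the key=value syntax with '#' comments, that other keystore types follow the same <type>.keystore / <type>.certificate naming, and that password entries contain "pass" in their key name (the jks.keystore_pass name used in the JKS scenario is such an assumption). The placeholder files it creates are empty stand-ins, not real key databases.

```python
"""Locate and sanity-check an MQ AMS keystore.conf.

Added example, not IBM code.  From the slides: the search order
(MQS_KEYSTORE_CONF, then $HOME/.mqs/keystore.conf), the cms.keystore and
cms.certificate keys, and that CMS keeps its password in a .sth stash file.
Assumed here: other keystore types use the same <type>.keystore /
<type>.certificate naming, and password entries contain "pass" in their key.
"""
import os
import stat
import tempfile
from pathlib import Path

KEYSTORE_TYPES = ("cms", "jks", "jceks")   # types named on the slide
CMS_SUFFIXES = (".kdb", ".sth")            # key database + GSKit password stash


def locate_conf(env, home):
    """Search order used by the interceptors: the env var wins, else the default."""
    explicit = env.get("MQS_KEYSTORE_CONF")
    return Path(explicit) if explicit else Path(home) / ".mqs" / "keystore.conf"


def parse_conf(text):
    """One key=value per line; blank lines and '#' comments are skipped (assumed syntax)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def exposed(path):
    """True when group or others may read the file (POSIX mode bits only)."""
    return os.name == "posix" and bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def check_conf(conf_path):
    """Return a list of findings; an empty list means the file looks usable."""
    conf_path = Path(conf_path)
    if not conf_path.is_file():
        return [f"config file not found: {conf_path}"]
    entries = parse_conf(conf_path.read_text())
    types = {k.split(".", 1)[0] for k in entries} & set(KEYSTORE_TYPES)
    if len(types) != 1:
        return [f"expected exactly one keystore type prefix, found {sorted(types)}"]
    ks_type = types.pop()
    findings = []
    for needed in (f"{ks_type}.keystore", f"{ks_type}.certificate"):
        if not entries.get(needed):
            findings.append(f"missing {needed}")
    # Files whose exposure gives away the private key or the password that unlocks it.
    sensitive = [conf_path] if any("pass" in k.lower() for k in entries) else []
    keystore = entries.get(f"{ks_type}.keystore")
    if keystore:
        # cms.keystore names the database without an extension, as on the slide.
        files = [Path(keystore + s) for s in CMS_SUFFIXES] if ks_type == "cms" else [Path(keystore)]
        for f in files:
            if f.is_file():
                sensitive.append(f)
            else:
                findings.append(f"{f} not found")
    findings += [f"{f} is group/world readable" for f in sensitive if exposed(f)]
    return findings


def run_scenario(store_mode=0o600, conf_mode=0o600, drop_stash=False, jks=False):
    """Build a throwaway setup from constructed, empty placeholder files and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        if jks:
            store = root / "carl.jks"       # jks.* key names beyond the two shown are assumed
            store.touch()
            os.chmod(store, store_mode)
            lines = [f"jks.keystore={store}", "jks.certificate=Carl_Cert", "jks.keystore_pass=changeit"]
        else:
            for suffix in CMS_SUFFIXES:
                if suffix == ".sth" and drop_stash:
                    continue
                store = root / f"carlkey{suffix}"
                store.touch()
                os.chmod(store, store_mode)
            lines = [f"cms.keystore={root / 'carlkey'}", "cms.certificate=Carl_Cert"]
        conf = root / "keystore.conf"
        conf.write_text("\n".join(lines) + "\n")
        os.chmod(conf, conf_mode)
        return check_conf(conf)


if __name__ == "__main__":
    print("clean CMS setup:      ", run_scenario())
    print("store world-readable: ", run_scenario(store_mode=0o644))
    print("stash missing:        ", run_scenario(drop_stash=True))
    print("JKS password in conf: ", run_scenario(jks=True, conf_mode=0o644))
```

The point of the permission check is that for JKS/JCEKS the configuration file itself carries the passwords, and for CMS the stash beside the .kdb does, so whichever file the interceptor reads the password from needs the same protection as the private key.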


WebSphere MQ AMS – install/config example, 4
(Diagram as before, now with a policy attached to APP.Q: "APP.Q: Privacy, Recipient: Bob".)
1. Install the AMS interceptor
2. Create public/private key pairs
3. Copy the recipient's public key
4. Define the protection policy for the queue (setmqspl)

Queue policy definition
• Use either the GUI or line mode:
  setmqspl -m LOCALQM -p SECRET.Q -s SHA1 -a "CN=carl,O=ibm,C=FR" -e RC2 -r "CN=Ginger,O=CatUnion,C=JP"


MQ AMS process
(Diagram: on MQOPEN the interceptor looks up the policy for the queue; on MQPUT it opens the keystore (KDB), looks up the recipient's certificate, signs and/or encrypts the message, and then issues the real MQPUT to the queue manager.)


Error handling
• AMS returns reason code 2063 (MQRC_SECURITY_ERROR) if the application tries to access (MQGET) a message for which it is not authorized:
  c:\result>amqsgbr SECRET.Q LOCALQM
  Sample AMQSGBR0 (browse) start
  LOCALQM
  MQGET ended with reason code 2063
  Sample AMQSGBR0 (browse) end
• The event is also logged in the \log\*.log file
• For destructive MQGET requests the message is also moved to SYSTEM.PROTECTION.ERROR.QUEUE, where the original message remains, prefixed with a dead-letter (DLH) header, for administrative handling


Encrypted message examples

Encrypted message (via Q alias):

  c:\result>amqsbcg SECRET.Q.ALIAS LOCALQM
  AMQSBCG0 - starts here
  **********************
  MQOPEN - 'SECRET.Q.ALIAS'
  MQGET of message number 1
  ****Message descriptor****
  StrucId : 'MD  '  Version : 2  Report : 0  MsgType : 8  Expiry : -1  Feedback : 0
  Encoding : 546  CodedCharSetId : 437  Format : '        '  Priority : 0  Persistence : 0
  MsgId : X'414D51204C4F43414C514D2020202020D403CF4C201A0402'
  CorrelId : X'000000000000000000000000000000000000000000000000'
  BackoutCount : 0  ReplyToQ : ''  ReplyToQMgr : 'LOCALQM'
  ** Identity Context **
  **** Message ****
  length - 1242 bytes
  00000000: 5044 4D51 0200 0200 6800 0000 6800 0000  'PDMQ....h...h...'
  00000010: 0800 0000 B501 0000 1100 0000 0000 0000  '................'
  00000020: 4D51 5354 5220 2020 0000 0000 0000 0000  'MQSTR   ........'
  00000030: 0000 0000 0000 0000 0000 0000 0000 0000  '................'
  00000040: 0000 0000 0000 0000 0000 0000 0000 0000  '................'
  00000050: 0000 0000 0000 0000 0000 0000 0000 0000  '................'
  00000060: 0000 0000 0000 0000 3082 046E 0609 2A86  '........0..n..*.'
  00000070: 4886 F70D 0107 03A0 8204 5F30 8204 5B02  'H........._0..[.'
  00000080: 0100 3181 D730 81D4 0201 0030 3D30 3131  '..1..0.....0=011'
  00000090: 0B30 0906 0355 0406 1302 4A50 3111 300F  '.0...U....JP1.0.'
  000000A0: 0603 5504 0A13 0843 6174 556E 696F 6E31  '..U....CatUnion1'
  000000B0: 0F30 0D06 0355 0403 1306 4769 6E67 6572  '.0...U....Ginger'
  000000C0: 0208 C1C7 B970 3999 57D6 300D 0609 2A86  '.....p9.W.0...*.'
  000000D0: 4886 F70D 0101 0105 0004 8180 649E 822A  'H...........d..*'
  000000E0: C090 A27B 16BE E9BD 916C 8F50 C239 5B9E  '...{.....l.P.9[.'
  000000F0: 5C87 4F22 2A9F 0839 6B9D C11C 27B9 53D3  '\.O"*..9k...'.S.'
  00000100: 2AC3 C929 B5D8 FB71 4D2B 8F39 A8B2 381D  '*..)...qM+.9..8.'
  00000110: 31C8 C29D 7608 0891 D6B8 744B 8012 A9DF  '1...v.....tK....'
  (dump truncated on the slide)

DLQ of encrypted message (via Q alias):

  c:\result>amqsbcg SYSTEM.PROTECTION.ERROR.QUEUE LOCALQM
  AMQSBCG0 - starts here
  **********************
  MQOPEN - 'SYSTEM.PROTECTION.ERROR.QUEUE'
  MQGET of message number 1
  ****Message descriptor****
  StrucId : 'MD  '  Version : 2  Report : 0  MsgType : 8  Expiry : -1  Feedback : 0
  Encoding : 546  CodedCharSetId : 437
  **** Message ****
  length - 1398 bytes
  00000000: 444C 4820 0100 0000 0F08 0000 5345 4352  'DLH ........SECR'
  00000010: 4554 2E51 0000 0000 0000 0000 0000 0000  'ET.Q............'
  00000020: 0000 0000 0000 0000 0000 0000 0000 0000  '................'
  00000030: 0000 0000 0000 0000 0000 0000 4C4F 4341  '............LOCA'
  00000040: 4C51 4D20 2020 2020 2020 2020 2020 2020  'LQM             '
  00000050: 2020 2020 2020 2020 2020 2020 2020 2020  '                '
  00000060: 2020 2020 2020 2020 2020 2020 2202 0000  '            "...'
  00000070: B501 0000 2020 2020 2020 2020 0B00 0000  '....        ....'
  00000080: 433A 5C57 4D51 5637 5C62 696E 5C61 6D71  'C:\WMQV7\bin\amq'
  00000090: 7370 7574 2E65 7865 2020 2020 3230 3130  'sput.exe    2010'
  000000A0: 3131 3135 3136 3236 3533 3530 5044 4D51  '111516265350PDMQ'
  000000B0: 0200 0200 6800 0000 6800 0000 0000 0000  '....h...h.......'
  000000C0: B501 0000 0600 0000 0000 0000 4D51 5354  '............MQST'
  000000D0: 5220 2020 0000 0000 0000 0000 0000 0000  'R   ............'
  000000E0: 0000 0000 0000 0000 0000 0000 0000 0000  '................'
  000000F0: 0000 0000 0000 0000 0000 0000 0000 0000  '................'
  00000100: 0000 0000 0000 0000 0000 0000 0000 0000  '................'
  00000110: 0000 0000 3082 045E 0609 2A86 4886 F70D  '....0..^..*.H...'
  00000120: 0107 03A0 8204 4F30 8204 4B02 0100 3181  '......O0..K...1.'
  00000130: D730 81D4 0201 0030 3D30 3131 0B30 0906  '.0.....0=011.0..'
  00000140: 0355 0406 1302 4A50 3111 300F 0603 5504  '.U....JP1.0...U.'
  00000150: 0A13 0843 6174 556E 696F 6E31 0F30 0D06  '...CatUnion1.0..'
  00000160: 0355 0403 1306 4769 6E67 6572 0208 C1C7  '.U....Ginger....'
  00000170: B970 3999 57D6 300D 0609 2A86 4886 F70D  '.p9.W.0...*.H...'
  (dump truncated on the slide)


Demo


Known limitations today
• Pub/Sub is not supported
• Channel data conversion is not supported
• Distribution lists are not supported
• IMS Bridge is not supported
• CICS Bridge is not supported
• Java (JMS and Java "base" classes) only supported with MQ v7
• Note that AMS increases the message length:
  – New message size = 1280 + [old message length] + (200 × [number of recipients])
• AMS usage will increase CPU requirements


Summary
WebSphere MQ Advanced Message Security V7.0.1
• New member of the WebSphere MQ family
• Protects message integrity and/or privacy
• Supports MQ v6 and v7
• Supports MQ Server, MQ Client and JMS
• "Light weight" product: no pre-requisites, easy installation, easy configuration
• Existing MQ applications do not require changes


Backup


Bibliography
• WMQ AMS InfoCenter: http://publib.boulder.ibm.com/infocenter/mqams/v7r0m1/index.jsp
• Program Directory for IBM WebSphere MQ Advanced Message Security for z/OS (GI13-0559)
• Redbook in progress


WebSphere MQ AMS: Integrity Message Format
(Diagram:)
  Original MQ Message:  Message Properties | Message Data
  AMS Signed Message:   Message Properties | PDMQ Header | PKCS #7 Envelope [ Message Data | Signature ]


WebSphere MQ AMS: Privacy Message Format
(Diagram:)
  Original MQ Message:    Message Properties | Message Data
  AMS Encrypted Message:  Message Properties | PDMQ Header | PKCS #7 Envelope [ key encrypted with the recipient's certificate | (Message Data | Signature) encrypted with that key ]
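An added example, written for this page rather than taken from IBM or the deck, that decodes the second amqsbcg dump from the "Encrypted message examples" slide and so ties the "Error handling" slide and the two message-format slides to actual bytes: the MQDLH whose Reason field is 2063, the AMS PDMQ header behind it, and the PKCS #7 EnvelopedData whose first RecipientInfo names the certificate the policy's -r DN selected, CN=Ginger,O=CatUnion,C=JP. Only the documented MQDLH layout is relied on in full. Of the PDMQ header the code uses just what both slide dumps show: the eyecatcher, the value 104 at offset 8 (in both dumps exactly the distance to the DER envelope), and the CCSID and 'MQSTR' at offsets 20 and 32, which it reads as the original message's CodedCharSetId and Format; that reading is an assumption. The DER walk stops at the recipient's issuer and serial because the slide printed only the first 0x180 of the 1398 bytes.

```python
"""Decode a message browsed from SYSTEM.PROTECTION.ERROR.QUEUE.

Added example, not IBM code.  DUMP_HEX is the first 0x180 bytes of the second
amqsbcg dump on the 'Encrypted message examples' slide (the rest of that
1398-byte message was not printed).  MQDLH is the documented dead-letter header.
Of the PDMQ header only what both dumps show is used: the eyecatcher, the 104 at
offset 8 (in both dumps the exact distance to the DER envelope), and the CCSID and
'MQSTR' at offsets 20 and 32, read here as the original CodedCharSetId/Format.
"""
import struct
DUMP_HEX = """
444C4820010000000F08000053454352 45542E51000000000000000000000000 00000000000000000000000000000000
0000000000000000000000004C4F4341 4C514D20202020202020202020202020 20202020202020202020202020202020
20202020202020202020202022020000 B501000020202020202020200B000000 433A5C574D5156375C62696E5C616D71
737075742E6578652020202032303130 31313135313632363533353050444D51 02000200680000006800000000000000
B501000006000000000000004D515354 52202020000000000000000000000000 00000000000000000000000000000000
00000000000000000000000000000000 00000000000000000000000000000000 000000003082045E06092A864886F70D
010703A082044F3082044B0201003181 D73081D4020100303D3031310B300906 0355040613024A503111300F06035504
0A1308436174556E696F6E310F300D06 03550403130647696E6765720208C1C7 B970399957D6300D06092A864886F70D
"""
MQDLH_LENGTH = 172
MQRC_NAMES = {2063: "MQRC_SECURITY_ERROR"}
OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"           # PKCS #7 envelopedData
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def text(field):
    """Fixed-width MQ CHAR field (blank- or NUL-padded) -> str."""
    return field.rstrip(b" \0").decode("ascii")

def parse_dlh(buf):
    """MQDLH; little-endian integers because Encoding 546 (0x222) means 'reversed' (x86)."""
    if buf[:4] != b"DLH ":
        raise ValueError("no MQDLH eyecatcher")
    version, reason = struct.unpack_from("<ii", buf, 4)
    encoding, ccsid = struct.unpack_from("<ii", buf, 108)
    (appl_type,) = struct.unpack_from("<i", buf, 124)          # 11 = MQAT_WINDOWS_NT
    return {"Version": version, "Reason": reason, "ReasonName": MQRC_NAMES.get(reason, "?"),
            "DestQName": text(buf[12:60]), "DestQMgrName": text(buf[60:108]),
            "Encoding": encoding, "CodedCharSetId": ccsid, "Format": text(buf[116:124]),
            "PutApplType": appl_type, "PutApplName": text(buf[128:156]),
            "PutDate": text(buf[156:164]), "PutTime": text(buf[164:172])}

def tlv(buf, off):
    """DER TLV at off -> (tag, content_start, content_end); long-form lengths handled."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def oid_str(raw):
    """DER OBJECT IDENTIFIER content -> dotted string."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def parse_name(buf, off):
    """X.501 Name -> RFC 4514 string (RDNs reversed; single-valued RDNs assumed) and end offset."""
    _, pos, end = tlv(buf, off)                     # SEQUENCE OF RelativeDistinguishedName
    rdns = []
    while pos < end:
        _, atv, rdn_end = tlv(buf, pos)             # SET OF AttributeTypeAndValue
        _, type_off, _ = tlv(buf, atv)              # SEQUENCE { type, value }
        _, oid_s, oid_e = tlv(buf, type_off)
        _, val_s, val_e = tlv(buf, oid_e)
        oid = oid_str(buf[oid_s:oid_e])
        rdns.append(f"{ATTR_NAMES.get(oid, oid)}={buf[val_s:val_e].decode('utf-8')}")
        pos = rdn_end
    return ",".join(reversed(rdns)), end

def parse_envelope(der):
    """ContentInfo -> EnvelopedData -> first KeyTransRecipientInfo (issuer and serial)."""
    tag, body, outer_end = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("envelope does not start with a SEQUENCE")
    _, oid_s, oid_e = tlv(der, body)
    content_type = oid_str(der[oid_s:oid_e])
    if content_type != OID_ENVELOPED_DATA:
        raise ValueError(f"unexpected content type {content_type}")
    _, ctx, _ = tlv(der, oid_e)                     # [0] EXPLICIT content
    _, env, _ = tlv(der, ctx)                       # EnvelopedData
    _, _, ver_e = tlv(der, env)                     # version INTEGER
    _, ris, _ = tlv(der, ver_e)                     # recipientInfos SET
    _, ri, _ = tlv(der, ris)                        # first KeyTransRecipientInfo
    _, _, rver_e = tlv(der, ri)                     # its version (0: rid is IssuerAndSerialNumber)
    _, ias, _ = tlv(der, rver_e)
    issuer, serial_off = parse_name(der, ias)
    _, ser_s, ser_e = tlv(der, serial_off)
    return {"ContentType": content_type, "EnvelopeLength": outer_end,
            "RecipientIssuer": issuer, "RecipientSerial": der[ser_s:ser_e].hex().upper()}

def decode_error_queue_message(msg):
    """MQDLH, then the AMS PDMQ header, then the PKCS #7 envelope."""
    dlh = parse_dlh(msg)
    body = msg[MQDLH_LENGTH:]
    if body[:4] != b"PDMQ":
        raise ValueError("no PDMQ eyecatcher after the MQDLH")
    hdr_len, _, _, ccsid = struct.unpack_from("<iiii", body, 8)   # 104 in both slide dumps
    env = parse_envelope(body[hdr_len:])
    return {"dlh": dlh, "envelope": env, "DumpedBytes": len(msg),
            "pdmq": {"HeaderLength": hdr_len, "OriginalCCSID": ccsid, "OriginalFormat": text(body[32:40])},
            "DeclaredLength": MQDLH_LENGTH + hdr_len + env["EnvelopeLength"]}   # amqsbcg said 1398

if __name__ == "__main__":
    for section, value in decode_error_queue_message(bytes.fromhex(DUMP_HEX)).items():
        print(f"{section}: {value}")
```

Two things a practitioner can take from the output. First, a consumer that gets 2063 has not lost the message: it is on the error queue behind an MQDLH whose Reason is that same 2063, with DestQName SECRET.Q and the putting application's path and timestamp, and the RecipientInfo says which certificate (CN=Ginger, serial C1C7B970399957D6) the content key was encrypted for, without needing any private key. Second, the privacy policy hides only the payload: the original Format 'MQSTR' and CCSID in the PDMQ header and the recipient's issuer DN and serial in the envelope are readable by anyone who can browse the queue, so they should not be treated as confidential.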


MQ AMS compared to MQ ESE
• Support for WebSphere MQ v6 and v7
  – Pub/Sub is not supported
  – Channel data conversion is not supported
  – Distribution lists are not supported
• IBM Tivoli software is no longer a pre-requisite
• Full MQ Java support (J2EE and J2SE)
  – MQ JMS 1.0.2 and 1.1
  – MQ classes for Java
• Support for asynchronous consumers (MQ V7)
• Support for message properties (MQ V7)
• Authentication and authorization are delegated to MQ
  – MQ SSL and security exits
  – MQ OAM
• MQ AMS plug-in for MQ Explorer for policy administration
• MQ AMS command-line tools for policy administration


WMQ + ESE 6 Architecture
(Diagram: MQ Server, Java and Client applications each pass through an intercept (API Intercept, JMS Intercept, Client Intercept) that uses a Key Store and the PDMQD daemon; PDMQD relies on a TAM Client, an LDAP Client and the Tivoli Library, which ask the TAM Server machine (TAM, DB2, LDAP, WAS for GUI admin) "OK?" and receive y/n before the message reaches the Queue Manager with its Object Authority Manager and MCA.)

WMQ + AMS v7.0.1 Architecture Changes
(Diagram: the same picture, with the components AMS no longer needs highlighted: the PDMQD daemon, TAM Client, LDAP Client and Tivoli Library on the MQ machine, and the whole TAM Server machine (TAM, DB2, LDAP, WAS GUI admin) with its "OK?"/y/n round trip. The intercepts and the Key Store remain in front of the Queue Manager, Object Authority Manager and MCA.)

Migration considerations
• MQ AMS can coexist with MQ ESE
• Migration of MQ V6 to MQ V7 should be done after the migration to MQ AMS
• Pre-migration:
  – Install MQ AMS
  – Create the MQ AMS system queues
  – Configure MQ AMS policies mapped from the TAM policies before migration
  – MQ AMS policies can be created in toleration mode: policies are applied where possible, otherwise unprotected messages are accepted
  – Prepare keystores and certificates for MQ AMS
  – Create the MQ AMS configuration files
• On migration day:
  – Disable the MQ ESE interceptors, then enable the MQ AMS interceptors (application and queue manager restarts are required)
• Post-migration:
  – Un-configure the MQ ESE interceptors
  – Uninstall MQ ESE
  – Migrate MQ v6.0 to v7.0
