Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
1
®
IBM Software Group
© IBM Corporation
End to end security for WebSphere MQ
An Introduction to WebSphere MQ Extended Security Edition
Carl Farkas
IBM SW TechWorks zWebSphere
Paris, France
IBM Software Group
2
Agenda
� Problem statement
� Introduction and product overview
� Architecture review
� Implementation details
� Product administration
� Conclusion
2
IBM Software Group
Robbing the bank - yesterday
IBM Software Group
Robbing the bank – today
Queues
Customer
Application
Customer
Application
Queues
QM QM
B a d G u y
Familiar Threats,Different Environment
Internet
Extranet
Intranet
001110010100001 001110010100001
01110011
3
IBM Software Group
Controlling access to data - What organisations want
� Authentication
� Authorisation / Control
� Integrity
� Privacy
� Audit trail
� Centrally managed
� Availability
IBM Software Group
6
What do we need for MQ?To provide end to end security for the MQ network
AAA
� Authentication of users into the network
� Authorisation of their access to queues / queue managers
� Can’t access messages you are not authorised to
� Keeping an Audit trail of which queues have been accessed and by whom
Protect message payloads
� When messages are on queues or in transit
� Do not allow message data to be tampered with
� Know without a doubt, the sender of a message
Centrally managed
4
IBM Software Group
7
What WMQ Provides Today
� Users are based on Operating System ID
�Users are unique to machines and not across the enterprise
�No passwords are used for authorisation
�Not 100% secure
� SSL channels
�Protects messages in transit
�Messages at rest are in the clear
� Object Authority Manager (OAM) / RACF limits access to resources
�OAM is on a per machine basis, hard to administer a large network
�RACF applies to a single sysplex
IBM Software Group
WebSphere MQ - native
MQ
PU
T
MQ
GE
T
MQ
OPE
N
MQ
CO
NN
Queue Manager
OAM
OK?
y/n
Queues
MCA
MQI Stub
Customer Apps
MCA
Queues
SSL here
B a d G u y
5
IBM Software Group
9
What WMQ ESE Provides beyond WMQ
� Authentication
�PKI approach to uniquely identify users
�Users are stored in a LDAP repository and map onto certificates
� Authorisation
�Users can be granted or denied access to put and get to queues
�Users can be granted access to client connect to the queue manager
�Policies centrally managed
� Auditing
�User access to queues can be audited
�The user, object name and success or failure of the access attempt are
logged
IBM Software Group
10
Other WMQ ESE Benefits� Message protection
� Users are based on certificates making them unique across enterprises
� Sign messages
� Tells us who the message came from
� Ensures that the message hasn’t been tampered with
� Can encrypt the message payload for end-to-end security
� Messages protected on the queues
� Addresses audit and other requirements of Sarbanes-Oxley
� Central Administration
� WMQ security policies, users, groups and audit levels are centrally managed
� GUI or command line interfaces
6
IBM Software Group
11
WMQ ESE Architecture
IBM Software Group
12
Methods of interception� WMQ ESE needs to intercept the application API calls to subject
them to security
� The different interfaces are:
1. WMQ applications binding locally to a distributed queue manager
2. WMQ applications binding to a z/OS queue manager
3. WMQ Client and JMS applications client side interception
4. WMQ Client and JMS applications server side interception
7
IBM Software Group
13
1. Distributed server interceptor model (API Exits)
MQ
PU
T
MQ
GE
T
MQ
OPE
N
MQ
CO
NN
Queue Manager
OAM
Code Exits
ACLs
Users
GSKit/
ACME
OK?
y/n
Queues
MCA
Customer Apps
MQ ESE Server(pdmqd)
MQ ESE
API
ExitsCertsLDAP Server
Policy ServerPolicy
Replica
??
MQI Stub
IBM Software Group
14
2. z/OS server interceptor model//CL00PUT JOB 1,MSGCLASS=H
//*
// EXEC PGM=OEMPUTX,REGION=0M,
// PARM=('-mVCT7 -N1. -X -clear -pm -s12 ')
//SYSIN DD *
-QCLASS00_NONE
-FILEDD:MSGIN
//STEPLIB DD DISP=SHR,DSN=PP.ACCMAN.V4R1.SDRQAUTH
// DD DSN=PUBVIC.V531.SCSQAUTH,DISP=SHR
// DD DSN=PUBVIC.V531.SCSQANLE,DISP=SHR
// DD DISP=SHR,DSN=PAICE.IP13.LOAD
//MSGIN DD DISP=SHR,DSN=CLASS00.TAMBI.MSGDATA(HELLO)
//SYSPRINT DD SYSOUT=*
Add TAMBI as the first library to load
8
IBM Software Group
15
3. (C or JMS) MQ Client Security Exit – Client side
MC
A
TA
MB
I inte
rcepto
r
WMQ
Queue
Manager
TAMBI
Interceptor
WMQ Apps
WMQ
C/Java
Client
WMQ
Client Apps
MQI C / JMS
MQI
MQI
WMQ ClientWMQ Server
“R” = new permission bit to allow/deny connection
TAMBI Security
Exit
IBM Software Group
16
4. (C or JMS) MQ Client Security Exit – Server side
MC
A
TA
MB
I Inte
rcepto
r
TAMBI
Security
Exit
WMQ
Queue
Manager
TAMBI
Interceptor
WMQ Apps
WMQ
C/Java
Client
WMQ
Client cert
based
SSL Channel
WMQ
Client Apps
User
Key/Cert
MQIC / JMS
SSL
MQI
MQI
WMQ ClientWMQ Server
“R” = new permission bit to allow/deny connection
9
IBM Software Group
17
WMQ ESE Administration
IBM Software Group
18
Interfaces for Administrators
� Command line interface
� Web Based GUI interface
10
IBM Software Group
19
Policy Server conceptsPDMQ
Queue
TAMBI.DEAD.QUEUE
IN.QUEUE
MYQM
Q-enc-strength
Q-sig-algorithm
Q-recipients
Qname-resolution
PKI-enc-strength
PKI-sig-algorithm
Error-handling-Q
Global
Per Queue Manager
Per Queue
OUT.QUEUE
IBM Software Group
20
Access Control Lists -(ACL)� E � Grant Put Permission
� Application can place messages onto the queue
� ACL checked on MQOPEN (in PUT mode)
� D � Grant Get Permission
� Application can retrieve messages from the queue
� ACL checked on MQOPEN (in GET mode)
� R � User is allowed to connect to the queue manager remotely
Using WBI Broker plug-in
User jon Trx
Group sales Trm[PDMQ]E
Group admin Trxmcd[PDMQ]DE
Any-other Tr
Unauthenticated T
ACL Entry
Type ID Permissions
11
IBM Software Group
21
� POPs specify the security policy for a queue or queue manager:
� The security for messages put to the queue
� None – message is sent as normal
� Integrity – Message is digitally signed by the sender
� Encrypt – Message is signed and encrypted by the sender
� The time of day that the object can be accessed
� The audit level for the queue (none, permit, deny, error, admin)
Protected Object Policies – (POP)
IBM Software Group
22
Auditing� Events recorded when specified auditable events occur at:
MQOPEN, MQPUT, MQPUT1, MQGET, MQCLOSE
� Auditing Options allow different levels of detail to be logged:
� permit: Records only successful accesses
� deny: Records only denied requests for access
� admin: Records OPEN, CLOSE, PUT, and GET operations on protected WMQ queues
� error: Records any unsuccessful GET operations
� Audit records stored as XML on distributed and SMF on z/OS
� Audit Records Include:
- AM User ID, WMQ Message ID
- Sender PKI ID (if message signed)
- Date and Time
- Encryption and Signing algorithms
12
IBM Software Group
23
WMQ ESE Auditing<event rev="1.2">
<date>2005-11-07-23:25:25.296-05:00I-----</date>
<outcome status="0">0</outcome>
<originator blade="ivadminapi"><component rev="0.1">pdmq</component>
<action>0</action>
<location>dropzone</location>
</originator>
<accessor name="mq_pki_ldap">
<principal auth="IV_LDAP_V3.0" domain="Default">jdement</principal>
</accessor>
<target resource="0"><object>/PDMQ/Queue/QM_dropzone/JEFF</object></target>
<data>
<data tag="action">MQOPEN</data>
<data tag="operation">E</data>
<data tag="result">access denied or azn check failed</data>
<data tag="qop">integrity</data>
<data tag="ProcessId">3456</data>
</data>
</event>
Queue
Use jon Trx
Group admin Trxmcd[PDMQ]DE
Any-other Tr
Unauthenticated T
IBM Software Group
24
Summary� WMQ data needs to be protected at rest and in flight
� No need to update or modify existing deployed WMQ applications.
�ESE is transparent
� Centralised administration of both access control to queues,
data protection and security audit policies
� WMQ ESE provides end to end security for WMQ networks
13
IBM Software Group
25
IBM Software Group
26
Public Private Key Cryptography
14
IBM Software Group
27
Cryptography explained – slide 1
AliceAlice
Hi BobHi Bob
AliceAlice
Hi BobHi Bob
AliceAlice
Alice
Alice
encrypt w/encrypt w/public keypublic key
E8*5%er
messagefor Bob
Bob
aN!3q*nB5+
encrypt w/encrypt w/symmetricsymmetric
keykey
Symmetrickey
b2cea738a209065
Dig
est
Dig
est
q!T4@xJ**G
q!T4@xJ**Gencrypt w/encrypt w/private keyprivate key
IBM Software Group
28
Cryptography explained – slide 2
b2cea738a209065DigestDigest
aN!3q*nB5+
E8*5%er
messagefor Bob
CA
Bob
BobBob
decrypt w/decrypt w/private keyprivate key
Hi BobHi Bob
AliceAlice
Yes, message
came from
Alice
decrypt w/decrypt w/symmetricsymmetric
keykeyq!T4@xJ**G
Hi BobHi Bob
AliceAlice
Alice
q!T4@xJ**G
Hi BobHi Bob
AliceAlice
Alice
CA
=
☺
b2cea738a209065decrypt w/decrypt w/public keypublic key