Page 1: CTU 2017 I173 - how to transform your messaging environment to a secure messaging environment

IBM Cloud Technical University 2016
25 – 28 October 2016 | Madrid, Spain

I173
How to Transform Your Messaging Environment to a Secure Messaging Environment
Rob Parker, MQ Ecosystem

Page 2

Please Note:

• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3

© 2016 IBM Corporation

Agenda

• Aims of this presentation
  ⁻ Step by step through each security feature in MQ
  ⁻ We will take an unsecured Queue Manager and secure it
  ⁻ At the end we will have a secured Queue Manager

• Each security feature section will have:
  ⁻ What is it and why do you use it
  ⁻ Main points of the feature
  ⁻ How to configure it

Page 4

Available Security Features

• Connection Authentication
• Authorisation
• Channel Authentication
• Transport Layer Security (TLS)
• Security Exits
• AMS

Page 5

Client to Queue Manager connections (Net)

[Diagram: the checks a network client connection passes through, in the order drawn on the slide]
1. Channel Authentication (BLOCKADDR)
2. TLS
3. Channel Authentication (ADDR/USER/SSL Map)
4. Security Exit
5. Connection Authentication
6. Channel Authentication (BLOCKUSER)
7. Authorisation
Outcome: MQRC_NONE or MQRC_NOT_AUTHORIZED

Page 6

Client to Queue Manager connections (Local)

[Diagram: the same sequence of checks as drawn for a local client connection]
1. Channel Authentication (BLOCKADDR)
2. TLS
3. Channel Authentication (ADDR/USER/SSL Map)
4. Security Exit
5. Connection Authentication
6. Channel Authentication (BLOCKUSER)
7. Authorisation

Page 7

Queue Manager to Queue Manager

[Diagram: the checks a queue manager to queue manager connection passes through, in the order drawn on the slide]
1. Channel Authentication (BLOCKADDR)
2. TLS
3. Channel Authentication (ADDR/QMName/SSL Map)
4. Security Exit
5. Authorisation

Page 8

Working example

• Queue Manager: CTU
• Channel (type SVRCONN): Client.Connections
• Local Queue: Client.Data.Q

Starting state:
• Channel Authentication – Disabled
• Connection Authentication – Disabled
• MQ Administrator set on Channel MCA
• No Security Exit
• TLS not configured
• AMS not configured

Page 9

Connection Authentication

Page 10

Introduction

• Authentication is used to force clients to identify themselves.
• It is usually used in combination with authorisation.
• Connection authentication was added as a feature of MQ in version 8.

Page 11

Main features

• MQ allows you to specify levels of security for connections
  ⁻ Client and local can be set to different levels
  ⁻ Different client connections can have different levels using Channel Authentication records.
• Also allows two different user repositories to check supplied credentials against
  ⁻ Operating system (OAM)
  ⁻ LDAP Server

Page 12

Configuration

DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS)

DEFINE AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP) CONNAME('ldap1(389),ldap2(389)') LDAPUSER('CN=QMGR1') LDAPPWD('passw0rd') SECCOMM(YES)

[Diagram: Application (User2) issues MQCONNX with User1 + pwd1 over network communications to QMGR CTU; the queue manager checks the supplied credentials against either the O/S user repository (z/OS + Distributed) or an LDAP server (Distributed only)]

Page 13

Configuration

CHCKLOCL / CHCKCLNT values: NONE, OPTIONAL, REQUIRED, REQDADM

DEFINE AUTHINFO(USE.PW) AUTHTYPE(xxxxxx) CHCKLOCL(OPTIONAL) CHCKCLNT(REQUIRED) ADOPTCTX(NO)
ALTER QMGR CONNAUTH(USE.PW)
REFRESH SECURITY TYPE(CONNAUTH)

[Diagram: Application (User2) issues MQCONNX over network communications and Application (User4) issues MQCONNX over inter-process communications to QMGR CTU, which checks against the user repository; the outcomes shown are MQRC_NONE (0) and MQRC_NOT_AUTHORIZED (2035)]

Page 14

Configuration

DEFINE AUTHINFO(USE.PW) AUTHTYPE(xxxxxx) CHCKCLNT(OPTIONAL) ADOPTCTX(NO)

SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)

SET CHLAUTH('*') TYPE(SSLPEERMAP) SSLPEER('CN=*') USERSRC(CHANNEL) CHCKCLNT(ASQMGR)

CHLAUTH CHCKCLNT values: ASQMGR, REQUIRED, REQDADM

[Diagram: Application (User2), presenting a CA-signed digital certificate, issues MQCONNX to QMGR CTU over SSL/TLS network communications and receives MQRC_NONE (0); Application (User4) issues MQCONNX over clear network communications and receives MQRC_NOT_AUTHORIZED (2035)]

Page 15

Configuration

• Procedural MQI changes:
  ⁻ MQCSP structure – Connection Security Parameters: User ID and password
  ⁻ MQCNO structure – Connection Options

/* Connection security parameters: the user ID and password to authenticate */
MQCSP csp = {MQCSP_DEFAULT};
csp.AuthenticationType = MQCSP_AUTH_USER_ID_AND_PWD;
csp.CSPUserIdPtr = "parrobe";
csp.CSPUserIdLength = 7;     /* Max: MQ_CLIENT_USER_ID_LENGTH */
csp.CSPPasswordPtr = "passw0rd";
csp.CSPPasswordLength = 8;   /* Max: MQ_CSP_PASSWORD_LENGTH */

/* Connection options: version 5 or later is needed for SecurityParmsPtr */
MQCNO cno = {MQCNO_DEFAULT};
cno.Version = MQCNO_VERSION_5;
cno.SecurityParmsPtr = &csp;

MQCONNX(QMName, &cno, &hConn, &CompCode, &Reason);

Page 16

Configuration

• Object Oriented MQ classes changes

MQEnvironment.properties = new Hashtable();
MQEnvironment.userID = "parrobe";
MQEnvironment.password = "passw0rd";
System.out.println("Connecting to queue manager");
MQQueueManager qMgr = new MQQueueManager(QMName);

• JMS/XMS classes changes

cf = getCF();
System.out.println("Creating the Connection with UID and Password");
Connection conn = cf.createConnection("parrobe", "passw0rd");

Page 17

Authorisation

Page 18

Introduction

• Authorisation is used to limit what connected applications can do.
• Authority can be given on a per group basis
  ⁻ Windows allows per user by default
  ⁻ Linux can do per user with configuration
• Authority to perform an action is given. By default a user/group will not have any authority
• Best practice is to only grant minimum required authority

Page 19

Features

• Each object in MQ can have separate authorities for each user/group
  ⁻ Additionally you can also supply a generic object name
• MQ supplies 5 tools to view and modify authority records
  ⁻ MQ Explorer
    ⁻ Display, create and alter authority records for all objects

Page 20

Tools (continued)

  ⁻ runmqsc
    ⁻ Display, create & alter authority records for all objects
  ⁻ setmqaut
    ⁻ Create & alter authority records for requested objects
  ⁻ dspmqaut
    ⁻ Displays authority records for requested objects
  ⁻ dmpmqaut
    ⁻ Outputs authority records for requested objects; the output can be fed back into the queue manager.

Page 21

Which user is used for authorization?

Method: Client machine user ID flowed to server
Notes: This will be over-ridden by anything else. Rarely do you want to trust an unauthenticated client side user ID.

Method: MCAUSER set on SVRCONN channel definition
Notes: A handy trick to ensure that the client flowed ID is never used is to define the MCAUSER as ‘rubbish’ and then anything that is not set appropriately by one of the next methods cannot connect.

Method: MCAUSER set by ADOPTCTX(YES)
Notes: The queue manager wide setting to adopt the password authenticated user ID as the MCAUSER will over-ride either of the above.

Method: MCAUSER set by CHLAUTH rule
Notes: To allow more granular control of MCAUSER setting, rather than relying on the above queue manager wide setting, you can of course use CHLAUTH rules.

Method: MCAUSER set by Security Exit
Notes: Although CHLAUTH gets the final say on whether a connection is blocked (security exit not called in that case), the security exit does get called with the MCAUSER CHLAUTH has decided upon, and can change it.

Page 22

Configuration

• Example 1: Granting clients the ability to read from the Queue
  ⁻ Here we will give the group “readers” authority to connect
  ⁻ In a command prompt
• Queue Manager to create the authority record for: -m
• Object type you are creating the authority record for: -t
• Group to give authority to: -g
• Authorities: +connect

setmqaut -m CTU -t qmgr -g readers +connect

Page 23

Configuration

• Example 1: Granting clients the ability to read from the Queue
  ⁻ Here we will give the group “readers” GET and BROWSE authority
  ⁻ In runmqsc
• Object to grant authorities for: PROFILE
• Object type: OBJTYPE
• Group to grant authority: GROUP
• Authority to add: AUTHADD

SET AUTHREC PROFILE(CLIENT.DATA.Q) OBJTYPE(QUEUE) +
    GROUP('readers') AUTHADD(GET,BROWSE)

Page 24

Channel Authentication Records

Page 25

Introduction

• Allows granular control over connections
  ⁻ Can supply a whitelist or blacklist to block or allow connections
• Can filter on:
  ⁻ SSL distinguished name (both issuer and subject)
  ⁻ Client user ID (application or final adopted)
  ⁻ Remote Queue Manager name
  ⁻ IP/Hostname
  ⁻ Blocking at channel (ADDRESSMAP) or listener (BLOCKADDR) level

Page 26

Features

• Values used in filters can be specific or generic
• Specific rules have higher precedence than generic rules
  1. Addressmap blocking ‘*’
  2. Addressmap allowing ‘127.0.0.1’
  ⁻ Any connections from 127.0.0.1 will be allowed by (2). Other connections are blocked by (1)

Page 27

Features

• When creating a Channel Authentication rule you can set it to use a different User ID for future authority checks:
  ⁻ NOACCESS – Blocks the connection regardless
  ⁻ CHANNEL – Use the User ID specified in the Channel MCA
    ⁻ If this is blank then we use the userid supplied by the application
  ⁻ MAP – Use the User ID specified in this rule.
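The decision logic of pages 21, 26 and 27 (MCAUSER precedence, specific rules beating generic ones, and USERSRC NOACCESS/CHANNEL/MAP), as an added model that is not IBM code or part of this deck. It is deliberately simplified: real MQ has more CHLAUTH rule types and a more elaborate ordering, and the octet-count specificity score, the rule and function names, and the sample addresses and user IDs are assumptions constructed for the illustration.

```python
# Added illustration for this deck (not IBM code): a simplified model of how a
# queue manager combines CHLAUTH ADDRESSMAP rules with the MCAUSER precedence
# from slide 21. Real MQ has more rule types (SSLPEERMAP, USERMAP, QMGRMAP,
# BLOCKADDR, BLOCKUSER) and a more elaborate ordering; the octet-count
# specificity used here is an assumption that captures only the slide's point
# that a specific rule beats a generic one.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class AddressMapRule:
    """SET CHLAUTH(...) TYPE(ADDRESSMAP) ADDRESS(...) USERSRC(...) [MCAUSER(...)] WARN(...)"""
    address: str           # '*', '129.1.198.*' or '127.0.0.1'
    usersrc: str           # 'NOACCESS', 'CHANNEL' or 'MAP'
    mcauser: str = ""      # only meaningful for USERSRC(MAP)
    warn: bool = False     # WARN(YES): record the match but do not block


@dataclass
class Decision:
    allowed: bool
    mcauser: Optional[str]  # user ID that later authority checks will use
    source: str             # which mechanism decided it


def address_matches(pattern: str, address: str) -> bool:
    """Octet-wise comparison; a '*' octet matches anything and a bare '*' matches all."""
    if pattern == "*":
        return True
    p_parts, a_parts = pattern.split("."), address.split(".")
    return len(p_parts) == len(a_parts) and all(
        p == "*" or p == a for p, a in zip(p_parts, a_parts))


def specificity(pattern: str) -> int:
    """Count of concrete octets: '*' -> 0, '129.1.198.*' -> 3, '127.0.0.1' -> 4."""
    return sum(1 for p in pattern.split(".") if p != "*")


def select_rule(rules: List[AddressMapRule], address: str) -> Optional[AddressMapRule]:
    """Slide 26: among the matching rules, the most specific one wins."""
    matching = [r for r in rules if address_matches(r.address, address)]
    return max(matching, key=lambda r: specificity(r.address)) if matching else None


def decide(rules: List[AddressMapRule], address: str, client_flowed_id: str,
           channel_mcauser: str = "", adopted_user: Optional[str] = None,
           security_exit: Optional[Callable[[str], str]] = None) -> Decision:
    # Slide 21, lowest precedence first: the ID the client flowed, then the
    # channel's MCAUSER, then the password-authenticated ID under ADOPTCTX(YES).
    user, source = client_flowed_id, "client flowed ID"
    if channel_mcauser:
        user, source = channel_mcauser, "channel MCAUSER"
    if adopted_user:
        user, source = adopted_user, "ADOPTCTX(YES)"

    rule = select_rule(rules, address)
    if rule is not None:
        if rule.usersrc == "NOACCESS":
            if not rule.warn:  # CHLAUTH has the final say; the exit is not called
                return Decision(False, None, f"CHLAUTH NOACCESS {rule.address}")
            source += f" (WARN: would be blocked by {rule.address})"
        elif rule.usersrc == "MAP":
            user, source = rule.mcauser, f"CHLAUTH MAP {rule.address}"
        # USERSRC(CHANNEL): keep the channel MCAUSER, or the flowed ID if it is blank (slide 27)

    if security_exit is not None:  # the exit sees CHLAUTH's choice and may change it
        new_user = security_exit(user)
        if new_user != user:
            user, source = new_user, "security exit"
    return Decision(True, user, source)


# Constructed scenario: the deck's rules (block '*', allow 127.0.0.1, block 129.1.198.*)
DECK_RULES = [
    AddressMapRule("*", "NOACCESS"),
    AddressMapRule("127.0.0.1", "CHANNEL"),
    AddressMapRule("129.1.198.*", "NOACCESS"),
]


def demo() -> dict:
    """Outcomes for constructed connections against DECK_RULES."""
    return {
        # slide 21's trick: MCAUSER 'rubbish' means a flowed ID is never trusted
        "localhost": decide(DECK_RULES, "127.0.0.1", "alice", channel_mcauser="rubbish"),
        "localhost_adopted": decide(DECK_RULES, "127.0.0.1", "alice",
                                    channel_mcauser="rubbish", adopted_user="alice"),
        "other_host": decide(DECK_RULES, "10.1.2.3", "alice"),
        "blacklisted": decide(DECK_RULES, "129.1.198.42", "alice", adopted_user="alice"),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18} allowed={d.allowed!s:5} mcauser={d.mcauser} via {d.source}")
```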

Page 28

Configuration

• Example 1: Blacklisting bad connections
  ⁻ Aim: Block connections from 129.1.198.X
• In runmqsc:
  ⁻ Channel name
  ⁻ Rule type: TYPE
  ⁻ Address to match: ADDRESS
  ⁻ Action: USERSRC
  ⁻ Warn: WARN

SET CHLAUTH('CLIENT.CONNECTIONS') TYPE(ADDRESSMAP) +
    ADDRESS('129.1.198.*') USERSRC(NOACCESS) WARN(NO)

Page 29

Configuration

• In MQ Explorer: [screenshot not reproduced]

Page 30

Transport Layer Security

Page 31

Introduction

• TLS is used for two reasons in MQ:
  ⁻ Authentication with a Queue Manager
  ⁻ Encrypting and protecting data in transit between a client or Queue Manager and the destination Queue Manager.
• Uses a certificate containing a public-private key pair in order to establish a secure link. Called an SSL Handshake.

Page 32

Features

• During the SSL Handshake, asymmetric encryption is used. Once the handshake is completed, symmetric encryption is used to transfer data.
• Channels are enabled for SSL/TLS by setting a CipherSpec. Only one CipherSpec can be used on a channel.

Page 33

Features

• A server Queue Manager must have a certificate
• A client application (or client Queue Manager) does not require a certificate.
  ⁻ But it does require a copy of the server Queue Manager’s public certificate.
• As of MQ v8 a channel can use a different certificate than the Queue Manager it is defined on.

Page 34

Tools

• MQ supplies 3 tools for your certificate and key repository management needs:
  ⁻ strmqikm (or IBM Key Management)
    ⁻ IBM JRE GUI tool for managing certificates
  ⁻ runmqckm
    ⁻ Command line tool to manage certificates – can handle JKS repositories
  ⁻ runmqakm
    ⁻ Command line tool to manage certificates – can handle Elliptic Curve certificates

Page 35

Defaults

• Default location for the Queue Manager Key Repository is <MQ Data Root>/qmgrs/<QM Name>/ssl/key.kdb
  ⁻ Can be changed using the Queue Manager SSLKEYR attribute
• Default certificate used by the Queue Manager is ibmwebspheremq<qmname>
  ⁻ Can be changed in MQ v8+ using the Queue Manager CERTLABL attribute

Page 36

Configuration

• Example 1: Setting up a Queue Manager to use SSL/TLS
• First create the Key Repository the Queue Manager will use:
  ⁻ In a command prompt:
• What we are altering: -keydb
• Action to perform: -create
• Name and location of the key repository to create: -db
• Password to access the key repository: -pw
• Tells runmqakm to stash the password, which is used by MQ: -stash

runmqakm -keydb -create -db /var/mqm/qmgrs/CTU/ssl/key.kdb -pw passw0rd -stash

Page 37

Configuration

• Example 1: Setting up a Queue Manager to use SSL/TLS
• Next create the Queue Manager’s certificate
• In a command prompt:
• What we are altering: -cert
• The action to perform: -create
• Where to store the certificate: -db
• Tells runmqakm to use the stash file to access the key repository: -stashed
• The distinguished name to give the certificate: -dn
• The label to refer to the certificate: -label

runmqakm -cert -create -db /var/mqm/qmgrs/CTU/ssl/key.kdb -stashed -dn "CN=CTU,OU=MQ,O=IBM,C=UK" -label ibmwebspheremqctu

Page 38

Configuration

• Example 1: Setting up a Queue Manager to use SSL/TLS
• Next set the Queue Manager to use the Key Repository
  ⁻ Unless you are using the defaults
• In runmqsc
• Location of the key repository to use: SSLKEYR – no file extension!
• Label of the certificate to use: CERTLABL

ALTER QMGR SSLKEYR('/var/mqm/qmgrs/CTU/ssl/key') +
    CERTLABL('ibmwebspheremqctu')

Page 39

Configuration

• Example 1: Setting up a Queue Manager to use SSL/TLS
• Finally set a channel to use SSL
  ⁻ In runmqsc
• Channel name (ALTER CHANNEL requires the channel type, SVRCONN for our working example)
• Whether to enforce mutual authentication: SSLCAUTH
• The CipherSpec to use on this channel: SSLCIPH

ALTER CHANNEL('CLIENT.CONNECTIONS') CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED) +
    SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)

Page 40

Configuration

• Example 1: Client application changes
  ⁻ MQSCO structure – SSL Security Parameters: location of the Key Repository, certificate label to use (MQ v8 only)
  ⁻ MQCNO structure – Connection Options

/* SSL configuration options: KeyRepository and CertificateLabel are
   fixed-length character arrays, so they are copied rather than assigned */
MQSCO sco = {MQSCO_DEFAULT};
sco.Version = MQSCO_VERSION_5;
strncpy(sco.KeyRepository, "/var/client/clientkeyr", sizeof(sco.KeyRepository));
strncpy(sco.CertificateLabel, "clientcertificate", sizeof(sco.CertificateLabel));

/* Connection options: version 4 or later is needed for SSLConfigPtr */
MQCNO cno = {MQCNO_DEFAULT};
cno.Version = MQCNO_VERSION_4;
cno.SSLConfigPtr = &sco;

MQCONNX(QMName, &cno, &hConn, &CompCode, &Reason);

Page 41

Configuration

• Example 1: Client application
• Alternatively, if you cannot adjust your application
  ⁻ In a command prompt

export MQSSLKEYR=/var/client/clientkeyr
export MQCERTLABL=clientcertificate

Page 42

Configuration

• Example 1: Client application
  ⁻ Ensure the certificate trust chain is complete on each side

[Diagram: the Queue Manager keystore holds ibmwebspheremqctu; its public certificate is extracted to qmgr.cer so it can be added to the client keystore]

runmqakm -cert -extract -db /var/mqm/qmgrs/CTU/ssl/key.kdb -stashed -label ibmwebspheremqctu -file /var/certs/qmgr.cer

Page 43

Configuration

• Example 1: Client application
  ⁻ Ensure the certificate trust chain is complete on each side

[Diagram: qmgr.cer, extracted from the Queue Manager keystore’s ibmwebspheremqctu, is added to the client keystore under the label qmgrsignercert]

runmqakm -cert -add -db /var/client/clientkeyr.kdb -stashed -label qmgrsignercert -file /var/certs/qmgr.cer

Page 44

Configuration

• Example 1: Client application (Mutual Authentication)
  ⁻ Ensure the certificate trust chain is complete on each side

[Diagram: the client keystore holds clientcertificate and qmgrsignercert; clientcertificate is extracted to client.cer and added to the Queue Manager keystore, alongside ibmwebspheremqctu, under the label clientsignercert]

runmqakm -cert -extract -db /var/client/clientkeyr.kdb -stashed -label clientcertificate -file /var/certs/client.cer

runmqakm -cert -add -db /var/mqm/qmgrs/CTU/ssl/key.kdb -stashed -label clientsignercert -file /var/certs/client.cer

Page 45

Security Exits

Page 46

Introduction

• Security exits are bespoke, customer-created exits that are run during the security checks.
• MQ contains an API used in the security exits to extract information about an incoming connection.
  ⁻ This information can then be used in the security exit to determine whether to allow or disallow a connection.
• Prior to MQ v8 a security exit was used in MVS to supply connection authentication capabilities
  ⁻ CSQ4BCX3

Page 47

Features

• Security exits are stored in <MQ Data Root>/exits/<Installation name>
• MQ will look in this folder when an exit is attached to a channel
• Exits are referenced in the SCYEXIT channel attribute
  ⁻ Without the file suffix or location

Page 48

Features

• As well as security exits there are also:
  ⁻ Receive exits – RCVEXIT
  ⁻ Send exits – SENDEXIT
• For each exit you can also supply custom data to pass to the exit using the channel’s ***DATA attribute
  ⁻ For example, security exit data using SCYDATA

Page 49

Configuration

• First write a C application with the following skeleton code:

#include <cmqc.h>    /* MQI definitions */
#include <cmqxc.h>   /* channel exit definitions: MQCXP, MQCD, MQENTRY */

/* Dummy entry point required by MQ on some platforms */
void MQENTRY MQStart() {;}

/* Entry point named in the channel's SCYEXIT attribute */
void MQENTRY EntryPoint(PMQVOID pChannelExitParms,
                        PMQVOID pChannelDefinition,
                        PMQLONG pDataLength,
                        PMQLONG pAgentBufferLength,
                        PMQVOID pAgentBuffer,
                        PMQLONG pExitBufferLength,
                        PMQPTR  pExitBufferAddr)
{
    PMQCXP pParms = (PMQCXP)pChannelExitParms;   /* channel exit parameters */
    PMQCD  pChDef = (PMQCD)pChannelDefinition;   /* channel definition */
    /* TODO: Add Security Exit Code Here */
}

Page 50

Configuration

• Next compile and link the exit as a dynamic library and place it in: <MQ Data Root>/exits/<Installation name>

Page 51

Configuration

• Next specify the exit on the channel:
  ⁻ In runmqsc
• Channel name (ALTER CHANNEL requires the channel type, SVRCONN for our working example)
• Name of the security exit to run: SCYEXIT
  ⁻ Without location or file extension
• Custom data to pass to the security exit: SCYDATA

ALTER CHANNEL('CLIENT.CONNECTIONS') CHLTYPE(SVRCONN) SCYEXIT('mqccred') +
    SCYDATA('sec exit data')

Page 52

Advanced Messaging Security

Page 53

Introduction

• AMS provides a higher level of protection to messages
• Has two levels of protection – policies
  ⁻ Integrity protection
    ⁻ Prevents messages from being tampered with.
    ⁻ Guarantees the message has been received from a known source
  ⁻ Integrity and privacy protection
    ⁻ Same benefits as Integrity protection
    ⁻ Also provides encryption to prevent unauthorised recipients seeing the message

Page 54

Features

• AMS does not perform access control but simply provides privacy and integrity to messages.
• Messages are protected using certificates that each signer and recipient will need, depending on the level of protection

Page 55

Features

• It is an end-to-end security model
  ⁻ Messages are protected from creation until destruction
• Messages can be protected so that only authorised users can see message data
  ⁻ This means even MQ Administrators cannot view a message.
• Messages are protected both in transit and at rest
  ⁻ Satisfies the standards compliance for certain data types (HIPAA, PCI, etc)

Page 56

Features

• AMS is incorporated into MQ Client applications without the need for re-building applications
  ⁻ No code changes are necessary!
• Message size will increase in order to incorporate the AMS format
  ⁻ New message size = 1280 + [Old Message Length] + (200 x [# of recipients])

Page 57

Tools

• Unlike SSL, it requires the FULL trust chain
  ⁻ Subject certificate, signer certificate, signer’s signer certificate, etc
• MQ has three tools for defining and managing policies
  ⁻ MQ Explorer
    ⁻ Define, display, delete policies
  ⁻ setmqspl
    ⁻ Define, delete policies
  ⁻ dspmqspl
    ⁻ Display policies

Page 58

Configuration

• Example 1: Configuring MQ to protect messages
  ⁻ In a command prompt:
• Queue Manager: -m
• Queue to protect: -p
• Signing algorithm: -s
• Authorised signer: -a
• Encryption algorithm: -e
• Authorised recipient: -r

setmqspl -m CTU -p CLIENT.DATA.Q -s SHA512 -a "CN=CLIENT1,O=CLIENTORG,C=UK" -e AES256 -r "CN=CLIENT2,O=CLIENTORG,C=UK"

Page 59

Configuration

Example 1: Application changes

No Changes Necessary!

[Diagram: Alice’s sending/receiving app, with AliceCertificate in its keystore, locates the keystore through MQS_KEYSTORE_CONF=/…/Keystore.conf (or a Keystore.conf created in the home directory)]

Keystore.conf:
cms.keystore=/…/Keystore
cms.certificate=AliceCertificate

Page 60

For Additional Information

• IBM Digital Experience Solutions: http://www-01.ibm.com/software/collaboration/digitalexperience
• WebSphere Portal and IBM Web Content Manager Information Center Wiki: http://www-10.lotus.com/ldd/portalwiki.nsf/
• IBM Digital Experience Demonstrations: http://www.youtube.com/user/IBMXWebX
• IBM Digital Experience Developer: http://developer.ibm.com/digexp
• IBM Software Business Solutions Catalog: https://greenhouse.lotus.com/catalog/

Page 61

Where can I get more information about IBM MQ?

• IBM Messaging developerWorks: developer.ibm.com/messaging
• IBM Messaging YouTube: https://www.youtube.com/IBMmessagingMedia
• LinkedIn: ibm.biz/ibmmessaging
• Twitter: @IBMMessaging
• IBM MQ Facebook: Facebook.com/IBM-MQ-8304628654/

Page 62

Thank you very much.

Rob Parker
IBM MQ Ecosystem
[email protected]

Page 63

Your feedback is valuable
Please complete your session or lab evaluation! Session number I173

Provide your evaluations by:
• Evaluation forms: fill out a form at the end of each session. Paper forms are located in each of the session or lab rooms
- Or -
• Complete the session survey on the Event Connect Portal: ibmeventconnect.com/madrid2016. Select Sessions, then Session Finder, and complete the survey

Page 64

Notes and Disclaimers

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Page 65

Notes and Disclaimers (continued)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.