You are previewing Secure Messaging Scenarios with WebSphere MQ.
O'Reilly logo
Secure Messaging Scenarios with WebSphere MQ

Book Description

The differences between well-designed security and poorly designed security are not always readily apparent. Poorly designed systems give the appearance of being secure but can over-authorize users or allow access to non-users in subtle ways. The problem is that poorly designed security gives a false sense of confidence. In some ways, it is better to knowingly have no security than to have inadequate security believing it to be stronger than it actually is. But how do you tell the difference? Although it is not rocket science, designing and implementing strong security requires strong foundational skills, some examples to build on, and the capacity to devise new solutions in response to novel challenges. This IBM® Redbooks® publication addresses itself to the first two of these requirements. This book is intended primarily for security specialists and IBM WebSphere® MQ administrators that are responsible for securing WebSphere MQ networks but other stakeholders should find the information useful as well.

Chapters 1 through 6 provide a foundational background for WebSphere MQ security. These chapters take a holistic approach positioning WebSphere MQ in the context of a larger system of security controls including those of adjacent platforms' technologies as well as human processes. This approach seeks to eliminate the simplistic model of security as an island, replacing it instead with the model of security as an interconnected and living system. The intended audience for these chapters includes all stakeholders in the messaging system from architects and designers to developers and operations.

Chapters 7 and 8 provide technical background to assist in preparing and configuring the scenarios and chapters 9 through 14 are the scenarios themselves. These chapters provide fully realized example configurations. One of the requirements for any scenario to be included was that it must first
be successfully implemented in the team's lab environment. In addition, the advice provided is the cumulative result of years of participation in the online community by the authors and reflect real-world practices adapted for the latest security features in WebSphere MQ V7.1 and WebSphere MQ V7.5. Although these chapters are written with WebSphere MQ administrators in mind, developers, project leaders, operations staff, and architects are all stakeholders who will find the configurations and topologies described here useful.

The third requirement mentioned in the opening paragraph was the capacity to devise new solutions in response to novel challenges. The only constant in the security field is that the technology is always changing. Although this book provides some configurations in a checklist format, these should be considered a snapshot at a point in time. It will be up to you as the security designer and implementor to stay current with security news for the products you work with and integrate fixes, patches, or new solutions as the state of the art evolves.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Chapter 1. Introduction
    1. 1.1 Why read this book
    2. 1.2 Currency
    3. 1.3 Scope
  5. Chapter 2. What is security
    1. 2.1 Defining requirements
    2. 2.2 Security as a system
    3. 2.3 The security lifecycle
      1. 2.3.1 Provisioning access
      2. 2.3.2 Revoking access
      3. 2.3.3 Monitoring and accountability
      4. 2.3.4 Ongoing maintenance
      5. 2.3.5 Recovery
    4. 2.4 Summary
  6. Chapter 3. Authentication and authorization
    1. 3.1 Relationship between authentication and authorization
    2. 3.2 Authentication in WebSphere MQ
      1. 3.2.1 Connection authentication
      2. 3.2.2 Message-level authentication
    3. 3.3 Authorization in WebSphere MQ
      1. 3.3.1 Connection-level authorization
      2. 3.3.2 Message-level authorization
  7. Chapter 4. Connection-level security
    1. 4.1 Architecture
    2. 4.2 Authentication
      1. 4.2.1 Assertion
      2. 4.2.2 Origin
      3. 4.2.3 Certificate
    3. 4.3 Identity resolution
    4. 4.4 Binding authentication to authorization
    5. 4.5 Default CHLAUTH rules
    6. 4.6 Provisioning access
    7. 4.7 Upgrade and migration
    8. 4.8 Access control lists
    9. 4.9 Authorizing topics
    10. 4.10 Authorizations that grant administrative access
      1. 4.10.1 Granting +crt authority
      2. 4.10.2 Granting +set authority on the queue manager
      3. 4.10.3 Granting +setid or +setall on queues
    11. 4.11 Common mistakes
      1. 4.11.1 Unprotected channels
      2. 4.11.2 Granting access to principals
      3. 4.11.3 Administrative users with mqm as a secondary group
      4. 4.11.4 Unquoted asterisks in setmqaut commands
      5. 4.11.5 Using generic authorizations
      6. 4.11.6 Granting access to the nobody group
  8. Chapter 5. Message-level security
    1. 5.1 Architecture
    2. 5.2 Policies
    3. 5.3 Use cases
      1. 5.3.1 Business-to-business (B2B)
      2. 5.3.2 End-to-end encryption
      3. 5.3.3 Data aggregation
      4. 5.3.4 Command and control flows
  9. Chapter 6. WebSphere MQ security controls
    1. 6.1 Overview
    2. 6.2 Operating system and file system resources
      1. 6.2.1 File system as the root of trust in the server
      2. 6.2.2 Restrict file system access
      3. 6.2.3 Restrict access to mqm home directory and tools
      4. 6.2.4 Limit access to the mqm user ID
      5. 6.2.5 mqm group membership
      6. 6.2.6 Files and directories
      7. 6.2.7 Fully specified names in mqm cron job scheduler
      8. 6.2.8 Do not administer WebSphere MQ as root
      9. 6.2.9 Protection of WebSphere MQ backups
      10. 6.2.10 Increase the size of error logs
      11. 6.2.11 Archiving error logs
      12. 6.2.12 Isolation of staging environments
      13. 6.2.13 Protect user-provided executables
    3. 6.3 Queue manager local resources
      1. 6.3.1 Define a system dead letter queue
      2. 6.3.2 Considerations for dead-letter queue handler
      3. 6.3.3 Enable event messages
      4. 6.3.4 Restrict access to remote clustered queues
      5. 6.3.5 Do not disable WebSphere MQ authorization checks
      6. 6.3.6 Generic authorization profile names
      7. 6.3.7 PROCESS and SERVICE objects should use explicit paths
      8. 6.3.8 Run the command server only when it is needed
      9. 6.3.9 Limited use of trigger monitors
      10. 6.3.10 Minimal authority on SYSTEM objects
      11. 6.3.11 Object names
      12. 6.3.12 Realistic attribute values
    4. 6.4 Channels, transmission queues, and communications
      1. 6.4.1 Use channel authentication rules
      2. 6.4.2 Disable all incoming SYSTEM channels
      3. 6.4.3 Always specify a low-privileged MCAUSER
      4. 6.4.4 Avoid use of put authority context on channels
      5. 6.4.5 Do not enable automatic channel definition
      6. 6.4.6 Avoid using a default transmission queue
      7. 6.4.7 Avoid use of SERVER channels
      8. 6.4.8 Restrict access to transmission queues
      9. 6.4.9 Increase message retry on channels
      10. 6.4.10 Use the managed listener
      11. 6.4.11 Specify local address on outbound channels
      12. 6.4.12 Usage of port numbers
      13. 6.4.13 Queue manager to queue manager versus clients
      14. 6.4.14 Separate channels for application messaging
    5. 6.5 Queues and other objects
      1. 6.5.1 Restrict access to system default objects
      2. 6.5.2 Least access authorization model
      3. 6.5.3 Authority to SYSTEM.BASE.TOPIC
      4. 6.5.4 Considerations for dead letter queue and topics
    6. 6.6 Applications using WebSphere MQ
      1. 6.6.1 Avoid setting message context fields
      2. 6.6.2 Avoid alternate user ID
      3. 6.6.3 User ID and password fields on client connections
      4. 6.6.4 Use segregated input queues
      5. 6.6.5 Careful use of report messages
    7. 6.7 Recent changes
      1. 6.7.1 Dedicated cluster transmission queues
      2. 6.7.2 WebSphere Message Broker default configuration wizard
      3. 6.7.3 MCA interception for clients
      4. 6.7.4 RFC 5280 certificate validation policy
      5. 6.7.5 FIPS compliance on SSL/TLS and AMS
      6. 6.7.6 New CipherSpecs and CipherSuites
      7. 6.7.7 NSA Suite B support
      8. 6.7.8 Distinguished Encoding Rules in SSLPEER and SSLCERTI
    8. 6.8 Procedural considerations
      1. 6.8.1 Software currency
      2. 6.8.2 Periodic revalidation of security roles
      3. 6.8.3 Resource monitoring to detect and record security incidents
  10. Chapter 7. Operating system specifics
    1. 7.1 IBM z/OS
      1. 7.1.1 WebSphere MQ security management
      2. 7.1.2 TLS/SSL certificate and key repository management
      3. 7.1.3 Queue sharing groups
      4. 7.1.4 Channel types have additional values of PUTAUT
      5. 7.1.5 Separating put and get authority
      6. 7.1.6 Publish/subscribe security
      7. 7.1.7 Certificate sharing in a queue sharing group
      8. 7.1.8 RESLEVEL security
    2. 7.2 IBM i
      1. 7.2.1 Special users
      2. 7.2.2 Command authorization
      3. 7.2.3 Key repository
    3. 7.3 Microsoft Windows
      1. 7.3.1 Specific profiles for principals and groups in OAM
      2. 7.3.2 Deleting user IDs or groups
      3. 7.3.3 Service user ID using active directory
      4. 7.3.4 Application event log
      5. 7.3.5 Securing shared data for multiple instance queue managers on Windows
  11. Chapter 8. Scenario preparation
    1. 8.1 Overview
    2. 8.2 Servers and network topology
    3. 8.3 Operating systems and infrastructure software
      1. 8.3.1 Virtualization
      2. 8.3.2 UNIX servers
      3. 8.3.3 Windows servers
    4. 8.4 Operating system configuration
      1. 8.4.1 Virtualization
    5. 8.5 WebSphere MQ installation and configuration
    6. 8.6 Other software installation and configuration
    7. 8.7 Naming standards and conventions
      1. 8.7.1 Host names
      2. 8.7.2 User ID and group names
      3. 8.7.3 Queue manager names
      4. 8.7.4 Channel names
      5. 8.7.5 WebSphere MQ object names
    8. 8.8 Certificate authorities
    9. 8.9 OCSP responder
    10. 8.10 LDAP server to host CRLs
    11. 8.11 WebSphere MQ (CMS) keystores
    12. 8.12 Other certificate tools
  12. Chapter 9. Scenario: WebSphere MQ administration
    1. 9.1 Scenario overview
      1. 9.1.1 Scenario design
      2. 9.1.2 Prerequisites
      3. 9.1.3 Using the additional material for scripts and common variables
    2. 9.2 Implementing the scenario
      1. 9.2.1 Preparing the operating system user IDs and groups
      2. 9.2.2 Creating the queue manager and listener
      3. 9.2.3 Authorizing queue manager and system objects to enable remote WebSphere MQ Explorer
      4. 9.2.4 Defining application objects and limited administration authority
      5. 9.2.5 Providing authority to display all objects
      6. 9.2.6 Defining a channel for anonymous remote WebSphere MQ Explorer
      7. 9.2.7 Defining a secure channel for remote administration roles
      8. 9.2.8 Creating a key repository for queue manager
      9. 9.2.9 Generating the queue manager certificate and adding it to the key repository
      10. 9.2.10 Creating a key repository for users
      11. 9.2.11 Generating the user certificates and adding them to the key repository
      12. 9.2.12 Building the Java keystore files for users of WebSphere MQ Explorer
      13. 9.2.13 Setting up the WebSphere MQ Explorer workstation
    3. 9.3 Configuring WebSphere MQ Explorer for the anonymous administration role
      1. 9.3.1 Configuring a new queue manager
      2. 9.3.2 Verifying the display of objects
      3. 9.3.3 Verifying that the user has no authority to alter objects
      4. 9.3.4 Removing the queue manager from WebSphere MQ Explorer
    4. 9.4 Configuring WebSphere MQ Explorer for a limited administration role
      1. 9.4.1 Configuring the new queue manager
      2. 9.4.2 Displaying the channel status
      3. 9.4.3 Verifying that the user can display objects
      4. 9.4.4 Verifying that the user has authority to alter APP1 objects
      5. 9.4.5 Verifying that the user has no authority to alter APP2 objects
    5. 9.5 Configuring WebSphere MQ Explorer for a full administration role
      1. 9.5.1 Displaying the channel status
    6. 9.6 Summary
  13. Chapter 10. Scenario: Securing IBM WebSphere MQ connections to connect a business partner
    1. 10.1 Scenario overview
      1. 10.1.1 Scenario design
      2. 10.1.2 Scenario flow
    2. 10.2 WebSphere MQ and WebSphere MQ Internet pass-thru features and practices
      1. 10.2.1 Application considerations
      2. 10.2.2 Application queue manager
      3. 10.2.3 Gateway queue manager
      4. 10.2.4 WebSphere MQ Internet pass-thru server
    3. 10.3 Implementing the scenario
      1. 10.3.1 Application queue manager configuration
      2. 10.3.2 Gateway queue manager configuration
      3. 10.3.3 WebSphere MQ Internet pass-thru configuration
      4. 10.3.4 Application configuration
      5. 10.3.5 Firewall configuration
    4. 10.4 Results of testing
    5. 10.5 Advanced Encryption Standard support in WebSphere MQ Internet pass-thru
    6. 10.6 Summary
  14. Chapter 11. Scenario: Fine-grained cluster security
    1. 11.1 Scenario overview
      1. 11.1.1 Scenario design
      2. 11.1.2 Preparing for the scenario
      3. 11.1.3 Creating the cluster
    2. 11.2 Authorizing access using the authority context of user IDs
      1. 11.2.1 Creating authorization profiles for the full-repository queue managers
      2. 11.2.2 Creating authorization profiles for the cluster member queue managers
      3. 11.2.3 Setting the MCAUSER user to block unauthorized access
      4. 11.2.4 Validating the authorization settings
      5. 11.2.5 Summary
    3. 11.3 Authorizing access using queue manager name mapping
      1. 11.3.1 Creating CHLAUTH records for the full-repository queue managers
      2. 11.3.2 Configuring the cluster member queue managers
      3. 11.3.3 Validating the authorization settings
      4. 11.3.4 Summary
    4. 11.4 Using SSL for mutual authentication
      1. 11.4.1 Creating certificates for the cluster queue managers
      2. 11.4.2 Configuring the cluster queue managers to use SSL
      3. 11.4.3 Validating the settings
      4. 11.4.4 Summary
    5. 11.5 Authorizing access with X.509 DN mapping
      1. 11.5.1 Configuring X.509 DN to MCAUSER mapping
      2. 11.5.2 Validating the settings
      3. 11.5.3 Summary
    6. 11.6 Authorizing access with X.509 and IP address mapping
      1. 11.6.1 Validating the settings
      2. 11.6.2 Summary
    7. 11.7 Considerations for large clusters
    8. 11.8 Summary
  15. Chapter 12. Scenario: CRL/OCSP certificate revocation
    1. 12.1 Scenario overview
      1. 12.1.1 CRL design
      2. 12.1.2 OCSP design
      3. 12.1.3 Prerequisites
      4. 12.1.4 Certificate authorities that are used in this scenario
    2. 12.2 Certificate revocation
    3. 12.3 Using certificate revocation lists
      1. 12.3.1 Configuring CRL in WebSphere MQ
      2. 12.3.2 Turning off CRL checking
      3. 12.3.3 For more information
    4. 12.4 Using Online Certificate Status Protocol (OCSP)
      1. 12.4.1 Configuring OCSP in WebSphere MQ
      2. 12.4.2 Making OCSP checking optional
      3. 12.4.3 For more information
    5. 12.5 Troubleshooting
      1. 12.5.1 Security troubleshooting
      2. 12.5.2 Event messages
      3. 12.5.3 SSL troubleshooting
    6. 12.6 Summary
  16. Chapter 13. Scenario: End-to-end security using WebSphere MQ AMS
    1. 13.1 Scenario overview
      1. 13.1.1 Scenario design
      2. 13.1.2 Prerequisites
    2. 13.2 Configuring for first use
      1. 13.2.1 Queue manager configuration
      2. 13.2.2 Authorizations
      3. 13.2.3 Application configuration
    3. 13.3 Exchanging signed messages
      1. 13.3.1 Integrity policy definition
      2. 13.3.2 Test sending and receiving signed messages
    4. 13.4 Exchanging encrypted messages
      1. 13.4.1 Key exchange
      2. 13.4.2 Encryption policy definition
      3. 13.4.3 Testing the send and receive of encrypted messages
    5. 13.5 Summary
    6. 13.6 Further considerations
  17. Chapter 14. Scenario: WebSphere MQ AMS revocation checking
    1. 14.1 Scenario overview
      1. 14.1.1 Scenario design
      2. 14.1.2 Prerequisites
    2. 14.2 Implementing the scenario
      1. 14.2.1 Queue manager configuration
      2. 14.2.2 Client configuration
      3. 14.2.3 Applications
    3. 14.3 Testing the certificate revocation
      1. 14.3.1 Test 1: Revoking the receiver’s certificate
      2. 14.3.2 Test 2: Revoking the senders certificate
      3. 14.3.3 Test 3: Both certificates are renewed
    4. 14.4 Summary
    5. 14.5 Further considerations
  18. Appendix A. Working with the itsoME message exit
    1. A.1 Description
    2. A.2 Inbound traffic
    3. A.3 Outbound traffic
    4. A.4 Configuring the exit
    5. A.5 Compiling the exit
    6. A.6 Installing the exit
    7. A.7 Design considerations
    8. A.8 Debugging
    9. A.9 Message exit source
  19. Appendix B. Additional tooling for WebSphere MQ Internet pass-thru
    1. WebSphere MQ Internet pass-thru start/stop script
    2. WebSphere MQ Internet pass-thru control script
      1. WebSphere MQ Internet pass-thru security exit (itsoBlockExit)
  20. Appendix C. Certificate administration techniques and special WebSphere MQ security checks
    1. Managing certificates on z/OS
    2. Simple z/OS MQ security check
  21. Appendix D. Additional material
    1. Locating the Web material
    2. Using the Web material
  22. Related publications
    1. IBM Redbooks
    2. Online resources
    3. Help from IBM
  23. Back cover