Page 1 (source: conferences.gse.org.uk/attachments/presentations/mMPBII_1477933027.pdf)
IBM MQ Advanced Message Security
Gwydion Tudur
IBM MQ for z/OS Development
01/11/2016
Session FC
Page 2
Agenda
Message Level Security
Digital Cryptography 101 (Keys, hashes, Alice & Bob)
IBM MQ Advanced Message Security Introduction
Administration
Enhancements in V9 release
Architecture
Page 3
Message Level Security
“Valuable” messages
– In flight on the network
– At rest, on disk
– Monitoring and control messages
Large networks, difficult to prove security of messages
– Injection
– Modification
– Unauthorized viewing
Data subject to standards compliance (PCI, HIPAA, etc)
– Credit card data protected by PCI
– Confidential government data
– Personal information e.g. healthcare
– Data at rest, administrative privileges, etc
Page 4
Message Level Security – Requirements
Assurance that messages have not been altered in transit
– When issuing payment information messages, ensure the payment amount does not change before reaching the receiver
Assurance that messages originated from the expected source
– When processing control messages, validate the sender
Assurance that messages can only be viewed by intended recipient(s)
– When sending confidential information
Page 5
Cryptography Choices
Symmetric Key
– Single secret key
– Relatively fast
– Poses key distribution challenges when faced with large numbers of senders/receivers
– The key has to be known by the sender and receiver
Asymmetric Keys
– Private & Public key pairing
– Message encrypted with one key can only be decrypted by the other one
– Slower than symmetric key cryptography
– Asymmetric Keys can be used to solve the key distribution challenges associated with symmetric keys
Page 6
Symmetric Key Cryptography
Figure: plaintext → Encryption → ciphertext → Decryption → plaintext
Page 7
Asymmetric Key Cryptography
Figure: plaintext → Encryption with Bob's Public Key → ciphertext → Decryption with Bob's Private Key (at Bob) → plaintext
Page 8
Hash Functions
Hash Function
– Computes the message MAC (Message Authentication Code)
– Easy to compute
– Very difficult to reverse
– Computationally infeasible to find two messages that hash to the same value
Figure: Hash Function maps a message of length n to a fixed-length, short number
Page 9
Digital Signatures
Figure: Alice's plaintext → Hash Function → hash; Alice "signs" the hash (encrypts the hash with her private key). Bob decrypts the signed hash with Alice's public key, and Bob hashes the plaintext to derive the hash.
If hashes match:
– Only Alice could have signed
– Plaintext didn't change in transit
Page 10
IBM MQ Advanced Message Security
Figure: Sending App → MQ Msg → &@Ja^! (protected message) → MQ Msg → Receiving App
Page 11
IBM MQ Advanced Message Security – Key points
Provides additional security to that provided by base MQ
End-to-end security, message level protection
– A security policy defines what protection should be applied to messages
– AMS intercepts messages at “endpoints” and applies the policy
– Well suited to point to point; can also protect publish/subscribe, but you have to know the identity of the intended recipients ahead of operation
Asymmetric cryptography used to protect each message
– Integrity policies prove message origin, content not changed
– Privacy policies as per integrity plus each message encrypted with unique key
– Confidentiality policies encrypt messages, with option to reuse key (new in V9)
Non-invasive
– No code changes or re-linking of applications
Administrative interfaces for policy management
– Command line (batch on z/OS)
– MQ Explorer
Page 12
IBM MQ Advanced Message Security – Security Features
AMS is an optional component of MQ, not a replacement to base MQ security
IBM MQ base
– Authentication (local OS user id, SSL peer and CHLAUTH for channels)
– Authorization (OAM on distributed, RACF on z/OS)
– Integrity (SSL for channels)
– Privacy (SSL for channels)
IBM MQ Advanced Message Security
– Integrity (End-to-end digital signing of messages)
– Confidentiality (End-to-end message encryption)
– Privacy (End-to-end digital signing and encryption of messages)
Page 13
IBM MQ Advanced Message Security – Commands
Command line tools
– setmqspl – Set message protection policy
• -m Queue manager
• -p Policy name (matches queue name used in application)
• -s Signing algorithm (MD5, SHA1, SHA256, SHA384, SHA512)
• -a Authorised signers (Signed messages - DN list)
• -e Encryption algorithm (RC2, DES, 3DES, AES128, AES256)
• -r Message recipients (Encrypted messages - DN list)
• -c Key reuse count (Encrypted messages – eliminate asymmetric key operations)
– dspmqspl – Display message protection policies
• -m Queue manager
• [-export]
• [-p Policy name]
Page 14
IBM MQ Advanced Message Security – Security Policies in MQ Explorer
Page 15
AMS Enhancements in IBM MQ 9
AMS Java client now uses BouncyCastle provider
– No longer restricted to using IBM JRE
AMS Java client now included in WebSphere Application Server V9 MQ resource adapter
New Encryption only QoS
– Confidentiality policies
– Halves amount of asymmetric key operations
– Improved performance
– Can optionally reuse encryption keys for multiple messages going to same recipient
– 2nd and subsequent messages incur no asymmetric key operations
– Similar performance to plaintext/unprotected message throughput
Page 17
IBM MQ Advanced Message Security – Architecture
Figure: MQ Application with AMS Intercept and Key Store; Queue Manager with Object Authority Manager (OK? y/n); MCA
Page 18
IBM MQ Advanced Message Security – Architecture
MCA Interception
Figure: MQ Client Application → MCA with AMS Intercept and Key Store → Queue Manager with Object Authority Manager (OK? y/n)
Page 19
IBM MQ AMS – Signed (Integrity Policy)
Figure: Original MQ Message = Message Properties + Message Data; AMS Signed Message = Message Properties + PDMQv1 Header + Message Data + PKCS #7 Signature
Page 20
IBM MQ AMS – Signed & Encrypted (Privacy Policy)
Figure: Original MQ Message = Message Properties + Message Data; AMS Signed & Encrypted Message = Message Properties + PDMQv1 Header + PKCS #7 Signature + Message Data, with the key encrypted with a certificate and the data encrypted with the key
Page 21
IBM MQ AMS – Encrypted (Confidentiality Policy)
Figure: Original MQ Message = Message Properties + Message Data; AMS Encrypted Message = Message Properties + PDMQv2 Header + PKCS #7 (Symmetric Key encrypted with a certificate) + Message Data encrypted with the key
Page 22
How to secure an existing MQ application – No protection
Figure: Sending App (Alice) and Receiving App (Bob) with queues STOCK and ORDERS
Page 23
How to secure an existing MQ application – SPLCAP(ENABLED)
Figure: Sending App (Alice) and Receiving App (Bob) with queues STOCK and ORDERS
1. Install IBM MQ AMS Component on server
Page 24
How to secure an existing MQ application – Assign Certificates
Figure: Sending App (Alice) with Keystore (Alice Private, Alice Public); Receiving App (Bob) with Keystore (Bob Private, Bob Public); queues STOCK and ORDERS
1. Install IBM MQ AMS Component on server
2. Create certificates (public / private key pairs)
Page 25
How to secure an existing MQ application – Exchange Public Key
Figure: Sending App (Alice) with Keystore (Alice Private, Alice Public, Bob Public); Receiving App (Bob) with Keystore (Bob Private, Bob Public, Alice Public); queues STOCK and ORDERS
1. Install IBM MQ AMS Component on server
2. Create certificates (public / private key pairs)
3. Exchange public keys
Page 26
How to secure an existing MQ application – Set security policy
Figure: Sending App (Alice) with Keystore (Alice Private, Alice Public, Bob Public); Receiving App (Bob) with Keystore (Bob Private, Bob Public, Alice Public); queues STOCK and ORDERS
Policy: ORDERS, Privacy, Recipient : Bob, Signer : Alice
1. Install IBM MQ AMS Component on server
2. Create certificates (public / private key pairs)
3. Exchange public keys
4. Define security policy for the queue
Page 27
How to secure an existing MQ application – Privacy & Integrity
Figure: Sending App (Alice) with Keystore (Alice Private, Alice Public, Bob Public); Receiving App (Bob) with Keystore (Bob Private, Bob Public, Alice Public); queues STOCK and ORDERS; a third party, Charlie, with a Send/Rcv App
Policy: ORDERS, Privacy, Recipient : Bob, Signer : Alice
1. Install IBM MQ AMS Component on server
2. Create certificates (public / private key pairs)
3. Exchange public keys
4. Define security policy for the queue
5. Messages can only be viewed by Bob, Bob will only accept messages from Alice
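Putting the setmqspl options from the commands slide together with the ORDERS walkthrough, here is an added Python helper (not IBM's code and not part of the deck) that checks a policy specification against the three qualities of protection, flags the weak algorithms in the option list, and renders the matching setmqspl command line. The queue manager name QM1 and the DNs are constructed; the -c value semantics (-1 unlimited, 0 no reuse, n messages) and repeating -a and -r once per DN are assumptions about setmqspl.

```python
import shlex

# Algorithms listed on the setmqspl slide; the weak ones are flagged so a
# policy review does not accept MD5/SHA1 signing or RC2/DES/3DES encryption.
SIGNING_ALGS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
ENCRYPTION_ALGS = {"RC2", "DES", "3DES", "AES128", "AES256"}
WEAK_ALGS = {"MD5", "SHA1", "RC2", "DES", "3DES"}
# Constructed policy for the ORDERS queue from the walkthrough: Privacy,
# signer Alice, recipient Bob. Queue manager name and DNs are made up.
ORDERS_POLICY = {
    "qmgr": "QM1", "queue": "ORDERS", "qop": "Privacy",
    "sign": "SHA256", "signers": ["CN=Alice,O=Example,C=GB"],
    "encrypt": "AES256", "recipients": ["CN=Bob,O=Example,C=GB"],
}

def validate_policy(p):
    """Problems with a policy dict (empty list = sound). Integrity = sign only (-s/-a),
    Privacy = sign + encrypt (-s/-a/-e/-r), Confidentiality = encrypt only (-e/-r, -c)."""
    qop = p.get("qop")
    if qop not in ("Integrity", "Privacy", "Confidentiality"):
        return [f"unknown quality of protection {qop!r}"]
    signs, encrypts, problems = qop != "Confidentiality", qop != "Integrity", []
    if signs and p.get("sign") not in SIGNING_ALGS:
        problems.append(f"{qop} needs a signing algorithm (-s) from {sorted(SIGNING_ALGS)}")
    if signs and not p.get("signers"):
        problems.append(f"{qop} needs at least one authorised signer DN (-a)")
    if encrypts and p.get("encrypt") not in ENCRYPTION_ALGS:
        problems.append(f"{qop} needs an encryption algorithm (-e) from {sorted(ENCRYPTION_ALGS)}")
    if encrypts and not p.get("recipients"):
        problems.append(f"{qop} needs at least one recipient DN (-r)")
    if (not signs and p.get("sign")) or (not encrypts and p.get("encrypt")):
        problems.append(f"{qop} policies must not set both -s and -e")
    for alg in (p.get("sign"), p.get("encrypt")):
        if alg in WEAK_ALGS:
            problems.append(f"{alg} is a weak algorithm; use SHA256/AES128 or stronger")
    reuse = p.get("key_reuse")  # assumed -c semantics: -1 unlimited, 0 none, n messages
    if reuse is not None and (qop != "Confidentiality" or reuse < -1):
        problems.append("key reuse (-c) only applies to Confidentiality and must be >= -1")
    return problems

def build_setmqspl(p):
    """Render the setmqspl command line; one -a per signer and one -r per recipient assumed."""
    args = ["setmqspl", "-m", p["qmgr"], "-p", p["queue"]]
    if p.get("sign"):
        args += ["-s", p["sign"]] + [x for dn in p.get("signers", []) for x in ("-a", dn)]
    if p.get("encrypt"):
        args += ["-e", p["encrypt"]] + [x for dn in p.get("recipients", []) for x in ("-r", dn)]
    if p.get("key_reuse") is not None:
        args += ["-c", str(p["key_reuse"])]
    return " ".join(shlex.quote(a) for a in args)
```

Run `validate_policy` before `build_setmqspl` so a policy that still names MD5, SHA1, RC2, DES or 3DES, or that lacks a signer or recipient DN, never reaches the queue manager.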
Page 28
Where do I get more information?
• IBM MQ Knowledge Center
http://www.ibm.com/software/integration/wmq/library/
• IBM Messaging developerWorks
developer.ibm.com/messaging
• IBM Messaging YouTube
https://www.youtube.com/IBMmessagingMedia
ibm.biz/ibmmessaging
@IBMMessaging
• IBM MQ Facebook
facebook.com/IBM-MQ-8304628654/
Page 29
Session feedback
• Please submit your feedback at
http://conferences.gse.org.uk/2016/feedback/FC
• Session is FC