Today’s MQ Infrastructure & Tomorrow's Security & High Availability with MQ 7.1, MQ AMS & MQ FTE

Upload: gaborvodics

Post on 30-Apr-2015


Page 1: Todays Mq Infrastructure And Tomorrows

Today’s MQ Infrastructure & Tomorrow's

Security & High Availability with MQ 7.1, MQ AMS & MQ FTE

Page 2: Todays Mq Infrastructure And Tomorrows

Agenda – MQ Infrastructure

Universal Connectivity: The Path to the Future

MQ File Transfer Edition

MQ Security – With MQ AMS

MQ 7.1 – the latest MQ Infrastructure features, including MQ “Security Policies”

Page 3: Todays Mq Infrastructure And Tomorrows

by doing great work with Great Customers

Financial Services
Healthcare
Government
Education
Retail & Distribution
Utilities
Insurance

Page 4: Todays Mq Infrastructure And Tomorrows

WebSphere MQ Value: Connectivity to, from & within an Enterprise
The path to the future

A Universal Message Bus for access to data wherever it exists to support your business

Provides a comprehensive range of Messaging capabilities to support your Business requirements for data integration

• Managed File Transfer
• Messaging integration patterns
• Reliability and availability QoS
• SOA foundation

Provides appropriate data access and data privacy controls to help meet audit and regulatory requirements

WMQ Telemetry is one step in extending the reach of WMQ to a wider world of data relevant to your business

Recent technology demonstration of MQ Web Messaging using HTML5 WebSockets continues this progress

[Diagram labels: Petrol Forecourt, Branch Outlet, Regional Office, Retail Store, Refinery, Mobile Phone, Sensor e.g. RFID, Enterprise, Pervasive Device]

Page 5: Todays Mq Infrastructure And Tomorrows

IBM Universal Messaging
Proven, Flexible, Robust business data delivery from anywhere to everywhere

[Diagram: IBM UNIVERSAL MESSAGING. Labels: Extra Data Protection, MQ Advanced Message Security, MQ File Transfer Edition, MQ for z/OS, MQ, Business Transactions, Leveraging System z, Managed File Transfer, Cloud Platform-as-a-Service, MQ Hypervisor Edition, MQ Low Latency Messaging, MQ HTTP Bridge, MQ Telemetry, Sense and Respond, Real-time Awareness, Web applications]

Page 6: Todays Mq Infrastructure And Tomorrows

WMQ Family Roadmap – continual delivery of customer value

(3Q/09) MQ V7.0.1 with Multi-Instance QMgrs, Automatic Client Reconnect, z/OS Availability, Capacity and Performance improvements

(4Q/09) MQ FTE V7.0.2 FTP Bridging

(4Q/10) MQ Advanced Message Security V7.0.1

(1Q/10) Security SupportPacs and Wizards

(4Q/10) MQ FTE V7.0.3 end-to-end security

(3Q/10) MQ Telemetry V7.0.1

(4Q/09) MQ LLM V2.3 msg store

(2Q/11) MQ FTE V7.0.4 C:D Integration

(2Q/11) MQ WebSockets Tech Preview. MQ HVE for RHEL ESX and IBM Workload Deployer

(1Q/11) MQ V7.0.1.4 Pre-Connect Exit

Early Access Programs

Timeline axis: 2009, 2010, 2011, 2012

( ) MQ LLM V2.x

( ) MQ AMS V7.x

(4Q/11) MQ V7.1 with Multi-version Install, Out-of-the-box security, Multicast capability, Improved Performance, z/OS Shared Q enhancements

( ) MQ FTE V7.x

(2Q/10) MQ LLM V2.4 late join

(4Q/10) MQ LLM V2.5 self-managing

(2Q/11) MQ LLM V2.6 improved perf.

Page 7: Todays Mq Infrastructure And Tomorrows


MQ FTE

Quick Overview

Directory Monitoring

File to Message - Message to File

FTP & SFTP Bridging agents

Page 8: Todays Mq Infrastructure And Tomorrows

FTP Spaghetti Infrastructure (haphazard growth)

X Unreliable transport mechanisms. Each link in a chain reduces reliability
X No central set-up, logging or monitoring
X Poor documentation of overall system
X Expensive, one-off solutions
X High maintenance costs (60 – 70% of a company’s IT budget)
X Lack of business agility

Page 9: Todays Mq Infrastructure And Tomorrows

Ideal File Transfer Infrastructure

[Diagram labels: Centralized Monitoring; Event based Centralized Logging; Automation & Centralized Set-up; Reliable Transport (repeated on each link); Documented, Standardized Solutions]

Page 10: Todays Mq Infrastructure And Tomorrows

MQ FTE allows you to…go from this

…to this

Page 11: Todays Mq Infrastructure And Tomorrows

MQ FTE 7.0.2 Protocol Bridge
Support for transferring files located on FTP and SFTP servers

The source or destination for a transfer can be an FTP or an SFTP server

Fully integrated into graphical, command line and XML scripting interfaces
Just looks like another FTE agent…

Enables incremental modernization of (S)FTP-based Legacy solutions
This helps ease migration from a non-managed (FTP or SFTP) network to a managed network based on WebSphere MQ File Transfer Edition (i.e. less rip & replace).
Ensures reliability of transfers across FTP/SFTP with checkpoint restart
Provides auditability of transfers across FTP/SFTP to central audit log

[Diagram labels: MQ network, FTE agents, Protocol Bridge Agent (Bridging Agent), FTP / SFTP network, FTP/SFTP Server, FTP Server, Audit information, Files exchanged between FTE and FTP/SFTP]

Page 12: Todays Mq Infrastructure And Tomorrows

MQ FTE: Use Case 1: Directory Monitor

[Diagram labels: /incoming/monitor with sub directories /A, /B, /C; Resource Monitor; FTE Sending Agent; FTE Receiving Agent OfficeA; FTE Receiving Agent OfficeB; FTE Receiving Agent OfficeC; 1.Doc]

• Three sub directories with the same names as the three destination FTE Agents
• When a file with an extension of “doc” is added to one of the sub directories …
• The Resource monitor detects the file and
• creates a file transfer request for the file where the destination agent has the same name as the sub directory.
http://www.ibm.com/developerworks/websphere/library/techarticles/0910_bonney/0910_bonney.html
• Company in Florida is using the above system and planning to scale up further

Page 13: Todays Mq Infrastructure And Tomorrows

File & Message Broker Hub: Connect Anything to Anything

Integration with WebSphere Message Broker for File Processing

Tight integration between FTE and WebSphere Message Broker
Enables ESB capabilities to be applied to file data
Ability to parse and transform files and process into messages, files, events, service requests etc

[Diagram labels: Files; WMQ FTE Network; WebSphere Message Broker (Enrich, Mediate, Transform…); Messages; Files; MQ, FTE, FTP, HTTP, SOAP…]

Page 14: Todays Mq Infrastructure And Tomorrows

WMB FTEInput and FTEOutput nodes

FTEInput node

Build flows that accept file transfers from the WMQ FTE network

FTEOutput node

Build flows that are designed to send a file across a WMQ FTE network

When WMQ FTE nodes are used in a flow, an FTE agent is automatically started in the Message Broker Execution Group

[Diagram labels: Message Broker, Execution Group, Message Flow, FTEInput, FTEOutput, FTE Agent (x4)]

Page 15: Todays Mq Infrastructure And Tomorrows

File & Message Hub (HTTP and MQ FTE)
Web based File Transfers using the Web Gateway

Web-based File Transfer

A RESTful API for sending files into and receiving files from a WMQ FTE network
Reliable and secure file transfer option for Web users
Auditable transfer and large file support
Zero-footprint file transfer support without the need to provision and install code
Interfaces for embedding into third party and custom user applications

[Diagram labels: WMQ FTE Network, WMQ FTE Server, HTTP/S]

Page 16: Todays Mq Infrastructure And Tomorrows

Options for converting data between files & messages

One file to one message
One file becomes one message

One file to a group of messages
The file can be split based on:
• Size
• Binary delimiter
• Regular expression

One message to one file
One message becomes one file

A group of messages (or all messages on the queue) to one file
Optionally, a delimiter can be inserted between each message used to compose the file

Page 17: Todays Mq Infrastructure And Tomorrows


End-to-end encryption using WebSphere MQ Advanced Message Security

WMQ FTE already supports transport level encryption using SSL

Data is encrypted before it is sent over a channel and decrypted when it is received

[Diagram, shown twice: FTE Agent, svrconn channel, WebSphere MQ Queue Manager, sndr/rcvr channels, WebSphere MQ Queue Manager, svrconn channel, FTE Agent]

V7.0.3 (when combined with WMQ AMS v7.0.1) allows file data to be encrypted at the source system and only decrypted when it reaches the destination system

– This helps reduce encryption costs

– Data is secure even when at rest on a queue

Page 18: Todays Mq Infrastructure And Tomorrows

Customer Survey: Of the points below: Which point(s) matters most to you?

Auditable: Records complete and detailed audit log of entire file journey. “What went where, when and to whom”

Reliable: File contents not corrupted or partially transmitted. Files only appear at destination whole and intact

Secure: File content encrypted during transmission. File access authenticated and controlled

Automated: Eliminates need to manually detect problems and restart transfers. Providing scheduling and triggering for event-driven transfers

Centralized: Remote control and monitoring of file progress from anywhere

Flexible: Able to deploy and re-configure file transfers instantaneously from anywhere. Managing transfers end-to-end across a network – not just between 2 points

Any file size: No upper limit on the size of file that can be moved

Integrated: With SOA infrastructure: Messaging, ESBs, Governance, B2B and BPM

Cost Effective: Provides a consolidated transport for moving both Files and Messages

Page 19: Todays Mq Infrastructure And Tomorrows

Securing the Universal Messaging Bus

Page 20: Todays Mq Infrastructure And Tomorrows


MQ AMS

Quick Overview

Message Level Protection

WMQ AMS - Key Features

Architecture

Interceptors

Policies

Page 21: Todays Mq Infrastructure And Tomorrows

WebSphere MQ Advanced Message Security
What is it?

New product - WebSphere MQ Advanced Message Security
Replaces WebSphere MQ Extended Security Edition
Component added to WebSphere MQ V7 or V6

Enhances MQ security processing
Provides additional security services over and above base QM
Designed to assist with requirements such as PCI DSS compliance

Application ---> Application protection for point-to-point messaging
Industry standard asymmetric cryptography used to protect individual messages
Uses Public Key Infrastructure (PKI) to protect MQ messages

Uses digital certificates (X.509) for applications

Non-invasive
No changes required to MQ applications

Security policies used to define the security level required
Administratively controlled policies applied to queues

• Command line
• Explorer

Page 22: Todays Mq Infrastructure And Tomorrows

Message Level Protection
Enables secure message transfers at application level

Assurance that messages have not been altered in transit
• When issuing payment information messages, ensure the payment amount does not change before reaching the receiver

Assurance that messages originated from the expected source
• When processing messages, validate the sender

Assurance that messages can only be viewed by intended recipient(s)
• When sending confidential information.

Page 23: Todays Mq Infrastructure And Tomorrows

WMQ AMS - Key Features

Secures sensitive or high-value MQ messages
Detects and removes rogue or unauthorized messages before they are processed by receiving applications
Verifies that messages are not modified in transit from queue to queue
Protects messages not only when they flow across the network but when they are at rest in queues
Messages from existing MQ applications are transparently secured using interceptors
Protects point-to-point messages

Page 24: Todays Mq Infrastructure And Tomorrows

WMQ AMS - Key Features (continued)

No prereq products
Significantly simplified installation and configuration compared to predecessor product
Up and running in minutes …

Works in conjunction with SSL
Can choose to use either or both depending on your requirements

Works in conjunction with WMQ authorisation model (OAM and SAF)
No changes required to WMQ applications
Works with local applications and clients, including Java
Support for WMQ V6 and V7
No changes required to existing object definitions
Fine-grained policies to define which queues are protected and how
Asymmetric cryptography used to protect individual messages

Administratively controlled policies
• Command line
• MQ Explorer

Page 25: Todays Mq Infrastructure And Tomorrows

WMQ + ESE 6 Architecture

Page 26: Todays Mq Infrastructure And Tomorrows

WMQ + MQ AMS

Page 27: Todays Mq Infrastructure And Tomorrows

Logical Architecture Design – Distributed Platforms

Page 28: Todays Mq Infrastructure And Tomorrows

Interceptors

Page 29: Todays Mq Infrastructure And Tomorrows

MQ AMS interceptors

MQ AMS functionality is implemented in interceptors.
There are no long running processes or daemons (except in z/OS).

Existing MQ applications do not require changes.
Three interceptors are provided:

1. Server interceptor for local (bindings mode) MQI API & Java applications.
Implemented as queue manager API exit.

2. MQI API client interceptor for remote (client mode) MQ API applications.
MQ AMS interceptor embedded in MQ client code.

3. Java client interceptor for remote (client mode) MQ JMS and MQ classes for Java applications (J2EE and J2SE).
MQ AMS interceptor embedded in MQ Java client code.
MQ V7.0 Java client required.
SupportPac MQC7 WebSphere MQ V7.0 clients.

Page 30: Todays Mq Infrastructure And Tomorrows

Protecting files transferred with WMQ FTE

AMS plugs in on top of / alongside WebSphere MQ File Transfer Edition, enabling file data to be encrypted in transit through the MQ network

Apply AMS protection to your WMQ FTE agent data queue

it's that simple!

Page 31: Todays Mq Infrastructure And Tomorrows

Instantly familiar UI and command line: no new tools to learn!

Page 32: Todays Mq Infrastructure And Tomorrows

Message protection policies

Created, updated or removed by the command ‘setmqspl’
Or by the MQ AMS plug-in for MQ Explorer (GUI).
Policies are stored in the queue ‘SYSTEM.PROTECTION.POLICY.QUEUE’.
Each protected queue can have only one policy.

Two types of policies:
• Message Integrity policy.
• Message Privacy policy.

Display policies with command ‘dspmqspl’.

Page 33: Todays Mq Infrastructure And Tomorrows

Message integrity policy example

This policy is to enforce integrity protection (signature) for messages put on queue Q.INTEGRITY in queue manager QM.

The message signing algorithm is SHA1.

Messages can only be signed by one authorized application.

Messages signed by any other signer are sent to the SYSTEM.PROTECTION.ERROR.QUEUE and an error is returned to the receiving application.

setmqspl -m QM -p Q.INTEGRITY -s SHA1 -e NONE -a 'CN=pdmqss,O=tivoli,C=US'

Page 34: Todays Mq Infrastructure And Tomorrows

Message privacy policy

Encryption algorithms: RC2, DES, 3DES, AES128 and AES256.

Message privacy requires that encrypted messages are also signed.

The list of authorized signers is optional.

It is mandatory to specify at least one recipient.

setmqspl -m <queue_manager> -p <protected_queue_name> -s <SHA1 | MD5> -e <encryption algorithm> -a <Authorized signer DN1> -a <Authorized signer DN2> -r <Message recipient DN1> -r <Message recipient DN2>

Page 35: Todays Mq Infrastructure And Tomorrows

Message privacy policy example

This policy enforces privacy protection (signature and encryption) for messages put on queue Q.PRIVACY in queue manager QM.

The message signing algorithm is SHA1.

The message encryption algorithm is AES128.

Two message recipients are listed using their certificate DNs.

Messages retrieved by unauthorized recipients are sent to the SYSTEM.PROTECTION.ERROR.QUEUE.

setmqspl -m QM -p Q.PRIVACY -s SHA1 -e AES128 -r 'CN=pmqdss,O=tivoli,C=US' -r 'CN=Vicente Suarez,OU=ISSW,O=IBM,L=Hursley,C=GB'
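A pre-deployment check for a script of setmqspl commands, added here as an example (it is not IBM tooling or code from the presentation). It applies the rules stated on the policy slides; treating MD5, RC2 and DES as weak, and the queue Q.PAYMENTS, are assumptions of the example.

```python
import shlex

# Algorithm names as they appear on the slides. Treating MD5, RC2 and DES as
# weak is this example's assumption, not something the deck states.
SIGN_ALGS = {"SHA1", "MD5"}
ENC_ALGS = {"RC2", "DES", "3DES", "AES128", "AES256"}
WEAK = {"MD5", "RC2", "DES"}

SINGLE = {"-m": "qmgr", "-p": "queue", "-s": "sign", "-e": "enc"}
MULTI = {"-a": "signers", "-r": "recipients"}


def parse_setmqspl(line):
    """Turn one setmqspl command line into a policy dict."""
    tokens = shlex.split(line)  # honours the quotes around DNs with spaces
    if not tokens or tokens[0] != "setmqspl":
        raise ValueError("not a setmqspl command: %r" % line)
    policy = {"qmgr": None, "queue": None, "sign": "NONE", "enc": "NONE",
              "signers": [], "recipients": []}
    args = tokens[1:]
    if len(args) % 2:
        raise ValueError("flag without a value in: %r" % line)
    for flag, value in zip(args[::2], args[1::2]):
        if flag in SINGLE:
            policy[SINGLE[flag]] = value
        elif flag in MULTI:
            policy[MULTI[flag]].append(value)
        else:
            raise ValueError("unexpected flag %r" % flag)
    return policy


def check_policies(lines):
    """Return (queue, finding) pairs for a list of setmqspl commands."""
    findings, seen = [], set()
    for line in lines:
        p = parse_setmqspl(line)
        q = p["queue"]
        if (p["qmgr"], q) in seen:  # one policy per queue: a later command updates it
            findings.append((q, "queue already has a policy in this script"))
        seen.add((p["qmgr"], q))
        if p["enc"] != "NONE":      # privacy policy: must sign and name a recipient
            if p["enc"] not in ENC_ALGS:
                findings.append((q, "unknown encryption algorithm " + p["enc"]))
            if p["sign"] not in SIGN_ALGS:
                findings.append((q, "privacy policy without a signing algorithm"))
            if not p["recipients"]:
                findings.append((q, "privacy policy without a recipient DN"))
        for alg in (p["sign"], p["enc"]):
            if alg in WEAK:
                findings.append((q, "weak algorithm " + alg))
    return findings


# The first two commands are the slide policies; the last two are constructed.
SCRIPT = [
    "setmqspl -m QM -p Q.INTEGRITY -s SHA1 -e NONE -a 'CN=pdmqss,O=tivoli,C=US'",
    "setmqspl -m QM -p Q.PRIVACY -s SHA1 -e AES128 -r 'CN=pmqdss,O=tivoli,C=US' "
    "-r 'CN=Vicente Suarez,OU=ISSW,O=IBM,L=Hursley,C=GB'",
    "setmqspl -m QM -p Q.PAYMENTS -s MD5 -e DES",
    "setmqspl -m QM -p Q.PRIVACY -s SHA1 -e NONE",
]

if __name__ == "__main__":
    for queue, finding in check_policies(SCRIPT):
        print(queue + ": " + finding)
```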

Page 36: Todays Mq Infrastructure And Tomorrows

WebSphere MQ AMS : Integrity Message Format

Page 37: Todays Mq Infrastructure And Tomorrows

WebSphere MQ AMS

1. Install AMS Interceptor
2. Create public / private key pairs
3. Copy public key

Page 38: Todays Mq Infrastructure And Tomorrows

AMS Summary
WebSphere MQ Advanced Message Security V7.0.1

It is a new member of the WebSphere MQ family.
It is a replacement for MQ ESE V6.0.
It protects message integrity and/or privacy.
It supports MQ V6 and V7.
It does not support Pub/Sub.
Existing MQ applications do not require changes.
MQ AMS uses interceptors, policies, keystores and certificates.

Page 39: Todays Mq Infrastructure And Tomorrows

MQ in the cloud
MQ Cloud Support: HyperVisor Editions

HVE is a pre-packaged image of MQ with an operating system

For easy configuration deployment into virtualised environments

First release included MQ V7.0.1.4 and Red Hat Enterprise Linux x86 64-bit OS

Also now available with an AIX flavour

Pre-defined patterns for IBM WebSphere Workload Deployer

[Diagram labels: HVE, Config Pattern, configure, deploy]

Page 40: Todays Mq Infrastructure And Tomorrows

WebSphere MQ V7.1: Feature Summary

New Feature: Multi-Version Install capability on Distributed platforms
Benefits: Makes it easier to deploy and upgrade systems and stage version to version migration
Details: Unix and Windows support for multiple versions of MQ V7.x (AND one copy of MQ V7.0.1) down to fixpack levels. Relocatable installation support. Applications can connect to any Qmgr

New Feature: Enhanced Security
Benefits: Simplified Configuration. Enhanced Authorisation and Auditing
Details: IP address Authorisation capability. Additional crypto algorithms. More granular authorisation for non-local queues. Application Activity Reports

New Feature: Cloud Support
Benefits: Simplifies and supports Cloud deployments
Details: Additional HVE images

New Feature: Enhanced Clustering
Benefits: Improves ease-of-use
Details: Authorisation on Cluster Q rather than XMIT Q on Dist. Platforms. Bind-on-Group Support

New Feature: Multicast capability
Benefits: New messaging QoS provides low latency with high fan-out capability
Details: MQ Pub/Sub Topic space can now map to multicast Group Addresses. Provides direct interoperability with MQ LLM

New Feature: Improved scalability and availability on z/OS
Benefits: Further exploitation of z196. Customer control over CF storage use. CF Connectivity Loss improvements
Details: Code contention reduced to improve multi-processor linear scaling. Use of MQ Datasets rather than DB2 significantly improves “large” message capability. Structure rebuild capability for CF Connectivity Loss scenarios

New Feature: Improved Performance on Dist platforms
Benefits: Improved multiprocessor exploitation
Details: Various code improvements

WebSphere MQ V7.1
Announced: 4 October 2011
Availability: 11 November 2011

Page 41: Todays Mq Infrastructure And Tomorrows

Scalability & Performance – Distributed platforms

Performance measured and improved for a range of scenarios

Hardware capabilities have evolved over years to have more CPUs, more memory etc

MQ topologies have evolved to have more clients and larger/fewer queue managers

“Fastest MQ ever”: better performance than V6 and V7

Multicast faster than traditional non-persistent

Over 5x for one-many publications

Performance reports to be released on availability

Page 42: Todays Mq Infrastructure And Tomorrows

Channel Access Blocking Points

IP Firewall

Listener blocking

Channel blocking and mapping

Access Control Lists


Page 43: Todays Mq Infrastructure And Tomorrows

Blocking at the Listener

Single list of IP address patterns

NOT A REPLACEMENT FOR AN IP FIREWALL
• Temporary blocking
• Blocking until IP firewall updated
• Shouldn’t be many entries in the list

Blocked before any data read from the socket
• i.e. before SSL Handshake
• Before channel name or userid is known

Avoiding DoS attack
• Really the place of the IP firewall
• Simplistic ‘hold’ of inbound connection to avoid reconnect busy loop

Network Pingers if blocked don’t raise an alert
• Immediate close of socket with no data not considered a threat

SET CHLAUTH(*) TYPE(BLOCKADDR) ADDRLIST('9.20.*', '192.168.2.10')

Page 44: Todays Mq Infrastructure And Tomorrows

SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)

Channel Access Policy (1)

“We must make sure our system is completely locked down”

Page 45: Todays Mq Infrastructure And Tomorrows

“Our Business Partners must all connect using SSL, so we will map their access from the certificate DNs”

SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)

SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)

SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)

Channel Access Policy (2)

Page 46: Todays Mq Infrastructure And Tomorrows

“Our Administrators connect in using MQ Explorer, but don’t use SSL. We will map their access by IP Address”

SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)

SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)

SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)

SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.20.1-30.*') MCAUSER(ADMUSER)

Channel Access Policy (3)

Page 47: Todays Mq Infrastructure And Tomorrows

SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)

SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)

SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)

SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.20.1-30.*') MCAUSER(ADMUSER)

SET CHLAUTH(TO.CLUS.*) TYPE(QMGRMAP) QMNAME(CLUSQM*) MCAUSER(CLUSUSR) ADDRESS('9.30.*')

Channel Access Policy (4)

“Our internal cluster doesn’t use SSL, but we must ensure only the correct queue managers can connect into the cluster”
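To review what the five records built up across Channel Access Policy (1) to (4) actually grant, the following added example (not code from the presentation or from IBM) models them and resolves constructed connection attempts. The precedence order and the reduced SSLPEER/QMNAME matching are simplifying assumptions of the example.

```python
# Simplified model of the "Channel Access Policy" slides. Assumed precedence
# (a labelled assumption of this example): an explicit channel name beats a
# generic one, then SSLPEERMAP beats QMGRMAP beats ADDRESSMAP.
from fnmatch import fnmatchcase

RULES = [  # (channel profile, record type, match criteria, outcome)
    ("*", "ADDRESSMAP", {"address": "*"}, "NOACCESS"),
    ("BPCHL.*", "SSLPEERMAP", {"sslpeer": "O=Bank of Shetland"}, "BANK123"),
    ("BPCHL.*", "SSLPEERMAP", {"sslpeer": "O=Bank of Orkney"}, "BANK456"),
    ("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", {"address": "9.20.1-30.*"}, "ADMUSER"),
    ("TO.CLUS.*", "QMGRMAP", {"qmname": "CLUSQM*", "address": "9.30.*"}, "CLUSUSR"),
]
TYPE_RANK = {"SSLPEERMAP": 0, "QMGRMAP": 1, "ADDRESSMAP": 2}


def ip_matches(pattern, ip):
    """Match an IPv4 address against patterns such as '9.30.*' or '9.20.1-30.*'."""
    parts = pattern.split(".")
    if parts[-1] == "*":                 # a trailing * covers the remaining octets
        parts += ["*"] * (4 - len(parts))
    octets = ip.split(".")
    if len(parts) != 4 or len(octets) != 4:
        return False
    for part, octet in zip(parts, octets):
        if part == "*":
            continue
        low, _, high = part.partition("-")   # '1-30' is an inclusive range
        if not int(low) <= int(octet) <= int(high or low):
            return False
    return True


def dn_attrs(dn):
    """Split 'CN=x,O=y' into {'CN': 'x', 'O': 'y'} (escaped commas not handled)."""
    return dict(item.strip().split("=", 1) for item in dn.split(","))


def peer_matches(pattern, cert_dn):
    """True when every attribute in the SSLPEER pattern is present in the DN."""
    if not cert_dn:
        return False
    have = dn_attrs(cert_dn)
    return all(have.get(k) == v for k, v in dn_attrs(pattern).items())


def resolve(channel, ip, cert_dn=None, qmname=None):
    """Return the MCAUSER a connection maps to, 'NOACCESS', or None if no record matches."""
    hits = []
    for profile, rtype, crit, outcome in RULES:
        if not fnmatchcase(channel, profile):
            continue
        if "address" in crit and not ip_matches(crit["address"], ip):
            continue
        if "sslpeer" in crit and not peer_matches(crit["sslpeer"], cert_dn):
            continue
        if "qmname" in crit and not (qmname and fnmatchcase(qmname, crit["qmname"])):
            continue
        hits.append(("*" in profile, TYPE_RANK[rtype], outcome))
    return min(hits)[2] if hits else None


# Constructed connection attempts (addresses, DNs and channel suffixes are made up).
CASES = [
    (("BPCHL.PAY", "203.0.113.5", "CN=gw,O=Bank of Shetland,C=GB"), "BANK123"),
    (("BPCHL.PAY", "203.0.113.5", None), "NOACCESS"),
    (("SYSTEM.ADMIN.SVRCONN", "9.20.15.7"), "ADMUSER"),
    (("SYSTEM.ADMIN.SVRCONN", "9.20.31.7"), "NOACCESS"),
    (("TO.CLUS.A", "9.30.4.4", None, "CLUSQM7"), "CLUSUSR"),
    (("TO.CLUS.A", "9.31.4.4", None, "CLUSQM7"), "NOACCESS"),
]

if __name__ == "__main__":
    for args, expected in CASES:
        print(args, "->", resolve(*args), "(expected %s)" % expected)
```

The second and fourth cases show the catch-all NOACCESS record doing its job: a partner channel without a mapped certificate and an administrator outside 9.20.1-30.* both fall through to it.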


Page 48: Todays Mq Infrastructure And Tomorrows

MQ High Availability: Multi-instance Queue Managers

1. Normal Execution

[Diagram labels: MQ Client (x2), network, Machine A, Machine B, 192.168.0.1, 192.168.0.2, QM1 Active instance (owns the queue manager data), QM1 Standby instance (can fail-over), QM1, networked storage]

Page 49: Todays Mq Infrastructure And Tomorrows

Multi-instance Queue Managers

2. Disaster Strikes

Connections broken from clients

[Diagram labels: MQ Client (x2), network, Machine A, Machine B, 192.168.0.1, 192.168.0.2, QM1 Active instance, QM1 Standby instance, locks freed, QM1, networked storage]

Page 50: Todays Mq Infrastructure And Tomorrows

Multi-instance Queue Managers

3. Standby Comes to Life

Connections still broken

[Diagram labels: MQ Client (x2), network, Machine B, 192.168.0.2, QM1 Active instance (owns the queue manager data), QM1, networked storage]

Page 51: Todays Mq Infrastructure And Tomorrows

Multi-instance Queue Managers

4. Recovery Complete

Clients reconnected. Processing continues.

[Diagram labels: MQ Client (x2), network, Machine B, 192.168.0.2, QM1 Active instance (owns the queue manager data), QM1, networked storage]

Page 52: Todays Mq Infrastructure And Tomorrows

Multi-instance queue managers: How it looks

As a graphical example, SupportPac MS0P V7.0.1

Page 53: Todays Mq Infrastructure And Tomorrows

Multi-instance queue managers: How it looks

Enhanced dspmq
New option for dspmq to output English-only text
Useful for programmable parsing

$ hostname
rockall
$ dspmq -x
QMNAME(V7) STATUS(Running) INSTANCE(rockall) MODE(Active)
QMNAME(V7B) STATUS(Running) INSTANCE(rockall) MODE(Active)
QMNAME(V7C) STATUS(Running as standby) INSTANCE(llareggub) MODE(Active) INSTANCE(rockall) MODE(Standby)
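The programmable parsing mentioned above, as an added example (not code from the presentation): it parses the dspmq -x output shown on the slide and reports queue managers that have no standby instance. The function names are this example's own.

```python
import re

# Output copied from the slide, one record per queue manager. The parser also
# accepts a layout where INSTANCE(...) entries sit on continuation lines.
SAMPLE = """\
QMNAME(V7) STATUS(Running) INSTANCE(rockall) MODE(Active)
QMNAME(V7B) STATUS(Running) INSTANCE(rockall) MODE(Active)
QMNAME(V7C) STATUS(Running as standby) INSTANCE(llareggub) MODE(Active) INSTANCE(rockall) MODE(Standby)
"""

FIELD = re.compile(r"(QMNAME|STATUS|INSTANCE|MODE)\(([^)]*)\)")


def parse_dspmq_x(text):
    """Return one dict per queue manager: name, status, {host: mode}."""
    qmgrs, host = [], None
    for key, value in FIELD.findall(text):
        if key == "QMNAME":              # a QMNAME field starts a new record
            qmgrs.append({"name": value, "status": None, "instances": {}})
            host = None
        elif not qmgrs:
            continue                     # ignore fields before the first QMNAME
        elif key == "STATUS":
            qmgrs[-1]["status"] = value
        elif key == "INSTANCE":
            host = value
        elif host is not None:           # MODE belongs to the preceding INSTANCE
            qmgrs[-1]["instances"][host] = value
    return qmgrs


def without_standby(qmgrs):
    """Names of queue managers with no instance in Standby mode."""
    return [q["name"] for q in qmgrs
            if "Standby" not in q["instances"].values()]


if __name__ == "__main__":
    parsed = parse_dspmq_x(SAMPLE)
    for q in parsed:
        print(q["name"], q["status"], q["instances"])
    print("no standby instance:", without_standby(parsed))
```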

Page 54: Todays Mq Infrastructure And Tomorrows

Message Broker exploits MQ 7.0.1 multi-instance queue manager capability

Active and stand-by queue managers

Start multiple instances of a queue manager on different machines

One is “active” instance; other is “standby” instance

Shared data is held in shared networked storage but owned by active instance

Exploitation by Message Broker

If standby instance of the queue manager becomes active, then the newly active MQ instance will start message broker once MQ recovery is complete

Message Broker H.A. using MQ 7.0.1 multi instance queue managers

Page 55: Todays Mq Infrastructure And Tomorrows

Automatic Client Reconnection

Client library provides necessary reconnection logic on detection of a failure
Hides failure from application code

[Diagram labels: Application, MQ Client, QM1, QM2, QM3]

Page 56: Todays Mq Infrastructure And Tomorrows

Automatic Client Reconnection

Tries to hide queue manager failures by restoring current state automatically
For example, if MQPUT returns error, client reruns MQCONN/MQOPEN/MQPUT internally

Uses the list of addresses in CONNAME to find queue manager
MQSERVER environment variable also understands list
MQSERVER=SYSTEM.DEF.SVRCONN/TCP/host1(1414),host2(1414)

Can reconnect to the same or different Queue Manager

Re-opens queues and other qmgr objects, re-establishes subscriptions

Reconnection interval is backed off exponentially on each unsuccessful retry
Total timeout is configurable – default 30 minutes.

Page 57: Todays Mq Infrastructure And Tomorrows

Automatic Client Reconnection: Details

Enabled in application code or ini file

Event Handler callback shows reconnection is happening if app cares
Good For Debugging
If callback occurs may decide on special handling for following 3 cases.

1. Not all MQI is seamless, but majority repaired transparently
• e.g. a browse cursor would revert to the top of the queue, non-persistent messages will have been lost during restart, non-durable subscriptions may miss some messages, in-flight transactions backed out, hObj values maintained

2. Some MQI options will fail if you have reconnection enabled
• Using MQGMO_LOGICAL_ORDER, MQGET gives MQRC_RECONNECT_INCOMPATIBLE

3. Tries to keep dynamic queues with same name
• So replies may not be missed

Initially just in MQI and JMS – not the other OO classes
Requires both client and server to be V7.0.1 level with SHARECNV>0
Server can be z/OS

Page 58: Todays Mq Infrastructure And Tomorrows