WebSphere MQ Security Notes
Identification is being able to identify uniquely a user of a system or an application
that is running in the system. Authentication is being able to prove that a user or
application is genuinely who that person or what that application claims to be.
e.g. IBM MQ ==> the message channel agent (MCA) at each end of the channel authenticates its partner.
“Access control”
The access control service protects critical resources in a system by limiting access
only to authorized users and their applications.
e.g. IBM MQ ==> Allowing a user’s application to perform only those operations on a queue that
are necessary for its function. For example, an application might need only to
browse messages on a particular queue, and not to put or get messages.
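The browse-only case above, expressed as MQSC authority records (an added example, not from the notes or from IBM's documentation); it assumes IBM MQ 7.1 or later, where SET AUTHREC exists (on older releases the same grants are made with the setmqaut command listed later in the notes), and the constructed names QM1, APP.ORDERS and group browsers.

```mqsc
* Added example (constructed names: queue manager QM1, queue APP.ORDERS,
* OS group browsers). Run with: runmqsc QM1 < this-file
* Goal: the application may browse APP.ORDERS but never put or get.
*
* Connecting to the queue manager at all needs CONNECT; INQ lets the
* application inquire queue manager attributes, nothing more.
SET AUTHREC OBJTYPE(QMGR) GROUP('browsers') AUTHADD(CONNECT,INQ)
*
* On the queue: BROWSE plus INQ (needed to open the queue for inquire).
* No PUT and no GET, so the application cannot add or consume messages.
SET AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE) GROUP('browsers') AUTHADD(BROWSE,INQ)
*
* Over-broad alternative to avoid: ALLMQI also grants PUT, GET and SET.
* SET AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE) GROUP('browsers') AUTHADD(ALLMQI)
*
* Check the result: the authorities listed should be BROWSE and INQ only.
DISPLAY AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE) GROUP('browsers')
*
* If ALLMQI had been granted by mistake, take the write rights back explicitly.
SET AUTHREC PROFILE('APP.ORDERS') OBJTYPE(QUEUE) GROUP('browsers') AUTHRMV(PUT,GET,SET)
```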
The confidentiality service protects sensitive information from unauthorized disclosure.
Sensitive data should be encrypted when it is transmitted over a communications
network, especially over an insecure network such as the Internet. In a networking
environment, access control mechanisms are not effective against attempts to
intercept the data, such as wiretapping.
e.g. IBM MQ ==> After a sending MCA gets a message from a transmission queue, the message is
encrypted before it is sent over the network to the receiving MCA. At the other
end of the channel, the message is decrypted before the receiving MCA puts it
on its destination queue.
“Data integrity”
The data integrity service aims only to detect whether data has been modified. It
does not aim to restore data to its original state if it has been modified.
e.g. IBM MQ ==> While messages are stored on a local queue, the access control mechanisms
provided by WebSphere MQ might be considered sufficient to prevent deliberate
modification of the contents of the messages. However, for a greater level of
security, a data integrity service can be used to detect whether the contents of a
message have been deliberately modified between the time the message was put
on the queue and the time it was retrieved from the queue.
The non-repudiation service can contain more than one component, where each
component provides a different function. If the sender of a message ever denies
sending it, the non-repudiation service with proof of origin can provide the receiver
with undeniable evidence that the message was sent by that particular individual.
You might require contemporaneous evidence that a particular message was sent
or received by an application associated with a particular individual.
Link level security and application level security
Between queue manager and queue manager ==> link level security
Between queue manager and application ==> application level security (end-to-end security or message level security)
The following queue manager parameters support SSL:
SSLCRLNL Allows access to a certificate revocation list. The SSLCRLNL attribute specifies a namelist. The namelist contains zero or more authentication information objects. Each authentication information object gives access to an LDAP server.
SSLCRYP On Windows and UNIX systems, sets the SSLCryptoHardware queue manager attribute. This attribute is the name of the parameter string that you can use to configure the cryptographic hardware you have on your system.
SSLEV Determines whether an SSL event message will be reported if a channel using SSL fails to establish an SSL connection
SSLFIPS Specifies whether only FIPS-certified algorithms are to be used if cryptography is carried out in WebSphere MQ. If cryptographic hardware is configured, the cryptographic modules used are those provided by the hardware product, and these may, or may not, be FIPS-certified to a particular level. This depends on the hardware product in use.
SSLKEYR On Windows and UNIX systems, associates a key repository with a queue manager. The key database is held in a GSKit key database. (The IBM Global Security Kit (GSKit) enables you to use SSL security on Windows and UNIX systems.)
SSLRKEYC The number of unencrypted bytes sent and received within an SSL conversation before the secret key is renegotiated. The number of bytes includes control information sent by the MCA.
The following channel parameters support SSL:
SSLCAUTH Defines whether WebSphere MQ requires and validates a certificate from the SSL client.
SSLCIPH Specifies the encryption strength and function (CipherSpec), for example NULL_MD5 or RC4_MD5_US. The CipherSpec must match at both ends of the channel.
SSLPEER Specifies the distinguished name (unique identifier) of allowed partners.
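The queue manager and channel attributes above, set with MQSC as an added example (constructed values, not from the notes or from IBM's documentation): queue managers QM1 and QM2, an LDAP host ldap1.example.com for the CRL, a key repository under the default path, and a partner DN CN=QM2,OU=MQ,O=Example; one of the weak CipherSpecs named in the notes is shown beside a stronger one.

```mqsc
* Added example (constructed values). Run on QM1 with: runmqsc QM1 < this-file
*
* --- Queue manager attributes ---
* SSLKEYR: key repository stem (the .kdb extension is not given).
* SSLFIPS(YES): only FIPS-certified algorithms (see the hardware caveat above).
* SSLEV(ENABLED): emit an event message when a channel fails the SSL
*   handshake, so failed connections show up on the event queue.
* SSLRKEYC: renegotiate the secret key every 1 MB of traffic; 0 means never.
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key') +
           SSLFIPS(YES) +
           SSLEV(ENABLED) +
           SSLRKEYC(1048576)
*
* --- Certificate revocation checking ---
* One AUTHINFO object per LDAP server, collected in the NAMELIST that
* SSLCRLNL points at. Without it a revoked partner certificate still passes.
DEFINE AUTHINFO(CRL.LDAP1) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap1.example.com(389)') REPLACE
DEFINE NAMELIST(SSL.CRL.NL) NAMES(CRL.LDAP1) REPLACE
ALTER QMGR SSLCRLNL(SSL.CRL.NL)
*
* --- Receiving end of the channel ---
* SSLCIPH: NULL_MD5 from the notes authenticates but sends data in clear;
*   use a CipherSpec that encrypts, and set the same one on the sender at QM2.
* SSLCAUTH(REQUIRED): the partner must present a certificate and it must validate.
* SSLPEER: the validated certificate's DN must also match this filter.
DEFINE CHANNEL(QM2.TO.QM1) CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=QM2,OU=MQ,O=Example') REPLACE
*
* Weak setting, for contrast (do not use): no encryption, any or no certificate.
* DEFINE CHANNEL(QM2.TO.QM1) CHLTYPE(RCVR) TRPTYPE(TCP) SSLCIPH(NULL_MD5) SSLCAUTH(OPTIONAL)
*
* Verify what is in effect.
DISPLAY QMGR SSLKEYR SSLCRLNL SSLFIPS SSLEV SSLRKEYC
DISPLAY CHANNEL(QM2.TO.QM1) SSLCIPH SSLCAUTH SSLPEER
```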
The setmqaut, dspmqaut, dmpmqaut, rcrmqobj, rcdmqimg, and dspmqfls commands support the authentication information object.
Next you must ensure that SSL connections that use the SSLPEER channel parameter have any multiple Organizational Unit entries ordered correctly.
- If the SSLPEER value is not used, or if the SSLPEER value is used but multiple Organizational Unit entries are not used, select Not Used and click Next.
- If the SSLPEER value is used with multiple Organizational Unit entries, check the ordering of the SSLPEER fields and select Yes when they are correctly ordered. Click Next.
Note: At any time, you can click More Information to view online help about how to check SSLPEER fields. When you are finished, close the WebSphere MQ Help Center window to return to the current window.