Post on 25-Mar-2018
IBM MQ Advanced Message
Security
Gwydion Tudur
IBM MQ for z/OS Development
01/11/2016
Session FC
Agenda
Message Level Security
Digital Cryptography 101 (Keys, hashes, Alice & Bob)
IBM MQ Advanced Message Security Introduction
Administration
Enhancements in V9 release
Architecture
Message Level Security
“Valuable” messages
– In flight on the network
– At rest, on disk
– Monitoring and control messages
Large networks, difficult to prove security of messages
– Injection
– Modification
– Unauthorized viewing
Data subject to standards compliance (PCI, HIPAA, etc)
– Credit card data protected by PCI
– Confidential government data
– Personal information e.g. healthcare
– Data at rest, administrative privileges, etc
Message Level Security – Requirements
Assurance that messages have not been altered in transit
– When issuing payment information messages, ensure the payment
amount does not change before reaching the receiver
Assurance that messages originated from the expected source
– When processing control messages, validate the sender
Assurance that messages can only be viewed by intended recipient(s)
– When sending confidential information
Cryptography Choices
Symmetric Key
– Single secret key
– Relatively fast
– Poses key distribution challenges when faced with large numbers of
senders/receivers
– The key has to be known by the sender and receiver
Asymmetric Keys
– Private & Public key pairing
– Message encrypted with one key can only be decrypted by the other one
– Slower than symmetric key cryptography
– Asymmetric Keys can be used to solve the key distribution challenges associated
with symmetric keys
Symmetric Key Cryptography
DecryptionEncryption
plaintext
ciphertext plaintext
Asymmetric Key Cryptography
DecryptionEncryption
plaintext plaintext
Bob
Bob's Public Key Bob's Private Key
ciphertext
Hash Functions
Hash Function
– Computes the message MAC (Message Authentication Code)
– Easy to compute
– Very difficult to reverse
– Computationally infeasible to find two messages that hash to the same
value
Hash Function
hhhhhhhhMessage of length nMessage of length n
Fixed Fixed
length, length,
short short
numbernumber
Fixed Fixed
length, length,
short short
numbernumber
Fixed Fixed length, length, short short numbernumber
Fixed Fixed length, length, short short numbernumber
Digital Signatures
Alice Alice's
plaintext
hhhhHash
Functionhhhh
Alice "signs" the
hash (encrypts the
hash with her
private key)
Bob
Bob decrypts the
signed hash with
Alice's public key
hhhh hhhh
hhhhHash
Function
Bob hashes the plaintext
to derive the hash
If hashes match:
ƒOnly Alice could
have signed
ƒPlaintext didn't
change in transit
IBM MQ Advanced Message Security
Sending
App
Receiving
App
MQ Msg
&@Ja^!&@Ja^!
MQ Msg
IBM MQ Advanced Message Security – Key points
Provides additional security to that provided by base MQ
End-to-end security, message level protection
– A security policy defines what protection should be applied to messages
– AMS intercepts messages at “endpoints” and applies the policy
– Well suited to point to point, can also protect publish/subscribe but...
– … have to know the identity of the intended recipients ahead of operation
Asymmetric cryptography used to protect each message
– Integrity policies prove message origin, content not changed
– Privacy policies as per integrity plus each message encrypted with unique key
– Confidentiality policies encrypt messages, with option to reuse key (new in V9)
Non-invasive
– No code changes or re-linking of applications
Administrative interfaces for policy management
– Command line (batch on z/OS)
– MQ Explorer
IBM MQ Advanced Message Security – Security
Features
AMS is an optional component of MQ, not a replacement to base MQ
security
IBM MQ base
– Authentication (local OS user id, SSL peer and CHLAUTH for channels)
– Authorization (OAM on distributed, RACF on z/OS)
– Integrity (SSL for channels)
– Privacy (SSL for channels)
IBM MQ Advanced Message Security
– Integrity (End-to-end digital signing of messages)
– Confidentiality (End-to-end message encryption)
– Privacy (End-to-end digital signing and encryption of messages)
IBM MQ Advanced Message Security –
Commands
Command line tools
– setmqspl – Set message protection policy
• -m Queue manager
• -p Policy name (matches queue name used in application)
• -s Signing algorithm (MD5, SHA1, SHA256, SHA384, SHA512)
• -a Authorised signers (Signed messages - DN list)
• -e Encryption algorithm (RC2, DES, 3DES, AES128, AES256)
• -r Message recipients (Encrypted messages - DN list)
• -c Key reuse count (Encrypted messages – eliminate asymmetric key
operations)
– dspmqspl – Display message protection policies
• -m Queue manager
• [-export]
• [-p Policy name]
IBM MQ Advanced Message Security
Security Policies in MQ Explorer
AMS Enhancements in IBM MQ 9
AMS Java client now uses BouncyCastle provider
No longer restricted to using IBM JRE
AMS Java client now included in WebSphere Application Server V9
MQ resource adapter
New Encryption only QoS
Confidentiality policies
Halves amount of asymmetric key operations
Improved performance
Can optionally reuse encryption keys for multiple messages going to
same recipient
2nd and subsequent messages incur no asymmetric key operations
Similar performance to plaintext/unprotected message throughput
IBM MQ Advanced Message Security –
Architecture
MCA
Queue
Manager
OK?
y/n
MQ
Application
AMS Intercept
Key
Store
Object
Authority
Manager
IBM MQ Advanced Message Security –
Architecture
MCA Interception
MCA
Queue
Manager
OK?
y/n
MQ Client
Application
AMS InterceptKey
Store
Object
Authority
Manager
IBM MQ AMS – Signed (Integrity Policy)
Message Data
Message
Data
PDMQv1 Header
PKCS #7
Signature
Original MQ Message AMS Signed Message
Message PropertiesMessage Properties
IBM MQ AMS – Signed & Encrypted (Privacy
Policy)
Message Data
Message
Data
PDMQv1 Header
PKCS #7
Signature
Message PropertiesMessage Properties
Key encrypted with certificate
Data encrypted with key
Original MQ Message AMS Signed & Encrypted Message
IBM MQ AMS – Encrypted (Confidentiality
Policy)
Message Data
PDMQv2 Header
PKCS #7
Message PropertiesMessage Properties
Key encrypted with certificate
Symmetric Key
Message Data
Original MQ Message AMS Encrypted Message
How to secure an existing MQ application – No
protection
STOCKSending
App
Receiving
App
ORDERSAlice Bob
How to secure an existing MQ application –
SPLCAP(ENABLED)
STOCKSending
AppReceiving
App
ORDERSAlice Bob
1.Install IBM MQ AMS Component on server
How to secure an existing MQ application –
Assign Certificates
STOCKSending
App
Receiving
App
ORDERSAlice Bob
Keystore
Alice Private
Alice Public
Keystore
Bob Private
Bob Public
1.Install IBM MQ AMS Component on server
2.Create certificates (public / private key pairs)
How to secure an existing MQ application –
Exchange Public Key
STOCKSending
AppReceiving
App
ORDERSAlice Bob
Keystore
Alice Private
Alice Public
Bob Public
Keystore
Bob Private
Bob Public
Alice Public
1.Install IBM MQ AMS Component on server
2.Create certificates (public / private key pairs)
3.Exchange public keys
How to secure an existing MQ application – Set
security policy
STOCKSending
App
Receiving
App
ORDERSAlice Bob
Keystore
Alice Private
Alice Public
Bob Public
Keystore
Bob Private
Bob Public
Alice Public
Policy
ORDERS
Privacy
Recipient : Bob
Signer : Alice
1.Install IBM MQ AMS Component on server
2.Create certificates (public / private key pairs)
3.Exchange public keys
4.Define security policy for the queue
How to secure an existing MQ application –
Privacy & Integrity
STOCKSending
App
Receiving
App
ORDERSAlice Bob
Keystore
Alice Private
Alice Public
Bob Public
Keystore
Bob Private
Bob Public
Alice Public
Policy
ORDERS
Privacy
Recipient : Bob
Signer : Alice
1.Install IBM MQ AMS Component on server
2.Create certificates (public / private key pairs)
3.Exchange public keys
4.Define security policy for the queue
5.Messages can only be viewed by Bob, Bob will only accept messages from Alice
Send/Rcv
App
Charlie
Where do I get more information?
• IBM MQ Knowledge Center
http://www.ibm.com/software/integration/wmq/library/
• IBM Messaging developerWorks
developer.ibm.com/messaging
• IBM Messaging Youtube
https://www.youtube.com/IBMmessagingMedia
ibm.biz/ibmmessaging
@IBMMessaging
• IBM MQ Facebook
facebook.com/IBM-MQ-8304628654/
Session feedback
• Please submit your feedback at
http://conferences.gse.org.uk/2016/feedback/FC
• Session is FC