IBM MQ Advanced Message

Security

Gwydion Tudur

IBM MQ for z/OS Development

01/11/2016

Session FC

Agenda

Message Level Security

Digital Cryptography 101 (Keys, hashes, Alice & Bob)

IBM MQ Advanced Message Security Introduction

Administration

Enhancements in V9 release

Architecture

Message Level Security

“Valuable” messages

– In flight on the network

– At rest, on disk

– Monitoring and control messages

Large networks, difficult to prove security of messages

– Injection

– Modification

– Unauthorized viewing

Data subject to standards compliance (PCI, HIPAA, etc)

– Credit card data protected by PCI

– Confidential government data

– Personal information e.g. healthcare

– Data at rest, administrative privileges, etc

Message Level Security – Requirements

Assurance that messages have not been altered in transit

– When issuing payment information messages, ensure the payment

amount does not change before reaching the receiver

Assurance that messages originated from the expected source

– When processing control messages, validate the sender

Assurance that messages can only be viewed by intended recipient(s)

– When sending confidential information

Cryptography Choices

Symmetric Key

– Single secret key

– Relatively fast

– Poses key distribution challenges when faced with large numbers of

senders/receivers

– The key has to be known by the sender and receiver

Asymmetric Keys

– Private & Public key pairing

– Message encrypted with one key can only be decrypted by the other one

– Slower than symmetric key cryptography

– Asymmetric Keys can be used to solve the key distribution challenges associated

with symmetric keys

Symmetric Key Cryptography

DecryptionEncryption

plaintext

ciphertext plaintext

Asymmetric Key Cryptography

DecryptionEncryption

plaintext plaintext

Bob

Bob's Public Key Bob's Private Key

ciphertext

Hash Functions

Hash Function

– Computes the message MAC (Message Authentication Code)

– Easy to compute

– Very difficult to reverse

– Computationally infeasible to find two messages that hash to the same

value

Hash Function

hhhhhhhhMessage of length nMessage of length n

Fixed Fixed

length, length,

short short

numbernumber

Fixed Fixed

length, length,

short short

numbernumber

Fixed Fixed length, length, short short numbernumber

Fixed Fixed length, length, short short numbernumber

Digital Signatures

Alice Alice's

plaintext

hhhhHash

Functionhhhh

Alice "signs" the

hash (encrypts the

hash with her

private key)

Bob

Bob decrypts the

signed hash with

Alice's public key

hhhh hhhh

hhhhHash

Function

Bob hashes the plaintext

to derive the hash

If hashes match:

ƒOnly Alice could

have signed

ƒPlaintext didn't

change in transit

IBM MQ Advanced Message Security

Sending

App

Receiving

App

MQ Msg

&@Ja^!&@Ja^!

MQ Msg

IBM MQ Advanced Message Security – Key points

Provides additional security to that provided by base MQ

End-to-end security, message level protection

– A security policy defines what protection should be applied to messages

– AMS intercepts messages at “endpoints” and applies the policy

– Well suited to point to point, can also protect publish/subscribe but...

– … have to know the identity of the intended recipients ahead of operation

Asymmetric cryptography used to protect each message

– Integrity policies prove message origin, content not changed

– Privacy policies as per integrity plus each message encrypted with unique key

– Confidentiality policies encrypt messages, with option to reuse key (new in V9)

Non-invasive

– No code changes or re-linking of applications

Administrative interfaces for policy management

– Command line (batch on z/OS)

– MQ Explorer

IBM MQ Advanced Message Security – Security

Features

AMS is an optional component of MQ, not a replacement to base MQ

security

IBM MQ base

– Authentication (local OS user id, SSL peer and CHLAUTH for channels)

– Authorization (OAM on distributed, RACF on z/OS)

– Integrity (SSL for channels)

– Privacy (SSL for channels)

IBM MQ Advanced Message Security

– Integrity (End-to-end digital signing of messages)

– Confidentiality (End-to-end message encryption)

– Privacy (End-to-end digital signing and encryption of messages)

IBM MQ Advanced Message Security –

Commands

Command line tools

– setmqspl – Set message protection policy

• -m Queue manager

• -p Policy name (matches queue name used in application)

• -s Signing algorithm (MD5, SHA1, SHA256, SHA384, SHA512)

• -a Authorised signers (Signed messages - DN list)

• -e Encryption algorithm (RC2, DES, 3DES, AES128, AES256)

• -r Message recipients (Encrypted messages - DN list)

• -c Key reuse count (Encrypted messages – eliminate asymmetric key

operations)

– dspmqspl – Display message protection policies

• -m Queue manager

• [-export]

• [-p Policy name]

IBM MQ Advanced Message Security

Security Policies in MQ Explorer

AMS Enhancements in IBM MQ 9

AMS Java client now uses BouncyCastle provider

No longer restricted to using IBM JRE

AMS Java client now included in WebSphere Application Server V9

MQ resource adapter

New Encryption only QoS

Confidentiality policies

Halves amount of asymmetric key operations

Improved performance

Can optionally reuse encryption keys for multiple messages going to

same recipient

2nd and subsequent messages incur no asymmetric key operations

Similar performance to plaintext/unprotected message throughput

Performance – AMS Confidentiality vs Privacy

IBM MQ Advanced Message Security –

Architecture

MCA

Queue

Manager

OK?

y/n

MQ

Application

AMS Intercept

Key

Store

Object

Authority

Manager

IBM MQ Advanced Message Security –

Architecture

MCA Interception

MCA

Queue

Manager

OK?

y/n

MQ Client

Application

AMS InterceptKey

Store

Object

Authority

Manager

IBM MQ AMS – Signed (Integrity Policy)

Message Data

Message

Data

PDMQv1 Header

PKCS #7

Signature

Original MQ Message AMS Signed Message

Message PropertiesMessage Properties

IBM MQ AMS – Signed & Encrypted (Privacy

Policy)

Message Data

Message

Data

PDMQv1 Header

PKCS #7

Signature

Message PropertiesMessage Properties

Key encrypted with certificate

Data encrypted with key

Original MQ Message AMS Signed & Encrypted Message

IBM MQ AMS – Encrypted (Confidentiality

Policy)

Message Data

PDMQv2 Header

PKCS #7

Message PropertiesMessage Properties

Key encrypted with certificate

Symmetric Key

Message Data

Original MQ Message AMS Encrypted Message

How to secure an existing MQ application – No

protection

STOCKSending

App

Receiving

App

ORDERSAlice Bob

How to secure an existing MQ application –

SPLCAP(ENABLED)

STOCKSending

AppReceiving

App

ORDERSAlice Bob

1.Install IBM MQ AMS Component on server

How to secure an existing MQ application –

Assign Certificates

STOCKSending

App

Receiving

App

ORDERSAlice Bob

Keystore

Alice Private

Alice Public

Keystore

Bob Private

Bob Public

1.Install IBM MQ AMS Component on server

2.Create certificates (public / private key pairs)

How to secure an existing MQ application –

Exchange Public Key

STOCKSending

AppReceiving

App

ORDERSAlice Bob

Keystore

Alice Private

Alice Public

Bob Public

Keystore

Bob Private

Bob Public

Alice Public

1.Install IBM MQ AMS Component on server

2.Create certificates (public / private key pairs)

3.Exchange public keys

How to secure an existing MQ application – Set

security policy

STOCKSending

App

Receiving

App

ORDERSAlice Bob

Keystore

Alice Private

Alice Public

Bob Public

Keystore

Bob Private

Bob Public

Alice Public

Policy

ORDERS

Privacy

Recipient : Bob

Signer : Alice

1.Install IBM MQ AMS Component on server

2.Create certificates (public / private key pairs)

3.Exchange public keys

4.Define security policy for the queue

How to secure an existing MQ application –

Privacy & Integrity

STOCKSending

App

Receiving

App

ORDERSAlice Bob

Keystore

Alice Private

Alice Public

Bob Public

Keystore

Bob Private

Bob Public

Alice Public

Policy

ORDERS

Privacy

Recipient : Bob

Signer : Alice

1.Install IBM MQ AMS Component on server

2.Create certificates (public / private key pairs)

3.Exchange public keys

4.Define security policy for the queue

5.Messages can only be viewed by Bob, Bob will only accept messages from Alice

Send/Rcv

App

Charlie

Where do I get more information?

• IBM MQ Knowledge Center

http://www.ibm.com/software/integration/wmq/library/

• IBM Messaging developerWorks

developer.ibm.com/messaging

• IBM Messaging Youtube

https://www.youtube.com/IBMmessagingMedia

• LinkedIn

ibm.biz/ibmmessaging

• Twitter

@IBMMessaging

• IBM MQ Facebook

facebook.com/IBM-MQ-8304628654/

Session feedback

• Please submit your feedback at

http://conferences.gse.org.uk/2016/feedback/FC

• Session is FC