Secure Your Messages with IBM MQ Advanced Message Security
46
© 2015 IBM Corporation @MoragHughson Session AME-2286 Secure Your Messages with IBM MQ Advanced Message Security Morag Hughson - [email protected] IBM Hursley - UK
-
Upload
morag-hughson -
Category
Software
-
view
595 -
download
9
Transcript of Secure Your Messages with IBM MQ Advanced Message Security
© 2015 IBM Corporation@MoragHughson
Session AME -2286
Secure Your Messages with IBM MQ Advanced Message SecurityMorag Hughson - [email protected]
IBM Hursley - UK
@MoragHughson
Agenda
� Message Level Security
� Digital Cryptography 101 (Keys, hashes, Alice & Bob)
� WebSphere MQ Advanced Message Security Introduction
� Administration
� Enhancements in V7.5 & V8 releases
� Architecture
� Availability
@MoragHughson
Message Level Security
� “Valuable” messages� In flight on the network�At rest, on disk�Monitoring and control messages
� Large networks, difficult to prove security of messages� Injection�Modification�Unauthorized viewing
� Data subject to standards compliance (PCI, HIPAA, etc)�Credit card data protected by PCI�Confidential government data�Personal information e.g. healthcare�Data at rest, administrative privileges, etc
@MoragHughson
Message Level Security - Requirements
� Assurance that messages have not been altered in transit�When issuing payment information messages, ensure the payment amount does
not change before reaching the receiver
� Assurance that messages originated from the expected source �When processing control messages, validate the sender
� Assurance that messages can only be viewed by intended recipient(s)�When sending confidential information
@MoragHughson
Cryptography Choices
� Symmetric Key�Single secret key
�Relatively fast
�Poses key distribution challenges when faced with large numbers of
senders/receivers
�The key has to be known by the sender and receiver
� Asymmetric Keys�Private & Public key pairing
�Message encrypted with one key can only be decrypted by the other one
�Slower than symmetric key cryptography
�Asymmetric Keys can be used to solve the key distribution challenges associated
with symmetric keys
@MoragHughson
Symmetric Key Cryptography
DecryptionEncryption
plaintext
���������
�� ��� ���
ciphertext plaintext
@MoragHughson
Asymmetric Key Cryptography
DecryptionEncryption
plaintext plaintext
Bob
Bob's Public Key Bob's Private Key
���������
�� ��� ����������
ciphertext
@MoragHughson
Hash Functions
� Hash Function�Computes the message MAC (Message Authentication Code)
�Easy to compute
�Very difficult to reverse
�Computationally infeasible to find two messages that hash to the same value
Hash Function
hhhhhhhhMessage of length nMessage of length n
Fixed Fixed length, length, short short numbernumber
Fixed Fixed length, length, short short numbernumber
Fixed Fixed length, length, short short numbernumber
Fixed Fixed length, length, short short numbernumber
@MoragHughson
Digital Signatures
Alice Alice's plaintext
hhhhHash
Function hhhh
Alice "signs" the hash (encrypts the hash with her private key)
Bob
Bob decrypts the signed hash with Alice's public key
hhhh hhhh
hhhhHash
Function
Bob hashes the plaintext to derive the hash
If hashes match:
ƒOnly Alice could have signed
ƒPlaintext didn't change in transit
@MoragHughson
IBM MQ Advanced Message Security
10
SendingApp
ReceivingApp
MQ Msg
&@Ja^!
MQ Msg
A
M
S
A
M
S
MQ network
N
O
T
E
S
IBM MQ Advanced Message Security – Notes
� Advanced Message Security (AMS) provides message protection policies to allow message content to be signed and encrypted. The application is unaware of the service and so the application programmer need not worry about coding it into his application, however, before the message is even placed on the queue it can be encrypted, thus ensuring that it's contents are never exposed. The message is encrypted while is resides on the queue, while it is transported across the network -the channels are unaware that the content is encrypted since they are content agnostic anyway - and is still encrypted when it is placed on the target queue. At the point where the receiving application gets the message off the queue the application level security service decrypts the data and presents it to the application.
� Configuration of these policies is done using the setmqspl (set MQ security policy) command, or via equivalent function in the MQ Explorer GUI. Once defined these policies are stored in a special queue called the SYSTEM.PROTECTION.POLICY.QUEUE. The policies can also be displayed, using the dspmqspl command, or again, via the MQ Explorer GUI.
@MoragHughson
IBM MQ Advanced Message Security – Key points
� Provides additional security to that provided by base MQ
� End-to-end security, message level protection�A security policy defines what protection should be applied to messages�AMS intercepts messages at “endpoints” and applies the policy�Well suited to point to point, can also protect publish/subscribe but...�… have to know the identity of the intended recipients ahead of operation
� Asymmetric cryptography used to protect each message� Integrity Policies prove message origin, content not changed� Privacy policies as per integrity plus each message encrypted with unique key
� Non-invasive�No code changes or re-linking of applications
� Administrative interfaces for policy management� Command line�MQ Explorer (Security Policies - now a default plugin)
@MoragHughson
IBM MQ Advanced Message Security – Security Features
� AMS is an optional component of IBM MQ,
not a replacement to base MQ security
� IBM MQ base �Authentication (User ID & Password, DN Matching and CHLAUTH for channels)
�Authorization (OAM on distributed, SAF on z/OS)
� Integrity (SSL/TLS for channels)
�Privacy (SSL/TLS for channels)
� IBM MQ Advanced Message Security� Integrity (End-to-end digital signing of messages)
�Privacy (End-to-end message content encryption)
@MoragHughson
IBM MQ Advanced Message Security – Commands
� Command line tools�setmqspl : Set message protection policy
� -m Queue manager
� -p Policy name (matches queue name used in application)
� -s Signing algorithm (MD5, SHA1, SHA256, SHA384, SHA512)
� -a Authorised signers (Signed messages - DN list)
� -e Encryption algorithm (RC2, DES, 3DES, AES128, AES256)
� -r Message recipients (Encrypted messages - DN list)
�dspmqspl : Display message protection policies
� -m Queue manager
� [-export]
� [-p Policy name]
@MoragHughson
IBM MQ Advanced Message Security –Security Policies in MQ Explorer
@MoragHughson
AMS Enhancements in WebSphere MQ 7.5 onwards (1)
� Installation�Base MQ & AMS available to install from same media�AMS capabilities shipped in base MQ runtime�AMS Installation packages reduced from 6 to just 1� Common maintenance - MQ fixpacks provide maintenance for both base MQ & AMS
� Configuration� SYSTEM queues created when creating or starting queue manager at 7.5�No need to configure interceptors, no API exits, no replacement dlls, no new jar files
� Queue manager SPLCAP attribute indicates security policy capability
� Installation of AMS on the server allows all supported application environments to use AMS capabilities
� Enablement of digital signing & encryption through setting policies is unchanged
� Ease of use� Error messages written to MQ logs (AMQERR01.LOG)� Common Infocenter with base MQ� Common servicing/trace as base MQ
@MoragHughson
AMS Enhancements in WebSphere MQ 7.5 onwards (2)
� New Features�AMS 7.0.1.1 & 7.0.1.2 enhancements all included
� PKCS#11 Crypto H/W, SHA-2, CRL/OCSP checking, Command/Config events...
�Client MCA Interception allows platforms that don't support AMS natively to use
protected queues
� Back-level clients, DataPower appliance, Non-IBM Java clients, ...
� External partners who don’t have AMS
� Performance�Enablement of interceptors has no measurable performance impact to
applications that do not access protected queues
�Policy checking at MQOPEN time has no measurable performance impact
� Policy data returned with MQOPEN request
� Policy caching ensures fast response on subsequent policy checks
@MoragHughson
AMS Enhancements in WebSphere MQ 7.5 onwards (3)
� Policy administration�MQ Explorer now has Security Policies as a default plugin to manage policies
�Consistency with MQ access control for managing policies
�Require +dsp authority to queue manager for dspmqspl & MQ Explorer
�Require +chg authority to queue manager for setmqspl & MQ Explorer
�Security of SYSTEM.PROTECTION.POLICY.QUEUE enhanced
� All changes to policy data must pass through auditable interfaces (Security, Command
and Configuration events)
� MQ administrators cannot tamper with contents of queue through MQI/PCF/MQSC
�Applications that have a queue open when an applicable policy change is made
will be told to reopen queue
� MQRC_OBJECT_CHANGED on next call on the affected hObj
�Applications attempting to put unprotected messages to a protected queue
without a policy will fail
� Catches previous releases of AMS where client interceptors have not been enabled
@MoragHughson
AMS Enhancements in WebSphere MQ 8
� Platform Coverage�AMS is now available for IBM i platform
�COBOL, RPG, C, Java client and server applications fully supported
� Platform Enhancements�z/OS simplification
�Main and data tasks
� Moved into single task
� Started and stopped with queue manager
� Improved performance
@MoragHughson
Advanced Message Security (AMS) on z/OS
� Pre-V8.0 (two started tasks)�Main Task: ssidAMSM
� Runs API interceptor
� Enforces policies
�Data Services task: ssidAMSD
� Performs signature and encryption
� Calls System SSL PKCS#7 Services
(uses SAF keyrings)
QMGR (ssidMSTR)
Application
MQ API“Private” API Exit
AMS main (ssidAMSM)
AMS Data Services
(ssidAMSD)
@MoragHughson
Advanced Message Security (AMS) on z/OS
� Pre-V8.0 (two started tasks)�Main Task: ssidAMSM
� Runs API interceptor
� Enforces policies
�Data Services task: ssidAMSD
� Performs signature and encryption
� Calls System SSL PKCS#7 Services
(uses SAF keyrings)
� WebSphere MQ V8�Single task: ssidAMSM
� Started/stopped with QMgr
� “Private” API Exit code is now
embedded in the productQMGR (ssidMSTR)
Application
MQ API
8.0 Interception is built-in
AMS main (ssidAMSM)
N
O
T
E
S
Advanced Message Security (AMS) on z/OS - Notes
� On z/OS before MQ V8, the MQ Server interceptor for local (bindings mode) is implemented as a “private” API exit on z/OS.
� In V8, similar to the change made on Distributed in V7.5, AMS is pulled into the base WebSphere MQ product. It’s documentation is also pulled into the WebSphere MQ Information Center.
� This provides a better integration with the queue manager including tie-in of the start/stop of the AMS address space with start-up and shut-down of the queue manager. Calling the AMS address space to do the encryption/decryption work is more efficient and due to no longer using the vendor API call intercept method (the “private” API exit), it is less likely to conflict with other OEM products.
� The previous two separate AMS address spaces, ssidAMSM (main) and ssidAMSD (data services) are now combined into a single address space, ssidAMSM. Any authorities that were previously required by ssidAMSD are now needed on ssidAMSM instead. ssidAMSM now consumes the encryption CPU. The utility that is used on z/OS to setup policies is renamed from DRQUTIL to CSQ0UTIL.
� There are no changes to the keyring names, and the hardened version of the policies which are stored as messages on the SYSTEM.PROTECTION.POLICY.QUEUE have the same shape, so existing policies just work.
� AMS is still priced separately as OTC and has a separately installed FMID which is an enablement module for AMS.
@MoragHughson24
MQIC
No changes required to existing applications
Server/Client JMS
QMGRQMGR QMGR
Channel Agent Channel Agent
Application Application JMS Application
Renamed MQIC
JMS
JMQI
MQ API (mqm lib)
Pre 7.1 ClientServer
@MoragHughson
AMS Interceptors
25
MQIC
No changes required to existing applications
Server/Client JMS
QMGRQMGR QMGR
Channel Agent Channel Agent
Application Application JMS Application
Replacement mqic lib
Renamed MQIC
JMS
JMQI
JMQI InterceptMQ API (mqm lib)
API Exit
Pre 7.1 ClientServer
API Exit Library Replacement JMQI Intercept
@MoragHughson
AMS Interceptors
26
Server/Client JMS
QMGR QMGR
Channel Agent
Application JMS Application
JMS
JMQI
JMQI InterceptMQ API (mqm lib)
API Exit
7.1 Clients Use API Exits
API Exit JMQI Intercept
@MoragHughson
AMS Interceptors
27
Server/Client JMS
QMGR QMGR
Channel Agent
Application JMS Application
JMS
JMQI
MQ API (mqm lib)
Server
API Exit JMQI Intercept
7.5 Interception is built-in 7.5 Interception is built-in
N
O
T
E
S
Interceptors - Environments supported
� MQ AMS functionality is implemented in “interceptors”– There are no long running processes or daemons (except in z/OS®)
– Existing MQ applications do not require changes
� These interceptors have evolved over the last few releases.� Before MQ V7.1
– Three interceptors are provided:
1. MQ Server interceptor for local (bindings mode) MQI API and Java™ applications -Implemented as standard API exit on distributed, and “private” API exit on z/OS
2. MQ Client API interceptor for remote (client mode) MQ API applications –Implemented as a library replacement
3. MQ Java client interceptor for remote (client mode) MQ JMS and MQ classes for java applications (J2EE and J2SE).
� With WebSphere MQ V7.1 MQI clients gain the ability to use API exits, so the MQ Client API interceptor becomes the same API exit as the MQ Server interceptor.
� With WebSphere MQ V7.5, AMS is no longer a separate product and becomes a feature of WebSphere MQ with the interceptor code becoming embedded in the product. No need to configure API exits anymore.
@MoragHughson
Logical Architecture Design
@MoragHughson
WebSphere MQ AMS configuration file
� WebSphere MQ AMS interceptors require a configuration file,
eg. KEYSTORE.CONF, which contains:�Type of keystore: CMS, JKS, JCEKS
�Location of the keystore.
�Label of the personal certificate.
�Passwords to access keystore and private keys
(or .sth stash for CMS format)
� Interceptors locate the configuration file using one of the following
methods:�Environment variable MQS_KEYSTORE_CONF=<path to conf file>.
�Checking default locations and file names.
� Platform dependent. For example in UNIX®: “$HOME/.mqs/keystore.conf”
Location : ProducerKeystore
Label : MyDN
KEYSTORE . CONF
@MoragHughson
Keystores and X.509 certificates
� An application protected by AMS needs:-�On distributed - a keystore
� Types: CMS, JKS and JCEKS
�On z/OS - a SAF keyring
� Named “drq.ams.keyring”
� The keystore contains�A personal X.509 certificate and associated private key� trusted certificates
� to validate message signers
� to obtain the public keys of encrypted message recipients
� Create using:-� iKeyman GUI�Command line – runmqakm�SAF commands, e.g. RACDCERT in RACF®�3rd party key management software
Alice's Digital Certificate
CA Sig
APrivate
APublic
YourDNTrusted Cert
Public Keys
MyDNPersonal Cert
Private keys
ProducerKeystore
N
O
T
E
S
Keystores and X.509 certificates
� Each MQ application producing or consuming protected messages requires access to a keystore that contains a personal X.509 (v2/v3) certificate and the associated private key.
� The keystore and certificate is accessed by the MQ AMS interceptors.
� The keystore must contain trusted certificates to validate message signers or to obtain the public keys of encrypted message recipients
� Keystore can be the same as that used for MQ SSL
� Several types of keystore are supported (Distributed): CMS, JKS and JCEKS.
� On Distributed MQ, the IBM Key Management (iKeyman, part of GSKit) is provided to create and do simple management of local keystores
� On z/OS, standard SAF product (eg. RACF) used to create certificates which are SAF-managed and must be on a keyring named “drq.ams.keyring”
� 3rd party software is available from IBM (or others) to provide more robust, industrialisation of keystore maintenance. For the IBM Tivoli® Key Lifecycle Manager, see: http://www.ibm.com/software/tivoli/products/key-lifecycle-mgr/
@MoragHughson
IBM MQ Advanced Message Security - Architecture
MCA
QueueManager
OK?
y/n
Pre V7.5MQ Client Application
AMS InterceptKey
Store
ObjectAuthority Manager
MCA
QueueManager
OK?
y/n
MQ Application
AMS Intercept
KeyStore
ObjectAuthority Manager
MCA Interception
Application
Queue Manager
@MoragHughson
IBM MQ AMS – Signed Message Format(Integrity Policy)
Message Data
Message Data
PDMQ Header
PKCS #7 Envelope
Signature
Original MQ Message AMS Signed Message
Message PropertiesMessage Properties
@MoragHughson
IBM MQ AMS – Encrypted Message Format(Privacy Policy)
Message Data
Message Data
PDMQ Header
PKCS #7 Envelope
Signature
Original MQ Message AMS Encrypted Message
Message PropertiesMessage Properties
Key encrypted with certificate
Data encrypted with key
@MoragHughson
How to secure an existing MQ application –No protection
STOCKSending
AppReceiving
App
ORDERSAlice Bob
@MoragHughson
How to secure an existing MQ application –SPLCAP(ENABLED)
STOCKSending
AppReceiving
App
ORDERSAlice Bob
1.Install WebSphere MQ AMS Component on server
@MoragHughson
How to secure an existing MQ application –Assign Certificates
STOCKSending
AppReceiving
App
ORDERSAlice Bob
Keystore
Alice PrivateAlice Public
Keystore
Bob PrivateBob Public
1.Install WebSphere MQ AMS Component on server2.Create certificates (public / private key pairs)
@MoragHughson
How to secure an existing MQ application –Exchange Public Key
STOCKSending
AppReceiving
App
ORDERSAlice Bob
Keystore
Alice PrivateAlice Public
Bob Public
Keystore
Bob PrivateBob Public
Alice Public
1.Install WebSphere MQ AMS Component on server2.Create certificates (public / private key pairs)3.Exchange public keys
@MoragHughson
How to secure an existing MQ application –Set security policy
STOCKSending
AppReceiving
App
ORDERSAlice Bob
Keystore
Alice PrivateAlice Public
Bob Public
Keystore
Bob PrivateBob Public
Alice Public
Policy
ORDERSPrivacyRecipient : BobSigner : Alice
1.Install WebSphere MQ AMS Component on server2.Create certificates (public / private key pairs)3.Exchange public keys4.Define security policy for the queue
@MoragHughson
How to secure an existing MQ application –Privacy & Integrity
STOCKSending
AppReceiving
App
ORDERSAlice Bob
Keystore
Alice PrivateAlice Public
Bob Public
Keystore
Bob PrivateBob Public
Alice Public
Policy
ORDERSPrivacyRecipient : BobSigner : Alice
1.Install WebSphere MQ AMS Component on server2.Create certificates (public / private key pairs)3.Exchange public keys4.Define security policy for the queue5.Messages can only be viewed by Bob, Bob will only accept messages from Alice
Send/RcvApp
Charlie
@MoragHughson
IBM MQ Advanced Message Security Availability
� IBM MQ 8�Release Date : May 2014
� WebSphere MQ 7.5�Release Date : June 2012
� WebSphere MQ Advanced Message Security 7.0.1�Release Date : Oct 2010� 7.0.1.1 Released : April 2011
� Added support for crypto hardware to store keys
� 7.0.1.2 Released : January 2012
� Added support for SHA-2, CRL/OCSP checking,
� 90 day Trial version available to download
� Platform support�All IBM MQ V8 server platforms
� Excluding IMS Bridge, IMS programs running in SRB mode
� Excluding Fully managed .NET applications
© 2015 IBM Corporation@MoragHughson
Questions?
@MoragHughson
For Additional Information
http://ibm.co/1zZNpf8
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has beenreviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or representor warrant that its services or products will ensure that the customer is in compliance with any law.
@MoragHughson
Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly
available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global
Business Services ®, Global Technology Services ®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®,
OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®,
pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson,
WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks
is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank YouYour Feedback is
Important!
Session AME-2286
Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone,
laptop or conference kiosk.
