
MQ Security


Presentation Transcript


  1. MQ Security

  2. Agenda

  3. setmqaut (set or reset authority)

  4. Authorizations

  5. Specify authorities for different object types

  6. Examples
     • 1. This example specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager.
     • run: setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm
     • 2. In this example, the authorization list specifies that user group foxy:
     • Cannot issue any calls from the MQI to the specified queue
     • Can perform all administration operations on the specified queue
     • run: setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm
     • 3. This example gives user1 full access to all queues with names beginning a.b on queue manager qmgr1. The profile is persistent, and will apply to any object with a name that matches the profile name.
     • run: setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all
     • 4. This example deletes the specified profile.
     • run: setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove
     • 5. This example creates a profile with no authority.
     • run: setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none

  7. Related Commands
     • dspmqaut -m WBRK_QM -t qmgr -p dmwang
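
An added example, not part of the original presentation: a small Python review helper that parses setmqaut command lines like those on the Examples slide and flags grants that deserve a second look before they are run. The finding names and the choice of +all and +alladm as "broad" are assumptions of this example, and only the flags shown on the slide (-m, -n, -t, -p, -g, -remove) are handled.

```python
import shlex

BROAD = {"all", "alladm"}  # assumption: what this reviewer treats as a broad grant
VALUE_FLAGS = {"-m": "qmgr", "-n": "profile", "-t": "type", "-p": "principals", "-g": "groups"}

def parse_setmqaut(line):
    """Split one setmqaut command line into target, grantees and authority list."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "setmqaut":
        raise ValueError("not a setmqaut command: %r" % line)
    cmd = {"qmgr": None, "profile": None, "type": None, "principals": [],
           "groups": [], "grant": set(), "revoke": set(), "remove": False}
    args = iter(tokens[1:])
    for tok in args:
        if tok in VALUE_FLAGS:
            value = next(args, None)
            if value is None:
                raise ValueError("missing value after " + tok)
            key = VALUE_FLAGS[tok]
            cmd[key] = cmd[key] + [value] if isinstance(cmd[key], list) else value
        elif tok == "-remove":
            cmd["remove"] = True
        elif tok.startswith("+"):
            cmd["grant"].add(tok[1:])
        elif tok.startswith("-"):
            cmd["revoke"].add(tok[1:])
        else:
            raise ValueError("unexpected token: " + tok)
    return cmd

def review(line):
    """Return finding codes (names invented here); an empty list means nothing flagged."""
    cmd = parse_setmqaut(line)
    generic = any(c in (cmd["profile"] or "") for c in "*?")
    findings = []
    if cmd["grant"] & BROAD:
        findings.append("broad-grant-generic" if generic else "broad-grant")
    if cmd["remove"] and generic:
        findings.append("generic-profile-removed")
    return findings

# Constructed input: the five commands from the Examples slide.
SAMPLES = [
    "setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm",
    "setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm",
    "setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all",
    "setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove",
    "setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none",
]
```

Calling review() on each entry of SAMPLES gives one list of findings per command; the +none command is the only one that comes back empty.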

  8. SSL
     • The Secure Sockets Layer (SSL) provides an industry standard protocol for transmitting data in a secure manner over an insecure network. The SSL protocol is widely deployed in both Internet and Intranet applications. SSL defines methods for authentication, data encryption, and message integrity for a reliable transport protocol, usually TCP/IP.
     • SSL uses both asymmetric and symmetric cryptography techniques. Refer to the following web site for a complete description of the SSL protocol: http://home.netscape.com/eng/ssl3/.
     • An SSL connection is initiated by the caller application, which becomes the SSL client. The responder application becomes the SSL server. Every new SSL session begins with an SSL handshake, as defined by the SSL protocol.

  9. SSL HandShake
     • Agree on the version of the SSL protocol to use.
     • Select cryptographic algorithms
     • Authenticate each other by exchanging and validating digital certificates.
     • Use asymmetric encryption techniques to generate a shared secret key, which avoids the key distribution problem. SSL subsequently uses the shared key for the symmetric encryption of messages, which is faster than asymmetric encryption.

  10. SSL HandShake

  11. SSL in WebSphere MQ
     • Message channels and MQI channels can use the SSL protocol to provide link level security.
     • A caller MCA is an SSL client and a responder MCA is an SSL server. WebSphere MQ supports Version 3.0 of the SSL protocol.
     • You specify the cryptographic algorithms that are used by the SSL protocol by supplying a CipherSpec as part of the channel definition.
     • During the SSL handshake, the MCA sends the digital certificate of the queue manager to its partner MCA at the other end of the channel. The WebSphere MQ code at the client end of an MQI channel acts on behalf of the user of the WebSphere MQ client application. During the SSL handshake, the WebSphere MQ code sends the user’s digital certificate to the MCA at the server end of the MQI channel.

  12. SSL in WebSphere MQ
     • Digital certificates are stored in a key repository.
     • The queue manager attribute SSLKeyRepository specifies the location of the key repository that holds the queue manager’s digital certificate.
     • On a WebSphere MQ client system, the MQSSLKEYR environment variable specifies the location of the key repository that holds the user’s digital certificate.
     • Alternatively, a WebSphere MQ client application can specify its location in the KeyRepository field of the SSL configuration options structure, MQSCO, on an MQCONNX call.
