<h1>IBM MQ basics: security — part 1: SSL communications</h1>
<p>By António Trindade, published 2019-08-17 (last modified 2024-07-05). Original post: https://trindade.myphotos.cc/lazysysadmin/2019/08/17/ibm-mq-basics-security-part-1-ssl-communications/</p>
<p>Categories: basics, middleware, mq, security. Tags: ibm, ibmmq, mq, mqseries, ssl, webspheremq.</p>
<p>It is frequently neglected. It is almost always overlooked. It is the ugly duckling of distributed application design. Yes, I am talking about Information Security.</p>
<p>Security should be a compulsory requirement of any application.</p>
<p>IBM MQ has extensive security options, both for protecting your MQ infrastructure and for securing the information that flows through MQ in the form of messages.</p>
<p>Security in IBM MQ is a somewhat complex feature, so this will be the first of a series of three articles about MQ's security features.</p>
<p>Security features were greatly improved in IBM MQ 8.0. The most changed features (user authentication and channel security) will be addressed in future posts.</p>
<p>This first part of the sub-series is about securing your communications with SSL.</p>
<p>Communication between queue managers, and between clients and a queue manager, can and should be encrypted using SSL. This assures that messages being transmitted over the network, if intercepted, cannot be read by unwanted third parties (or, at least, are very difficult to read).</p>
<p>To have your queue manager communicate using SSL, the following is needed:</p>
<ul>
<li>SSL certificates for both ends of a sender/receiver channel pair.</li>
<li>SSL options set for the channels (both sender and receiver).</li>
</ul>
<p>As for the SSL certificates, you can use self-signed certificates or CA-signed certificates. Keep in mind that public CA-signed certificates are quite expensive. Self-signed ones are more than enough and offer the same level of confidentiality as CA-signed ones.</p>
<p>For now, I'll stick with self-signed certificates.</p>
<p>In the following examples, I'll be connecting two queue managers, MQ01 and MQ02, using an encrypted channel.</p>
<p>To create a self-signed certificate in MQ, just issue the commands below.</p>
<p>First, create a keystore:</p>
<p class="code-example">cd /var/mqm/qmgrs/MQ01/ssl<br>
runmqakm -keydb -db key.kdb -create -genpw -stash</p>
<p>The options used are:</p>
<ul>
<li><span style="font-family: andale mono, monospace;">-keydb</span>: selects the key database commands</li>
<li><span style="font-family: andale mono, monospace;">-db</span>: key database to create</li>
<li><span style="font-family: andale mono, monospace;">-genpw</span>: generate a password for the key database</li>
<li><span style="font-family: andale mono, monospace;">-stash</span>: generate a stash file (a file holding the encrypted password) for the key database, so later commands can use -stashed instead of typing the password</li>
</ul>
<p>Create a self-signed certificate:</p>
<p class="code-example">runmqakm -cert -create -db key.kdb -label ibmwebspheremqmq01 -dn "CN=MQ01,OU=Testing,O=MyOrg,L=Lisbon,C=PT" -size 2048 -default_cert -expire 10950 -stashed</p>
<p>Then, extract the public part of the certificate:</p>
<p class="code-example">runmqakm -cert -extract -db key.kdb -label ibmwebspheremqmq01 -file ibmwebspheremqmq01.pem -stashed</p>
<p>Copy the file ibmwebspheremqmq01.pem to the other queue manager's server.</p>
<p>Do the same for the other queue manager.</p>
<p>Then add the public certificate from the remote queue manager to the local queue manager's keystore:</p>
<p class="code-example">runmqakm -cert -add -db key.kdb -stashed -file ibmwebspheremqmq02.pem -label ibmwebspheremqmq02</p>
<p>Do the same for the other queue manager.</p>
<p>Next, configure the sender and receiver channels.</p>
<p>For the sake of this example, I will define a sender and a receiver in each queue manager, named TO.MQ01 and TO.MQ02, which will enable communication between both queue managers in both directions. Remember that the receiver has to have the same name as the remote sender. Note that one-way communication requires only a sender channel in the local queue manager and a receiver channel in the remote queue manager.</p>
<p class="code-example">runmqsc MQ01<br>
DEFINE QLOCAL(MQ02) USAGE(XMITQ) TRIGGER TRIGDATA(TO.MQ02) TRIGTYPE(FIRST) INITQ(SYSTEM.CHANNEL.INITQ)<br>
DEFINE CHANNEL(TO.MQ02) CHLTYPE(SDR) SSLCIPH(TLS_RSA_WITH_AES_256_GCM_SHA384) XMITQ(MQ02) CONNAME('ubuntuvm2(1414)')</p>
<p>On the remote queue manager, create the corresponding receiver channel:</p>
<p class="code-example">runmqsc MQ02<br>
DEFINE CHANNEL(TO.MQ02) CHLTYPE(RCVR) SSLCIPH(TLS_RSA_WITH_AES_256_GCM_SHA384) SSLCAUTH(REQUIRED)</p>
<p>To turn on SSL on the channel, you only have to specify the cipher, using the SSLCIPH parameter. The SSLCAUTH parameter, when set to REQUIRED, enables two-way client certificate authentication, that is, the sender's certificate is used to encrypt communications and the receiver's certificate is used to validate that the remote MQ is using a certificate known to the sender side.</p>
<p>If everything is correctly configured, you can now start the sender and display its status:</p>
<p class="code-example">runmqsc MQ01<br>
START CHANNEL(TO.MQ02)<br>
DISPLAY CHSTATUS(TO.MQ02) ALL<br>
4 : DISPLAY CHSTATUS(TO.MQ02) ALL<br>
AMQ8417I: Display Channel Status details.<br>
CHANNEL(TO.MQ02) CHLTYPE(SDR)<br>
BATCHES(0) BATCHSZ(50)<br>
BUFSRCVD(1) BUFSSENT(1)<br>
BYTSRCVD(268) BYTSSENT(268)<br>
CHSTADA(2019-12-05) CHSTATI(11.37.28)<br>
COMPHDR(NONE,NONE) COMPMSG(NONE,NONE)<br>
COMPRATE(0,0) COMPTIME(0,0)<br>
CONNAME(192.168.133.21(1414)) CURLUWID(65C6D65D014F1F12)<br>
CURMSGS(0) CURRENT<br>
CURSEQNO(0) EXITTIME(0,0)<br>
HBINT(300) INDOUBT(NO)<br>
JOBNAME(0000161600000001) LOCLADDR(192.168.133.20(49270))<br>
LONGRTS(999999999) LSTLUWID(0000000000000000)<br>
LSTMSGDA( ) LSTMSGTI( )<br>
LSTSEQNO(0) MCASTAT(RUNNING)<br>
MONCHL(OFF) MSGS(0)<br>
NETTIME(0,0) NPMSPEED(FAST)<br>
RQMNAME(MQ02) SHORTRTS(8)<br>
SECPROT(TLSV12)<br>
SSLCERTI(CN=MQ02,OU=Testing,O=MyOrg,L=Lisbon,C=PT)<br>
SSLCIPH(TLS_RSA_WITH_AES_256_GCM_SHA384)<br>
SSLKEYDA( ) SSLKEYTI( )<br>
SSLPEER(SERIALNUMBER=3C:D4:52:01:E8:A2:BE:E6,CN=MQ02,OU=Testing,O=MyOrg,L=Lisbon,C=PT)<br>
SSLRKEYS(0) STATUS(RUNNING)<br>
STOPREQ(NO) SUBSTATE(MQGET)<br>
XBATCHSZ(0,0) XMITQ(MQ02)<br>
XQTIME(0,0) RVERSION(09010300)<br>
RPRODUCT(MQMM)</p>