If you have ever attended one of my conference sessions, read my articles, or hired me to perform any kind of MQ work, then you know that I consider SupportPac MS0P to be an indispensable add-on for MQ Explorer. I recommend it to everybody. The folks at Hursley Lab are probably sick by now of my stirring up crowds at the conference by insisting it should be part of the base functionality in Explorer and fully supported. Given all that, you’d think I personally would have it installed in the MQ Explorer on my laptop. Until tonight, you would have been wrong.
Tonight I dropped everything else and concentrated on getting MS0P to run. I was eventually successful, but learned a lot about MQ along the way. I’m writing it all down to hopefully save others from the same ordeal.
Over the years I have often been asked for security templates and other canned assets to help make MQ security planning, implementation, and operation easier. These often become the source material for conference presentations, articles and videos. Some of these assets focus directly on configuration. The benefit of these is to take a lot of the heavy lifting off the hands of the MQ administrator. That leaves the administrator free to focus on the more business-specific task of designing the appropriate security architecture. The question then is whether we can take some of the heavy lifting from that task as well. I don’t believe that is easy to do safely, but the good news is that we can at least take much of the randomness out.
I will move this to SlideShare after making a few more edits per today’s comments and notes. At that point I will link to it from the Links page, same as all the others. But for now, please enjoy!
This is the version of the slides with the Notes pages printed:
20150602 Managing CA Certs – Notes
One of the first things anyone learns about async messaging is the set of fundamental messaging patterns: Datagram, Request/Reply and Report. The textbook handling of reply messages calls for the server application to copy the request's message ID into the correlation ID field of the reply so that the reply can be associated with the request. One of the available MQGMO.MatchOptions values specifies retrieval of messages by correlation ID specifically to facilitate request/reply. The idea is that the requesting program puts a message, then performs a GET on the reply queue using the returned message ID (as the correlation ID to match on) to select its reply.
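As an added illustration (not code from the post, and not the MQ API itself), here is a small in-memory model of the pattern just described. The constant, class and field names mirror MQMD and MQGMO so the flow reads like real MQPUT/MQGET code, but the queue and its match logic are a simplification written for this page. Two requesters share one reply queue, the server deliberately answers them out of order, and each requester still retrieves its own reply by asking for MQMO_MATCH_CORREL_ID with the MsgId that came back from its put. The second function shows what a plain get with no match options would have returned instead.

```python
"""Added example, not code from the post and not the MQ API: an in-memory
model of request/reply correlation.  Field and constant names mirror MQMD and
MQGMO so the flow reads like real MQPUT/MQGET code."""
from __future__ import annotations
import os
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Real MQ identifiers are 24 bytes; MQMI_NONE / MQCI_NONE are all zeros.
MQMI_NONE = b"\x00" * 24
MQCI_NONE = b"\x00" * 24
MQMO_NONE = 0x0
MQMO_MATCH_MSG_ID = 0x1
MQMO_MATCH_CORREL_ID = 0x2


@dataclass
class MQMD:
    MsgId: bytes = MQMI_NONE
    CorrelId: bytes = MQCI_NONE
    ReplyToQ: str = ""


@dataclass
class Message:
    md: MQMD
    body: bytes


class Queue:
    """Toy queue with MQPUT-style id generation and MQGET-style MatchOptions."""

    def __init__(self) -> None:
        self._msgs: deque[Message] = deque()

    def put(self, md: MQMD, body: bytes) -> MQMD:
        # MQPUT generates a MsgId when the caller leaves it as MQMI_NONE and
        # returns it in the MQMD; the requester keeps it to find the reply.
        if md.MsgId == MQMI_NONE:
            md.MsgId = os.urandom(24)
        self._msgs.append(Message(MQMD(md.MsgId, md.CorrelId, md.ReplyToQ), body))
        return md

    def get(self, md: MQMD, match_options: int) -> Optional[Message]:
        # A field selects only when its MQMO_MATCH_* option is set AND the
        # caller supplied a value other than *_NONE; otherwise first message wins.
        for m in self._msgs:
            if (match_options & MQMO_MATCH_MSG_ID and md.MsgId != MQMI_NONE
                    and m.md.MsgId != md.MsgId):
                continue
            if (match_options & MQMO_MATCH_CORREL_ID and md.CorrelId != MQCI_NONE
                    and m.md.CorrelId != md.CorrelId):
                continue
            self._msgs.remove(m)
            return m
        return None


def _requests_and_replies() -> tuple[Queue, dict[str, bytes]]:
    """Two requesters share REPLY.Q; the server answers them out of order."""
    request_q, reply_q = Queue(), Queue()
    pending: dict[str, bytes] = {}
    for name in ("alice", "bob"):
        md = request_q.put(MQMD(ReplyToQ="REPLY.Q"), f"request from {name}".encode())
        pending[name] = md.MsgId

    # Server side, textbook handling: the request MsgId becomes the reply
    # CorrelId and the reply gets a fresh MsgId of its own.
    requests = []
    while (req := request_q.get(MQMD(), MQMO_NONE)) is not None:
        requests.append(req)
    for req in reversed(requests):          # bob's reply lands on the queue first
        reply_q.put(MQMD(CorrelId=req.md.MsgId), b"reply to " + req.body)
    return reply_q, pending


def request_reply_demo() -> dict[str, Optional[bytes]]:
    """Each requester selects its own reply by CorrelId = its request MsgId."""
    reply_q, pending = _requests_and_replies()
    got: dict[str, Optional[bytes]] = {}
    for name, msgid in pending.items():
        msg = reply_q.get(MQMD(CorrelId=msgid), MQMO_MATCH_CORREL_ID)
        got[name] = msg.body if msg else None
    return got


def first_reply_without_matching() -> bytes:
    """What alice would receive if she did a plain get with no selection."""
    reply_q, _ = _requests_and_replies()
    return reply_q.get(MQMD(), MQMO_NONE).body


if __name__ == "__main__":
    print(request_reply_demo())
    print(first_reply_without_matching())
```

One detail the model reproduces from real MQ: the get only selects on a field when the match option is set and the MQMD field is not the NONE value, so a requester that leaves CorrelId as MQCI_NONE on a shared reply queue gets whoever's reply is at the head.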
MQ admins are getting serious about TLS channels these days, but it isn't always easy because there's a fairly steep learning curve. Though there is plenty of documentation for the MQ aspects, and for X.509 and TLS themselves, very little of it translates those requirements into a procedure you could actually follow to provision a certificate signed by a commercial CA. The Certificate Authorities document the provisioning process for certs used in the various web servers, but when the thing you need a certificate for isn't a web server, the CA-provided documentation is often lacking. In particular, official documentation from the CAs about MQ certs is almost non-existent.
To address that gap I wanted something that showed the process, start to finish, of enabling TLS on an existing pair of SDR/RCVR channels. I don't know about you, but I personally need to understand a process at a high level in order to see how all the pieces fit together and their upstream and downstream dependencies. This is that high-level overview.
Do you run MQ with linear logs on Windows? Do you want a log maintenance utility that really works on that platform with modern versions of MQ? So do I.
One of my biggest pet peeves about IBM MQ is that even after 20 years there remains no IBM-supported tool for managing linear log extents or any provision to automatically delete them on Distributed platforms. Recently while on assignment for a customer running MQ v8.0 on Windows we needed just such a tool and went to the SupportPacs landing page to review options. We looked at MO73, MS0L and MS62. None of them met my requirements and in some cases they don’t work at all.
Since I’m not at Interconnect this year I had some time on my hands so I wrote a script of my own. I’m making it available here so it’ll be just like I was there with you in Vegas. No, really, it will. This post takes 45 minutes to read and there’s 15 minutes of Q&A at the end, followed by refreshments in the hall.
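An added example, and not the script from the post: the core of such a utility in Python, working from the AMQ7467 and AMQ7468 messages the queue manager writes to its error log after rcdmqimg records a media image. The first names the oldest extent needed to restart the queue manager, the second the oldest extent needed for media recovery; only extents numbered below both are candidates for deletion. The error-log lines and extent names are constructed for the example, and the Windows paths in the comment are the MQ defaults and are assumptions for your installation. (Later releases, from IBM MQ 9.1, added a LogManagement setting in the Log stanza of qm.ini that can do this automatically; this is for the manual case the post describes.)

```python
"""Added example (not the post's own script): pick the linear log extents that
can be deleted, from the AMQ7467/AMQ7468 messages a queue manager writes to
its error log after `rcdmqimg`.  Sample log text and paths are constructed."""
import re
from pathlib import Path

# After rcdmqimg the queue manager writes:
#   AMQ7467: oldest extent needed to restart the queue manager
#   AMQ7468: oldest extent needed to perform media recovery
# Each names an extent as S<7 digits>.LOG.  Newer releases suffix the id with a
# severity letter (AMQ7467I), which the optional [A-Z] absorbs.
_MSG_RE = re.compile(r"^(AMQ746[78])[A-Z]?:.*?\bS(\d{7})\.LOG", re.M)
_EXTENT_RE = re.compile(r"^S(\d{7})\.LOG$")


def oldest_required(errlog_text: str) -> dict:
    """Return {message id: extent number}, keeping the LAST occurrence of each
    message because that reflects the queue manager's current state."""
    found = {}
    for msg_id, num in _MSG_RE.findall(errlog_text):
        found[msg_id] = int(num)
    return found


def deletable_extents(extent_names, required: dict) -> list:
    """Extents numbered below the older of the two required extents."""
    if not {"AMQ7467", "AMQ7468"} <= set(required):
        raise ValueError("run rcdmqimg first: both AMQ7467 and AMQ7468 must be in the error log")
    keep_from = min(required.values())
    out = []
    for name in sorted(extent_names):
        m = _EXTENT_RE.match(name)
        if m and int(m.group(1)) < keep_from:
            out.append(name)
    return out


def prune(active_log_dir: Path, errlog: Path, delete: bool = False) -> list:
    """Dry run by default; pass delete=True to actually remove the files."""
    required = oldest_required(errlog.read_text(errors="replace"))
    names = [p.name for p in active_log_dir.iterdir() if p.is_file()]
    victims = deletable_extents(names, required)
    if delete:
        for name in victims:
            (active_log_dir / name).unlink()
    return victims


# Constructed sample of the relevant error-log lines; a real AMQERR01.LOG
# carries timestamp headers and EXPLANATION/ACTION text around each one.
SAMPLE_ERRLOG = """\
AMQ7467: The oldest log file required to start queue manager QM1 is S0000120.LOG.
AMQ7468: The oldest log file required to perform media recovery of queue manager QM1 is S0000117.LOG.
AMQ7467: The oldest log file required to start queue manager QM1 is S0000125.LOG.
AMQ7468: The oldest log file required to perform media recovery of queue manager QM1 is S0000121.LOG.
"""
SAMPLE_EXTENTS = [f"S{n:07d}.LOG" for n in range(115, 128)]

if __name__ == "__main__":
    req = oldest_required(SAMPLE_ERRLOG)
    print(req)                                       # {'AMQ7467': 125, 'AMQ7468': 121}
    print(deletable_extents(SAMPLE_EXTENTS, req))    # S0000115.LOG .. S0000120.LOG
    # Against a real queue manager (Windows default data directory assumed):
    # prune(Path(r"C:\ProgramData\IBM\MQ\log\QM1\active"),
    #       Path(r"C:\ProgramData\IBM\MQ\qmgrs\QM1\errors\AMQERR01.LOG"), delete=False)
```

Run `rcdmqimg -m QM1 -t all *` (quote the `*` on a Unix shell) immediately before pruning so the two messages describe the current log position, and keep the dry run until you have checked the list; the script is deliberately conservative and uses the older of the two extents even though the restart extent is normally the newer one.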
Would it surprise you to know there's an MQ V8 System Administration certification? Normally I run down and take the test as soon as it's available, but this one has been out since January 14th and somehow I missed the announcement. So yesterday I stopped by my local Pearson VUE affiliate and sat for Test C2180-410: IBM MQ V8.0, System Administration to earn my certification. Did I pass? You betcha! Was it what I was expecting? Sort of.