IBM MQ JMS is non-compliant

One of the first things anyone learns about async messaging is the set of fundamental messaging patterns: Datagram, Request/Reply and Report.  The textbook handling of reply messages calls for the server application to copy the request's message ID into the correlation ID field of the reply so that the reply can be associated with the request.  One of the available MQGMO.MatchOptions values specifies retrieval of messages based on the correlation ID, specifically to facilitate request/reply.  The idea is that the requesting program puts a message, then performs a GET on the reply queue using the returned message ID to select the reply.


Posted in Fail, News, WMQ

Managing CA-signed certificates

MQ Admins are getting serious about TLS channels these days, but it isn’t always easy because there’s a fairly steep learning curve.  Though there is plenty of documentation for the MQ aspects, and for X.509 and TLS itself, very little exists that translates these requirements into a procedure you could actually use to provision a certificate signed by a commercial CA.  The Certificate Authorities document the provisioning process for certs to be used in the various web servers, but when the thing you need a certificate for isn’t a web server, the CA-provided documentation is often lacking.  In particular, official documentation from the CAs about MQ certs is almost non-existent.

To address that gap I wanted something that showed the process, start to finish, of enabling TLS on an existing pair of SDR/RCVR channels.  I don’t know about you, but I personally need to understand a process at a high level in order to best understand how all the pieces fit together and their up- and downstream dependencies.  This is that high-level overview.


Posted in Security, WMQ, WMQ Security

Windows MQ Log Maintenance that really works

Do you run MQ with linear logs on Windows?  Do you want a log maintenance utility that really works on that platform with modern versions of MQ?  So do I.

One of my biggest pet peeves about IBM MQ is that even after 20 years there remains no IBM-supported tool for managing linear log extents or any provision to automatically delete them on Distributed platforms.  Recently while on assignment for a customer running MQ v8.0 on Windows we needed just such a tool and went to the SupportPacs landing page to review options.  We looked at MO73, MS0L and MS62.  None of them met my requirements and in some cases they don’t work at all.

Since I’m not at Interconnect this year I had some time on my hands so I wrote a script of my own.  I’m making it available here so it’ll be just like I was there with you in Vegas.  No, really, it will.  This post takes 45 minutes to read and there’s 15 minutes of Q&A at the end, followed by refreshments in the hall.


Posted in WMQ

MQ V8 Certification

Would it surprise you to know there’s an MQ V8 System Administration certification?  Normally I run down and take the test as soon as it’s available, but this one has been out since January 14th and somehow I missed the announcement.  So yesterday I stopped by my local Pearson Vue affiliate and sat for Test C2180-410: IBM MQ V8.0, System Administration to earn my certification.  Did I pass?  You betcha!  Was it what I was expecting?  Sort of.


Posted in News, Security, WMQ, WMQ AMS, WMQ ESE, WMQ FTE, WMQ Security

Avoiding reputational damage

Everyone knows that data breaches are expensive.  Security vendors never tire of telling us exactly how expensive breaches are, on a per-incident or per-record basis.  In the case of a large retail brand, a breach can make a significant dent but it usually isn’t fatal.  In fact, for one large conglomerate in particular, recent events suggest that even a series of high-profile breaches won’t cripple a company.  It might be tempting to assume this experience applies across the board.  It might be tempting to assume that your business would fare as well.  Don’t make that assumption.


Posted in Security, WMQ, WMQ Security

Configuration backups: the forgotten WMQ security control

Update: IBM has reconsidered and has announced that dmpmqcfg will be fixed as a defect! Subscribe if you would like a notification when the fix is announced. But please do read the post, especially if you are using amqoamd for anything.

Most of the time when someone says “security” they are actually thinking of intrusion prevention: the controls that keep unauthorized people out of the system.  But security is so much more than that.  We need to know if our security fails.  That part is intrusion detection.  After an incident we want to be able to determine how it happened and what to fix so it doesn’t happen again.  The logging and accountability functions are what support that forensic analysis.  Of course we also need to recover from an incident.  That’s the business continuity aspect.  All of these fall under the broad security umbrella, and any security assessment that I perform includes aspects of all of them.

But there is an implicit assumption that the tools to perform these functions are available.  In particular, the ability to back up a configuration for later recovery is something so fundamental that many people consider it part of the baseline functionality of any Enterprise-class product.  But what if it’s not?  Or worse, what if you think it is but the provided tools do not actually do what you are expecting?  Would you know?

If your shop is concerned about the security of the WebSphere MQ network, then chances are you consciously and deliberately configure your queue managers to prevent administration by adjacent queue managers in the network.  If you do not routinely do this, then by default compromise of any one queue manager on the network compromises the entire network.  Such a compromise would include any FTE, Broker, Advanced Message Security or other components or applications that can be administered by sending messages to their command queues.

The only problem is, IBM does not currently provide a tool in the product that backs these security settings up accurately.  There are two tools, documented in the WebSphere MQ Infocenter and a Technote, which are described as providing configuration backup functionality.  If you want that backup to be complete, both are broken.  IBM has officially responded in both cases that they are working as designed.


Posted in Fail, General, IIB, Security, WMQ, WMQ AMS, WMQ ESE, WMQ FTE, WMQ Security

Webinar: Security Defenses that Withstand the Test of Time


Please join AJ Aronoff and me for a Prolifics webinar: IIB: Security Defenses that Withstand the Test of Time

For the last 7 years my security focus has mainly been intrusion prevention.  That’s all the controls you use to keep unauthorized people out of the messaging network.  I’m happy to report that things have improved on that front.  IBM has greatly improved the software and customers are enabling the security controls in record numbers.  (Not that the secured systems are yet in the majority, but it’s MUCH better than before.)

Unfortunately, intrusion prevention is only one part of the story.  A comprehensive security design also includes intrusion detection, forensic capability and incident recovery.  One reason these are needed is that the state of the art is a moving target.  Attack technology always gets better, and defensive technology moves to keep up or stay ahead.  Over time the configuration you implement today gets weaker as the state of the art continues to advance.

This webinar will focus less on the specific controls and more on how to maintain security effectiveness over time.  We will be addressing IBM Information Broker (the software formerly known as WebSphere Message Broker) but since it is built on top of WebSphere MQ the content will also be useful for WMQ admins who do not have IIB.  I hope to “see” you there!

Much thanks to my friends at Prolifics for sponsoring the webinar.

Posted in General