Store and Forward

A blog about securing and using WebSphere MQ

WMQ Security Open Mic announced!

August 26th, 2010 by T.Rob

developerWorks Technical Exchange is hosting a WebSphere MQ Open Mic on the topic of security September 16 from 11am – 12pm EDT.  The panel will include Tom Schneider, Morag Hughson, Paul O’Donnell and myself.  The deadline for pre-submitted questions is September 7th.  There will be an open Q&A at the end but I expect this to be a very busy session and I would not count on having time for all the ad-hoc questions so pre-submit your question if possible!

The agenda so far is:

  • I put SSL on my application channels, is there anything else I need to do?
  • How do I apply authorization to a topic?
  • What security considerations exist for WebSphere MQ File Transfer Edition (WMQ FTE)?
  • How can I find the cause of a not authorized error on z/OS?
  • How can I list security profiles used by WebSphere MQ on z/OS?
  • Open lines for live question and answer period

There will be a replay available within a few days after the session.  Full details are available on the event page.  We are looking forward to meeting with you!

Let’s (not) do the time warp again!

June 26th, 2010 by T.Rob

Wow, the last 24 hours have been…interesting…here at Store and Forward.  Friday night I noticed all of my blog posts after October 2009 had disappeared!  My hosting provider’s front page lists daily backups as one of their services so I contacted them and asked for a restore.  After the restore, the site looked exactly the same – like a time capsule from October of last year.

Obviously the site had been like this long enough to have gotten picked up in the latest backups so I asked how far back the backups go.  One week.  One lousy week.  Sigh…  I guess if these are going to be meaningful, I’m going to have to take my own backups.  But wait – how is the site completely intact from 8 months ago if the hosting provider doesn’t keep backups?  Had someone hacked the site and…and carefully deleted all the content after a specific date?  Highly unlikely.

I signed onto the server using SCP to see if I could find any files with recent dates.  Oddly, the server gave me a different certificate fingerprint.  Was there a man-in-the-middle here?  A little more research and I found that the host I was pointing to was the one my site lived on before I added the SSL certificate, which had required a move.  Ahhh…so I wasn’t hacked and the hosting provider hadn’t restored from an incredibly old backup.  They had updated DNS and pointed me to the old server which, rather inconveniently, had the old version of my site still there. Whoops!

So DNS has been restored and it seems to have propagated across the net.  The site has all the current posts and I’m taking my own backups now.  Thanks to a few people who emailed to let me know.  I happened to find this about 6 hours before the first email arrived but it’s nice to know I would have been alerted.

Security remediation – DIY?

May 25th, 2010 by T.Rob

It’s nice to have been around long enough to be able to watch the WMQ community grow over the years.  You can watch the postings on the Vienna List Server or MQSeries.net work through themes as the community goes through its growing pains.  When I first came to MQSeries, the community was still wrapping its collective brain around messaging and there was a lot of discussion on how to design messaging applications, naming standards and even on what symbols to use to diagram a messaging network.  Later, discussion moved to things of a more technical nature such as how to keep channels up and running.  Over the years the community has worked through many story arcs, including performance & tuning, version compatibility, product family name changes, JMS, clustering and WebSphere family interoperability.  Security has been trending upward over the last year or so and I’m seeing this both in the online communities and at customer engagements.

The current topics of community interest give us an indication of what activity is going on in WMQ shops.  Security is a hot topic because people out there are getting serious about implementing it.  In the universe of Good Things, this is floating quite near the top, as far as I’m concerned.  But there is a hidden pothole that I want to warn you about and that is verification.  Let me explain further by giving an example from my conference presentation.

Lab materials actually posted this time!

May 5th, 2010 by T.Rob

The link I gave out earlier http://bit.ly/WMQSecurityLab is actually a good link, the problem was that after uploading the files, I neglected to update the index page to point to them.  That’s been fixed now and the session materials have been posted.  Feel free to give out the short link above or from this page, just click on the “links” tab above.  The WMQ Security presentation and the WMQ Security Hands-On Lab materials are there now.  Sorry for any confusion and much thanks to everyone who emailed or told me in the sessions today about the problem.

Thanks also to all of you who attended the lab here at #ibmimpact and stuck it out through the text file editing issues in Module 2.  Based on feedback from today’s session I have a few changes that will be made in both the lab guide and the scripts.  Check back here in a couple of weeks for the updated versions.  Your feedback is essential and VERY much appreciated!

WebSphere Client Experience Program has extensive presence at IMPACT

April 30th, 2010 by T.Rob

Wow, I can’t believe how many WebSphere Client Experience Program sessions are at IMPACT this year!  IBM has been working for quite some time to build stronger partnerships between the folks using WebSphere software and the folks developing it.  One of the visible signs of that effort has been the growing presence of the WebSphere Client Experience Program at IMPACT over the past few years.

In case you are not familiar with the program, CEP offers many ways to interact with the product lab such as early design reviews, scenario and usage exercises, usability evaluations, surveys, and more. The activities can come from any product / initiative in WebSphere and can be run in-person or over a teleconference and Web conference. I have reposted the current schedule after the break.  Be sure to check the online agenda and the errata sheets at breakfast for any schedule changes during the week.

Join the social media revolution!  Visit WebSphere CEP online at http://bit.ly/WebSphereCEP and don’t forget to add the #ibmimpact hashtag to your tweets and blog posts so they show up in the social aggregator.

WMQ Security Lab materials posted

April 29th, 2010 by T.Rob

As promised, here are the WMQ Security Lab materials.  These include the lab guide and the scripts.  To run the lab you will need a Linux server with WMQ v7.0 installed, as well as WMQ Explorer with SupportPac MS0P, the SupportPac MA01 Q program, and of course the SSL Wizard SupportPac.

The URL for the download is: http://bit.ly/WMQSecurityLab

Also, here is the Security is a Journey presentation that I wrote up for Guide Share Europe: http://bit.ly/SecurityJourney

Both of these will be posted permanently to the Links page shortly as well.  Please send feedback in the comments below or contact me via email or at the IMPACT 2010 conference to let me know what you think of these.

Remember to register and add the #ibmimpact hashtag to get your posts picked up at the IMPACT social media site!

WMQ SSL & TLS Open Mic

April 28th, 2010 by T.Rob

Regular followers of this blog won’t want to miss tomorrow’s WebSphere Technical Exchange “WMQ SSL & TLS Open Mic“.  Panelists scheduled are Alex Fehners, Andrew Akehurst, Calista Stevens, Jonathan Rumsey, Mike Horan, Rhys Francis, Tameka Woody, Mark Womack and Tiffanie Pearson so it promises to be an extremely informative event blessed by both experience from the trenches and deep knowledge of the code.

Up for air and off to IMPACT

April 28th, 2010 by T.Rob

It’s been far too long since I’ve posted here but I finally came up for air and even managed to take a week off.  I was supposed to be in Germany last week at the Guide Share Europe WMQ Working Group talking about security but those plans went up in smoke – volcanic ash, to be precise.  I was extremely disappointed because one of the reasons I dropped out of sight for a while was to prepare a new security slide deck for GSE called Security is not a destination, it’s a journey.  I’ve been wanting to tackle this subject for a while now and the folks at GSE were kind enough to let me run with it.  I just wish I could have been there to deliver it.  Thanks to Hubert Kleinmanns for stepping in at the last minute to do the presentation.  I’ll post the deck here shortly in case anyone is interested.

Next week I’ll be at IMPACT 2010, or #ibmimpact for those of you following the event in the aggregator.  Preparing the new WMQ Hands-On Security Lab materials was the other reason I’ve been out of sight lately.  It was a huge effort which nearly cost me my current client, my marriage and some IRS late filing penalties, but it was totally worth it.  There are several modules in the lab which will walk you through all of the tasks to do basic admin hardening.  These include setting up SSL between two QMgrs, between WMQ Explorer and two QMgrs, and then setting up BlockIP2 to filter connections and dynamically set MCAUSER.  The lab makes good use of several SupportPacs including Ian Vanstone’s SSL Wizard and Mark Taylor’s WMQ Explorer configuration and Display Plug-In.

Deep Queue #14 – The Elephant Under the Bed

November 27th, 2009 by T.Rob

This episode of The Deep Queue celebrates the first birthday of the podcast with some discussion of the SSL protocol vulnerability that was recently discovered.  Although there has been no announcement with regard to WebSphere MQ, I try to put the whole discussion into a larger context and ask if this is really the thing we need to worry about considering what else is going on.  More on that in the podcast or transcript.

In memoriam

October 29th, 2009 by T.Rob

The PCI community has suffered a great loss with the passing of Dave Taylor recently.  Dave had a vision of helping companies achieve not just the letter of PCI compliance, but the spirit of PCI compliance through better understanding and an open dialog amongst practitioners, auditors, users, business leaders and all other stakeholders.  That vision and passion became the PCI Knowledgebase, billed as “the largest PCI research community.”

I first met Dave when I was invited to present a webinar on WebSphere MQ security to the PCI Knowledgebase community.  By Dave’s standards the webinar was barely attended but as a conference speaker the numbers were about what I’m used to.  I presented that webinar twice and have since heard back from many of the attendees that they are now including WebSphere MQ in their PCI assessments and that they are finding – and fixing – configuration issues.  This is exactly the kind of thing Dave was trying to achieve and, although he was initially skeptical about the attendance rates, I know he was happy with the results.

The PCI Knowledgebase has pledged to continue in Dave’s absence and carry on his mission.  If you are a PCI DSS stakeholder, please stop by the PCI Knowledgebase web site and check it out.  It’s a great resource for anyone involved with PCI DSS and your participation is the best way I can think of to honor Dave’s memory.
