GWC Webinar posted

The WebSphere MQ Security Deeper Dive slides from the Global WebSphere Community webinar last month are now posted on this site.  You can get them from the Links page or just click here.  If you want the screencast and recording they are available from the Global WebSphere Community’s site here.  Thanks go to the great folks at Global WebSphere Community who were excellent to work with in planning, producing and executing the webinar!


Previous security lab reposted

I acted a bit too hastily in removing the old WMQ Security Lab download when the new one was posted.  Several readers reminded me that the new lab is for v7.1 and that isn’t even out yet!  Everyone who needs these materials is obviously still on v6.0 or v7.0 so mea culpa.  The download is restored to its rightful place on the Links page.


Credit card security fail

I suppose it says something about my travel schedule when a local purchase at Best Buy triggers a card security alert, but charges across country or overseas do not.  When I arrived home after picking up one of the new 3TB disk drives there was a voice mail from my bank informing me that I needed to call right away regarding a suspicious card transaction.  The number they provided was not the same customer service number on the back of the credit card. This pegged my mental fraud detector so I called the number on the back of the card instead.  The Customer Service Rep politely informed me that “we don’t handle those here” and that I would need to call the number provided in the voice mail and no she could not verify that the number in the voice mail belonged to the bank. “But it must be the right number or they wouldn’t have called you, right?”  Sigh… Amateur.


Encrypting passwords in config files – secure or not?

Not long ago a colleague told me he wished that he could use a .kdb format keystore for his Java applications.  When I inquired as to why, he said he liked that the .kdb includes the ability to stash an encrypted version of the password, whereas with his Java application he was obliged to store the password in a configuration file and, more importantly to his mind, in plain text.  My initial reaction was that encrypting the Java passwords would probably be a good thing.  Judging by the frequency with which this requirement comes up, I’m guessing most people would agree.  Intuitively, it makes sense – an encrypted password must be more secure than one in plain text, right?  The more I think about it, the more I’m convinced that the opposite is the case.  I’ll explain why after the break.


WMQ Security in v7.1

For those of you who missed it, Morag presented the WMQ Security session at this year’s WebSphere Technical Conference last week.  This was exciting for a few reasons, not the least of which was – did I mention MORAG presented? So good to have her back at the conference.

Of course, for this iteration she had written all new content for the conference.  There are so many changes related to security in v7.1 that almost all of the session was devoted to the new features!  There is almost nothing left of my content from the deck but hey, it was pushed out by new features and that’s a problem I love to have.  This blog post is a very high level overview of those new features.



Posted WMQ v7.1 “What’s New” presentation

The much-awaited “What’s New in WMQ v7.1” session has been surrounded by technical issues.  On the first day of the conference it was completely omitted from the agenda.  The repeat is listed on the agenda with the wrong title.  Today I found that the presentation is not available for download from the conference site.  Sigh.  At least that last one is something I can do something about.  You can now go to the Links page to download the What’s New in WMQ v7.1 presentation.


WSTC 2011 WMQ/WMB presentations

The WebSphere MQ and WebSphere Message Broker presentations scheduled for the 2011 WebSphere Technical Conference in Berlin next week are listed after the break.

When I’m not presenting or meeting you can probably find me in one of the security-related sessions in the list below.  This is an exciting year for WMQ and Broker, with many new features and delivery of some long-standing feature requests.  WSTC and IMPACT are your best bets for early education on all the changes and I hope to see you at one of these events!

Note: Updated with corrected times as of 10 October.



Guest blogger @ WebSphere User Group

Ben Wen and I were invited to be guest bloggers at WebSphere User Group this month so the post I was planning for this space was hijacked! You can read it at WebSphere User Group posted as The Invisible Threat.


Blog and podcast to resume

I’ve spent the last five years since joining IBM as a consultant in Software Services for WebSphere. This has been the most rewarding and happiest time in my career and I’ve made many new friends from my customer assignments and my IBM colleagues. But my mission in life is to make sure all the WebSphere MQ out there in the world is secured and there are limits to how many customers I can reach working one at a time. That’s one reason I love presenting at the conferences and writing articles – I get a chance to meet and influence many customers at a time. I can spend 40 hours on a customer engagement and help one customer, or I can spend half that time on an article or a few hours at the podium and help many customers. That’s leverage and I’m going to need a lot of it to reach as many MQ users as I want to.

One down side to consulting was that I was focused so narrowly on customer assignments that there was little time for anything else. That was especially true in the last year due to a sharp increase in demand for security services. The net result was that as consulting work ramped up, extracurricular activities such as the developerWorks column, the blog and the podcast ground to a halt. This meant that the activities which had the most leverage were the ones that fell by the wayside.

All that is about to change. As of August 1, I’ll be moving to the WebSphere messaging family product management team. Actually, I have always worked with the lab and product management teams but up to now it was as a customer or as an IBMer in my “spare” time. Beginning next month it will be my primary role and I won’t be consulting anymore. In addition to things like fully participating in the Early Access Programs, I’ll have time (in fact, be expected) to resume blogging, writing articles and podcasting. My conference schedule will likely expand as well, although at the moment all I know of is a possibility of staffing some of the IMPACT Comes to You events here in the US. More on that as it develops.

Over the next few weeks as I transition, I’ll try to get the blog caught up with some of the WMQ security news you might have missed, then resume the blog and podcast in earnest. The recent Fix Pack included security-relevant APARs for which there’s a CVE published. I’ll put the details in the next post but if you have compliance concerns be thinking about applying the Fix Pack if you have not already done so.


Hang on – switching hosting providers

After a long and happy relationship with Webzpro, I am afraid I need to switch hosting providers.  In their never-ending battle with spam, Webzpro has changed their email policy to no longer support some features which I require.  Other than this policy change, I’ve been quite happy there but unfortunately, this is a deal-breaker for me.

Please bear with me while I relocate.  I’ve found a new host with the features that I require and, they say, the ability to transfer my existing content seamlessly.  If you can still read this tomorrow, then perhaps all that is true.

Finally, I’m not investing in SSL at the new host until I’ve fully moved in there and tested the blog and podcasting functions.  Hopefully this won’t present any major issues.  Wish me luck!  Here goes…
