Comments for Store and Forward https://t-rob.net A blog about securing and using WebSphere MQ Sat, 30 Jan 2010 03:25:20 +0000 http://wordpress.org/?v=2.9.2 hourly 1 Comment on Deep Queue #14 – The Elephant Under the Bed by T.Rob https://t-rob.net/2009/11/27/deep-queue-14-the-elephant-under-the-bed/comment-page-1/#comment-8505 T.Rob Sat, 30 Jan 2010 03:25:20 +0000 https://t-rob.net/?p=354#comment-8505 Hi Nikhil, Among other things, locking out the old SVRCONN. This is too deep a subject to cover in this format. Frankly, there aren't any widely accepted best practices for PCI and WMQ yet, as far as I know. In fact, I believe PCI is only now beginning to look into what used to be called "the trusted internal network" at middleware in general. That said, you might have a look at this article for some additional thoughts on PCI and WMQ: http://bit.ly/63eIux Hi Nikhil,

Among other things, locking out the old SVRCONN. This is too deep a subject to cover in this format. Frankly, there aren’t any widely accepted best practices for PCI and WMQ yet, as far as I know. In fact, I believe PCI is only now beginning to look into what used to be called “the trusted internal network” at middleware in general. That said, you might have a look at this article for some additional thoughts on PCI and WMQ: http://bit.ly/63eIux

]]> Comment on Deep Queue #14 – The Elephant Under the Bed by Nikhil https://t-rob.net/2009/11/27/deep-queue-14-the-elephant-under-the-bed/comment-page-1/#comment-8451 Nikhil Fri, 15 Jan 2010 00:46:45 +0000 https://t-rob.net/?p=354#comment-8451 Hi Rob, I'm working for a Retail Client and we have to implement PCI requirements on MQ Servers. As part of this, we asked the app folks to use new svrconn with MCAUSER instead of default one. I would like to know what are the other things has to be changed to meet the requirements. MQ versions - 6.0.2.2 & above OS - Solaris 10 & Win 2003 Thank You Hi Rob,

I’m working for a Retail Client and we have to implement PCI requirements on MQ Servers. As part of this, we asked the app folks to use new svrconn with MCAUSER instead of default one. I would like to know what are the other things has to be changed to meet the requirements.

MQ versions – 6.0.2.2 & above
OS – Solaris 10 & Win 2003

Thank You

]]> Comment on WMQ Humor by Marimuthu Udayakumar https://t-rob.net/2009/04/14/wmq-humor/comment-page-1/#comment-8224 Marimuthu Udayakumar Sun, 13 Dec 2009 07:11:32 +0000 http://t-rob.net/?p=279#comment-8224 Its very awesome and playful. Its very awesome and playful.

]]> Comment on WebSphere MQ security heats up by chetan https://t-rob.net/2008/07/08/websphere-mq-security-heats-up/comment-page-1/#comment-7812 chetan Thu, 12 Nov 2009 10:07:46 +0000 http://t-rob.net/blog/?p=11#comment-7812 Good to hear Rob. Thanks. Good to hear Rob.

Thanks.

]]> Comment on WebSphere MQ security heats up by T.Rob https://t-rob.net/2008/07/08/websphere-mq-security-heats-up/comment-page-1/#comment-7775 T.Rob Wed, 11 Nov 2009 04:33:47 +0000 http://t-rob.net/blog/?p=11#comment-7775 Hi chetan, I'm not sure I see the distinction you are making. It's the same exposure as a RCVR or RQSTR channel with default settings and with the same mitigation - a low-privileged MCAUSER. Believe it or not, this actually is documented. But the degree to which it is not understood tells me the documentation is not as accessible or perhaps explicit as it could be. I've been submitting changes and suggestions through the Infocenter feedback links at the bottom of each page and I've seen quite a number of them implemented. So I agree the docs still have room for improvement but I'm encouraged by the progress we've made so far and I'll continue submitting suggestions. Of course, all readers are invited to submit their own suggestions through the Feedback links in the Infocenter so if you see something amiss, don't wait for me to catch it! Hi chetan,

I’m not sure I see the distinction you are making. It’s the same exposure as a RCVR or RQSTR channel with default settings and with the same mitigation – a low-privileged MCAUSER.

Believe it or not, this actually is documented. But the degree to which it is not understood tells me the documentation is not as accessible or perhaps explicit as it could be. I’ve been submitting changes and suggestions through the Infocenter feedback links at the bottom of each page and I’ve seen quite a number of them implemented. So I agree the docs still have room for improvement but I’m encouraged by the progress we’ve made so far and I’ll continue submitting suggestions. Of course, all readers are invited to submit their own suggestions through the Feedback links in the Infocenter so if you see something amiss, don’t wait for me to catch it!

]]> Comment on WebSphere MQ security heats up by T.Rob https://t-rob.net/2008/07/08/websphere-mq-security-heats-up/comment-page-1/#comment-7773 T.Rob Wed, 11 Nov 2009 03:51:28 +0000 http://t-rob.net/blog/?p=11#comment-7773 Hi Ray, It would be pretty unusual that a remote QMgr would need to put messages into the event queues. I make an exception for B2B QMgrs because I sometimes route their events to the internal QMgrs for off-the-box monitoring. No channel should be putting messages into SYSTEM or user-defined initiation queues. Point-to-point channels should not have access to the cluster command queue. Of course, this might mean setting up two different MCAUSER values for P2P and cluster channels. There are several I'm not sure about like the SYSTEM.SELECTION.* and SYSTEM.JMS.* queues. I doubt any channel legitimately needs access to the selection queues. I think only SVRCONN channels would need access to the SYSTEM.JMS.* queues. It might be worth opening a PMR to get the official answer as to which ones legitimately should be accessed by adjacent QMgrs or client apps. If you do this, please send me the PMR number. Hi Ray,

It would be pretty unusual that a remote QMgr would need to put messages into the event queues. I make an exception for B2B QMgrs because I sometimes route their events to the internal QMgrs for off-the-box monitoring.

No channel should be putting messages into SYSTEM or user-defined initiation queues.

Point-to-point channels should not have access to the cluster command queue. Of course, this might mean setting up two different MCAUSER values for P2P and cluster channels.

There are several I’m not sure about like the SYSTEM.SELECTION.* and SYSTEM.JMS.* queues. I doubt any channel legitimately needs access to the selection queues. I think only SVRCONN channels would need access to the SYSTEM.JMS.* queues. It might be worth opening a PMR to get the official answer as to which ones legitimately should be accessed by adjacent QMgrs or client apps. If you do this, please send me the PMR number.

]]> Comment on Fix Pack 6.0.0.6 for WebSphere MQ Extended Security Edition V6.0 is available by T.Rob https://t-rob.net/2008/07/08/fix-pack-6006-for-websphere-mq-extended-security-edition-v60-is-available/comment-page-1/#comment-7772 T.Rob Wed, 11 Nov 2009 03:38:21 +0000 http://t-rob.net/blog/?p=13#comment-7772 That's a good question, chetan. I don't have access to that level of product strategy but I would imagine the answer would have to do with the level of interest in security overall. The good news is that interest is indeed rising. The bad news is that the drivers of this rising interest include breaches on the internal network. The Consumability team was formed to encourage input from customers and other stakeholders so the product teams are more directly linked to customer needs. If you'd like to provide some feedback, there's a link on the WMQ page and you are more than welcome to take the survey. The last version I saw had a free-form field for comments so if the survey misses something important you can let them know. That’s a good question, chetan. I don’t have access to that level of product strategy but I would imagine the answer would have to do with the level of interest in security overall. The good news is that interest is indeed rising. The bad news is that the drivers of this rising interest include breaches on the internal network. The Consumability team was formed to encourage input from customers and other stakeholders so the product teams are more directly linked to customer needs. If you’d like to provide some feedback, there’s a link on the WMQ page and you are more than welcome to take the survey. The last version I saw had a free-form field for comments so if the survey misses something important you can let them know.

]]> Comment on Fix Pack 6.0.0.6 for WebSphere MQ Extended Security Edition V6.0 is available by chetan https://t-rob.net/2008/07/08/fix-pack-6006-for-websphere-mq-extended-security-edition-v60-is-available/comment-page-1/#comment-7415 chetan Fri, 06 Nov 2009 12:21:27 +0000 http://t-rob.net/blog/?p=13#comment-7415 When will IBM make ESE a part of MQ base product itself? When will IBM make ESE a part of MQ base product itself?

]]> Comment on WebSphere MQ security heats up by chetan https://t-rob.net/2008/07/08/websphere-mq-security-heats-up/comment-page-1/#comment-7414 chetan Fri, 06 Nov 2009 09:34:09 +0000 http://t-rob.net/blog/?p=11#comment-7414 Hi Rob, Thanks , it worked. What this means is We must always secure the cluster receiver channels. Simply setting up a cluster is a wide open backdoor. I think IBM needs to document this. Most documentation is regarding remote administration in cluster is vague or does not address this fact. Hi Rob,

Thanks , it worked.

What this means is We must always secure the cluster receiver channels.

Simply setting up a cluster is a wide open backdoor.
I think IBM needs to document this. Most documentation is regarding remote administration in cluster is vague or does not address this fact.

]]> Comment on WebSphere MQ security heats up by RKPowers https://t-rob.net/2008/07/08/websphere-mq-security-heats-up/comment-page-1/#comment-7368 RKPowers Wed, 04 Nov 2009 21:56:02 +0000 http://t-rob.net/blog/?p=11#comment-7368 Hi T-Rob, I was reviewing our implementation of these today, and noticed the following in mqmmca.aut: # Consider restricting access to all SYSTEM.** queues and then adding back # access to those that are legitimately required such as broker queues # or SYSTEM.CLUSTER.COMMAND.QUEUE Since I don't understand what all the SYSTEM.** queues do, I am not comfortable doing this. However, I believe that there are some queues that can and should be universally restricted, that I don't see in the script. You have mentioned (in other settings) that there are queues that nobody should be modifying (other than internal WMQ code). The one I noticed was: SYSTEM.AUTH.DATA.QUEUE So, in our mqmmca.aut script, I am adding: setmqaut -m QMGR -g mqmmca -n SYSTEM.AUTH.DATA.QUEUE -t queue -all +none Are there any others? Hi T-Rob,

I was reviewing our implementation of these today, and noticed the following in mqmmca.aut:

# Consider restricting access to all SYSTEM.** queues and then adding back
# access to those that are legitimately required such as broker queues
# or SYSTEM.CLUSTER.COMMAND.QUEUE

Since I don’t understand what all the SYSTEM.** queues do, I am not comfortable doing this. However, I believe that there are some queues that can and should be universally restricted, that I don’t see in the script.

You have mentioned (in other settings) that there are queues that nobody should be modifying (other than internal WMQ code).

The one I noticed was:
SYSTEM.AUTH.DATA.QUEUE

So, in our mqmmca.aut script, I am adding:
setmqaut -m QMGR -g mqmmca -n SYSTEM.AUTH.DATA.QUEUE -t queue -all +none

Are there any others?

]]>