Over the years I have often been asked for security templates and other canned assets to help make MQ security planning, implementation, and operation easier. These often become the source material for conference presentations, articles and videos. Some of these assets focus directly on configuration. The benefit of these is to take a lot of the heavy lifting off the hands of the MQ administrator. That leaves the administrator free to focus on the more business-specific task of designing the appropriate security architecture. The question then is whether we can take some of the heavy lifting from that task as well. I don’t believe that is easy to do safely, but the good news is that we can at least take much of the randomness out.
One of the best tools I have ever created for helping design the MQ security architecture isn’t a script, or a set of procedures, or anything prescriptive. It is simply a long list of open-ended questions to consider in the design.
For example, when someone says “MQ Security” what comes to mind? Very likely it is certificates, setmqaut commands, exits, CHLAUTH rules and so on. These are all examples of intrusion prevention controls, which is just one category under the larger “security” umbrella. If someone managed to get past the defenses, how would you know? This is called intrusion detection. When (not if) there is a breach, you will hopefully also have considered forensic analysis and recovery.
It’s a big topic.
It needs a big list of questions.
So by all means, automate everything possible (or call me to do that for you!) with regard to implementing and operating your security architecture. That leaves you free to focus on the more critical task of designing the best security architecture for your specific requirements. If you want a template to help with that, I may have just the thing!
You can download my IBM MQ Security Requirements Questionnaire directly, but as with all my other documents, its permanent home is on the Links page. Please let me know if you use the document and send me any comments, good or bad, so I can improve the document over time.
Hi, I was going through your Redbook sg248069.
Can you please clarify the below question?
For the below setup:
QMGR A:
sndr chl: QMGRA.TO.QMGRB
Remote queue: TEST.RQ
QMGR B:
Receiver chl: QMGRA.TO.QMGRB
Local Queue: TESTA.RQ
TARG Q: APP.TESTA
Now, when I put a message from application A on QMGR A to the remote queue TEST.RQ, it should be received by the local queue on QMGRB: APP.TESTA. I want to give only put access specific to this queue and not more than that (which is similar to a SVRCONN channel). I tried this by setting up an MCAUSER ID on the receiver channel and providing connect access to the QMGR and put access to the local queue. However, it appears that it’s expecting more privileged access like +setall, which is not recommended.
How should I fix this? I want to keep it as simple as possible for OAM without going to any message exits or anything like that. I also have SSL between the 2 qmgrs.