The Deep Queue – Episode #2: Security Best Practices and FIPS

I just uploaded the second episode of The Deep Queue.  This episode expands on my recent Mission:Messaging column and also discusses some nuances of working with FIPS compliance in WebSphere MQ.  The next episode is scheduled for October 6th.  Between now and then I have a large Extended Security Edition gig, a security assessment and design project and some more work on the FIPS project so I’m sure to have plenty of topics to choose from.

As always, subscribe or download the podcast from FeedBurner at http://feeds.feedburner.com/t-rob/deepqueue


Mission:Messaging: Embracing cultural change in the WebSphere MQ community

developerWorks WebSphere Technical Journal
03 September, 2008

In this article I argue that many of the best practices in the WebSphere MQ community are no longer “best” and may even have become anti-patterns over time.  But once these practices become entrenched in the culture, it is very difficult to change them.

The world of WebSphere MQ is experiencing quite a bit of change at this moment in time and in the article I suggest this is a good opportunity to reexamine and update our best practices.  The article takes a look at several examples and The Deep Queue Episode #2 will discuss this topic as it applies to WebSphere MQ security.


DQ #2 delayed

As those who follow me on Twitter already know, I was in the hospital for several days last week with a really high fever.  That has pushed almost everything on my calendar back a week, including episode #2 of The Deep Queue.  I tried to work on it tonight but I’m not entirely recovered yet and just ran out of steam.  I really appreciate all of the feedback and subscriptions the show has received and wanted people to know that I am still committed to keeping the schedule that I announced on the first episode.  There were some extenuating circumstances this week but I’ll be getting back on track soon.


The Deep Queue – Episode #1: PCI-DSS and WMQ

The first episode of the new Deep Queue podcast is online!  In this episode I introduce the podcast for a few minutes and then talk about a discussion that I had with some guys from the IBM Retail group.  The Retail group does a lot of work with PCI compliance and I wanted to talk with them because they are much more familiar with it than I am.  I focus on securing WMQ and PCI is just a small part of that practice.  On the other hand, the Retail team is normally focused on the customer-facing parts of the system more so than the messaging network so I thought they might learn something from me as well.  I discuss all this in the podcast so I won’t go into it here other than to say it was a very productive discussion for all involved and I hope to work more with that team soon.

The podcast feed is: http://feeds.feedburner.com/t-rob/deepqueue

 


Upcoming publications

I haven’t blogged much lately because I’m on deadline for a new developerWorks Mission:Messaging column.  The next installment discusses changing culture to embrace SOA and how SOA impacts WebSphere MQ prevailing practices.  The premise is that migration to SOA is not just a configuration change or a development style but rather a cultural shift at the organizational level.  All the stakeholders need to “get it” and this includes the WebSphere MQ architects and administrators.  Some WMQ admin practices which made sense in the point-to-point world are less useful, even to the point of becoming anti-patterns, in an SOA environment.  I expect the article to appear roughly the second week of September.

In other news, watch this space for a new podcast on WebSphere MQ Security.  The first episode will be for August 25th and should be posted Sunday night or Monday morning Eastern time.  I plan to produce at least one a month for six months and then decide where to go with it based on feedback.  This will give me a way to expand on topics I cover in developerWorks as well as to discuss topics that might not fit in the developerWorks format.  I should point out here that the podcast will be a personal project and, like this web site, will reflect my own opinions and experiences and not those of IBM.

On a completely different topic, I’ve noticed that my Google alerts turn up several posts a day for WMQ jobs.  The subscription is supposed to catch news items but they are almost lost amongst the job postings.  While I am pleased at the notion of so much work out there in my specialty, it has turned my in-box into an extended game of Whack-A-Mole.  I’m beginning to think Luis Suarez has the right idea about email.


Massive web site overhaul

Apologies to those of you who are following the blog if the changes have been bumpy. Today the site underwent a massive overhaul as the old static pages were tossed and the blog was moved up from a subdirectory to become the main site. In addition, I’ve also migrated the content to the Cutline theme to add a little eye appeal. I’ve tried to make the updates as transparent as possible by redirecting the old php pages to their new WordPress equivalents.


See you in Barcelona!

I just found out my travel has been approved for IBM’s Transaction & Messaging Technical Conference coming up this November in Barcelona!  I seem to have inherited ownership of the High Availability presentation which I certainly do not mind.  I am also expanding the WebSphere MQ Security presentation into separate Basic and Advanced sessions.  The Basic session still covers securing administrative access to the queue manager.  The Advanced session will look at user and application security and include such things as application isolation, message-level authentication, B2B interfaces and so on.  I had to agree to present three sessions to get approval, but after two years it really was time for an update to the security slides anyway.


WebSphere MQ is twittering?

Yes, believe it or not.  http://twitter.com/WebSphere_MQ


WMQ meta news

Good to see Ben Mann has a new blog.  You may know Ben as the Product Manager for WebSphere MQ but his blog is all about the new Managed File Transfer product being developed in Hursley Labs.  For years people have been asking about moving files over WMQ and many have built applications to do just that.  But it is not as simple a task as it sounds.  If you put one file per message there is no reassembly required but you are limited to 100 MB files.  On the other hand you can choose to segment the file into multiple messages but then you have to reassemble the segments and they may arrive out of order or some may not arrive at all.  Either way there are questions of how to deal with all the OS-level issues such as file permissions, path traversal, whether to delete the source file or overwrite the target, etc.  Agents on either end have to deal with these issues and then somehow float exceptions from the remote node back up to the local end user in a time frame and format that .


SSL certificate irony

I happened across Doug Munsinger’s post about refreshing WMQ SSL certificates.  On the one hand, it’s good to know someone else out there is using SSL with WMQ.  On the other hand, the certificate problem on Doug’s web site overshadows the content of the post itself.

Ironically, the post about SSL certificates (the entire site, in fact) is only available over HTTPS but when you try to go to dougmunsinger.com, the certificate presented is actually for damgoodespresso.com.  This is exactly the kind of thing that you would expect with all the talk of the DNS exploits lately and you have to wonder if this is in fact a cache poisoning problem.

In order to read the post safely, I fired up a read-only image in a VMware Player, disabled scripting and configured an exception so the browser would ignore the certificate mismatch.  By the time I got to the post itself, I had almost forgotten why I went there in the first place.

In the end, it turns out that Doug had some minor problems refreshing expired SSL certificates but ultimately got through it.  The post reminds us to use REFRESH SECURITY TYPE(SSL) instead of the plain REFRESH SECURITY command as they do completely different things.  Good advice for those of us who have been doing this long enough that we’ve stopped reading the manuals.  Done that?  You betcha.  Now if Doug can only remember how to refresh the certificates under Apache…
