Question about benefits of WMQ Clustering

Here’s an email question I received today and my response:

Does IBM have any write-up for the advantage of using MQ clustering vs non-clustering setup? I am trying to get our application teams on board with using clustering. I was going to set up all our test servers in a test cluster and add a suffix to the queue names per the environments the queues reside on.

Application programmers are going to throw a fit having to make changes to their target queue names, etc. We use WMQ clients to our AIX servers and I know once they connect to a qmanager in the test cluster they can hit any clustered queue, so they will not have to make any changes to connect to a certain test environment qmanager to connect to its queue like they do today.


Posted in IBMMQ

Fix Pack 6.0.0.6 for WebSphere MQ Extended Security Edition V6.0 is available

See the IBM Flash announcement.

Significant new functionality was delivered in this Fix Pack.  According to the README file:

1.2.2 New support

1.2.2.1 Active Directory User Registry

This fix pack adds support for Tivoli Access Manager 6.0 environments where the Tivoli Access Manager Policy Server is configured against an Active Directory user registry. See section 8.0 of this README for further details.

1.2.2.2 Local Credential Cache

This fix pack adds additional functionality to the Tivoli Access Manager for Business Integration server to enable it to function while disconnected from the user registry and the PKI registry. This will allow for deployments where Tivoli Access Manager for Business Integration is only sporadically connected to these infrastructure pieces. See section 9.0 of this README for further details.

As many of you know, Tivoli Access Manager for Business Integration (TAMBI) is moving to the WebSphere family of products in both name and behind the scenes in the development labs.  This Fix Pack is the first delivery of the WebSphere-branded product and represents a significant milestone.  With all of the recent activity and interest in WebSphere MQ security, this could not have come at a better time.

Posted in IBMMQ, WMQ ESE, WMQ Security

IBM announces WebSphere MQ File Transfer Edition

Preview Announcement letter
New product Web site

Availability is projected as 4Q08.  The email announcement I received promised an upcoming webcast.  No link was provided at this time for the webcast but when one is announced, I’ll post it here.

I haven’t had a look at the security features and controls for this product yet but the announcement mentions audit logging, automation and instrumentation so I am optimistic.

Setting aside security for a moment though, this is sure to be received warmly by the WMQ community.  I know of many cases where WMQ is being used to move files with a homegrown application.  There are a number of challenges in moving files over a message-oriented protocol that need to be solved and it just seems like having hundreds of shops write custom solutions of varying quality is not the right answer.  Much better to have a vendor solve the thorniest problems, provide code that is tested in a wide variety of shops with vastly differing use cases, and guarantee forward compatibility for a small maintenance fee.

All in all, I’d say this is very good news.

Posted in IBMMQ

WebSphere MQ security heats up

developerWorks article WebSphere MQ Security heats up from November 2007.

Are your MQ channels as secure as they should be? What you need to know about recent developments in IBM® WebSphere® MQ security and, more importantly, what you need to do — now.

WebSphere MQ had been in the market 14 years when this article was published.  During that time the two big changes to the product’s security posture were to set MCAUSER blank by default due to strong customer feedback, and the addition of SSL as a channel option.  The first made WMQ wide open by default and the second was only used by relatively few customers.  Over the years, WMQ security was systematically ignored by users and hackers alike.

But Martyn Ruks’ presentation at Defcon 15 changed that.  WebSphere MQ was “outed” to the hacker community.  For me and at least a few WMQ shops out there, this signaled the start of an arms race.  In this article and in presentations at the conferences I made a case to start securing the messaging network now – before there is a breach reported.  Of course, for many shops out there it will take one or more publicly reported breaches of WMQ before they perceive a business case to secure WMQ.

The problem with that approach is that security is not something you just “turn on” and walk away.  As I discuss in my most recent article, WebSphere MQ, PCI DSS, and security standards, security is just as much about the human processes and policies as it is about configuration.  It is a discipline and as such it needs time to mature within an organization and it requires an ongoing commitment.  The idea that you can wait for a breach to occur (and hope it happens to someone else) and then just magically switch on security is unrealistic.

Posted in Errata, IBMMQ, News, Publications, WMQ Security

What you didn't know you didn’t know about WebSphere MQ security

developerWorks article What you didn’t know you didn’t know about WebSphere MQ security, published January 2007.

Most WebSphere MQ administrators have taken steps to secure their messaging network, but a surprising number of these installations are still wide open. Is yours among them?

Let me just say “thank you” for the great response to this article!  This was the first article I wrote on WMQ security and all the comments, feedback and inquiries that resulted helped me convince the folks I work for to let me focus more in this area.  Today most of my consulting practice consists of WMQ security and I am working to bring other consultants up to speed in this area.

Posted in Publications

Running a standalone Java application on WebSphere MQ V6.0

In October 2006 I updated Bobby Woolf’s article Developing a standalone Java application for WebSphere MQ.  The article was updated to cover WMQ v6, JMS 1.1 and include a discussion of WMQ client vs. bindings mode connections.  The result was Running a standalone Java application on WebSphere MQ V6.0.  I don’t have any errata to report on the article as yet but it is consistently one of the top-read articles on developerWorks and generates a lot of email.  Perhaps some of that discussion can migrate over here.

The most frequently asked questions involve getting the sample code up and running.  The code comes with scripts that set up the CLASSPATH and define the managed objects but they include a number of defaults.  In particular, they expect a QMgr named JMSDEMO.  It is possible to use a different queue manager or to install the sample code somewhere other than C:\ but it is necessary to edit the values in the scripts.

Posted in Errata, Publications

No MQ presentation at Defcon this year

I’ve been keeping an eye on the Defcon speakers and schedule to see if any new WMQ presentations would be announced this year.  I know that Martyn Ruks who presented last year has a new WMQ security white paper and I was expecting him to be slotted in the schedule again this year.  But the schedule has finally been published, it appears to be final and there is no mention of MQ on it.

For users of WebSphere MQ, I would characterize this as a Good Thing.  If the increasing number of assessments and remediations is any indication, many of you are starting to take WMQ security seriously.  The lack of an MQ presentation at Defcon this year perhaps means that we have some more time to bolster our defenses.

This also means I don’t need to fly out to the middle of the desert in August.  When I’m in Vegas I like to get away from the casinos once in a while.  You know, get some fresh air and some sun.  I just don’t want to be like the Purifier guy in The Chronicles of Riddick who walks out from the cave and instantly bursts into flame in the sunlight.

Posted in IBMMQ, WMQ Security

What's wrong with this picture?

One of the reasons I started this blog was to give me a place to put updates to things I publish elsewhere.  I have discovered that web-based journals can be almost as difficult to get updated as printed journals and yet I have no shortage of updates I need to make.  On the one hand, there are the usual typos and clarifications.  Other times readers send questions that would add to the discussion but the articles have no online feedback like a blog does.

The other reason I need this vehicle is that security practices are ever changing.  The developerWorks journal is a great place for the kind of articles that I write because of the very broad and deep readership it enjoys.  I am privileged to be able to contribute for that audience and within that community of authors.  But the articles published there capture security practices as a snapshot in time.  The more specific the article is in terms of providing technical configurations, the more likely it is to need updates sooner rather than later.  This is true of security in general but especially true in the case of WebSphere MQ security, simply because the field is changing so fast right now.

Going forward, I’ll post a blog entry for each new article.  Feel free to make comments or ask questions about the articles through the blog.   As I have updates, I will update the blog post rather than make a new one and in this way we will capture the history and discussion in one place.

If you wish to subscribe to these posts, I will use the category “Publications”.  When and if there are any errata to report, I will add the category “Errata” when I update the post.  I will be creating placeholder posts for past articles shortly.

Posted in Errata, Publications

My latest WMQ Security article hits the stands

OK well maybe “hits the stands” is not exactly accurate since developerWorks WebSphere Technical Journal is an online format.  But “hits the browser” just doesn’t roll off the tongue as nicely.  OK well maybe “roll off the tongue” is not exactly accurate… [STACK OVERFLOW ERROR]

My latest developerWorks article WebSphere MQ, PCI DSS and security explores what it might look like if we were to apply the PCI Data Security Standard to WebSphere MQ.  In fact, some customers are already looking at doing just this, although it is not clear yet how or if PCI DSS impacts WebSphere MQ.  The premise of the article then is to ask “what is considered reasonable care or due diligence in the absence of a formal security standard?”  I conclude that the common practice of using prevailing practices as the standard is pretty much worthless in the WMQ community because the prevailing practices almost always allow anonymous administrative access.  If there is no formal standard and prevailing practices are of no use then it might be reasonable to use PCI DSS as a guideline, even for industries that do not handle card payments and where PCI DSS clearly has no formal regulatory authority.  The article then goes on to explore what it might look like if we did in fact apply PCI DSS to WebSphere MQ.

As always, I welcome thoughts and feedback.  The developerWorks article includes a feedback form on the bottom, you can contact me through my web site or add comments to this blog entry.

Posted in IBMMQ, Publications, WMQ Security

Comparing snail mail to WebSphere MQ

As you know, I’m constantly on the lookout for new messaging technologies that compete or interact with WebSphere MQ. I recently came across the web site of Boredom Research where they are testing out a new Snail Mail system based on…well…actual snails.


Posted in Humor