Presentation from today’s NY/NJ MQ User Group meeting

I will move this to SlideShare after making a few more edits per today’s comments and notes.  At that point I will link to it from the Links page, same as all the others.  But for now, please enjoy!

This is the version of the slides with the Notes pages printed:
20150602 Managing CA Certs – Notes

Posted in General | Leave a comment

IBM MQ JMS is non-compliant

One of the first things anyone learns about async messaging are the fundamental messaging patterns: Datagram, Request/Reply and report.  The textbook handling of reply messages calls for the server application to move the message ID to the correlation ID field so that the reply can be associated with the request.  One of the available MQGMO.MatchOptions values specifies retreival of messages based on the correlation ID specifically to facilitate request/reply.  The idea is that the requesting program puts a message, then performs a GET on the reply queue using the returned message ID to select the reply.

Continue reading

Posted in Fail, News, WMQ | Tagged , , , , , , , | 2 Comments

Managing CA-signed certificates

MQ Admins are getting serious about TLS channels these days, but it isn’t always easy because there’s a fairly steep learning curve.  Though there is plenty of documentation for the MQ aspects, and for X.509 and TLS itself, very little exists that translates these requirements into a procedure you could actually use to provision a certificate signed by a commercial CA.  The Certificate Authorities document the provisioning process for certs to be used in the various web servers, but the thing you need a certificate for isn’t a web server the CA-provided documentation is often lacking.  In particular, official documentation from the CAs about MQ certs is almost non-existent.

To address that gap I wanted something that showed the process, start to finish, of enabling TLS onto an existing pair of SDR/RCVR channels.  I don’t know about you but I personally need to understand a process from a high-level in order to best understand how all the pieces fit together and their up- and downstream dependencies.  This is that high-level overview.

Continue reading

Posted in Security, WMQ, WMQ Security | Tagged , , , , , , , | 9 Comments

Windows MQ Log Maintenance that really works

Do you run MQ with linear logs on Windows?  Do you want a log maintenance utility that really works on that platform with modern versions of MQ?  So do I.

One of my biggest pet peeves about IBM MQ is that even after 20 years there remains no IBM-supported tool for managing linear log extents or any provision to automatically delete them on Distributed platforms.  Recently while on assignment for a customer running MQ v8.0 on Windows we needed just such a tool and went to the SupportPacs landing page to review options.  We looked at MO73, MS0L and MS62.  None of them met my requirements and in some cases they don’t work at all.

Since I’m not at Interconnect this year I had some time on my hands so I wrote a script of my own.  I’m making it available here so it’ll be just like I was there with you in Vegas.  No, really, it will.  This post takes 45 minutes to read and there’s 15 minutes of Q&A at the end, followed by refreshments in the hall.

Continue reading

Posted in WMQ | Tagged , , , , , , , , | 17 Comments

MQ V8 Certification

Would it surprise you to know there’s an MQ V8 System Administration certification?  Normally I run down and take the test as soon as it’s available but this one has been out since January 14th and somehow I missed the announcement.  So yesterday I stopped by at my local Pearson Vue affiliate and sat for Test C2180-410: IBM MQ V8.0, System Administration to earn my certification.  Did I pass?  You betcha!  Was it what I was expecting?  Sort of.

Continue reading

Posted in News, Security, WMQ, WMQ AMS, WMQ ESE, WMQ FTE, WMQ Security | Tagged , , , , , , , , | 21 Comments

Avoiding reputational damage

Everyone knows that data breaches are expensive.  Security venders never tire of telling us exactly how expensive breaches are, on a per-incident or per-record basis.  In the case of a large retail brand, a breach can make a significant dent but it usually isn’t fatal.  In fact, for one large conglomerate in particular, recent events suggest that even a series of high-profile breaches won’t cripple a company.  It might be tempting to assume this experience applies across the board.  It might be tempting to assume that your business would fare as well.  Don’t make that assumption.

Continue reading

Posted in Security, WMQ, WMQ Security | Tagged , , , , , , | 2 Comments

Configuration backups: the forgotten WMQ security control

Update: IBM has reconsidered and has announced that dmpmqcfg will be fixed as a defect! Subscribe if you would like a notification when the fix is announced. But please do read the post, especially if you are using amqoamd for anything.

Most of the time when someone says “security” they are actually thinking of intrusion detection – the parts that keep unauthorized people out of the system.  But security is so much more than that.  We need to know if our security fails.  That part is intrusion detection.  After an incident we want to be able to determine how it happened and what to fix so it doesn’t happen again.  The logging and accountability functions are what support that forensic analysis.  Of course we also need to recover from an incident.  That’s the business continuity aspect.  All of these fall under the broad security umbrella and any security assessment that I perform includes aspects of all of these.

But there is an implicit assumption that that the tools to perform these functions are available.  In particular, the ability to back up a configuration for later recovery is something so fundamental that many people consider it part of the baseline functionality of any Enterprise-class product.  But what if it’s not?  Or worse, what if you think it is but the provided tools do not actually do what you are expecting?  Would you know?

If your shop is concerned about the security of the WebSphere MQ network, then chances are you consciously and deliberately configure your queue managers to prevent administration by adjacent queue managers in the network.  If you do not routinely do this, then by default compromise of any one queue manager on the network compromises the entire network.  Such a compromise would include any FTE, Broker, Advanced Message Security or other components or applications that can be administered by sending messages to their command queues.

The only problem is, IBM does not currently provide a tool in the product that back these security settings up accurately.  There are two tools documented in the WebSphere MQ Infocenter and a Technote which are describes as providing configuration backup functionality.  Assuming you want that backup to be complete, both are broken.  IBM has officially responded in both cases that they are working as designed.

Continue reading

Posted in Fail, General, IIB, Security, WMQ, WMQ AMS, WMQ ESE, WMQ FTE, WMQ Security | Tagged , , , , , , , | Leave a comment