I have worked over the last decade with many customers who were consolidating their MQ footprint. It's a familiar pattern: there are many queue managers, they tend to be lightly loaded, so why not consolidate to a central hub? Now that many of the projects of which I have firsthand knowledge have been in Production for a few years, some common patterns are emerging and they aren't good.
A viewer of the Zero to Hello World video recently challenged me to do a similar video for SSL. Challenge accepted!
Posted in Security, WMQ, WMQ Security
Tagged Admin, Best Practices, Recommended Practices, security, SSL, TLS, tutorial, WebSphere MQ Security, WMQ Security
If you have ever attended one of my conference sessions, read my articles, or hired me to perform any kind of MQ work, then you know that I consider SupportPac MS0P to be an indispensable add-on for MQ Explorer. I recommend it to everybody. The folks at Hursley Lab are probably sick by now of my stirring up crowds at the conference by insisting it should be part of the base functionality in Explorer and fully supported. Given all that, you’d think I personally would have it installed in the MQ Explorer on my laptop. Until tonight, you would have been wrong.
Tonight I dropped everything else and concentrated on getting MS0P to run. I was eventually successful, but learned a lot about MQ along the way. I’m writing it all down to hopefully save others from the same ordeal.
Over the years I have often been asked for security templates and other canned assets to help make MQ security planning, implementation, and operation easier. These often become the source material for conference presentations, articles and videos. Some of these assets focus directly on configuration. The benefit of these is to take a lot of the heavy lifting off the hands of the MQ administrator. That leaves the administrator free to focus on the more business-specific task of designing the appropriate security architecture. The question then is whether we can take some of the heavy lifting from that task as well. I don’t believe that is easy to do safely, but the good news is that we can at least take much of the randomness out.
Posted in Security, WMQ, WMQ Security
Tagged Admin, Architecture, Best Practices, IBM MQ, Recommended Practices, security, WebSphere MQ, WebSphere MQ Security, WMQ Security
I will move this to SlideShare after making a few more edits per today’s comments and notes. At that point I will link to it from the Links page, same as all the others. But for now, please enjoy!
This is the version of the slides with the Notes pages printed:
20150602 Managing CA Certs – Notes
One of the first things anyone learns about async messaging is the set of fundamental messaging patterns: Datagram, Request/Reply and Report. The textbook handling of reply messages calls for the server application to copy the request's message ID into the correlation ID field of the reply so that the reply can be associated with the request. One of the available MQGMO.MatchOptions values (MQMO_MATCH_CORREL_ID) specifies retrieval of messages based on the correlation ID specifically to facilitate request/reply. The idea is that the requesting program puts a message, then performs a GET on the reply queue with that match option, supplying the message ID returned by the PUT as the correlation ID to match, so that it selects its own reply and not one belonging to some other requester sharing the same reply queue.
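The pattern described above, as an added illustration that is not code from the original post and does not use the real IBM MQ API (no pymqi, no queue manager): the queue manager is replaced by a tiny in-memory class, MsgId and CorrelId are plain 24-byte values, and every name here (QueueManager, serve_one, run_scenario, NoMessageAvailable) is an assumption chosen for the example. It runs two requesters sharing one reply queue and shows what happens when the second requester reads its reply with and without matching on the correlation ID.

```python
"""Simulation of the MQ request/reply correlation pattern (added example).

Not the IBM MQ API: a dict of in-memory lists stands in for the queue
manager, and MsgId/CorrelId are plain bytes. The names used here are
assumptions for the example only.
"""
import itertools
from dataclasses import dataclass

MQMI_NONE = b"\x00" * 24   # "let the queue manager assign the MsgId" (as in MQ)
MQCI_NONE = b"\x00" * 24


class NoMessageAvailable(Exception):
    """Stands in for MQRC_NO_MSG_AVAILABLE on a GET that matches nothing."""


@dataclass
class Message:
    body: str
    reply_to_q: str = ""
    msg_id: bytes = MQMI_NONE
    correl_id: bytes = MQCI_NONE


class QueueManager:
    """Toy queue manager: named FIFO lists plus MsgId assignment on PUT."""

    def __init__(self):
        self._queues = {}
        self._seq = itertools.count(1)

    def put(self, qname, msg):
        # Like MQPUT with MQMI_NONE: the queue manager assigns a unique
        # 24-byte MsgId and returns it to the putting application.
        if msg.msg_id == MQMI_NONE:
            msg.msg_id = b"AMQ " + next(self._seq).to_bytes(20, "big")
        self._queues.setdefault(qname, []).append(msg)
        return msg.msg_id

    def get(self, qname, match_correl_id=None):
        # match_correl_id=None: a GET with no match options, i.e. whatever
        # message is at the head of the queue. Otherwise: behave like
        # MQMO_MATCH_CORREL_ID and return the first message whose CorrelId
        # equals the supplied value.
        queue = self._queues.setdefault(qname, [])
        for i, msg in enumerate(queue):
            if match_correl_id is None or msg.correl_id == match_correl_id:
                return queue.pop(i)
        raise NoMessageAvailable(qname)


def serve_one(qm, request_q):
    """Textbook server: copy the request's MsgId into the reply's CorrelId."""
    req = qm.get(request_q)
    reply = Message(body=f"reply to {req.body}", correl_id=req.msg_id)
    qm.put(req.reply_to_q, reply)


def run_scenario(use_correl_match):
    """Two requesters share REPLY.Q; returns {requester: reply body received}."""
    qm = QueueManager()
    request_q, reply_q = "REQUEST.Q", "REPLY.Q"
    # Each requester keeps the MsgId the queue manager returned from its PUT.
    ids = {}
    for client in ("A", "B"):
        ids[client] = qm.put(request_q, Message(body=client, reply_to_q=reply_q))
    # The server works the requests in order, so replies land on REPLY.Q as A, B.
    serve_one(qm, request_q)
    serve_one(qm, request_q)
    # B reads first. Without the match option it takes the head of the queue,
    # which is A's reply; with MQMO_MATCH_CORREL_ID it gets its own.
    received = {}
    for client in ("B", "A"):
        reply = qm.get(reply_q, ids[client] if use_correl_match else None)
        received[client] = reply.body
    return received


if __name__ == "__main__":
    print("with MATCH_CORREL_ID   :", run_scenario(True))
    print("without MATCH_CORREL_ID:", run_scenario(False))
```

The second run is the bug this pattern exists to prevent: every requester still receives a reply, so nothing fails loudly, but the replies are crossed. The same simulation also shows why the requester should hold the MsgId from its own PUT rather than generate a correlation value itself, since the queue manager guarantees that the assigned MsgId is unique.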
MQ Admins are getting serious about TLS channels these days, but it isn't always easy because there's a fairly steep learning curve. Though there is plenty of documentation for the MQ aspects, and for X.509 and TLS themselves, very little exists that translates these requirements into a procedure you could actually use to provision a certificate signed by a commercial CA. The Certificate Authorities document the provisioning process for certs to be used in the various web servers, but when the thing you need a certificate for isn't a web server, the CA-provided documentation is often lacking. In particular, official documentation from the CAs about MQ certs is almost non-existent.
To address that gap I wanted something that showed the process, start to finish, of enabling TLS on an existing pair of SDR/RCVR channels. I don't know about you, but I personally need to understand a process at a high level in order to best understand how all the pieces fit together and their up- and downstream dependencies. This is that high-level overview.