Pub/Sub security

One of the recurring questions I receive is about the differences between queue security and pub/sub security. The email below is typical:

Posted in IBMMQ, Security

Sure, it's always an MQ problem. Why is that a bad thing?

I don't always have problems, but when I do I blame them on MQ

It’s always an MQ problem

One recurring theme in the MQ community is that all problems are MQ problems.  Never mind that they almost always turn out to be application, network, firewall, SAN, account maintenance, resource constraints, human error or even sabotage, it’s an MQ problem.  If all the problem tickets have “MQ problem” in the title and are all assigned to the MQ team, the team and MQ itself can get a bad reputation within the organization.  I’ve been working with MQ since the mid 90’s and it has always been thus.  The complaint was raised again today.

I used to try and correct the record and language used for EVERY incident. This worked for a while but then with a lot of turnover, we are back to where we were a couple of years ago. I have had very little success trying to re-educate the current development staff.

Question, how do you deal with an organizational and cultural issue like this?

By the time I started an MQ admin team at my former employer, MQ had a terrible reputation.  In fact, the only reason I was assigned to it full time was that there were frequent outages and management decided it needed a lot of care and feeding.  One of the developers had become the resident MQ expert and after the first app went into production he provided the MQ support.  After two and then three apps were in production he spent as much time supporting MQ as writing code.  Since I wasn’t qualified to write C code (I was a COBOL programmer then) and since everyone knew a trained monkey could watch over MQ, he got to go back to coding full time and I was given 4 queue managers and a banana.  I quickly discovered that every problem was an MQ problem.  After a while they weren’t just MQ problems, they were T.Rob problems since my name was on every trouble ticket.  I began to think taking on the MQ admin role would ruin my career.

Posted in IBMMQ

Thoughts on Disaster Recovery

I’m often amazed by the amount of synchronicity in the world.  Most recently I’ve been flooded from all sides with discussions about disaster recovery and of those, almost all wanted to achieve a zero recovery point without sacrificing performance.  Since this requirement violates the laws of physics I’ve had the opportunity to write up my response several times and refine it a bit.  I’m posting it here for posterity.

Posted in General

Books, webinars and conferences, oh my!

The new WMQ Security book is into the review stage now and coming slowly along.  The four weeks we were all together in Raleigh flew by so fast it is amazing how much we were able to get done.  The down side to this is that now we are all back at our regular jobs and have lots of text to review and edit.  It’s progressing slowly but surely.  The next step is to get it published for public review and edit before finalizing the content.  I’ll post more when we get to that stage.

Unfortunately, I’ve been a bit of a roadblock on the project.  I had a slight bout with kidney stones that resulted in some laser surgery.  The surgery went great but one of the side effects of the meds is to lower your blood pressure.  Mine is already well controlled, and since losing a lot of weight it’s actually a bit on the low side anyway.  Combined with the meds, it tanked and I spent a couple weeks feeling unbelievably fatigued without knowing why.  Eventually I thought to check my blood pressure and figured it out.  Fortunately, I live in Charlotte and own a very fast sport bike.  Nothing gets your blood pressure up faster than riding a bike that will easily do 140mph, on a highway posted at 65mph, stuck in traffic doing 30mph.  Problem solved.

So now I’m back to work on the book and splitting time with other projects.  Among those is a webinar tomorrow called Lessons learned for WebSphere MQ V7.1 and V7.5 security from the upcoming Secure Messaging Scenarios with WebSphere MQ IBM Redbook.  Click the link to register.  The presentation begins at 8am PDT / 11am EDT which should be 4pm UTC (assuming I got my daylight saving time calculations correct).

What are the topics?  Well let’s just say that during the residency we stumbled across a couple of things that surprised the team.  Considering who else was on the team – Glenn Baddeley, Neil Casey, Long Nguyen, Jørgen Pedersen and Morten Sætra – the fact that we were surprised by some of our findings was a bit unexpected.  I forget what the exact count was but between the six of us we have something like a century of WMQ experience, much of it in security.  We are a tough group to surprise so it occurred to me the things that tripped us up might make a good preview for the book.  Thus was born tomorrow’s webinar.

I’m also planning for the upcoming WebSphere MQ Administration seminars, also hosted by WebSphere MQ Insights.  The next one will be in Chicago in October, followed closely by another one in London.  Since these are in person, attendance is limited so register early.  I really like these because it is sized like a conference breakout session but it is all in one room for several days.  That makes for a much more participatory event and the ability to tailor content to the attendees.  Tag-teaming across three presenters also keeps the sessions fresh and brings more breadth of experience to bear on any questions or issues raised.  I wasn’t sure if I’d like this format as much as the conferences but it turns out it is better as a speaker and, based on feedback from the first one, as an attendee as well.

A rather unusual situation this year is that I won’t be attending WebSphere Technical Convention in Berlin.  I’ve tried to attend these for the last six years but this year it happens to coincide with the Hursley Connectivity Days event and it looks like I’ll be there instead.  Think of it as Hursley Comes to You in reverse.  On the one hand, I’ll still be able to meet with customers and also colleagues in the Hursley Lab.  On the other hand, I’ll not only miss WSTC, I’ll miss the Halestorm concert in Berlin on the 14th.  Damn!

OK, to sum up: Security book on the way, preview it in the webinar tomorrow @ 11am, WSMQ Admin seminars in Chicago and London in October, driving 30 in a 65 on a 140mph vehicle causes blood pressure to rise, Halestorm rocks.

Posted in General

Cluster security

Well, the residency to write the new WebSphere MQ Security book is past the halfway point and we are working diligently to finish up on time. I’m happy to say that one of my favorite new security topics is covered in the book: cluster security.

With point-to-point networks there was always a separate inbound channel for each remote queue manager and that allowed you to authorize each one to a different subset of queues. But convert that network to use clustering and there is only one inbound channel so the granularity of point-to-point channels was lost. Sure, you could use a security exit and a channel auto-definition exit but very few people went to the trouble of writing the exits. For better or for worse, most shops fell back to a monolithic security model for their cluster.

Posted in Events, IBMMQ, News, Publications, WMQ Security

New MO71 Beta

Paul Clarke has been working on MO71, a.k.a. mqmon, and has released a beta version of the program. He mentioned that some people have problems getting attachments in email so I offered to host a download.  Whether you are a regular user of MO71 or have never tried it, Paul would appreciate your feedback. Something broken? Not quite right? Confusing? Let him know. But also let him know if you absolutely love it. Contact info is in the instructions.

MO71 Beta PDF only
MO71 Beta exe and pdf

(Last updated 9 July, 2012)

Posted in IBMMQ

Thoughts on certificate sharing

The topic of certificate sharing keeps popping up as of late so I wanted to address it here.  The main objection to certificate-based crypto seems to be the administrative overhead.  After having scripted up certificate management for several customers, I have come to believe that the administrative burden is overstated in many cases.  That said, the discussion of key sharing has merit.  In some use cases, such as a web app server farm, a single entity is distributed across multiple instances.  If the administrative scope of that entity contains all those instances (in other words if the compromise of any one node compromises all other nodes) then little or no additional security is gained from them having many unique certificates.  So what are the considerations in all those nodes sharing the same certificate?

Posted in IBMMQ, MQ AMS, WMQ Security

Sharpening the saw

I am fortunate this year to participate in many seminars and conferences.  I just finished IMPACT and on June 5th I’ll be in New York for the WSMQAdmin seminar there.  The following week I’ll be in Zurich for the TI&M WebSphere Messaging and Web Services Security seminar.  Later this year are four more WSMQAdmin seminars and IBM’s WebSphere Technical Convention in Berlin.  Sometimes when I ask people whether they will attend one of these events the response back is “I’m just too busy.  I can’t find the time.”  If this describes you, then I urge you to reconsider.  Please let me explain why.

Posted in Events, General

IMPACT 2012 WMQ Sessions

Here are the MQ sessions at IMPACT for the week. An asterisk indicates repeat sessions. Sessions where I am presenting or participating are in Red.

Mon 10:45 – 12:00  1577 – WebSphere MQ: Securing your Queue Manager*
Mon 14:00 – 15:15  1576 – Introduction to WebSphere MQ*
Mon 14:00 – 15:15  1597 – Roundtable: WebSphere MQ Feedback*
Mon 15:45 – 17:00  2255 – WebSphere Connectivity and Integration Feature Session with Q&A Panel
Mon 17:15 – 18:30  1575 – What’s New in the WebSphere MQ Family of Products

Tue 10:45 – 12:00  1579 – WebSphere MQ for Managed File Transfer
Tue 10:45 – 12:00  1592 – WebSphere MQ: Machine 2 Machine Communications using Telemetry
Tue 13:30 – 14:45  1593 – WebSphere MQ: Publish/Subscribe Messaging
Tue 13:30 – 16:30  1595 – Hands-on Lab: WebSphere MQ
Tue 15:15 – 16:30  1581 – Extending WebSphere MQ and WebSphere Message Broker to the Cloud
Tue 15:15 – 16:30  1597 – Roundtable: WebSphere MQ Feedback*
Tue 16:45 – 18:00  1576 – Introduction to WebSphere MQ*

Wed 9:00 – 10:15  1589 – WebSphere MQ: What is your system up to?*
Wed 10:45 – 12:00  1578 – WebSphere MQ: Securing your Messages*
Wed 10:45 – 12:00  1591 – WebSphere MQ for zOS Internals
Wed 13:30 – 14:45  1596 – Meet the Experts: WebSphere MQ*
Wed 13:30 – 14:45  1585 – WebSphere MQ: Connecting to the Internet of Things
Wed 13:30 – 14:45  1586 – Using IBM WebSphere Application Server and IBM WebSphere MQ Together*
Wed 13:30 – 16:30  1594 – Hands-on Lab: WebSphere MQ Security (Distributed Platforms)
Wed 15:15 – 16:30  1584 – WebSphere MQ: Highly Scalable Publish Subscribe using Multicast
Wed 16:45 – 18:00  1588 – WebSphere MQ for Distributed Platforms Performance
Wed 16:45 – 18:00  1597 – Roundtable: WebSphere MQ Feedback*

Thu 8:45 – 10:00  1590 – WebSphere MQ for Distributed Platforms Internals
Thu 8:45 – 10:00  1587 – WebSphere MQ for z/OS Performance
Thu 8:45 – 10:00  1597 – Roundtable: WebSphere MQ Feedback*
Thu 10:30 – 11:45  1596 – Meet the Experts: WebSphere MQ*
Thu 10:30 – 11:45  1586 – Using IBM WebSphere Application Server and IBM WebSphere MQ Together*
Thu 13:30 – 14:45  1589 – WebSphere MQ: What is your system up to?*
Thu 13:30 – 14:45  1580 – WebSphere MQ: Simplifying Migration
Thu 15:15 – 16:30  1582 – WebSphere MQ for z/OS Shared Queues (Advanced)
Thu 16:45 – 18:30  1583 – WebSphere MQ: Clustering update

Fri 08:45 – 10:00  1577 – WebSphere MQ: Securing your Queue Manager*
Fri 10:15 – 11:30  1578 – WebSphere MQ: Securing your Messages*

Posted in Events

No such thing as a persistent queue!

The widespread usage of the phrase “persistent queue” has a negative impact because people believe that queue attribute actually does something. It’s always worth taking time to stamp out usage of that phrase wherever we find it and I’ll attempt to explain why.

Posted in IBMMQ