IBM Software Group
© 2004 IBM Corporation
MQ Security
IBM Software Group | WebSphere software
Agenda
setmqaut (set or reset authority)
Authorizations
Specify authorities for different object types
Examples
1. This example specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager.
   Run: setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm
2. In this example, the authorization list specifies that user group foxy:
   - Cannot issue any calls from the MQI to the specified queue
   - Can perform all administration operations on the specified queue
   Run: setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm
3. This example gives user1 full access to all queues with names beginning a.b on queue manager qmgr1. The profile is persistent, and will apply to any object with a name that matches the profile name.
   Run: setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all
4. This example deletes the specified profile.
   Run: setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove
5. This example creates a profile with no authority.
   Run: setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none
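A small reviewer for setmqaut command lines, added here as an example and not part of the original slides or of WebSphere MQ: it parses commands like the five above and flags generic authorizations (+all, +alladm, +allmqi) and wildcard profiles that grant rights. The function names and finding labels are assumptions, and only the flags used on this page are recognised.

```python
import shlex

# Generic authorizations used on this page; each stands for a whole set of rights.
BROAD = {"all", "alladm", "allmqi"}
VALUE_FLAGS = {"-m": "qmgr", "-n": "profile", "-t": "type"}

def parse_setmqaut(command):
    """Split one setmqaut command line into target, grantees and authorizations."""
    args = shlex.split(command)
    if not args or args[0] != "setmqaut":
        raise ValueError("not a setmqaut command: %r" % command)
    rule = {"qmgr": None, "profile": None, "type": None, "principals": [],
            "groups": [], "grant": [], "revoke": [], "remove": False}
    rest = args[1:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in VALUE_FLAGS or tok in ("-p", "-g"):
            if i + 1 >= len(rest):
                raise ValueError("missing value after " + tok)
            value = rest[i + 1]
            if tok == "-p":
                rule["principals"].append(value)
            elif tok == "-g":
                rule["groups"].append(value)
            else:
                rule[VALUE_FLAGS[tok]] = value
            i += 2
            continue
        if tok == "-remove":
            rule["remove"] = True
        elif tok.startswith("+"):
            rule["grant"].append(tok[1:])
        elif tok.startswith("-"):
            rule["revoke"].append(tok[1:])
        else:
            raise ValueError("unexpected token: " + tok)
        i += 1
    return rule

def review(command):
    """Return labels (constructed for this example) for grants worth a second look."""
    rule = parse_setmqaut(command)
    findings = ["broad:" + a for a in rule["grant"] if a in BROAD]
    grants_rights = any(a != "none" for a in rule["grant"])
    if "*" in (rule["profile"] or "") and grants_rights:
        # A generic profile persists and covers every object whose name matches it.
        findings.append("generic-profile")
    return findings
```

Running review() over a deployment script's setmqaut lines gives a quick list of grants to justify before they reach a production queue manager.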
Related Commands
dspmqaut -m WBRK_QM -t qmgr -p dmwang
SSL
The Secure Sockets Layer (SSL) provides an industry standard protocol for transmitting data in a secure manner over an insecure network. The SSL protocol is widely deployed in both Internet and Intranet applications. SSL defines methods for authentication, data encryption, and message integrity for a reliable transport protocol, usually TCP/IP.
SSL uses both asymmetric and symmetric cryptography techniques. Refer to the following web site for a complete description of the SSL protocol: http://home.netscape.com/eng/ssl3/.
An SSL connection is initiated by the caller application, which becomes the SSL client. The responder application becomes the SSL server. Every new SSL session begins with an SSL handshake, as defined by the SSL protocol.
SSL HandShake
- Agree on the version of the SSL protocol to use.
- Select cryptographic algorithms.
- Authenticate each other by exchanging and validating digital certificates.
- Use asymmetric encryption techniques to generate a shared secret key, which avoids the key distribution problem. SSL subsequently uses the shared key for the symmetric encryption of messages, which is faster than asymmetric encryption.
SSL HandShake
SSL in WebSphere MQ
Message channels and MQI channels can use the SSL protocol to provide link level security. A caller MCA is an SSL client and a responder MCA is an SSL server.
WebSphere MQ supports Version 3.0 of the SSL protocol.
You specify the cryptographic algorithms that are used by the SSL protocol by supplying a CipherSpec as part of the channel definition.
During the SSL handshake, the MCA sends the digital certificate of the queue manager to its partner MCA at the other end of the channel.
The WebSphere MQ code at the client end of an MQI channel acts on behalf of the user of the WebSphere MQ client application. During the SSL handshake, the WebSphere MQ code sends the user’s digital certificate to the MCA at the server end of the MQI channel.
SSL in WebSphere MQ
Digital certificates are stored in a key repository.
The queue manager attribute SSLKeyRepository specifies the location of the key repository that holds the queue manager’s digital certificate.
On a WebSphere MQ client system, the MQSSLKEYR environment variable specifies the location of the key repository that holds the user’s digital certificate.
Alternatively, a WebSphere MQ client application can specify its location in the KeyRepository field of the SSL configuration options structure, MQSCO, on an MQCONNX call.