Академический Документы
Профессиональный Документы
Культура Документы
Services
Securing a WebSphere MQ
infrastructure
A white paper on modern cryptographic
techniques applied to WebSphere MQ
By Cesare San Martino (Primeur Security Consultant) and David C. Partridge (Primeur Security Services
Technical Director)
www.primeur.com sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
Contents
Introduction ..............................................................................................................................2
Cryptographic techniques .................................................................................................................................... 2
The two basic aims of security ........................................................................................................................... 2
Security services and cryptographic algorithms.............................................................................................. 3
The importance of standards .............................................................................................................................. 4
Symmetric and asymmetric ciphers ................................................................................................................... 4
Hybrid encryption systems .................................................................................................................................. 5
Certification of Public Keys ................................................................................................................................. 6
Certification Authorities ...................................................................................................................................... 6
PKIs, Public Key Infrastructures ......................................................................................................................... 7
Certification infrastructure: 2 diametrically opposed models..................................................................... 7
The cost of security; tactical and strategic cryptography............................................................................. 8
Conclusions .............................................................................................................................23
www.primeur.com 1
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
Introduction
The word security can mean many things. Even narrowing the context to the
world of information technology, Security still has a wide range of meanings,
sometimes totally unrelated. A brief (incomplete!) list of such meanings could
include: Access Control, Intrusion Detection, Single Sign-On, Firewalls,
Cryptography, Certification, Security Auditing and Management, Virus Protection
and Physical Security. In the specific context of WebSphere MQ, to narrow the
discussion even further, it makes sense to talk about security from the three distinct
viewpoints:
Access control
Propagation of contexts
Application of cryptographic techniques (which can be broken down into End-
to-End and link-oriented solutions)
This article will deal specifically with the last point: the application of cryptographic
techniques in the context of a WebSphere MQ network.
Cryptographic techniques
Perhaps the most important element driving the development of modern
cryptographic security techniques is Electronic Commerce. In the realm of E-
Commerce, security is a basic requirement, a sine qua non. Many international
studies recognise lack of security as one of the main factors inhibiting the
development of electronic commerce. Security is an extremely technical area in
which specialists are relatively hard to come by compared to other professionals.
Furthermore, in the IT context, security must be tightly integrated with already
complex architectures, and at many levels.
PRIVACY: The data can be read only by those for whom it is intended.
AUTHENTICITY: The data is authentic; it has not been modified; it really comes
from the sender; the sender is who he/she claims to be.
www.primeur.com 2
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
Both aspects (especially the second) are and will become increasingly important in
an open society. This is especially true in the global context of the Internet, where
security seeks to preserve, on the one hand, certainty over economic transactions,
and on the other, the rights of the user. In this way cryptography, initially destined
for specialised and limited uses, has become the technical area where it is possible to
guarantee the rights and duties of users and of organisations operating in the global
context.
PRIVACY: Privacy is the first and most obvious service offered by security.
Only the legitimate target receiver of the communication can understand the
data sent.
INTEGRITY: The data that arrives has not been changed, and is exactly the same
as the data originally sent (also called No Tampering or Tamper Evidence).
www.primeur.com 3
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
PEA is a protocol that takes place in real time each time a dialogue is opened or re-
opened between two communicating entities. At the end of the protocol each entity
is sure of the others identity. (Authenticity, on the other hand, is a property of an
object that persists indefinitely, unless the message is changed).
The secrecy of encrypted text cannot rely on the secrecy of the algorithm used. Quite
the opposite is true the algorithm must be WIDELY known. In practice, it is
mandatory to use STANDARD algorithms. The part that makes the text secret resides
solely in the key: This is known as Kerckhoffs Principle. This basic cryptographic
principle has two driving factors:
www.primeur.com 4
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
The cryptographic operations dealing with secrecy and authenticity are physically
separated (the private key is used for authenticity; the public for secrecy).
Key management is greatly simplified, since only the public part of the pair is
distributed; the number of distributions increases in a linear fashion, instead of
geometrically, as the number of participants in the secure communication grows.
However, before being able to use asymmetric encryption in practice, two of its
main disadvantages must be overcome:
The computational burden is around three to ten times greater, which means
that it is not practical to process large data volumes or files.
The origin of public keys must be assured and certified. This point, the real
Achilles Heel of public key cryptography according to Phil Zimmermann,
author PGP, raises the problem of key management once more, even if in a
more simple form, which, perhaps, seemed to have been overcome by the
abandoning of the management of shared keys.
The solution to the problems arising from the use of public key cryptography is
normally to be found in the use of hybrid systems.
{
msg( A B) : { file} ,{K}
K
}
Key_ Pub_ A
www.primeur.com 5
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
The problem of symmetric key management does not arise: The symmetric key is
generated dynamically at the moment it is needed, and transmitted securely since it
is encrypted. It is valid only for the duration of a single transmission session, thus
increasing security (since it is not reused for further sessions).
Certification Authorities
The role played by a CA within the trust infrastructure based on asymmetric
cryptography is the guarantor of the identity of each user to all the others. This is
obviously a delicate role that must be undertaken by subjects of proven
trustworthiness and of a level above all the parties, especially in an open context. In
a closed context, a company for example, the CA can be entirely internal, and be
part of an infrastructure dedicated to the internal security of the company itself.
The central element of a trust infrastructure constituted in this way is the public key
of the CA, which must be made known and accessible to everyone. The CA must be
universally worthy of trust. Alternatively, a CA can supply its own public key
attached to a certificate from a higher-level CA.
This is how the so-called CA hierarchies are made up. They may contain varying
levels, at the top of which there must be a CA capable of certifying all the others.
www.primeur.com 6
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
Registration of public keys and issuing a new certificate for a public key
Revocation of certificates and managing CRLs
Distribution of the public keys of registered users
Determining the validity of a certificate and of the operations that it authorises
Services related to certificate requests
Here, the concept of PKI is almost analogous to that of the CA, putting the
emphasis more on services provided than on the authority necessary for rendering
them. Another way of looking at this concept could be this: the CA is the server
part of PKI, which itself however includes all the services necessary for managing
public key encryption.
The DECENTRALISED model, on the other hand, has been adopted by PGP and
by its many users, with its concept of a Web of Trust. In this model, certification
authorities have no role since each user is free to decide independently who he/she
wishes or does not wish to trust. Each user can, if he/she wishes, act as a CA for all
the other users, signing the public keys of those users that he/she wishes to
guarantee with his/her own private key. This scheme extends out generating a web
of trust, which implements a sort of transitive trust: if A trusts B and B trusts C,
then A can trust C.
www.primeur.com 7
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
The two models are totally incompatible, and are therefore probably destined to
coexist side by side, but separately: the hierarchical model in corporate or
structured worlds, the decentralised model in the Internet user community, or in
communities of users linked by common interest that are not organised
hierarchically.
Some information has a life lasting minutes (for example, the order that an artillery
officer may give to fire at a certain position; a stock market order to be performed
immediately). These are types of information that have great value for a very limited
period of time; they are therefore suited to the use of cryptographic techniques that
are quick and easy to use, even though they may not be able to resist a crypto-
attack for very long. There are other types of information (for example, the
contents of your share portfolio) that have a much longer life and which require the
use of more robust (and therefore more processing-heavy) cryptographic techniques.
Currently, those ciphers considered secure over a sufficiently long duration (several
decades) are the symmetric ciphers T-DES (112-bit key) and RC4 in its 128-bit
version. Equally secure are 2048-bit asymmetric ciphers.
www.primeur.com 8
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
For applications with modest time requirements, DES and 512-bit RSA are
sufficiently secure. DES is no longer considered to be very secure. This is illustrated
by the following comment on the success against the latest challenge issued by RSA,
called DES III:
www.primeur.com 9
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
With link-oriented measures, the aim is to protect the communication channel and
to establish, as it were, a secure communication tube. This is also known as Point-
to-Point security, abbreviated as P2P.
This is the case, for example, with the IPSec or PPTP protocols, which operate at
the packet transport level in an IP network. In a different way, the same
considerations hold true for those products that use the exits of Middleware
products such as WebSphere MQ, even though in this case the level is above that of
the network. However, in both cases, the higher levels, and highest of all the
application level, remain unaware of the underlying processes, which are transparent
to them.
Link-oriented measures see the network as a series of nodes connected with links,
each of which can be protected independently. End-to-end measures (E2E for short),
on the other hand, see the network solely as a means for transporting information
reliably from source to destination. Violation of an intermediate node does not
compromise security. Therefore in E2E measures, what you wish to ensure is that
security reaches the desired level, typically that of the application. In this way the
application is no longer transparent to security. Instead, it explicitly commands the
security functionality, thus providing greater guarantees.
www.primeur.com 10
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
With E2E measures higher level entities are being secured, typically the application
or the application user.
An E2E solution, on the other hand, will typically intervene at an application level
and will concern this level or the higher level of the actual user.
If the application requires the user to enter his or her own private key (or to insert
his or her own smart card) the level of security will be extended to the highest
possible level, that of the user. It is possible also to get the application to implement
its own process signature, a situation typical of batch processing, for example.
The following diagram summarises the situation in the context of WebSphere MQ.
This diagram illustrates how the main architectural difference lies in the fact that in
the E2E solution messages are already protected in the queues, whereas for P2P
solutions the messages are unencrypted in the queues.
www.primeur.com 11
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
In the example are summarized different solutions that can be provided by Primeur:
A final note: in the E2E context the agent (the principal, in security speak) of the
secure communication is the end user or the application process; in the P2P context,
technically, it is the communication channel, even if, in fact, for the sake of
convenience this is often identified with the node in question. This last distinction
has obviously no effect in the not infrequent case where there is a single channel
corresponding to a node.
Functional differences between E2E and P2P security in the context of WebSphere MQ
We have already mentioned the functional implications arising from the choice of
where to apply cryptographic services in interfacing the system. This section explains
this statement in the context of WebSphere MQ. The applicability and the meaning
of the main cryptographic services in the two different contexts are presented
schematically below.
www.primeur.com 12
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
As a final consideration on the above table we should note that it makes sense to
use cryptographic techniques in both contexts. In this case, P2P is required only for
the PEA process, while all other processes are left up to the E2E context. This
combination guarantees the maximum level of functionality that can be implemented.
From which types of attackers do I wish to protect myself? Only external? Also
internal?
What assumptions can be made on the security of sites involved? Is this security
high enough?
Is non-repudiation required? Is it necessary to be able to answer any challenges
with proof that a particular document originated with and was sent by a specific
physical person or application process?
The answers to the above questions will be the essential deciding factor in choosing
one solution or the other.
In general, being able to respect the functional requirements, channel solutions are
for economic and ease-of-management reasons. The following table outlines the
reasons.
www.primeur.com 13
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
The Security Exit is used once per session. It is therefore particularly useful for
implementing the PEA protocol.
The Message Exit is used once for each message crossing the channel. It is therefore
the ideal exit for implementing cryptographic services such as data encryption and
authentication.
The Send/Receive exit is a lower level exit where it is possible to handle the
individual physical blocks into which a message is broken down before being sent.
This is also useful for cryptographic operations on data. Compared with the message
exit, however, it poses performance problems, since the cryptographic functions are
more efficient if they operate on larger portions of data. It is, however, the only
practical solution where you wish to secure a Client Server relationship, since the
WebSphere MQ Client does not have a message exit, only a S/R exit.
Furthermore both S/R and message exits are suitable (with the aforementioned S/R
limitations) for performing compression operations.
www.primeur.com 14
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
If you also wish to perform compression, you must pay attention to the order in
which the operations are carried out. Compression must be carried out BEFORE
encryption, and therefore decryption will take place before decompression. The
following are the reasons for this:
At the moment that the session is established the Security Exit is invoked. In this
exit a module is called that performs mutual authentication according to one of
the supported standards, such as X.509 or Kerberos.
A by-product of the PEA phase is the generation of a first session key that the
participants exchange, protecting it with asymmetric techniques.
During the normal exchange of messages the message exit is invoked where the
message is first (optionally) compressed and then encrypted using the session
key.
After each message is exchanged (or after a certain configurable, but not
indefinite, number of messages have been exchanged) the two nodes recalculate
a new session key with which to continue the secure communication.
In the case of exceptions, the channel must be closed, since these exceptions
could indicate an attack in progress.
www.primeur.com 15
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
The system must guarantee the highest level of flexibility of configuration: the
proposed functions (PEA, Encryption, Compression, and Integrity) must be
freely configurable on each of the links. Moreover, the system must guarantee a
minimal but reasonable choice of cryptographic standards and key-lengths, and
this choice must also be freely configurable. An implementation is recommended
that supports a choice among at least the following algorithms:
Symmetric encryption: DES, T-DES (with 2 or 3 keys), RC4 up to 128 bit
Asymmetric encryption: RSA configurable from 512 to 2048 bit.
Hash: SHA-1, MD5.
The system manager must be free to configure a link for example using only
PEA, another with weak encryption, and yet another with strong encryption.
Given the computational load of cryptographic systems, such flexibility is
imperative.
Sending Side:
Compression call (optional)
Cryptographic call
Message PUT
Receiving Side:
Message GET
Decryption
Decompression (if necessary)
Now, however, WebSphere MQ 5.3 has provided an API exit on the distributed
platforms that allows the implementation of a transparent solution to provide End-
to-End security without needing to modify applications. On the OS/390 (z/OS)
platform, it is still complex to implement, but has proven possible to use library
front-ending for batch applications (using STEPLIB), while for CICS applications, it is
possible to use the CICS API Crossing Exit.
This means that it is now possible to deliver an End-to-End security solution for
WebSphere MQ that is application transparent (i.e. does not require any application
code changes).
www.primeur.com 16
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
Several cryptographical tools are available commercially, with which these functions
can be implemented. In general, all the modern tools allow a digital signature to be
implemented with a single high-level call. This single call in turn results in several
internal cryptographic calls. In the most complete case of encryption and signature,
these operations are:
The use of standard cryptographic tools guarantees that all the operations outlined
above can be performed with a single call.
On their own however, these techniques may not provide an adequate solution for
meeting regulatory requirements for after the event non-repudiation, the provision
of audit trails, or to support the use of a message broker.
Non-repudiation support
In situations where messages are being exchanged between parties who do not
necessarily trust one another, it can be useful for the recipient of a message to be
able to prove at a later date that the other party sent a particular message. By using
a digital signature on the message the identity of the sender and the authenticity of
the message can be confirmed, and therefore the sender of the message is unable to
deny (or repudiate) the sending of that message.
www.primeur.com 17
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
A suitable legal framework exists to allow the use of digital signatures for this
purpose. This may take the form a contract, or be part of national or supra-
national legislation.
If necessary, the communicating parties have agreed to the use of digital
signatures for this purpose.
If required by the legal framework (this is normally the case), the certificates
used for checking the signature should include key usage of non-repudiation.
Each customer will typically have unique requirements for message archival: Some
will want to archive messages to an external database, while others will wish to
write these messages to some other form of external storage. For this reason, it is
appropriate to write archive messages to an MQSeries queue (QLOCAL, QALIAS,
or QREMOTE) whose name is part of the product configuration. For example: We
might wish to archive all signed or signed and enveloped messages read from the
queue MYAPP.QUEUE. In this case we would modify the product configuration to
specify an archive queue name of MYAPP.ARCHIVE.QUEUE.
If this is done, then once the signature on the message has been successfully
validated, and if appropriate it has been confirmed that the message sender was
authorised, the message as it was read from the queue would be written to the
archive queue. Put in another way, the message written to the archive queue would
include the DSMD header and the payload will still be in the form of a PKCS#7
Signed or Signed and Enveloped data object or objects.
www.primeur.com 18
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
The archive messages would be MQPUT to the archive queue with the same
syncpoint options that the user application was using to get the messages from the
application queue. The archive function would not issue any commits or rollbacks.
The messages may then be read from the archive queue by the same (or another)
application and saved to a database for non-repudiation purposes (where the
signature is re-validated after the event in the event of a dispute).
MQMD
Info
Df09@24
724jl89#
Df09@24
724jl89#
Clear text
DB
Archive Df09@24
724jl89#
Df09@24
724jl89#
Application or
Message Broker
Df09@24
Clear text (WBIMB?) Output
724jl89#
E2E
Input
www.primeur.com 19
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
Audit log
Regulatory requirements, internal practices, or similar often require that an audit log
be kept of processing applied to data. This might only require that exception
conditions be logged, or that all processing be logged. It might be required for all
messages processed on all queues, or just for some queues.
The audit records could be written in a platform specific manner (such as for
example using SMF records on z/OS), or a platform neutral manner using a format
such as XML written to a flat file. We believe that a platform neutral solution such
as XML provides a portable solution which has the advantage that it can be read by
people without requiring any special processing, and also by programmes. An
example of an XML formatted audit record for a successful MQGET operation
might look like:
<E2EAuditRec>
<Timestamp>2005041415113269</Timestamp>
<location>
<hostname>giove.primeur.com</hostname>
<pid>0x162050</pid>
<tid>0x796009</tid>
<qmgr>DS</qmgr>
<userid>sriccio</userid>
<hconn>0x20212BD8</hconn>
</location>
<object>
<ObjectName>Q1</ObjectName>
<ObjectQMgrName>DS</ObjectQMgrName>
</object>
<data>
<operation>MQGET</operation>
<syncpoint>NO</syncpoint>
<result>
<mqcc>0</mqcc>
<mqrc>0</mqrc>
</result>
<policy>processedData</policy>
<mqmd>
<msgid>414D5120445354312020202020202020425CD0652002E30E</msgid>
<correlid>000000000000000000000000000000000000000000000000</correlid>
<putdate>20050414</putdate>
<puttime>15112477</puttime>
<expiry>0xFFFFFFFF</expiry>
<format />
<persistence>NO</persistence>
<putapplname />
<accountingtoken>03323138000000000000000000000000000000000000000000000000000000
06</accountingtoken>
<useridentifier>gala</useridentifier>
</mqmd>
<putaction>
<compression>none</compression>
<qop>PUTOptions.QOP_ENCRYPT_AND_SIGN</qop>
</putaction>
<authsenders />
<sender>CN=Helios, O=Primeur; C=GB</sender>
<archive>
<provider>EXTARC V1.0</provider>
www.primeur.com 20
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
<archivequeue>Q1.ARCH</archivequeue>
<archiveresult>0</archiveresult>
</archive>
</data>
</E2EAuditRec>
Organisations that rely upon their MQ infrastructure for the continuance of their
business need to have the ability to create configurations ahead of the time that they
are to be deployed, to store them in a change management system or source code
control system such as (for example) CVS, and to deploy those configurations during
a change control window.
For this reason it is considered desirable to be able to create the configuration for
an End to End security solution for a set of related queue managers (a domain) at a
central location. The configuration for a domain is created in the form of scripts
which can be held in the form of flat files and be stored in the change control
system of the customers choice.
Once the organisation has moved to the centrally administered model, it should be
possible to disable the use of local (GUI based) configuration tools.
Clearly the language chosen for the implementation of these scripts should be one
for which an interpreter is widely available on all the relevant platforms. If the
platforms involved were just UNIX systems, then the obvious candidates for the
implementation would be scripting languages such as Perl, Python, or Tcl as these
are widely known and understood, and available for all UNIX systems.
Unfortunately, given the wide range of platforms on which WebSphere MQ runs,
these do not appear at first glance to be suitable, as these languages are not typically
available on (for example) z/OS.
There is a suitable candidate in the form of Java: The Java interpreter can be found
on almost any platform, but Java of itself is not a scripting language but a
programming language. Python, on the other hand, is a suitable scripting language.
What is needed is a scripting language implemented in Java: Jython is an
implementation of the Python scripting language that is written in 100% Pure Java.
This leverages the broad platform availability of Java and adds the speed of
development of the Python scripting language without requiring a native Python
interpreter.
www.primeur.com 21
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
The configuration manager tool should be a command line tool which can handle:
The scripting language needs to allow for basic configuration settings for how E2E
processing should be performed on individual queue managers and queues within the
domain. It should also allow for defining higher level constructs based on common
MQ usage patterns such as the Request-Reply pattern, as this will simplify the
administrators task.
www.primeur.com 22
sales@primeur.com
Securing a WebSphere MQ Infrastructure
Services
Conclusions
First of all one, obviously needs to define the specific security objectives one is
aiming at.
Secondly, but not less importantly, one needs to take into account that deploying a
security solution implies designing a combined security/WebSphere MQ architecture;
the functional behaviour of the whole system will depend not only on the chosen
specific security functions but also largely on the implemented architecture.
www.primeur.com 23
sales@primeur.com