
WebSphere MQ

Security

Version 6.0

SC34-6588-02


Note! Before using this information and the product it supports, be sure to read the general information under notices at the back of this book.

Third edition (March 2007)

This edition of the book applies to the following products:

- IBM WebSphere MQ, Version 6.0
- IBM WebSphere MQ for z/OS, Version 6.0

and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1996, 2007. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures ... vii
Tables ... ix
About this book ... xi
  Who this book is for ... xi
  What you need to know to understand this book ... xi
  Terms used in this book ... xi
  How to use this book ... xii
Summary of changes ... xiii
  Changes in this edition (SC34-6588-02) ... xiii
  Changes in the previous edition (SC34-6588-01) ... xiii

Part 1. Introduction ... 1

Chapter 1. Security services ... 3
  Identification and authentication ... 3
  Access control ... 4
  Confidentiality ... 4
  Data integrity ... 5
  Non-repudiation ... 5

Chapter 2. Planning for your security requirements ... 7
  Basic considerations ... 7
    Authority to administer WebSphere MQ ... 7
    Authority to work with WebSphere MQ objects ... 7
    Channel security ... 8
  Additional considerations ... 8
    Queue manager clusters ... 8
    WebSphere MQ Publish/Subscribe ... 9
    WebSphere MQ internet pass-thru ... 9
  Link level security and application level security ... 10
    Link level security ... 10
    Application level security ... 11
    Comparing link level security and application level security ... 11
  Obtaining more information ... 13

Chapter 3. Cryptographic concepts ... 15
  Cryptography ... 15
  Message digests ... 17
  Digital signatures ... 17
  Digital certificates ... 18
    What is in a digital certificate ... 19
    Requirements for personal certificates ... 19
    Certification Authorities ... 19
    Distinguished Names ... 20
    How digital certificates work ... 20
  Public Key Infrastructure (PKI) ... 22

Chapter 4. The Secure Sockets Layer (SSL) ... 23
  Transport Layer Security (TLS) concepts ... 23
  Secure Sockets Layer (SSL) concepts ... 23
    An overview of the SSL handshake ... 24
    How SSL provides authentication ... 25
    How SSL provides confidentiality ... 26
    How SSL provides integrity ... 26
    CipherSuites and CipherSpecs ... 27
  The Secure Sockets Layer in WebSphere MQ ... 27

Part 2. WebSphere MQ security provision ... 29

Chapter 5. Access control ... 31
  Authority to administer WebSphere MQ ... 31
    Authority to administer WebSphere MQ on UNIX and Windows systems ... 31
    Authority to administer WebSphere MQ on i5/OS ... 32
    Authority to administer WebSphere MQ on z/OS ... 33
  When authority checks are performed ... 35
  Alternate user authority ... 36
  Message context ... 37
  Authority to work with WebSphere MQ objects ... 38
    Authority to work with WebSphere MQ objects on i5/OS, UNIX systems, and Windows systems ... 39
    Authority to work with WebSphere MQ objects on z/OS ... 41
  Channel security ... 43

Chapter 6. WebSphere MQ SSL support ... 45
  Channel attributes ... 45
  Channel status attributes ... 46
  Queue manager attributes ... 46
  The authentication information object (AUTHINFO) ... 47
  The SSL key repository ... 48
    Protecting WebSphere MQ client key repositories ... 49
    Refreshing a key repository ... 49
  Resetting SSL secret keys ... 50
  Federal Information Processing Standards (FIPS) ... 50
  WebSphere MQ client considerations ... 50
  Working with WebSphere MQ internet pass-thru (IPT) ... 51
  Support for cryptographic hardware ... 52

Chapter 7. Other link level security services ... 53
  Channel exit programs ... 53
    Security exit ... 54
    Message exit ... 54
    Send and receive exits ... 55
    Obtaining more information ... 56
  The SSPI channel exit program ... 56
  SNA LU 6.2 security services ... 57
    Session level cryptography ... 57
    Session level authentication ... 58
    Conversation level authentication ... 60

Chapter 8. Providing your own link level security ... 65
  Security exit ... 65
    Identification and authentication ... 65
    Access control ... 66
    Confidentiality ... 68
  Message exit ... 68
    Identification and authentication ... 69
    Access control ... 69
    Confidentiality ... 70
    Data integrity ... 70
    Non-repudiation ... 70
    Other uses of message exits ... 70
  Send and receive exits ... 71
    Confidentiality ... 71
    Data integrity ... 71
    Other uses of send and receive exits ... 72

Chapter 9. Access Manager for Business Integration ... 73
  Introduction ... 73
  Access control ... 74
  Identification and authentication ... 75
  Data integrity ... 76
  Confidentiality ... 76
  Non-repudiation ... 77
  Obtaining more information ... 78

Chapter 10. Providing your own application level security ... 79
  The API exit ... 79
  The API-crossing exit ... 81
  The role of the API exit and the API-crossing exit in security ... 81
    Identification and authentication ... 82
    Access control ... 83
    Confidentiality ... 83
    Data integrity ... 84
    Non-repudiation ... 84
  Other ways of providing your own application level security ... 84

Part 3. Working with WebSphere MQ SSL support ... 87

Chapter 11. Setting up SSL communications ... 89
  Task 1: Using self-signed certificates ... 90
    The steps required to complete task 1 ... 90
    Result of task 1 ... 92
    Verifying task 1 ... 92
  Task 2: Using CA-signed certificates ... 93
    The steps required to complete task 2 ... 93
    Result of task 2 ... 95
    Verifying task 2 ... 95
    Extensions to this task ... 96
  Task 3: Anonymous queue managers ... 96
    The steps required to complete task 3 ... 96
    Result of task 3 ... 97
    Verifying task 3 ... 98
    Extensions to this task ... 99

Chapter 12. Working with the Secure Sockets Layer (SSL) on i5/OS ... 101
  Digital Certificate Manager (DCM) ... 101
    Accessing DCM ... 102
    Assigning a certificate to a queue manager ... 102
  Setting up a key repository ... 103
    Creating a new certificate store ... 103
    Stashing the certificate store password ... 104
  Working with a key repository ... 104
    Locating the key repository for a queue manager ... 104
    Changing the key repository location for a queue manager ... 104
    When changes become effective ... 105
  Obtaining server certificates ... 105
    Creating CA certificates for testing ... 105
    Requesting a server certificate ... 107
    Adding server certificates to a key repository ... 107
  Managing digital certificates ... 108
    Transferring certificates ... 108
    Removing certificates ... 109
  Configuring cryptographic hardware ... 110
  Mapping DNs to user IDs ... 110

Chapter 13. Working with the Secure Sockets Layer (SSL) on UNIX and Windows systems ... 111
  Using iKeyman, IKEYCMD, and GSKCapiCmd ... 111
  Setting up a key repository ... 112
    Accessing your key database file ... 114
  Working with a key repository ... 115
    Locating the key repository for a queue manager ... 115
    Changing the key repository location for a queue manager ... 116
    Locating the key repository for a WebSphere MQ client ... 116
    Specifying the key repository location for a WebSphere MQ client ... 116
    When changes become effective ... 117
  Obtaining personal certificates ... 117
    Creating a self-signed personal certificate ... 117
    Requesting a personal certificate ... 119
    Receiving personal certificates into a key repository ... 120
  Managing digital certificates ... 122
    Transferring certificates ... 122
    Deleting a personal certificate from a key repository ... 129
  Configuring for cryptographic hardware ... 130
    Managing certificates on PKCS #11 hardware ... 131
  Mapping DNs to user IDs ... 133
  Migrating SSL security certificates in WebSphere MQ for Windows ... 133

Chapter 14. Working with the Secure Sockets Layer (SSL) on z/OS ... 135
  Setting the SSLTASKS parameter ... 135
  Setting up a key repository ... 135
    Ensuring CA certificates are available to a queue manager ... 136
  Working with a key repository ... 136
    Locating the key repository for a queue manager ... 136
    Specifying the key repository location for a queue manager ... 137
    When changes become effective ... 137
  Obtaining personal certificates ... 138
    Creating a self-signed personal certificate ... 138
    Creating a RACF signed personal certificate ... 138
    Requesting a personal certificate ... 139
    Adding personal certificates to a key repository ... 139
  Managing digital certificates ... 140
    Transferring certificates ... 140
    Removing certificates ... 141
  Working with Certificate Name Filters (CNFs) ... 141
    Setting up a CNF ... 142

Chapter 15. Working with Certificate Revocation Lists and Authority Revocation Lists ... 145
  Setting up LDAP servers ... 145
    Configuring and updating LDAP servers ... 146
  Accessing CRLs and ARLs ... 147
    Accessing CRLs and ARLs with a queue manager ... 147
    Accessing CRLs and ARLs with a WebSphere MQ client ... 150
    Accessing CRLs and ARLs with the Java client and JMS ... 150
  Checking CRLs and ARLs ... 150
  Manipulating authentication information objects with PCF commands ... 150
  Keeping CRLs and ARLs up to date ... 151
  Certificate validation and trust policy design on UNIX and Windows systems ... 151
    Basic certificate policy ... 151
    Basic CRL policy ... 152
    Basic path validation policy ... 153
    Standard policy (RFC-3280) ... 156
    Standard CRL policy ... 156
    Standard path validation policy ... 156

Chapter 16. Working with CipherSpecs ... 161
  Specifying CipherSpecs ... 161
    Obtaining information about CipherSpecs using WebSphere MQ Explorer ... 163
    Alternatives for specifying CipherSpecs ... 163
    Specifying a CipherSpec for a WebSphere MQ client ... 164
    Specifying a CipherSuite with the Java client and JMS ... 164
  Understanding CipherSpec mismatches ... 164

Chapter 17. WebSphere MQ rules for SSLPEER values ... 167

Chapter 18. Understanding authentication failures ... 169

Part 4. Appendixes ... 171

Appendix A. Cryptographic hardware ... 173

Appendix B. Notices ... 177
  Trademarks ... 178

Index