Академический Документы
Профессиональный Документы
Культура Документы
IBM Corporation
Agenda
Problem statement Introduction and product overview Architecture review Implementation details Product administration Conclusion
Customer Application
QM
QM
Customer Application
001110010100001 01110011
001110010100001
B ad G uy
Centrally managed
6
SSL channels
Protects messages in transit Messages at rest are in the clear
WebSphere MQ - native
Customer Apps
MQCONN MQOPEN MQPUT MQGET
B a d G uy
MQI Stub
SSL here
Queues
OK?
Queues
Queue Manager
MCA
MCA
OAM
y/n
Authorisation
Users can be granted or denied access to put and get to queues Users can be granted access to client connect to the queue manager Policies centrally managed
Auditing
User access to queues can be audited The user, object name and success or failure of the access attempt are logged
10
11
Methods of interception
WMQ ESE needs to intercept the application API calls to subject them to security The different interfaces are:
1. WMQ applications binding locally to a distributed queue manager 2. WMQ applications binding to a z/OS queue manager 3. WMQ Client and JMS applications client side interception 4. WMQ Client and JMS applications server side interception
12
ACLs
Policy Replica
MQCONN
MQGET
LDAP Server
GSKit/ ACME
Certs
Queue Manager
MCA
OAM
y/n
Code Exits
13
14
3. (C or JMS) MQ Client Security WMQ Server WMQ Client Exit Client side
WMQ Client Apps WMQ Apps TAMBI Interceptor MQI C / JMS MQI TAMBI interceptor
User Key/Cert
MCA
MQI
4. (C or JMS) MQ Client Security WMQ Server WMQ Client Exit Server side
WMQ Apps TAMBI Interceptor MQI MQIC / JMS TAMBI Interceptor WMQ Client Apps
MCA
MQI
SSL
17
18
19
Access Control Lists E Grant (ACL) Put Permissionmessages onto the queue Application can place
ACL checked on MQOPEN (in PUT mode) D Grant Get Permission Application can retrieve messages from the queue ACL checked on MQOPEN (in GET mode) User is allowed to connect to the queue manager remotely
Type User Group ACL Entry Group Any-other Unauthenticated jon sales admin ID Trx Trm[PDMQ]E Using WBI Trxmcd[PDMQ]DE Broker plug-in Tr T
20
Permissions
10
21
Auditing
Events recorded when specified auditable events occur at:
MQOPEN, MQPUT, MQPUT1, MQGET, MQCLOSE
22
11
Queue
jon
Trx
admin Trxmcd[PDMQ]DE Tr T
23
Summary
WMQ data needs to be protected at rest and in flight No need to update or modify existing deployed WMQ applications.
ESE is transparent
Centralised administration of both access control to queues, data protection and security audit policies WMQ ESE provides end to end security for WMQ networks
24
12
25
26
13
Hi Bob Alice
b2cea738a209065
Hi Bob Alice
aN!3q *nB5+
E8*5%er
Digest
q!T4@xJ**G
Alice
Alice
27
aN!3q *nB5+
E8*5%er
Hi Bob Alice
q!T4@xJ**G
Alice
Hi Bob Alice
CA
Digest
q!T4@xJ**G Alice
b2cea738a209065
Bob
=
b2cea738a209065 CA
Hi Bob Alice
Bob
28
14