SSL and channel exits (was Compatibility of Channel Encryption Methods)

2003-04-03 Thread Tom Schneider
Based on the answer to question 2 in the attached note, i.e., that channel
"exits do not get called until after the SSL handshake has taken place," is
it safe to assume that any data passed through the channel on behalf of the
channel exits would be encrypted? (This is assuming the SSLCIPH is coded to
use a cipherspec that provides encryption.) For example, if a SVRCONN channel
is defined with SSLCAUTH set to OPTIONAL so that the clients do not need to
provide a certificate, SSL could be used to encrypt the client channel, but a
security exit could be used to pass a userid and password for authentication.
In such a case, could we rely on SSL to encrypt values passed for the
security exit, such as the password?

Hoping someone from development can provide an answer to this.

thanks,

Tom

==
Tom Schneider / IBM Global Services
(513) 533-3644
[EMAIL PROTECTED]
==





Morag Hughson <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
01/27/2003 06:59 AM
Please respond to MQSeries List


To: [EMAIL PROTECTED]
cc:
Subject: Re: Compatibility of Channel Encryption Methods?



Bill,

A1) The code to run SSL channels (i.e. WebSphere MQ V5.3) must be available
at both ends of the channel in order for the channel to be able to use SSL.
So, yes, both queue managers must be at V5.3.
A2) You cannot write a channel exit to communicate with the SSL code in
V5.3 since the exits do not get called until after the SSL handshake has
taken place. So unless you have V5.3 at both ends, the channel will fail to
start if SSL is specified on only one end, and you will never get as far as
calling the exits.
A3) As I understand it, MQSecure is written using Channel Exits, so the
answer to Q2) applies. You can use V5.3 SSL on both ends to do the
handshake and specify no encryption on the channel using one of the NULL_*
CipherSpecs, then what you do in an exit to the data flowed is up to you.
So they can interact in this way.

Hope this helps
Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




Bill A Lee/CanWest/[EMAIL PROTECTED]
Sent by: MQSeries List <[EMAIL PROTECTED]>
24/01/2003 18:19
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Compatibility of Channel Encryption Methods?

Company ABC will be connecting their OS/390 queue managers (yet to be
installed) to those of their customer DEF via SSL encrypted channels, PKI
digital certificates, etc. DEF is their first customer to connect in this
manner, but others are anticipated.

Some of the ways to do this are:
1. Install WebSphere MQ for OS/390 v5.3 and its SSL channels.
2. Write custom channel exits using RSA Security's BSAFE toolkit.
3. Install a product like Candle's MQSecure (latest version is now called
PathWAI Secure for WebSphere MQ) and use the channel exits it provides.

What are the compatibility issues for these encrypted channels?
1. If ABC is running v5.3 and wants to use its SSL channels, is it
mandatory that DEF also run v5.3 to be compatible?
2. Can custom channel exits be written by ABC using the BSAFE toolkit so
they will be compatible with another encryption method, such as the SSL
channels in v5.3, or in MQSecure?
3. Can MQSecure be configured to be compatible with v5.3's SSL channels,
etc.?

In general, ABC is hoping to avoid installing and supporting a different
encryption method for each of their connected customers. Is there a way to
do this?

All responses are much appreciated!

Thanks, ..Bill..

Heisenberg may have slept here.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
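
An added example, not part of the original posts and not IBM code: the
question above assumes SSLCIPH names a CipherSpec that provides encryption,
and the quoted reply notes that the NULL_* CipherSpecs do the handshake with
no encryption. This sketch flags channels that have a security exit but no
SSLCIPH or a NULL_* one; the channel names, exit name and output layout in the
sample are constructed for illustration.

```python
import re

# Constructed sample in the attribute(value) style of DISPLAY CHANNEL output.
# Channel names and the exit name are made up for this example.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)  SCYEXIT(pwdexit(ChlExit))
   SSLCAUTH(OPTIONAL)     SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)  SCYEXIT(pwdexit(ChlExit))
   SSLCAUTH(OPTIONAL)     SSLCIPH(NULL_SHA)
AMQ8414: Display Channel details.
   CHANNEL(APP3.SVRCONN)  SCYEXIT(pwdexit(ChlExit))
   SSLCAUTH(REQUIRED)     SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP4.SVRCONN)  SCYEXIT( )
   SSLCAUTH(REQUIRED)     SSLCIPH( )
"""

# NAME(value), allowing one nested pair of parentheses such as lib(function).
ATTR = re.compile(r"(\w+)\(((?:[^()]|\([^()]*\))*)\)")

def parse_channels(text):
    """Split the output into one attribute dict per CHANNEL(...) record."""
    channels = []
    for key, value in ATTR.findall(text):
        if key == "CHANNEL":
            channels.append({})
        if channels:
            channels[-1][key] = value.strip()
    return channels

def classify(chl):
    """Report whether the 'encrypting CipherSpec' assumption can hold."""
    if not chl.get("SCYEXIT"):
        return "no-security-exit"
    ciph = chl.get("SSLCIPH", "")
    if not ciph:
        return "exit-without-ssl"            # blank SSLCIPH: SSL not in use
    if ciph.upper().startswith("NULL_"):
        return "exit-with-null-cipherspec"   # handshake only, no encryption
    return "exit-with-cipherspec"            # non-NULL CipherSpec is set

def audit(text):
    return {c["CHANNEL"]: classify(c) for c in parse_channels(text)}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:15} {verdict}")
```

The "exit-with-cipherspec" verdict only says that a non-NULL CipherSpec is
configured; it does not judge the strength of that CipherSpec.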



Re: Compatibility of Channel Encryption Methods?

2003-01-27 Thread Morag Hughson
Bill,

A1) The code to run SSL channels (i.e. WebSphere MQ V5.3) must be available
at both ends of the channel in order for the channel to be able to use SSL.
So, yes, both queue managers must be at V5.3.
A2) You cannot write a channel exit to communicate with the SSL code in
V5.3 since the exits do not get called until after the SSL handshake has
taken place. So unless you have V5.3 at both ends, the channel will fail to
start if SSL is specified on only one end, and you will never get as far as
calling the exits.
A3) As I understand it, MQSecure is written using Channel Exits, so the
answer to Q2) applies. You can use V5.3 SSL on both ends to do the
handshake and specify no encryption on the channel using one of the NULL_*
CipherSpecs, then what you do in an exit to the data flowed is up to you.
So they can interact in this way.

Hope this helps
Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




Bill A Lee/CanWest/IBM@IBMCA
Sent by: MQSeries List
24/01/2003 18:19
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Compatibility of Channel Encryption Methods?

Company ABC will be connecting their OS/390 queue managers (yet to be
installed) to those of their customer DEF via SSL encrypted channels, PKI
digital certificates, etc. DEF is their first customer to connect in this
manner, but others are anticipated.

Some of the ways to do this are:
1. Install WebSphere MQ for OS/390 v5.3 and its SSL channels.
2. Write custom channel exits using RSA Security's BSAFE toolkit.
3. Install a product like Candle's MQSecure (latest version is now called
PathWAI Secure for WebSphere MQ) and use the channel exits it provides.

What are the compatibility issues for these encrypted channels?
1. If ABC is running v5.3 and wants to use its SSL channels, is it
mandatory that DEF also run v5.3 to be compatible?
2. Can custom channel exits be written by ABC using the BSAFE toolkit so
they will be compatible with another encryption method, such as the SSL
channels in v5.3, or in MQSecure?
3. Can MQSecure be configured to be compatible with v5.3's SSL channels,
etc.?

In general, ABC is hoping to avoid installing and supporting a different
encryption method for each of their connected customers. Is there a way to
do this?

All responses are much appreciated!

Thanks, ..Bill..

Heisenberg may have slept here.




Compatibility of Channel Encryption Methods?

2003-01-24 Thread Bill A Lee

Company ABC will be connecting their OS/390 queue managers (yet to be installed) to those of their customer DEF via SSL encrypted channels, PKI digital certificates, etc. DEF is their first customer to connect in this manner, but others are anticipated.

Some of the ways to do this are:
1. Install WebSphere MQ for OS/390 v5.3 and its SSL channels.
2. Write custom channel exits using RSA Security's BSAFE toolkit.
3. Install a product like Candle's MQSecure (latest version is now called PathWAI Secure for WebSphere MQ) and use the channel exits it provides.

What are the compatibility issues for these encrypted channels?
1. If ABC is running v5.3 and wants to use its SSL channels, is it mandatory that DEF also run v5.3 to be compatible?
2. Can custom channel exits be written by ABC using the BSAFE toolkit so they will be compatible with another encryption method, such as the SSL channels in v5.3, or in MQSecure?
3. Can MQSecure be configured to be compatible with v5.3's SSL channels, etc.?

In general, ABC is hoping to avoid installing and supporting a different encryption method for each of their connected customers. Is there a way to do this?

All responses are much appreciated!

Thanks, ..Bill..

Heisenberg may have slept here.