Re: MQSeries Client Security - SSL

2002-07-15 Thread Steve Sacho

"The part that seems to be missing with regard to MQSeries SSL support (other than on MVS) is the
ability to associate a certificate with a userid."

If this is true (and I haven't explored the new SSL features in depth), then I would propose using a workflow layer that DOES do the user-cert association. There are many workflow products that do this natively (e.g. Lotus Notes), or you could use an LDAP directory that stores SSL certs per user. So yes, we're talking another application layer here to fill the gap, but then you're likely to have the architectural need for it anyway independently of the security issues with MQ, right?
___
Steve Sacho
CSSD - Enterprise Architecture
Tel: 805-577-3983
Internal: 92-598-3983









"Malamud, Mikhail" <[EMAIL PROTECTED]>
Sent by: "MQSeries List" <[EMAIL PROTECTED]>
07/15/2002 01:04 PM
Please respond to "MQSeries List"
To: [EMAIL PROTECTED]
cc:
Subject: Re: MQSeries Client Security - SSL

Bruce -
Depending on what your business goals are, you could choose either one. SSL
solution might prove a lot more scalable in terms of managing security
issues and creating trust relationships. For example, if your clients
represent outside business partners, they are a lot more likely to adopt a
feature of the product rather than third party exit. There are many other
reasons why I believe SSL is a good solution. I am not sure what your
architecture is, but perhaps instead of using a channel exit to associate a
client connection with the user id, you could group your clients into
profiles and then have separate channels that have MCAUSER ID already put in
to be accessed by those groups of clients. Further, you could make sure that
your clients are not using the access points - channels that they are not
supposed to access - using DN matching or by having certain keys in your key
repository. If you use channel exits that associate user id with each client
connection, you will implement something that is called Identity based
access control. The solution I described resembles role based access (RBAC).
Here are some guidelines to help you decide which one to go with simply from
the security perspective disregarding exits and certificates.

Identity Based Access Control
Pros:
  Fine grained configs
  Better Accountability
  Perhaps a regulation compliance
  Auditing
Cons:
  Administration overhead, each user needs to be handled separately.
  Not very scalable.

Role Based AC.
Pros:
  Easier Administration. You pretty much have preset profiles and their
  permissions.
  Scalable up to a certain point.
  Easier to import/export/maintain restrictions in the other environments.
  Fits business model better.
Cons are IB based pros.

If you can deal without the fact that each client session has to be
associated with the user id, I would still refrain from using a channel
exit.

Mikhail.



Mikhail,
  I understand and agree with most of what you're saying.  Where I disagree
is your statement that all you can do from a security exit is say whether
the connection will take place or not.  The other thing you can do in the
security exit is specify the userid that will be used by the OAM for access
control once the connection does take place.  The part that seems to be
missing with regard to MQSeries SSL support (other than on MVS) is the
ability to associate a certificate with a userid.  It sounds like you may
be able to make this association thru a security exit.  However, if this
were available as part of the base product, we could do away with the
security exit entirely.
- Bruce Giordano

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


Re: MQSeries Client Security - SSL

2002-07-15 Thread Malamud, Mikhail

Bruce -
Depending on what your business goals are, you could choose either one. SSL
solution might prove a lot more scalable in terms of managing security
issues and creating trust relationships. For example, if your clients
represent outside business partners, they are a lot more likely to adopt a
feature of the product rather than third party exit. There are many other
reasons why I believe SSL is a good solution. I am not sure what your
architecture is, but perhaps instead of using a channel exit to associate a
client connection with the user id, you could group your clients into
profiles and then have separate channels that have MCAUSER ID already put in
to be accessed by those groups of clients. Further, you could make sure that
your clients are not using the access points - channels that they are not
supposed to access - using DN matching or by having certain keys in your key
repository. If you use channel exits that associate user id with each client
connection, you will implement something that is called Identity based
access control. The solution I described resembles role based access (RBAC).
Here are some guidelines to help you decide which one to go with simply from
the security perspective disregarding exits and certificates.

Identity Based Access Control
Pros:
  Fine grained configs
  Better Accountability
  Perhaps a regulation compliance
  Auditing
Cons:
  Administration overhead, each user needs to be handled separately.
  Not very scalable.

Role Based AC.
Pros:
  Easier Administration. You pretty much have preset profiles and their
  permissions.
  Scalable up to a certain point.
  Easier to import/export/maintain restrictions in the other environments.
  Fits business model better.
Cons are IB based pros.

If you can deal without the fact that each client session has to be
associated with the user id, I would still refrain from using a channel
exit.

Mikhail.



Mikhail,
  I understand and agree with most of what you're saying.  Where I disagree
is your statement that all you can do from a security exit is say whether
the connection will take place or not.  The other thing you can do in the
security exit is specify the userid that will be used by the OAM for access
control once the connection does take place.  The part that seems to be
missing with regard to MQSeries SSL support (other than on MVS) is the
ability to associate a certificate with a userid.  It sounds like you may
be able to make this association thru a security exit.  However, if this
were available as part of the base product, we could do away with the
security exit entirely.
- Bruce Giordano
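
The role-based layout described in the message above, sketched as MQSC for a V5.3 queue manager. This is an added example, not part of the original post or of IBM's documentation; the channel names, Distinguished Names, userids and CipherSpec choice are assumptions.

```mqsc
* Added example: one SVRCONN channel per client profile (role).
* Channel names, DNs and userids are hypothetical.
* TRIPLE_DES_SHA_US is a CipherSpec name from the V5.3 set; use the
* strongest CipherSpec your MQ level supports.

* Profile 1: business partners submitting orders.
* SSLCAUTH(REQUIRED) makes the client present a certificate.
* SSLPEER rejects any certificate whose DN does not match.
* MCAUSER fixes the userid the OAM checks, so the userid passed
* by the client is not used for access control on this channel.
DEFINE CHANNEL('PARTNER.ORDERS') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TRIPLE_DES_SHA_US) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('O=Example Partner Ltd,OU=Orders') +
       MCAUSER('ordrole') +
       REPLACE

* Profile 2: internal reporting clients, different DN, different role.
DEFINE CHANNEL('INTERNAL.REPORTS') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TRIPLE_DES_SHA_US) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('O=Example Corp,OU=Reporting') +
       MCAUSER('rptrole') +
       REPLACE

* Queue authorities are then granted per role with setmqaut, for
* example +put on the order queue for ordrole only.
```

Every client admitted through a given channel runs under that channel's MCAUSER, so accountability is per role rather than per certificate holder, which is the trade-off listed in the message.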


Re: MQSeries Client Security - SSL

2002-07-15 Thread Bruce Giordano

Mikhail,
  I understand and agree with most of what you're saying.  Where I disagree
is your statement that all you can do from a security exit is say whether
the connection will take place or not.  The other thing you can do in the
security exit is specify the userid that will be used by the OAM for access
control once the connection does take place.  The part that seems to be
missing with regard to MQSeries SSL support (other than on MVS) is the
ability to associate a certificate with a userid.  It sounds like you may
be able to make this association thru a security exit.  However, if this
were available as part of the base product, we could do away with the
security exit entirely.
- Bruce Giordano


Re: MQSeries Client Security - SSL

2002-07-15 Thread Malamud, Mikhail
ch is one of the goals of link level security. Don't forget
that with SSL you also get message confidentiality and integrity.

HTH.

Mikhail.
Middleware Security Consultant.

-Original Message-
From: Bruce Giordano
To: [EMAIL PROTECTED]
Sent: 7/15/2002 9:01 AM
Subject: Re: MQSeries Client Security - SSL

Unless I'm missing something, I don't see that the SSL support is providing
true authentication at least as I use the term.  It lets you know that the
client or queue manager coming across has a valid certificate.  What it
doesn't do is let you know who this client or queue manager is.  That means
you also can't use it to provide access control.  Access control still
seems dependent on the passed userid.  This still requires use of a
security exit on both sides since you can't really trust the passed userid
otherwise.
Since I'm still digging thru the 5.3 documentation, I may be incorrect on
this.  This is my take on what I've seen so far though.  Any other
comments?
 - Bruce Giordano
Prudential Insurance



Re: MQSeries Client Security - SSL

2002-07-15 Thread Bruce Giordano

Mike,
  Thanks.  Looking at the SSLPEER parameter I see that you can use this to
control access to the queue manager.  You still seem to be tied to the
userid in order to use the OAM to control what resources the client can
access once you let them in though.  As this can't really be trusted, it
still seems to require use of a security exit.
- Bruce Giordano



Mike Horan <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
Monday July 15, 2002 11:49 AM
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: Re: MQSeries Client Security - SSL

Hi Bruce,

Well the certificate sent from the attaching peer contains the
Distinguished Name of the entity which sent it; so you know who the
attaching client or queue manager is. Using the SSLPEER channel parameter
you can reject attempts to connect from entities which you don't trust.

The  Distinguished Name can be automatically mapped to a userid on z/OS
only.

Cheers,

Mike

WebSphere MQ Base Development (distributed platforms)
[EMAIL PROTECTED]




Bruce Giordano
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/15/2002 02:01 PM
Please respond to MQSeries List
cc:
Subject: Re: MQSeries Client Security - SSL

Unless I'm missing something, I don't see that the SSL support is providing
true authentication at least as I use the term.  It lets you know that the
client or queue manager coming across has a valid certificate.  What it
doesn't do is let you know who this client or queue manager is.  That means
you also can't use it to provide access control.  Access control still
seems dependent on the passed userid.  This still requires use of a
security exit on both sides since you can't really trust the passed userid
otherwise.
Since I'm still digging thru the 5.3 documentation, I may be incorrect on
this.  This is my take on what I've seen so far though.  Any other
comments?
 - Bruce Giordano
Prudential Insurance


Re: MQSeries Client Security - SSL

2002-07-15 Thread Mike Horan

Hi Bruce,

Well the certificate sent from the attaching peer contains the
Distinguished Name of the entity which sent it; so you know who the
attaching client or queue manager is. Using the SSLPEER channel parameter
you can reject attempts to connect from entities which you don't trust.

The  Distinguished Name can be automatically mapped to a userid on z/OS
only.

Cheers,

Mike

WebSphere MQ Base Development (distributed platforms)
[EMAIL PROTECTED]




Bruce Giordano
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/15/2002 02:01 PM
Please respond to MQSeries List
cc:
Subject: Re: MQSeries Client Security - SSL

Unless I'm missing something, I don't see that the SSL support is providing
true authentication at least as I use the term.  It lets you know that the
client or queue manager coming across has a valid certificate.  What it
doesn't do is let you know who this client or queue manager is.  That means
you also can't use it to provide access control.  Access control still
seems dependent on the passed userid.  This still requires use of a
security exit on both sides since you can't really trust the passed userid
otherwise.
Since I'm still digging thru the 5.3 documentation, I may be incorrect on
this.  This is my take on what I've seen so far though.  Any other
comments?
 - Bruce Giordano
Prudential Insurance


Re: MQSeries Client Security - SSL

2002-07-15 Thread Mike Horan

Tony,

All I can say is that I've not had any contact with nor heard mention of
MQSI control center in the context of the development of SSL on MQ base for
V5.3.

Mike

WebSphere MQ Base Development (distributed platforms)
[EMAIL PROTECTED]




Tony Reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/15/2002 04:17 PM
Please respond to MQSeries List
cc:
Subject: Re: MQSeries Client Security - SSL

Mike,
   Thanks for that.  Do you know if the MQSI control center uses
them ?

Tony.

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com <http://www.alphacourt.com>

Alphacourt - "The Integration Practice"


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of Mike
Horan
Sent: 15 July 2002 16:11
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security - SSL


Tony,

You can use the SSL options on channels created within the Java/JMS client.

Cheers,

Mike

WebSphere MQ Base Development (distributed platforms)
[EMAIL PROTECTED]




tony reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/15/2002 09:02 AM
Please respond to MQSeries List
cc:
Subject: Re: MQSeries Client Security - SSL

Morag,
  I'll have to have a read of the security manual, but perhaps
you might know if I can use the SSL options on channels created within Java
programs ?  Also, will the MQSI control centre be able to use it ?

If I have to have a single svrconn channel that I can't protect, then I'm
back to square one.

Many thanks,

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com

Alphacourt - "The Integration Practice"


- Original Message -
From: "Morag Hughson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 12, 2002 9:52 AM
Subject: Re: MQSeries Client Security - SSL


> SSL allows you to authenticate the parties concerned. Each queue manager or
> client log-on gets a digital certificate, and these certificates are
> authenticated when a channel, using SSL, is started between two queue
> managers, or between a client and queue manager (you can choose to only
> authenticate the responding end of the channel if you wish, allowing you to
> effectively have anonymous initiators or clients). Once authentication has
> been completed a secret key is set up to use to do encryption for the
> lifetime of that channel instance.
>
> There's more information about SSL in the new Security Manual.
>
> Cheers
> Morag
>
> Morag Hughson
> WebSphere MQ for z/OS Development
> Internet: [EMAIL PROTECTED]
>
>
>
>
> Tony Reddiough
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 12/07/2002 08:59
> Please respond to MQSeries List
> cc:
> Subject: Re: MQSeries Client Security
>
> James,
>  I haven't got my hands on 5.3 yet.  I know it adds SSL but
> I thought this was only for encryption.  Does it help with authentication
> as well ?
>
> I'd be interested in retrying my testing with 5.3 in that case.
>
> Thanks,
> Tony.
>
> Tony Reddiough
> Certified MQSeries Specialist
> Tel:   +44 (0) 1793 616100
> Mobile:  +44 (0) 7711 264281
> www.alphacourt.com <http://www.alphacourt.com>
>
> Alphacourt - "The Integration Practice"
>
>
> -Original Message-
> From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
> Kingdon
> Sent: 12 July 2002 07:59
> To: [EMAIL PROTECTED]
> Subject: Re: MQSeries Client Security
>
>
> You may be interested in the announcement at
>
> http://www.ibmlink.ibm.com/usalets&parms=H_202-074
>
> with particular reference to the bits about SSL.
>
> Regards,
> James.
>
> Wesley Shaw wrote:
>
> >Who has the best and cheapest Security Exit Program ?

Re: MQSeries Client Security - SSL

2002-07-15 Thread philip . distefano

Is the SSL for JMS security available for APPLETS ?



[EMAIL PROTECTED]
Sent by: MQSERIES@akh-wien.ac.at
07/15/2002 11:11 AM
Please respond to MQSERIES
To: [EMAIL PROTECTED]
cc:
Subject: Re: MQSeries Client Security - SSL



Tony,

You can use the SSL options on channels created within the Java/JMS client.

Cheers,

Mike

WebSphere MQ Base Development (distributed platforms)
[EMAIL PROTECTED]




tony reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/15/2002 09:02 AM
Please respond to MQSeries List
cc:
Subject: Re: MQSeries Client Security - SSL

Morag,
  I'll have to have a read of the security manual, but perhaps
you might know if I can use the SSL options on channels created within Java
programs ?  Also, will the MQSI control centre be able to use it ?

If I have to have a single svrconn channel that I can't protect, then I'm
back to square one.

Many thanks,

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com

Alphacourt - "The Integration Practice"


- Original Message -
From: "Morag Hughson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 12, 2002 9:52 AM
Subject: Re: MQSeries Client Security - SSL


> SSL allows you to authenticate the parties concerned. Each queue manager or
> client log-on gets a digital certificate, and these certificates are
> authenticated when a channel, using SSL, is started between two queue
> managers, or between a client and queue manager (you can choose to only
> authenticate the responding end of the channel if you wish, allowing you to
> effectively have anonymous initiators or clients). Once authentication has
> been completed a secret key is set up to use to do encryption for the
> lifetime of that channel instance.
>
> There's more information about SSL in the new Security Manual.
>
> Cheers
> Morag
>
> Morag Hughson
> WebSphere MQ for z/OS Development
> Internet: [EMAIL PROTECTED]
>
>
>
>
> Tony Reddiough
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 12/07/2002 08:59
> Please respond to MQSeries List
> cc:
> Subject: Re: MQSeries Client Security
>
> James,
>  I haven't got my hands on 5.3 yet.  I know it adds SSL but
> I thought this was only for encryption.  Does it help with authentication
> as well ?
>
> I'd be interested in retrying my testing with 5.3 in that case.
>
> Thanks,
> Tony.
>
> Tony Reddiough
> Certified MQSeries Specialist
> Tel:   +44 (0) 1793 616100
> Mobile:  +44 (0) 7711 264281
> www.alphacourt.com <http://www.alphacourt.com>
>
> Alphacourt - "The Integration Practice"
>
>
> -Original Message-
> From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
> Kingdon
> Sent: 12 July 2002 07:59
> To: [EMAIL PROTECTED]
> Subject: Re: MQSeries Client Security
>
>
> You may be interested in the announcement at
>
> http://www.ibmlink.ibm.com/usalets&parms=H_202-074
>
> with particular reference to the bits

Re: MQSeries Client Security - SSL

2002-07-15 Thread Tony Reddiough

Mike,
   Thanks for that.  Do you know if the MQSI control center uses
them ?

Tony.

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com <http://www.alphacourt.com>

Alphacourt - "The Integration Practice"


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of Mike
Horan
Sent: 15 July 2002 16:11
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security - SSL


Tony,

You can use the SSL options on channels created within the Java/JMS client.

Cheers,

Mike

WebSphere MQ Base Development (distributed platforms)
[EMAIL PROTECTED]




tony reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/15/2002 09:02 AM
Please respond to MQSeries List
cc:
Subject: Re: MQSeries Client Security - SSL

Morag,
  I'll have to have a read of the security manual, but perhaps
you might know if I can use the SSL options on channels created within Java
programs ?  Also, will the MQSI control centre be able to use it ?

If I have to have a single svrconn channel that I can't protect, then I'm
back to square one.

Many thanks,

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com

Alphacourt - "The Integration Practice"


- Original Message -
From: "Morag Hughson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 12, 2002 9:52 AM
Subject: Re: MQSeries Client Security - SSL


> SSL allows you to authenticate the parties concerned. Each queue manager or
> client log-on gets a digital certificate, and these certificates are
> authenticated when a channel, using SSL, is started between two queue
> managers, or between a client and queue manager (you can choose to only
> authenticate the responding end of the channel if you wish, allowing you to
> effectively have anonymous initiators or clients). Once authentication has
> been completed a secret key is set up to use to do encryption for the
> lifetime of that channel instance.
>
> There's more information about SSL in the new Security Manual.
>
> Cheers
> Morag
>
> Morag Hughson
> WebSphere MQ for z/OS Development
> Internet: [EMAIL PROTECTED]
>
>
>
>
> Tony Reddiough
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 12/07/2002 08:59
> Please respond to MQSeries List
> cc:
> Subject: Re: MQSeries Client Security
>
> James,
>  I haven't got my hands on 5.3 yet.  I know it adds SSL but
> I thought this was only for encryption.  Does it help with authentication
> as well ?
>
> I'd be interested in retrying my testing with 5.3 in that case.
>
> Thanks,
> Tony.
>
> Tony Reddiough
> Certified MQSeries Specialist
> Tel:   +44 (0) 1793 616100
> Mobile:  +44 (0) 7711 264281
> www.alphacourt.com <http://www.alphacourt.com>
>
> Alphacourt - "The Integration Practice"
>
>
> -Original Message-
> From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
> Kingdon
> Sent: 12 July 2002 07:59
> To: [EMAIL PROTECTED]
> Subject: Re: MQSeries Client Security
>
>
> You may be interested in the announcement at
>
> http://www.ibmlink.ibm.com/usalets&parms=H_202-074
>
> with particular reference to the bits about SSL.
>
> Regards,
> James.
>
> Wesley Shaw wrote:
>
> >Who has the best and cheapest Security Exit Program ?

Re: MQSeries Client Security - SSL

2002-07-15 Thread Mike Horan

Tony,

You can use the SSL options on channels created within the Java/JMS client.

Cheers,

Mike

WebSphere MQ Base Development (distributed platforms)
[EMAIL PROTECTED]




tony reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/15/2002 09:02 AM
Please respond to MQSeries List
cc:
Subject: Re: MQSeries Client Security - SSL

Morag,
  I'll have to have a read of the security manual, but perhaps
you might know if I can use the SSL options on channels created within Java
programs ?  Also, will the MQSI control centre be able to use it ?

If I have to have a single svrconn channel that I can't protect, then I'm
back to square one.

Many thanks,

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com

Alphacourt - "The Integration Practice"


- Original Message -
From: "Morag Hughson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 12, 2002 9:52 AM
Subject: Re: MQSeries Client Security - SSL


> SSL allows you to authenticate the parties concerned. Each queue manager or
> client log-on gets a digital certificate, and these certificates are
> authenticated when a channel, using SSL, is started between two queue
> managers, or between a client and queue manager (you can choose to only
> authenticate the responding end of the channel if you wish, allowing you to
> effectively have anonymous initiators or clients). Once authentication has
> been completed a secret key is set up to use to do encryption for the
> lifetime of that channel instance.
>
> There's more information about SSL in the new Security Manual.
>
> Cheers
> Morag
>
> Morag Hughson
> WebSphere MQ for z/OS Development
> Internet: [EMAIL PROTECTED]
>
>
>
>
> Tony Reddiough
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 12/07/2002 08:59
> Please respond to MQSeries List
> cc:
> Subject: Re: MQSeries Client Security
>
> James,
>  I haven't got my hands on 5.3 yet.  I know it adds SSL but
> I thought this was only for encryption.  Does it help with authentication
> as well ?
>
> I'd be interested in retrying my testing with 5.3 in that case.
>
> Thanks,
> Tony.
>
> Tony Reddiough
> Certified MQSeries Specialist
> Tel:   +44 (0) 1793 616100
> Mobile:  +44 (0) 7711 264281
> www.alphacourt.com <http://www.alphacourt.com>
>
> Alphacourt - "The Integration Practice"
>
>
> -Original Message-
> From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
> Kingdon
> Sent: 12 July 2002 07:59
> To: [EMAIL PROTECTED]
> Subject: Re: MQSeries Client Security
>
>
> You may be interested in the announcement at
>
> http://www.ibmlink.ibm.com/usalets&parms=H_202-074
>
> with particular reference to the bits about SSL.
>
> Regards,
> James.
>
> Wesley Shaw wrote:
>
> >Who has the best and cheapest Security Exit Program ?



Re: MQSeries Client Security - SSL

2002-07-15 Thread Bruce Giordano

Unless I'm missing something, I don't see that the SSL support is providing
true authentication at least as I use the term.  It lets you know that the
client or queue manager coming across has a valid certificate.  What it
doesn't do is let you know who this client or queue manager is.  That means
you also can't use it to provide access control.  Access control still
seems dependent on the passed userid.  This still requires use of a
security exit on both sides since you can't really trust the passed userid
otherwise.
Since I'm still digging thru the 5.3 documentation, I may be incorrect on
this.  This is my take on what I've seen so far though.  Any other
comments?
 - Bruce Giordano
Prudential Insurance


Re: MQSeries Client Security - SSL

2002-07-15 Thread Taylor, Neil

Which is fine for qmgr-qmgr, but does not solve app-app level security.


-Original Message-
From:   Brian S. Crabtree [mailto:[EMAIL PROTECTED]]
Sent:   Fri 12/07/2002 19:46
To: [EMAIL PROTECTED]
Cc: 
Subject: Re: MQSeries Client Security - SSL
Philip

See Morag Hughson's posts in this thread

According to the manual SSL provides all the security features that you will
ever need

Secure Sockets Layer in WebSphere MQ
Message channels and MQI channels can use the SSL protocol to provide link
level security. A caller MCA is an SSL client and a responder MCA is an SSL
server.

> Does SSL provide authentication security for JMS or JAVA applications ?  I
> don't believe so.

The docs say that you can do it - I haven't delved deeply enough to find the
specifics on setting up JMS/SSL support but it is in there somewhere

Brian S. Crabtree
EAI Consultant

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 12, 2002 6:09 PM
Subject: Re: MQSeries Client Security - SSL


> Does SSL provide authentication security for JMS or JAVA applications ?  I
> don't believe so.
>
>
>
>
>
> pavel.tolkachev@DB.COM
> Sent by: MQSERIES@akh-wien.ac.at
> 07/12/2002 09:55 AM
> Please respond to MQSERIES
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: MQSeries Client Security - SSL
>
> Yes, please! :-)
>
> Or if there is no document readily available, can someone who knows 5.3
> share his or her knowledge about the following:
>
> 1. Is it possible to configure server end of the client channel to
> authenticate different identities based on MCAUSER field? Other fields? I
> mean: to be really useful SSL channel security should be integrated with MQ
> user name-based or group name-based access control architecture. I do not
> think the anonymous clients are really useful in secure environment unless
> you want to allow a separate port and channel process for each user or
> administrative group.
>
> 2. How do I configure the client end for SSL? Is this new API, new
> configuration file or what? Can I configure different identities on same
> client machine? Different identities for same user name on different
> machines? (e.g. user1@host1 and user1@host2 to have different identities
> and therefore different rights)? My client and server platforms of interest
> are NT, Solaris, AIX, Linux.
>
> Thank you in advance,
> Pavel
>
> "Garcia Rich (SYS1RXG)" <[EMAIL PROTECTED]>
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 07/12/2002 09:02 AM
> Please respond to MQSeries List
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: MQSeries Client Security - SSL
>
> Is this security manual which you are referring to available now or is it
> 5.3 if it is can you please pass the link.
>
> Thank you
>
> -Original Message-
> From: Morag Hughson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 12, 2002 4:53 AM
> To: [EMAIL PROTECTED]
> Subject: Re: MQSeries Client Security - SSL
>
>
> SSL allows you to authenticate the parties concerned. Each queue manager or
> client log-on gets a digital certificate, and these certificates are
> authenticated when a channel, using SSL, is started between two queue
> managers, or between a client and queue manager (you can choose to only
> authenticate the responding end of the channel if you wish, allowing you to
> effectively have anonymous initiators or clients). Once authentication has
> been completed a secret key is set up to use to do encryption for the
> lifetime of that channel instance.
>
> There's more information about SSL in the new Security Manual.
>
> Cheers
> Morag
>
> Morag Hughson
> WebSphere MQ for z/OS Development
> Internet: [EMAIL PROTECTED]
>
> Tony Reddiough <[EMAIL PROTECTED]>
> Sent by: MQSeries List <[EMAIL PROTECTED]>
>
> cc:
> Subject: Re: MQSeries Client Security

Re: MQSeries Client Security - SSL

2002-07-15 Thread tony reddiough

Morag,
  I'll have to have a read of the security manual, but perhaps
you might know if I can use the SSL options on channels created within Java
programs ?  Also, will the MQSI control centre be able to use it ?

If I have to have a single svrconn channel that I can't protect, then I'm
back to square one.

Many thanks,

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com

Alphacourt - "The Integration Practice"


- Original Message -
From: "Morag Hughson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 12, 2002 9:52 AM
Subject: Re: MQSeries Client Security - SSL


> SSL allows you to authenticate the parties concerned. Each queue manager or
> client log-on gets a digital certificate, and these certificates are
> authenticated when a channel, using SSL, is started between two queue
> managers, or between a client and queue manager (you can choose to only
> authenticate the responding end of the channel if you wish, allowing you to
> effectively have anonymous initiators or clients). Once authentication has
> been completed a secret key is set up to use to do encryption for the
> lifetime of that channel instance.
>
> There's more information about SSL in the new Security Manual.
>
> Cheers
> Morag
>
> Morag Hughson
> WebSphere MQ for z/OS Development
> Internet: [EMAIL PROTECTED]
>
> Tony Reddiough
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 12/07/2002 08:59
> Please respond to MQSeries List
>
> cc:
> Subject: Re: MQSeries Client Security
>
> James,
> I haven't got my hands on 5.3 yet.  I know it adds SSL but
> I thought this was only for encryption.  Does it help with authentication
> as well ?
>
> I'd be interested in retrying my testing with 5.3 in that case.
>
> Thanks,
> Tony.
>
> Tony Reddiough
> Certified MQSeries Specialist
> Tel:   +44 (0) 1793 616100
> Mobile:  +44 (0) 7711 264281
> www.alphacourt.com <http://www.alphacourt.com>
>
> Alphacourt - "The Integration Practice"
>
>
> -Original Message-
> From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
> Kingdon
> Sent: 12 July 2002 07:59
> To: [EMAIL PROTECTED]
> Subject: Re: MQSeries Client Security
>
>
> You may be interested in the announcement at
>
> http://www.ibmlink.ibm.com/usalets&parms=H_202-074
>
> with particular reference to the bits about SSL.
>
> Regards,
> James.
>
> Wesley Shaw wrote:
>
> >Who has the best and cheapest Security Exit Program ?



Re: MQSeries Client Security - SSL

2002-07-12 Thread Brian S. Crabtree

Philip

See Morag Hughson's posts in this thread

According to the manual SSL provides all the security features that you will
ever need

Secure Sockets Layer in WebSphere MQ
Message channels and MQI channels can use the SSL protocol to provide link
level security. A caller MCA is an SSL client and a responder MCA is an SSL
server.

> Does SSL provide authentication security for JMS or JAVA applications ?  I
> don't believe so.

The docs say that you can do it - I haven't delved deeply enough to find the
specifics on setting up JMS/SSL support but it is in there somewhere

Brian S. Crabtree
EAI Consultant

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 12, 2002 6:09 PM
Subject: Re: MQSeries Client Security - SSL


> Does SSL provide authentication security for JMS or JAVA applications ?  I
> don't believe so.
>
> pavel.tolkachev@DB.COM
> Sent by: MQSERIES@akh-wien.ac.at
> 07/12/2002 09:55 AM
> Please respond to MQSERIES
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: MQSeries Client Security - SSL
>
> Yes, please! :-)
>
> Or if there is no document readily available, can someone who knows 5.3
> share his or her knowledge about the following:
>
> 1. Is it possible to configure server end of the client channel to
> authenticate different identities based on MCAUSER field? Other fields? I
> mean: to be really useful SSL channel security should be integrated with MQ
> user name-based or group name-based access control architecture. I do not
> think the anonymous clients are really useful in secure environment unless
> you want to allow a separate port and channel process for each user or
> administrative group.
>
> 2. How do I configure the client end for SSL? Is this new API, new
> configuration file or what? Can I configure different identities on same
> client machine? Different identities for same user name on different
> machines? (e.g. user1@host1 and user1@host2 to have different identities
> and therefore different rights)? My client and server platforms of interest
> are NT, Solaris, AIX, Linux.
>
> Thank you in advance,
> Pavel
>
> "Garcia Rich (SYS1RXG)" <[EMAIL PROTECTED]>
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 07/12/2002 09:02 AM
> Please respond to MQSeries List
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: MQSeries Client Security - SSL
>
> Is this security manual which you are referring to available now or is it
> 5.3 if it is can you please pass the link.
>
> Thank you
>
> -Original Message-
> From: Morag Hughson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 12, 2002 4:53 AM
> To: [EMAIL PROTECTED]
> Subject: Re: MQSeries Client Security - SSL
>
>
> SSL allows you to authenticate the parties concerned. Each queue manager or
> client log-on gets a digital certificate, and these certificates are
> authenticated when a channel, using SSL, is started between two queue
> managers, or between a client and queue manager (you can choose to only
> authenticate the responding end of the channel if you wish, allowing you to
> effectively have anonymous initiators or clients). Once authentication has
> been completed a secret key is set up to use to do encryption for the
> lifetime of that channel instance.
>
> There's more information about SSL in the new Security Manual.
>
> Cheers
> Morag
>
> Morag Hughson
> WebSphere MQ for z/OS Development
> Internet: [EMAIL PROTECTED]
>
> Tony Reddiough <[EMAIL PROTECTED]>
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 12/07/2002 08:59
> Please respond to MQSeries List
>
> cc:
> Subject: Re: MQSeries Client Security
>
> James,
> I haven't got my hands on 5.3 yet.  I know it adds SSL but
> I thought this was only

Re: MQSeries Client Security - SSL

2002-07-12 Thread philip . distefano

Does SSL provide authentication security for JMS or JAVA applications ?  I
don't believe so.





pavel.tolkachev@DB.COM
Sent by: MQSERIES@akh-wien.ac.at
07/12/2002 09:55 AM
Please respond to MQSERIES

To: [EMAIL PROTECTED]
cc:
Subject: Re: MQSeries Client Security - SSL





Yes, please! :-)

Or if there is no document readily available, can someone who knows 5.3
share his or her knowledge about the following:

1. Is it possible to configure server end of the client channel to
authenticate different identities based on MCAUSER field? Other fields? I
mean: to be really useful SSL channel security should be integrated with MQ
user name-based or group name-based access control architecture. I do not
think the anonymous clients are really useful in secure environment unless
you want to allow a separate port and channel process for each user or
administrative group.

2. How do I configure the client end for SSL? Is this new API, new
configuration file or what? Can I configure different identities on same
client machine? Different identities for same user name on different
machines? (e.g. user1@host1 and user1@host2 to have different identities
and therefore different rights)? My client and server platforms of interest
are NT, Solaris, AIX, Linux.

Thank you in advance,
Pavel





"Garcia Rich (SYS1RXG)" <[EMAIL PROTECTED]>
Sent by: MQSeries List
07/12/2002 09:02 AM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: MQSeries Client Security - SSL

Is this security manual which you are referring to available now or is it
5.3 if it is can you please pass the link.

Thank you

-Original Message-
From: Morag Hughson [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 4:53 AM
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security - SSL


SSL allows you to authenticate the parties concerned. Each queue manager or
client log-on gets a digital certificate, and these certificates are
authenticated when a channel, using SSL, is started between two queue
managers, or between a client and queue manager (you can choose to only
authenticate the responding end of the channel if you wish, allowing you to
effectively have anonymous initiators or clients). Once authentication has
been completed a secret key is set up to use to do encryption for the
lifetime of that channel instance.

There's more information about SSL in the new Security Manual.

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




Tony Reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
12/07/2002 08:59
Please respond to MQSeries List

cc:
Subject: Re: MQSeries Client Security

James,
I haven't got my hands on 5.3 yet.  I know it adds SSL but
I thought this was only for encryption.  Does it help with authentication
as well ?

I'd be interested in retrying my testing with 5.3 in that case.

Thanks,
Tony.

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com <http://www.alphacourt.com>

Alphacourt - "The Integration Practice"


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
Kingdon
Sent: 12 July 2002 07:59
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security


You may be interested in the announcement at

http://www.ibmlink.ibm.com/usalets&parms=H_202-074

with particular reference to the bits about SSL.

Regards,
James.

Wesley Shaw wrote:

>Who has the best and cheapest Security Exit Program ?

Re: MQSeries Client Security - SSL

2002-07-12 Thread Morag Hughson

The brand new V5.3 books are available on the following website:-
http://www-3.ibm.com/software/ts/mqseries/library/manualsa/manuals/crosslatest.html
the usual place in other words.

Specifically the security manual is:-
HTML
http://publibfp.boulder.ibm.com/epubs/html/csqzas00/csqzas00tfrm.htm
PDF
http://publibfp.boulder.ibm.com/epubs/pdf/csqzas00.pdf

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




"Garcia Rich (SYS1RXG)" <[EMAIL PROTECTED]>
Sent by: MQSeries List
12/07/2002 14:02
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: MQSeries Client Security - SSL

Is this security manual which you are referring to available now or is it
5.3 if it is can you please pass the link.

Thank you

-Original Message-
From: Morag Hughson [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 4:53 AM
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security - SSL


SSL allows you to authenticate the parties concerned. Each queue manager or
client log-on gets a digital certificate, and these certificates are
authenticated when a channel, using SSL, is started between two queue
managers, or between a client and queue manager (you can choose to only
authenticate the responding end of the channel if you wish, allowing you to
effectively have anonymous initiators or clients). Once authentication has
been completed a secret key is set up to use to do encryption for the
lifetime of that channel instance.

There's more information about SSL in the new Security Manual.

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




Tony Reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
12/07/2002 08:59
Please respond to MQSeries List

cc:
Subject: Re: MQSeries Client Security

James,
I haven't got my hands on 5.3 yet.  I know it adds SSL but
I thought this was only for encryption.  Does it help with authentication
as well ?

I'd be interested in retrying my testing with 5.3 in that case.

Thanks,
Tony.

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com <http://www.alphacourt.com>

Alphacourt - "The Integration Practice"


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
Kingdon
Sent: 12 July 2002 07:59
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security


You may be interested in the announcement at

http://www.ibmlink.ibm.com/usalets&parms=H_202-074

with particular reference to the bits about SSL.

Regards,
James.

Wesley Shaw wrote:

>Who has the best and cheapest Security Exit Program ?



Re: MQSeries Client Security - SSL

2002-07-12 Thread Tom Schneider

Rich,

If you go to http://www-3.ibm.com/software/ts/mqseries/library/manualsa/manuals/crosslatest.html the WebSphere MQ Security manual can be downloaded as a PDF.

-Tom

==
Tom Schneider / IBM Global Services
(513) 533-3644 
[EMAIL PROTECTED]
==







"Garcia Rich (SYS1RXG)" <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
07/12/2002 09:02 AM
Please respond to MQSeries List

        
        To:        [EMAIL PROTECTED]
        cc:        
        Subject:        Re: MQSeries Client Security - SSL

       

Is this security manual which you are referring to available now or is it
5.3 if it is can you please pass the link.

Thank you

-Original Message-
From: Morag Hughson [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 4:53 AM
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security - SSL


SSL allows you to authenticate the parties concerned. Each queue manager or
client log-on gets a digital certificate, and these certificates are
authenticated when a channel, using SSL, is started between two queue
managers, or between a client and queue manager (you can choose to only
authenticate the responding end of the channel if you wish, allowing you to
effectively have anonymous initiators or clients). Once authentication has
been completed a secret key is set up to use to do encryption for the
lifetime of that channel instance.

There's more information about SSL in the new Security Manual.

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




Tony Reddiough <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED]>
12/07/2002 08:59
Please respond to MQSeries List

cc:
Subject: Re: MQSeries Client Security

James,
I haven't got my hands on 5.3 yet.  I know it adds SSL but
I thought this was only for encryption.  Does it help with authentication
as well ?

I'd be interested in retrying my testing with 5.3 in that case.

Thanks,
Tony.

Tony Reddiough
Certified MQSeries Specialist
Tel:       +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com 

Alphacourt - "The Integration Practice"


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
Kingdon
Sent: 12 July 2002 07:59
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security


You may be interested in the announcement at

http://www.ibmlink.ibm.com/usalets&parms=H_202-074

with particular reference to the bits about SSL.

Regards,
James.

Wesley Shaw wrote:

>Who has the best and cheapest Security Exit Program ?




Re: MQSeries Client Security - SSL

2002-07-12 Thread Pavel Tolkachev

Yes, please! :-)

Or if there is no document readily available, can someone who knows 5.3 share his or 
her knowledge about the following:

1. Is it possible to configure server end of the client channel to authenticate 
different identities based on MCAUSER field? Other fields? I mean: to be really useful 
SSL channel security should be integrated with MQ user name-based or group name-based 
access control architecture. I do not think the anonymous clients are really useful in 
secure environment unless you want to allow a separate port and channel process for 
each user or administrative group.

2. How do I configure the client end for SSL? Is this new API, new configuration file 
or what? Can I configure different identities on same client machine? Different 
identities for same user name on different machines? (e.g. user1@host1 and user1@host2 
to have different identities and therefore different rights)? My client and server 
platforms of interest are NT, Solaris, AIX, Linux.

Thank you in advance,
Pavel





"Garcia Rich (SYS1RXG)" <[EMAIL PROTECTED]>
Sent by: MQSeries List
07/12/2002 09:02 AM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: MQSeries Client Security - SSL

Is this security manual which you are referring to available now or is it
5.3 if it is can you please pass the link.

Thank you

-Original Message-
From: Morag Hughson [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 4:53 AM
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security - SSL


SSL allows you to authenticate the parties concerned. Each queue manager or
client log-on gets a digital certificate, and these certificates are
authenticated when a channel, using SSL, is started between two queue
managers, or between a client and queue manager (you can choose to only
authenticate the responding end of the channel if you wish, allowing you to
effectively have anonymous initiators or clients). Once authentication has
been completed a secret key is set up to use to do encryption for the
lifetime of that channel instance.

There's more information about SSL in the new Security Manual.

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




Tony Reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
12/07/2002 08:59
Please respond to MQSeries List

cc:
Subject: Re: MQSeries Client Security

James,
I haven't got my hands on 5.3 yet.  I know it adds SSL but
I thought this was only for encryption.  Does it help with authentication
as well ?

I'd be interested in retrying my testing with 5.3 in that case.

Thanks,
Tony.

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com <http://www.alphacourt.com>

Alphacourt - "The Integration Practice"


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
Kingdon
Sent: 12 July 2002 07:59
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security


You may be interested in the announcement at

http://www.ibmlink.ibm.com/usalets&parms=H_202-074

with particular reference to the bits about SSL.

Regards,
James.

Wesley Shaw wrote:

>Who has the best and cheapest Security Exit Program ?

Re: MQSeries Client Security - SSL

2002-07-12 Thread Garcia Rich (SYS1RXG)

Is this security manual which you are referring to available now or is it
5.3 if it is can you please pass the link.

Thank you

-Original Message-
From: Morag Hughson [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 12, 2002 4:53 AM
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security - SSL


SSL allows you to authenticate the parties concerned. Each queue manager or
client log-on gets a digital certificate, and these certificates are
authenticated when a channel, using SSL, is started between two queue
managers, or between a client and queue manager (you can choose to only
authenticate the responding end of the channel if you wish, allowing you to
effectively have anonymous initiators or clients). Once authentication has
been completed a secret key is set up to use to do encryption for the
lifetime of that channel instance.

There's more information about SSL in the new Security Manual.

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




Tony Reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
12/07/2002 08:59
Please respond to MQSeries List

cc:
Subject: Re: MQSeries Client Security

James,
I haven't got my hands on 5.3 yet.  I know it adds SSL but
I thought this was only for encryption.  Does it help with authentication
as well ?

I'd be interested in retrying my testing with 5.3 in that case.

Thanks,
Tony.

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com <http://www.alphacourt.com>

Alphacourt - "The Integration Practice"


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
Kingdon
Sent: 12 July 2002 07:59
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security


You may be interested in the announcement at

http://www.ibmlink.ibm.com/usalets&parms=H_202-074

with particular reference to the bits about SSL.

Regards,
James.

Wesley Shaw wrote:

>Who has the best and cheapest Security Exit Program ?



Re: MQSeries Client Security - SSL

2002-07-12 Thread Morag Hughson

SSL allows you to authenticate the parties concerned. Each queue manager or
client log-on gets a digital certificate, and these certificates are
authenticated when a channel, using SSL, is started between two queue
managers, or between a client and queue manager (you can choose to only
authenticate the responding end of the channel if you wish, allowing you to
effectively have anonymous initiators or clients). Once authentication has
been completed a secret key is set up to use to do encryption for the
lifetime of that channel instance.

There's more information about SSL in the new Security Manual.

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Internet: [EMAIL PROTECTED]




Tony Reddiough
Sent by: MQSeries List <[EMAIL PROTECTED]>
12/07/2002 08:59
Please respond to MQSeries List

cc:
Subject: Re: MQSeries Client Security

James,
I haven't got my hands on 5.3 yet.  I know it adds SSL but
I thought this was only for encryption.  Does it help with authentication
as well ?

I'd be interested in retrying my testing with 5.3 in that case.

Thanks,
Tony.

Tony Reddiough
Certified MQSeries Specialist
Tel:   +44 (0) 1793 616100
Mobile:  +44 (0) 7711 264281
www.alphacourt.com 

Alphacourt - "The Integration Practice"


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED]]On Behalf Of James
Kingdon
Sent: 12 July 2002 07:59
To: [EMAIL PROTECTED]
Subject: Re: MQSeries Client Security


You may be interested in the announcement at

http://www.ibmlink.ibm.com/usalets&parms=H_202-074

with particular reference to the bits about SSL.

Regards,
James.

Wesley Shaw wrote:

>Who has the best and cheapest Security Exit Program ?