

Number of slides: 61

Today's MQ Infrastructure & Tomorrow's Security & High Availability with MQ 7.1, MQ AMS & MQ FTE
Author: A. J. Aronoff, Connectivity Practice Director
Email: aj@prolifics.com
Desk: 646-201-4943

Agenda – MQ Infrastructure
- Universal Connectivity: The Path to the Future
- MQ File Transfer Edition
- MQ Security – With MQ AMS
- MQ 7.1 – the latest MQ Infrastructure features, including MQ "Security Policies"

Prolifics Wins IBM Awards – A Long Record Of IBM Honors
Software Sales Leadership – Multi Award-winning:
- 2010 Lotus Award Best End-User Solution
- 2010 Lotus Award for Best Industry Solution
- 2009 Rational Solution Award
- 2008 Outstanding SOA Solution Award
- 2008 Overall Technical Excellence Award
- 2007 Impact SOA Process Solution Award
- 2006 Best Portal Solution Lotus Award
- 2005 5-Star Partner Award demonstrating Prolifics' cross-brand sales expertise and certifications. One of only 5 partners worldwide to receive the distinction
Technical Innovation:
- Serviced over 1200 IBM software accounts in the past 8 years; implemented over 250 portals
- Prolifics boasts more overall certifications than any other of the over 300 SVI partners in the US, totaling over 250 J2EE & WebSphere certifications
- IBM's highest technical rating (Level 5)
- IBM Tivoli "AAA Accredited"

…by doing great work with Great Customers: Financial Services, Healthcare, Government, Retail & Distribution, Insurance, Utilities, Education

WebSphere MQ Value: Connectivity to, from & within an Enterprise – The path to the future
- A Universal Message Bus for access to data wherever it exists to support your business
- Provides a comprehensive range of Messaging capabilities to support your Business requirements for data integration
  - Managed File Transfer
  - Messaging integration patterns
  - Reliability and availability QoS
  - SOA foundation
- Provides appropriate data access and data privacy controls to help meet audit and regulatory requirements
- WMQ Telemetry is one step in extending the reach of WMQ to a wider world of data relevant to your business
- Recent technology demonstration of MQ Web Messaging using HTML5 WebSockets continues this progress
(Diagram: Regional Office, Branch Outlet, Retail Store, Refinery, Petrol Forecourt, Sensor e.g. RFID, Pervasive Device, Mobile Phone connected through the message bus)

IBM Universal Connectivity

IBM Universal Messaging – Proven, Flexible, Robust business data delivery from anywhere to everywhere
- Business Transactions: MQ
- Leveraging System z: MQ for z/OS
- Managed File Transfer: MQ File Transfer Edition
- Sense and Respond: MQ Telemetry
- Web applications: MQ HTTP Bridge
- Real-time Awareness: MQ Low Latency Messaging
- Extra Data Protection: MQ Advanced Message Security
- Cloud Platform-as-a-Service: MQ Hypervisor Edition

WMQ Family Roadmap – continual delivery of customer value
(Timeline slide with axis 2009 / 2010 / 2011 / 2012 and Early Access Programs; items are listed in the order they appear on the slide, with the quarter labels kept where they appeared:)
(4Q/09) MQ LLM V2.3 msg store; (2Q/10) MQ LLM V2.4 late join; (4Q/10) MQ LLM V2.5 self-managing; (4Q/10) MQ FTE V7.0.3 end-to-end security; (4Q/09) MQ FTE V7.0.2 FTP Bridging; (3Q/09) MQ V7.0.1 with Multi-Instance QMgrs, Automatic Client Reconnect, z/OS Availability, Capacity and Performance improvements; (2Q/11) MQ LLM V2.6 improved perf.; (2Q/11) MQ FTE V7.0.4 C:D Integration; (3Q/10) MQ Telemetry V7.0.1; (1Q/11) MQ V7.0.1.4 Pre-Connect Exit; MQ LLM V2.x; MQ FTE V7.x; (4Q/11) MQ V7.1 with Multi-version Install, Out-of-the-box security, Multicast capability, Improved Performance, z/OS Shared Q enhancements; (2Q/11) MQ WebSockets Tech Preview; MQ HVE for RHEL ESX and IBM Workload Deployer; (1Q/10) Security SupportPacs and Wizards; (4Q/10) MQ Advanced Message Security V7.0.1; MQ AMS V7.x

MQ FTE Quick Overview
- Directory Monitoring
- File to Message – Message to File
- FTP & SFTP Bridging agents

FTP Spaghetti Infrastructure (haphazard growth)
- Unreliable transport mechanisms: each link in a chain reduces reliability
- No central set-up, logging or monitoring
- Poor documentation of overall system
- Expensive, one-off solutions
- High maintenance costs (60–70% of a company's IT budget)
- Lack of business agility

Ideal File Transfer Infrastructure
- Automation & Centralized Set-up
- Documented, Standardized Solutions
- Reliable Transport
- Event based
- Centralized Logging
- Centralized Monitoring

MQ FTE allows you to …go from this …to this

MQ FTE 7.0.2 Protocol Bridge
- Support for transferring files located on FTP and SFTP servers
  - The source or destination for a transfer can be an FTP or an SFTP server
- Fully integrated into graphical, command line and XML scripting interfaces
  - Just looks like another FTE agent…
- Enables incremental modernization of (S)FTP-based Legacy solutions
  - This helps ease migration from a non-managed (FTP or SFTP) network to a managed network based on WebSphere MQ File Transfer Edition (i.e. less rip & replace).
  - Ensures reliability of transfers across FTP/SFTP with checkpoint restart
  - Provides auditability of transfers across FTP/SFTP to central audit log
(Diagram: files exchanged between FTE and FTP/SFTP; FTE agents on the MQ network, an FTE Protocol Bridge Agent passing audit information, and FTP/SFTP servers on the FTP/SFTP network)

MQ FTE: Use Case 1: Directory Monitor
- Three sub directories with the same names as three destination FTE Agents
- When a file with an extension of "doc" is added to one of the sub directories …
- The Resource monitor detects the file and creates a file transfer request for the file where the destination agent has the same name as the sub directory.
http://www.ibm.com/developerworks/websphere/library/techarticles/0910_bonney.html
- Company in Florida is using the above system and planning to scale up further
(Diagram: Resource Monitor on /incoming/monitor with sub directories /A, /B, /C (e.g. /A/1.Doc); FTE Sending Agent; FTE Receiving Agents OfficeA, OfficeB, OfficeC)

File & Message Broker Hub: Connect Anything to Anything
- Integration with WebSphere Message Broker for File Processing
  - Tight integration between FTE and WebSphere Message Broker
  - Enables ESB capabilities to be applied to file data
  - Ability to parse and transform files and process into messages, files, events, service requests etc
(Diagram: Messages and Files arrive over the WMQ FTE Network (MQ, FTE, FTP, HTTP, SOAP…) into WebSphere Message Broker to Enrich, Mediate, Transform…)

WMB FTEInput and FTEOutput nodes
- FTEInput node
  - Build flows that accept file transfers from the WMQ FTE network
- FTEOutput node
  - Build flows that are designed to send a file across a WMQ FTE network
- When WMQ FTE nodes are used in a flow, an FTE agent is automatically started in the Message Broker Execution Group
(Diagram: Message Broker Execution Group containing an FTE Agent and a Message Flow with FTEInput and FTEOutput nodes, connected to an external FTE Agent)

File & Message Hub (HTTP and MQ FTE): Web based File Transfers using the Web Gateway
- Web-based File Transfer
  - A RESTful API for sending files into and receiving files from a WMQ FTE network
  - Reliable and secure file transfer option for Web users
  - Auditable transfer and large file support
  - Zero-footprint file transfer support without the need to provision and install code
  - Interfaces for embedding into third party and custom user applications
(Diagram: HTTP/S clients into WMQ, the FTE Server and the WMQ FTE Network)

Options for converting data between files & messages
- One file to one WMQ message
  - One file becomes one message
- One file to a group of WMQ messages
  - The file can be split based on:
    - Size
    - Binary delimiter
    - Regular expression
- One message to one file
  - One message becomes one file
- A group of messages (or all messages on the queue) to one file
  - Optionally, a delimiter can be inserted between each message used to compose the file

End-to-end encryption using WebSphere MQ Advanced Message Security
- WMQ FTE already supports transport level encryption using SSL
- Data is encrypted before it is sent over a channel and decrypted when it is received
  - V7.0.3 (when combined with WMQ AMS v7.0.1) allows file data to be encrypted at the source system and only decrypted when it reaches the destination system
    - This helps reduce encryption costs
    - Data is secure even when at rest on a queue
(Diagram: FTE Agent, svrconn channel, WebSphere MQ Queue Manager, sndr/rcvr channels, WebSphere MQ Queue Manager, svrconn channel, FTE Agent)

Customer Survey: Of the points below, which point(s) matters most to you?
- Auditable: Records complete and detailed audit log of entire file journey, "What went where, when and to whom"
- Reliable: File contents not corrupted or partially transmitted; files only appear at destination whole and intact
- Secure: File content encrypted during transmission; file access authenticated and controlled
- Automated: Eliminates need to manually detect problems and restart transfers; providing scheduling and triggering for event-driven transfers
- Centralized: Remote control and monitoring of file progress from anywhere
- Flexible: Able to deploy and re-configure file transfers instantaneously from anywhere; managing transfers end-to-end across a network – not just between 2 points
- Any file size: No upper limit on the size of file that can be moved
- Integrated: With SOA infrastructure: Messaging, ESBs, Governance, B2B and BPM
- Cost Effective: Provides a consolidated transport for moving both Files and Messages

Securing the Universal Messaging Bus

MQ AMS Quick Overview
- Message Level Protection
- WMQ AMS – Key Features
- Architecture
- Interceptors
- Policies

WebSphere MQ Advanced Message Security
- What is it?
  - New product – WebSphere MQ Advanced Message Security
  - Replaces WebSphere MQ Extended Security Edition
  - Component added to WebSphere MQ V7 or V6
- Enhances MQ security processing
  - Provides additional security services over and above base QM
  - Designed to assist with requirements such as PCI DSS compliance
- Application ---> Application protection for point-to-point messaging
- Industry standard asymmetric cryptography used to protect individual messages
- Uses Public Key Infrastructure (PKI) to protect MQ messages
  - Uses digital certificates (X.509) for applications
- Non-invasive
  - No changes required to MQ applications
- Security policies used to define the security level required
  - Administratively controlled policies applied to queues
    - Command line
    - Explorer

Message Level Protection
- Enables secure message transfers at application level
- Assurance that messages have not been altered in transit
  - When issuing payment information messages, ensure the payment amount does not change before reaching the receiver
- Assurance that messages originated from the expected source
  - When processing messages, validate the sender
- Assurance that messages can only be viewed by intended recipient(s)
  - When sending confidential information.

WMQ AMS – Key Features
- Secures sensitive or high-value MQ messages
- Detects and removes rogue or unauthorized messages before they are processed by receiving applications
- Verifies that messages are not modified in transit from queue to queue
- Protects messages not only when they flow across the network but when they are at rest in queues
- Messages from existing MQ applications are transparently secured using interceptors
- Protects point-to-point messages

WMQ AMS – Key Features (continued)
- No prereq products
  - Significantly simplified installation and configuration compared to predecessor product
  - Up and running in minutes …
- Works in conjunction with SSL
  - Can choose to use either or both depending on your requirements
- Works in conjunction with WMQ authorisation model (OAM and SAF)
- No changes required to WMQ applications
  - Works with local applications and clients, including Java
  - Support for WMQ V6 and V7
- No changes required to existing object definitions
- Fine-grained policies to define which queues are protected and how
  - Asymmetric cryptography used to protect individual messages
- Administratively controlled policies
  - Command line
  - MQ Explorer

WMQ + ESE 6 Architecture

WMQ + MQ AMS

Logical Architecture Design – Distributed Platforms

Interceptors

MQ AMS interceptors
- MQ AMS functionality is implemented in interceptors.
  - There are no long running processes or daemons (except on z/OS).
- Existing MQ applications do not require changes.
- Three interceptors are provided:
  1. Server interceptor for local (bindings mode) MQI API & Java applications.
     - Implemented as a queue manager API exit.
  2. MQI API client interceptor for remote (client mode) MQ API applications.
     - MQ AMS interceptor embedded in MQ client code.
  3. Java client interceptor for remote (client mode) MQ JMS and MQ classes for Java applications (J2EE and J2SE).
     - MQ AMS interceptor embedded in MQ Java client code.
     - MQ V7.0 Java client required.

Protecting files transferred with WMQ FTE
- AMS plugs in on top of / alongside WebSphere MQ File Transfer Edition, enabling file data to be encrypted in transit through the MQ network
- Apply AMS protection to your WMQ FTE agent data queue
- It's that simple!

Instantly familiar UI and command line: no new tools to learn!

Message protection policies
- Created, updated or removed by command 'setmqspl'
- Or by MQ AMS plug-in for MQ Explorer (GUI).
- Policies are stored in queue 'SYSTEM.PROTECTION.POLICY.QUEUE'.
- Each protected queue can have only one policy.
- Two types of policies:
  - Message Integrity policy.
  - Message Privacy policy.
- Display policies with command 'dspmqspl'.

Message integrity policy example
- This policy is to enforce integrity protection (signature) for messages put on queue Q.INTEGRITY in queue manager QM.
- The message signing algorithm is SHA1.
- Messages can only be signed by one authorized application.
- Messages signed by any other signer are sent to the SYSTEM.PROTECTION.ERROR.QUEUE and an error is returned to the receiving application.

    setmqspl -m QM -p Q.INTEGRITY -s SHA1 -e NONE -a 'CN=pdmqss,O=tivoli,C=US'

Message privacy policy
- Encryption algorithms: RC2, DES, 3DES, AES128 and AES256.
- Message privacy requires that encrypted messages are also signed.
- The list of authorized signers is optional.
- It is mandatory to specify at least one recipient.

    setmqspl -m <queue manager> -p <policy / queue name> \
             -s <signing algorithm> -e <encryption algorithm> \
             -a <authorized signer DN 1> -a <authorized signer DN 2> \
             -r <message recipient DN 1> -r <message recipient DN 2>

Message privacy policy example
- This policy enforces privacy protection (signature and encryption) for messages put on queue Q.PRIVACY in queue manager QM.
- The message signing algorithm is SHA1.
- The message encryption algorithm is AES128.
- Two message recipients are listed using their certificates' DN.
- Messages retrieved by unauthorized recipients cause messages to be sent to the SYSTEM.PROTECTION.ERROR.QUEUE.

    setmqspl -m QM -p Q.PRIVACY -s SHA1 -e AES128 \
             -r 'CN=pmqdss,O=tivoli,C=US' \
             -r 'CN=Vicente Suarez,OU=ISSW,O=IBM,L=Hursley,C=GB'

WebSphere MQ AMS: Integrity Message Format

WebSphere MQ AMS
1. Install AMS Interceptor
2. Create public / private key pairs
3. Copy public key

AMS Summary
- WebSphere MQ Advanced Message Security V7.0.1
  - It is a new member of the WebSphere MQ family.
  - It is a replacement for MQ ESE V6.0
  - It protects message integrity and/or privacy.
  - It supports MQ V6 and V7.
  - It does not support Pub/Sub.
  - Existing MQ applications do not require changes.
  - MQ AMS uses interceptors, policies, keystores and certificates.

MQ in the cloud – MQ Cloud Support: HyperVisor Editions
- HVE is a pre-packaged image of MQ with an operating system
  - For easy configuration deployment into virtualised environments
- First release included MQ V7.0.1.4 and Red Hat Enterprise Linux x86 64 bit OS
- Also now available with an AIX flavour
- Pre-defined patterns for IBM WebSphere Workload Deployer
(Diagram: configure HVE, Config Pattern, deploy)

WebSphere MQ V7.1: Feature Summary
WebSphere MQ V7.1 – Announced: 4 October 2011; Availability: 11 November 2011

New Feature | Benefits | Details
Multi-Version Install capability on Distributed platforms | Makes it easier to deploy and upgrade systems and stage version to version migration | Unix and Windows support for multiple versions of MQ V7.x (AND one copy of MQ V7.0.1) down to fixpack levels. Relocatable installation support. Applications can connect to any Qmgr
Enhanced Security | Simplified Configuration; Enhanced Authorisation and Auditing | IP address Authorisation capability; Additional crypto algorithms; More granular authorisation for non-local queues; Application Activity Reports
Cloud Support | Simplifies and supports Cloud deployments | Additional HVE images
Enhanced Clustering | Improves ease-of-use | Authorisation on Cluster Q rather than XMIT Q on Dist. Platforms; Bind-on-Group Support
Multicast capability | New messaging QoS provides low latency with high fan-out capability | MQ Pub/Sub Topic space can now map to multicast Group Addresses; Provides direct interoperability with MQ LLM
Further exploitation of z196 | Improved scalability and availability on z/OS | Customer control over CF storage use; CF Connectivity Loss improvements; Code contention reduced to improve multi-processor linear scaling; Use of MQ Datasets rather than DB2 significantly improves "large" message capability; Structure rebuild capability for CF Connectivity Loss scenarios; Improved multiprocessor exploitation
Improved Performance on Dist platforms | Various code improvements |

Scalability & Performance – Distributed platforms
- Performance measured and improved for a range of scenarios
  - Hardware capabilities have evolved over years to have more CPUs, more memory etc
  - MQ topologies have evolved to have more clients and larger/fewer queue managers
- "Fastest MQ ever": better performance than V6 and V7
- Multicast faster than traditional non-persistent
  - Over 5x for one-many publications
- Performance reports to be released on availability

Channel Access Blocking Points
- Access Control Lists
- Channel blocking and mapping
- Listener blocking
- IP Firewall

Blocking at the Listener
- Single list of IP address patterns
- NOT A REPLACEMENT FOR AN IP FIREWALL
  - Temporary blocking
  - Blocking until IP firewall updated
  - Shouldn't be many entries in the list
- Blocked before any data read from the socket
  - i.e. before SSL Handshake
  - Before channel name or userid is known
- Avoiding DoS attack
  - Really the place of the IP firewall
  - Simplistic 'hold' of inbound connection to avoid reconnect busy loop
- Network Pingers if blocked don't raise an alert
  - Immediate close of socket with no data not considered a threat

    SET CHLAUTH(*) TYPE(BLOCKADDR) ADDRLIST('9.20.*','192.168.2.10')

Channel Access Policy (1)

    SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)

"We must make sure our system is completely locked down"

Channel Access Policy (2)

    SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
    SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)
    SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)

"Our Business Partners must all connect using SSL, so we will map their access from the certificate DNs"

Channel Access Policy (3)

    SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
    SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)
    SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)
    SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.20.1-30.*') MCAUSER(ADMUSER)

"Our Administrators connect in using MQ Explorer, but don't use SSL. We will map their access by IP Address"

Channel Access Policy (4)

    SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
    SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)
    SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)
    SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.20.1-30.*') MCAUSER(ADMUSER)
    SET CHLAUTH(TO.CLUS.*) TYPE(QMGRMAP) QMNAME(CLUSQM*) MCAUSER(CLUSUSR) ADDRESS('9.30.*')

"Our internal cluster doesn't use SSL, but we must ensure only the correct queue managers can connect into the cluster"
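The following is an added example, not code from the slides or from IBM: an offline model of the listener BLOCKADDR rule and the four "Channel Access Policy" rule sets above, so an administrator can check which rule an inbound connection would hit before the MQSC is applied. It assumes a simplified version of the MQ 7.1 matching order (most specific channel profile first, then SSLPEERMAP before QMGRMAP before ADDRESSMAP), MQ-style address patterns with a trailing '*' or 'lo-hi' octet ranges, and attribute-by-attribute SSLPEER matching; USERMAP and BLOCKUSER are not modelled.

```python
"""Offline model of the CHLAUTH rules on the slides (added example, not IBM
code).  Assumptions, simplified from MQ 7.1 behaviour: ADDRESS patterns are
dotted octets with a trailing '*' or 'lo-hi' ranges, SSLPEER is matched
attribute by attribute, and when several rules apply the most specific
channel profile wins, then SSLPEERMAP > QMGRMAP > ADDRESSMAP."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence

TYPE_ORDER = {"SSLPEERMAP": 0, "QMGRMAP": 1, "ADDRESSMAP": 2}


@dataclass(frozen=True)
class Rule:
    channel: str                   # channel profile, e.g. "BPCHL.*"
    rtype: str                     # BLOCKADDR, SSLPEERMAP, QMGRMAP or ADDRESSMAP
    mcauser: Optional[str] = None  # identity to run as; None = USERSRC(NOACCESS)
    address: str = "*"             # ADDRESS(...) filter, default any
    sslpeer: str = ""              # SSLPEER(...) filter for SSLPEERMAP
    qmname: str = ""               # QMNAME(...) filter for QMGRMAP
    addrlist: Sequence[str] = ()   # ADDRLIST(...) for BLOCKADDR


def ip_matches(pattern: str, ip: str) -> bool:
    """Match a dotted IPv4 address against an MQ-style address pattern."""
    pparts, iparts = pattern.split("."), ip.split(".")
    for idx, part in enumerate(pparts):
        if part == "*":               # wildcard covers this and all later octets
            return True
        if idx >= len(iparts):
            return False
        if "-" in part:               # inclusive octet range such as "1-30"
            lo, hi = (int(x) for x in part.split("-", 1))
            if not lo <= int(iparts[idx]) <= hi:
                return False
        elif part != iparts[idx]:
            return False
    return len(pparts) == len(iparts)


def dn_matches(filter_dn: str, peer_dn: str) -> bool:
    """Every attribute named in the SSLPEER filter must match the peer's DN."""
    def attrs(dn):
        return {k.strip().upper(): v.strip()
                for k, v in (p.split("=", 1) for p in dn.split(",") if "=" in p)}
    want, have = attrs(filter_dn), attrs(peer_dn)
    return all(k in have and fnmatchcase(have[k], v) for k, v in want.items())


def listener_blocked(rules: Sequence[Rule], ip: str) -> bool:
    """BLOCKADDR is evaluated before any data is read from the socket."""
    return any(r.rtype == "BLOCKADDR" and any(ip_matches(p, ip) for p in r.addrlist)
               for r in rules)


def resolve(rules: Sequence[Rule], channel: str, ip: str,
            ssl_dn: str = "", remote_qm: str = "") -> Optional[str]:
    """Return the MCAUSER the channel would run as, or None if access is refused."""
    if listener_blocked(rules, ip):
        return None
    matches = []
    for r in rules:
        if r.rtype == "BLOCKADDR" or not fnmatchcase(channel, r.channel):
            continue
        if not ip_matches(r.address, ip):
            continue
        if r.rtype == "SSLPEERMAP" and not (ssl_dn and dn_matches(r.sslpeer, ssl_dn)):
            continue
        if r.rtype == "QMGRMAP" and not (remote_qm and fnmatchcase(remote_qm, r.qmname)):
            continue
        # specificity: fewer wildcards, then longer profile, then rule type order
        matches.append((r.channel.count("*"), -len(r.channel), TYPE_ORDER[r.rtype], r))
    if not matches:
        return None
    return min(matches, key=lambda m: m[:3])[3].mcauser


# The BLOCKADDR rule from the listener slide and the "Channel Access Policy (4)" rules.
LISTENER_RULES = [Rule("*", "BLOCKADDR", addrlist=("9.20.*", "192.168.2.10"))]
POLICY_RULES = [
    Rule("*", "ADDRESSMAP", None),                                   # lock everything down
    Rule("BPCHL.*", "SSLPEERMAP", "BANK123", sslpeer="O=Bank of Shetland"),
    Rule("BPCHL.*", "SSLPEERMAP", "BANK456", sslpeer="O=Bank of Orkney"),
    Rule("SYSTEM.ADMIN.SVRCONN", "ADDRESSMAP", "ADMUSER", address="9.20.1-30.*"),
    Rule("TO.CLUS.*", "QMGRMAP", "CLUSUSR", qmname="CLUSQM*", address="9.30.*"),
]

if __name__ == "__main__":
    print(resolve(POLICY_RULES, "SYSTEM.ADMIN.SVRCONN", "9.20.15.7"))                   # ADMUSER
    print(resolve(LISTENER_RULES + POLICY_RULES, "SYSTEM.ADMIN.SVRCONN", "9.20.15.7"))  # None
```

The last line of the `__main__` block shows why the two slides must be read together: the listener slide's 9.20.* block, if applied on the same queue manager, refuses the administrators' 9.20.1-30.* range before the ADDRESSMAP rule is ever consulted.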

MQ High Availability: Multi-instance Queue Managers
1. Normal Execution
(Diagram: MQ Client connects over the network to 192.168.0.1 (Machine A, QM1 Active instance, owns the queue manager data) and 192.168.0.2 (Machine B, QM1 Standby instance, can fail-over); QM1 data held on networked storage)

Multi-instance Queue Managers
2. Disaster Strikes
(Diagram: connections broken from clients; Machine A (192.168.0.1) QM1 Active instance fails and its locks on the QM1 networked storage are freed; Machine B (192.168.0.2) QM1 Standby instance)

Multi-instance Queue Managers
3. Standby Comes to Life
(Diagram: MQ Client connections still broken; Machine B (192.168.0.2) QM1 is now the Active instance and owns the queue manager data on networked storage)

Multi-instance Queue Managers
4. Recovery Complete
(Diagram: MQ Clients reconnected, processing continues; Machine B (192.168.0.2) QM1 Active instance owns the queue manager data on networked storage)

Multi-instance queue managers: How it looks
- As a graphical example, SupportPac MS0P V7.0.1

Multi-instance queue managers: How it looks
- Enhanced dspmq
- New option for dspmq to output English-only text
  - Useful for programmable parsing

    $ hostname
    rockall
    $ dspmq -x
    QMNAME(V7)                  STATUS(Running)
        INSTANCE(rockall) MODE(Active)
    QMNAME(V7B)                 STATUS(Running)
        INSTANCE(rockall) MODE(Active)
    QMNAME(V7C)                 STATUS(Running as standby)
        INSTANCE(llareggub) MODE(Active)
        INSTANCE(rockall) MODE(Standby)
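As an added example of the "programmable parsing" the slide mentions (not code from the slides or from IBM), the following parses `dspmq -x` output in the format shown above and flags queue managers that are not running with both an active and a standby instance. The sample text is constructed for the example; the fourth queue manager and its "Ended normally" status are assumptions added to show the non-running case.

```python
"""Parse 'dspmq -x' output and report multi-instance HA gaps (added example,
not IBM code).  Works on the English-only KEY(value) format shown on the
slide; the sample below is constructed for the example."""
import re
from typing import Dict, List

SAMPLE = """\
QMNAME(V7)                  STATUS(Running)
    INSTANCE(rockall) MODE(Active)
QMNAME(V7B)                 STATUS(Running)
    INSTANCE(rockall) MODE(Active)
QMNAME(V7C)                 STATUS(Running as standby)
    INSTANCE(llareggub) MODE(Active)
    INSTANCE(rockall) MODE(Standby)
QMNAME(V7D)                 STATUS(Ended normally)
"""

# KEY(value) tokens: values may contain spaces but never a closing parenthesis.
TOKEN = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_dspmq_x(text: str) -> Dict[str, dict]:
    """Group each INSTANCE/MODE line under the QMNAME line that precedes it."""
    qmgrs: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        fields = dict(TOKEN.findall(line))
        if "QMNAME" in fields:
            current = fields["QMNAME"]
            qmgrs[current] = {"status": fields.get("STATUS", ""), "instances": {}}
        elif "INSTANCE" in fields and current is not None:
            qmgrs[current]["instances"][fields["INSTANCE"]] = fields.get("MODE", "")
    return qmgrs


def ha_problems(qmgrs: Dict[str, dict]) -> List[str]:
    """One message per queue manager that lacks a running active + standby pair."""
    problems = []
    for name, info in qmgrs.items():
        modes = set(info["instances"].values())
        if not info["status"].startswith("Running"):
            problems.append(f"{name}: {info['status']}")
        elif "Active" not in modes:
            problems.append(f"{name}: no active instance")
        elif "Standby" not in modes:
            problems.append(f"{name}: no standby instance (single point of failure)")
    return problems


if __name__ == "__main__":
    for problem in ha_problems(parse_dspmq_x(SAMPLE)):
        print(problem)
```

In a monitoring job, replace `SAMPLE` with the captured output of `dspmq -x` on each node and raise an alert on a non-empty result.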

Message Broker H.A. using MQ 7.0.1 multi instance queue managers
- Message Broker exploits MQ 7.0.1 multi-instance queue manager capability
- Active and stand-by queue managers
  - Start multiple instances of a queue manager on different machines
  - One is "active" instance; other is "standby" instance
  - Shared data is held in shared networked storage but owned by active instance
- Exploitation by Message Broker
  - If standby instance of the queue manager becomes active, then the newly active MQ instance will start message broker once MQ recovery is complete

Automatic Client Reconnection
- Client library provides necessary reconnection logic on detection of a failure
- Hides failure from application code
(Diagram: Application, MQ Client, and queue managers QM1 / QM2 / QM3)

Automatic Client Reconnection
- Tries to hide queue manager failures by restoring current state automatically
  - For example, if MQPUT returns error, client reruns MQCONN/MQOPEN/MQPUT internally
- Uses the list of addresses in CONNAME to find queue manager
  - MQSERVER environment variable also understands list
  - MQSERVER=SYSTEM.DEF.SVRCONN/TCP/host1(1414),host2(1414)
- Can reconnect to the same or different Queue Manager
- Re-opens queues and other qmgr objects, re-establishes subscriptions
- Reconnection interval is backed off exponentially on each unsuccessful retry
  - Total timeout is configurable – default 30 minutes.

Automatic Client Reconnection: Details
- Enabled in application code or ini file
  - Event Handler callback shows reconnection is happening if app cares
  - Good For Debugging
  - If callback occurs may decide on special handling for following 3 cases.
    1. Not all MQI is seamless, but majority repaired transparently
       - e.g. a browse cursor would revert to the top of the queue, non-persistent messages will have been lost during restart, non-durable subscriptions may miss some messages, in-flight transactions backed out, hObj values maintained
    2. Some MQI options will fail if you have reconnection enabled
       - Using MQGMO_LOGICAL_ORDER, MQGET gives MQRC_RECONNECT_INCOMPATIBLE
    3. Tries to keep dynamic queues with same name
       - So replies may not be missed
- Initially just in MQI and JMS – not the other OO classes

Resources
- IBM Page:
  - http://www.ibm.com/webspheremq/filetransfer
  - Getting Started: http://ow.ly/uO9e
- Blogs:
  - http://cumbers.wordpress.com/tag/wmqfte/
- Twitter:
  - http://www.twitter.com/ibm_wmq
- SupportPacs:
  - http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg27007197