120 likes | 327 Vues
MQ Security. Agenda. setmqaut (set or reset authority). Authorizations. Specify authorities for different object types. Examples. specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager.
E N D
Examples • specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager. • run : setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm • 2. In this example, the authorization list specifies that user group foxy: • Cannot issue any calls from the MQI to the specified queue • Can perform all administration operations on the specified queue • run : setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm • 3. This example gives user1 full access to all queues with names beginning a.b on queue manager qmgr1. The profile is persistent, and will apply to any object with a name that matches the profile name. • run : setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all • 4. This example deletes the specified profile. • run :setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove • 5. This example creates a profile with no authority. • run : setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none
Related Commands • dspmqaut -m WBRK_QM -t qmgr -p dmwang
SSL • The Secure Sockets Layer (SSL) provides an industry standard protocol for transmitting data in a secure manner over an insecure network. The SSL protocol is widely deployed in both Internet and Intranet applications. SSL defines methods for authentication, data encryption, and message integrity for a reliable transport protocol, usually TCP/IP. • SSL uses both asymmetric and symmetric cryptography techniques. Refer to the following web site for a complete description of the SSL protocol: http://home.netscape.com/eng/ssl3/. • An SSL connection is initiated by the caller application, which becomes the SSL client. The responder application becomes the SSL server. Every new SSL session begins with an SSL handshake, as defined by the SSL protocol.
SSL HandShake • Agree on the version of the SSL protocol to use. • Select cryptographic algorithms • Authenticate each other by exchanging and validating digital certificates. • Use asymmetric encryption techniques to generate a shared secret key, which avoids the key distribution problem. SSL subsequently uses the shared key for the symmetric encryption of messages, which is faster than asymmetric encryption.
SSL in WebSphere MQ • Message channels and MQI channels can use the SSL protocol to provide link level security. • A caller MCA is an SSL client and a responder MCA is an SSL server. WebSphere MQ supports Version 3.0 of the SSL protocol. • You specify the cryptographic algorithms that are used by the SSL protocol by supplying a CipherSpec as part of the channel definition. • During the SSL handshake, the MCA sends the digital certificate of the queue manager to its partner MCA at the other end of the channel. The WebSphere MQ code at the client end of an MQI channel acts on behalf of the user of the WebSphere MQ client application. During the SSL handshake, the WebSphere MQ code sends the user’s digital certificate to the MCA at the server end of the MQI channel.
SSL in WebSphere MQ • Digital certificates are stored in a key repository. • The queue manager attribute SSLKeyRepository specifies the location of the key repository that holds the queue manager’s digital certificate. • On a WebSphere MQ client system, the MQSSLKEYR environment variable specifies the location of the key repository that holds the user’s digital certificate. • Alternatively, a WebSphere MQ client application can specify its location in the KeyRepository field of the SSL configuration options structure, MQSCO, on an MQCONNX call.