Explore the future of MQ infrastructure with universal connectivity, high security features, and high availability. Learn about the latest advancements in MQ 7.1 and how it can improve your business data delivery.
Today’s MQ Infrastructure & Tomorrow's Security & High Availability with MQ 7.1, MQ AMS & MQ FTE
Author: A.J. Aronoff, Connectivity Practice Director
Email: aj@prolifics.com
Desk: 646-201-4943
Agenda – MQ Infrastructure
• Universal Connectivity: The Path to the Future
• MQ File Transfer Edition
• MQ Security – With MQ AMS
• MQ 7.1 – the latest MQ Infrastructure features, including MQ “Security Policies”
Prolifics Wins IBM Awards
Software Sales Leadership, Technical Innovation, A Long Record Of IBM Honors
• Multi Award-winning:
  • 2010 Lotus Award Best End-User Solution
  • 2010 Lotus Award for Best Industry Solution
  • 2009 Rational Solution Award
  • 2008 Outstanding SOA Solution Award
  • 2008 Overall Technical Excellence Award
  • 2007 Overall Technical Excellence Award
  • 2007 Impact SOA Process Solution Award
  • 2006 Best Portal Solution Lotus Award
  • 2005 5-Star Partner Award demonstrating Prolifics’ cross-brand sales expertise and certifications. One of only 5 partners worldwide to receive the distinction
• Serviced over 1200 IBM software accounts in the past 8 years; implemented over 250 portals
• Prolifics boasts more overall certifications than any other of the over 300 SVI partners in the US, totaling over 250 J2EE & WebSphere certifications
• IBM’s highest technical rating (Level 5)
• IBM Tivoli “AAA Accredited”
…by doing great work with Great Customers
Financial Services, Retail & Distribution, Insurance, Education, Government, Utilities, Healthcare
WebSphere MQ Value: Connectivity to, from & within an Enterprise – The path to the future
• A Universal Message Bus for access to data wherever it exists to support your business
• Provides a comprehensive range of Messaging capabilities to support your Business requirements for data integration
  • Managed File Transfer
  • Messaging integration patterns
  • Reliability and availability QoS
  • SOA foundation
• Provides appropriate data access and data privacy controls to help meet audit and regulatory requirements
• WMQ Telemetry is one step in extending the reach of WMQ to a wider world of data relevant to your business
• Recent technology demonstration of MQ Web Messaging using HTML5 WebSockets continues this progress
(Diagram: the Enterprise connected to a Regional Office, Sensor (e.g. RFID), Branch Outlet, Retail Store, Pervasive Device, Refinery, Petrol Forecourt and Mobile Phone)
IBM Universal Messaging – Proven, Flexible, Robust business data delivery from anywhere to everywhere
(Diagram: the IBM Universal Messaging products grouped by use)
• Business Transactions: MQ
• Sense and Respond: MQ Telemetry
• Leveraging System z: MQ for z/OS
• Web applications: MQ HTTP Bridge
• Managed File Transfer: MQ File Transfer Edition
• Real-time Awareness: MQ Low Latency Messaging
• Extra Data Protection: MQ Advanced Message Security
• Cloud Platform-as-a-Service: MQ Hypervisor Edition
WMQ Family Roadmap – continual delivery of customer value (timeline 2009–2012, including Early Access Programs)
• (3Q/09) MQ V7.0.1 with Multi-Instance QMgrs, Automatic Client Reconnect, z/OS Availability, Capacity and Performance improvements
• (4Q/09) MQ LLM V2.3 msg store
• (4Q/09) MQ FTE V7.0.2 FTP Bridging
• (1Q/10) Security SupportPacs and Wizards
• (2Q/10) MQ LLM V2.4 late join
• (3Q/10) MQ Telemetry V7.0.1
• (4Q/10) MQ LLM V2.5 self-managing
• (4Q/10) MQ FTE V7.0.3 end-to-end security
• (4Q/10) MQ Advanced Message Security V7.0.1
• (1Q/11) MQ V7.0.1.4 Pre-Connect Exit
• (2Q/11) MQ LLM V2.6 improved perf.
• (2Q/11) MQ FTE V7.0.4 C:D Integration
• (2Q/11) MQ WebSockets Tech Preview. MQ HVE for RHEL ESX and IBM Workload Deployer
• (4Q/11) MQ V7.1 with Multi-version Install, Out-of-the-box security, Multicast capability, Improved Performance, z/OS Shared Q enhancements
• (no date shown) MQ LLM V2.x, MQ FTE V7.x, MQ AMS V7.x
MQ FTE Quick Overview
• Directory Monitoring
• File to Message – Message to File
• FTP & SFTP Bridging agents
FTP Spaghetti Infrastructure (haphazard growth)
• X Unreliable transport mechanisms – each link in a chain reduces reliability
• X No central set-up, logging or monitoring
• X Poor documentation of overall system
• X Expensive, one-off solutions
• X High maintenance costs (60 – 70% of a company’s IT budget)
• X Lack of business agility
Ideal File Transfer Infrastructure
• Automation & Centralized Set-up
• Documented, Standardized Solutions
• Reliable Transport on every link
• Event based
• Centralized Logging
• Centralized Monitoring
MQ FTE allows you to …go from this …to this
MQ FTE 7.0.2 Protocol Bridge
• Support for transferring files located on FTP and SFTP servers
  • The source or destination for a transfer can be an FTP or an SFTP server
  • Fully integrated into graphical, command line and XML scripting interfaces
  • Just looks like another FTE agent…
• Enables incremental modernization of (S)FTP-based legacy solutions
  • This helps ease migration from a non-managed (FTP or SFTP) network to a managed network based on WebSphere MQ File Transfer Edition (i.e. less rip & replace)
• Ensures reliability of transfers across FTP/SFTP with checkpoint restart
• Provides auditability of transfers across FTP/SFTP to central audit log
(Diagram: FTE agents on the MQ network exchange files with FTP/SFTP servers on the FTP/SFTP network through an FTE Protocol Bridge Agent; audit information is sent to the central log)
MQ FTE: Use Case 1: Directory Monitor
• Three sub directories with the same names as three destination FTE Agents
• When a file with an extension of “doc” is added to one of the sub directories …
  • The Resource monitor detects the file and creates a file transfer request for the file, where the destination agent has the same name as the sub directory.
• http://www.ibm.com/developerworks/websphere/library/techarticles/0910_bonney/0910_bonney.html
• A company in Florida is using the above system and planning to scale up further
(Diagram: a Resource Monitor on the FTE Sending Agent watches /incoming/monitor with sub directories /A, /B and /C; a file 1.Doc dropped into a sub directory is transferred to the FTE Receiving Agent OfficeA, OfficeB or OfficeC)
File & Message Broker Hub: Connect Anything to Anything
Integration with WebSphere Message Broker for File Processing
• Tight integration between FTE and WebSphere Message Broker
• Enables ESB capabilities to be applied to file data
• Ability to parse and transform files and process them into messages, files, events, service requests etc.
(Diagram: Messages and Files flow from the WMQ FTE Network – MQ, FTE, FTP, HTTP, SOAP… – into WebSphere Message Broker, which enriches, mediates and transforms them)
WMB FTEInput and FTEOutput nodes
• FTEInput node: build flows that accept file transfers from the WMQ FTE network
• FTEOutput node: build flows that are designed to send a file across a WMQ FTE network
• When WMQ FTE nodes are used in a flow, an FTE agent is automatically started in the Message Broker Execution Group
(Diagram: a Message Flow with FTEInput and FTEOutput nodes runs in a Message Broker Execution Group alongside its own FTE Agent, exchanging files with other FTE Agents)
File & Message Hub (HTTP and MQ FTE): Web based File Transfers using the Web Gateway
• Web-based File Transfer
  • A RESTful API for sending files into and receiving files from a WMQ FTE network
  • Reliable and secure file transfer option for Web users
  • Auditable transfer and large file support
  • Zero-footprint file transfer support without the need to provision and install code
  • Interfaces for embedding into third party and custom user applications
(Diagram: Web users reach the WMQ FTE Server over HTTP/S; the server fronts the WMQ FTE Network)
Options for converting data between files & messages
The file can be split based on: Size; Binary delimiter; Regular expression
• One file to one message – one file becomes one message
• One file to a group of messages
• One message to one file – one message becomes one file
• A group of messages (or all messages on the queue) to one file – optionally, a delimiter can be inserted between each message used to compose the file
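The four conversion options above, as an added Python model (not code from the presentation or from WMQ FTE itself): a file is split into a group of messages by size, by a binary delimiter or by a regular expression, and a group of messages is composed back into one file with an optional delimiter. The sample records are constructed for the example.

```python
import re

# Added example, not code from the presentation or from WMQ FTE itself:
# a model of the slide's file<->message conversion options.

def split_by_size(data: bytes, size: int) -> list:
    """One file -> a group of messages of at most `size` bytes each."""
    if size <= 0:
        raise ValueError("size must be positive")
    return [data[i:i + size] for i in range(0, len(data), size)]

def split_by_delimiter(data: bytes, delim: bytes, keep: bool = False) -> list:
    """One file -> a group of messages, cut at each binary delimiter.
    keep=True leaves the delimiter on the end of each message; empty
    pieces (e.g. after a trailing delimiter) do not become messages."""
    if not delim:
        raise ValueError("delimiter must not be empty")
    parts, start = [], 0
    while (idx := data.find(delim, start)) >= 0:
        end = idx + len(delim) if keep else idx
        parts.append(data[start:end])
        start = idx + len(delim)
    parts.append(data[start:])
    return [p for p in parts if p]

def split_by_regex(data: bytes, pattern: bytes) -> list:
    """One file -> a group of messages; every match of `pattern` begins a
    new message and the matched text stays with the message it starts."""
    starts = [m.start() for m in re.finditer(pattern, data)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)          # leading unmatched data is a message too
    bounds = starts + [len(data)]
    return [data[a:b] for a, b in zip(bounds, bounds[1:]) if b > a]

def messages_to_file(messages: list, delim: bytes = b"") -> bytes:
    """A group of messages -> one file, with an optional delimiter inserted
    between consecutive messages (never before the first or after the last)."""
    return delim.join(messages)

# Constructed sample input: three 8-byte records, fixed-width and newline-delimited.
RECORDS = b"ACCT0001ACCT0002ACCT0003"
LINES = b"ACCT0001\nACCT0002\nACCT0003\n"

if __name__ == "__main__":
    print(split_by_size(RECORDS, 8))
    print(split_by_delimiter(LINES, b"\n"))
    print(split_by_regex(b"HDR1 a b HDR2 c HDR3", rb"HDR\d"))
    print(messages_to_file(split_by_size(RECORDS, 8), b"\n"))
```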
End-to-end encryption using WebSphere MQ Advanced Message Security
• WMQ FTE already supports transport level encryption using SSL
  • Data is encrypted before it is sent over a channel and decrypted when it is received
  (Diagram: FTE Agent – svrconn channel – WebSphere MQ Queue Manager – sndr/rcvr channels – WebSphere MQ Queue Manager – svrconn channel – FTE Agent)
• V7.0.3 (when combined with WMQ AMS v7.0.1) allows file data to be encrypted at the source system and only decrypted when it reaches the destination system
  • This helps reduce encryption costs
  • Data is secure even when at rest on a queue
  (Diagram: the same topology, with the file data encrypted at the source FTE Agent and decrypted only at the destination FTE Agent)
Customer Survey: Of the points below, which point(s) matter most to you?
MQ AMS Quick Overview
• Message Level Protection
• WMQ AMS – Key Features
• Architecture
• Interceptors
• Policies
WebSphere MQ Advanced Message Security – What is it?
• New product – WebSphere MQ Advanced Message Security
  • Replaces WebSphere MQ Extended Security Edition
  • Component added to WebSphere MQ V7 or V6
• Enhances MQ security processing
  • Provides additional security services over and above base QM
  • Designed to assist with requirements such as PCI DSS compliance
• Application ---> Application protection for point-to-point messaging
  • Industry standard asymmetric cryptography used to protect individual messages
  • Uses Public Key Infrastructure (PKI) to protect MQ messages
  • Uses digital certificates (X.509) for applications
• Non-invasive
  • No changes required to MQ applications
• Security policies used to define the security level required
  • Administratively controlled policies applied to queues
  • Command line
  • Explorer
Message Level Protection
• Enables secure message transfers at application level
• Assurance that messages have not been altered in transit
  • When issuing payment information messages, ensure the payment amount does not change before reaching the receiver
• Assurance that messages originated from the expected source
  • When processing messages, validate the sender
• Assurance that messages can only be viewed by intended recipient(s)
  • When sending confidential information
WMQ AMS – Key Features
• Secures sensitive or high-value MQ messages
• Detects and removes rogue or unauthorized messages before they are processed by receiving applications
• Verifies that messages are not modified in transit from queue to queue
• Protects messages not only when they flow across the network but when they are at rest in queues
• Messages from existing MQ applications are transparently secured using interceptors
• Protects point-to-point messages
WMQ AMS – Key Features (continued)
• No prereq products
• Significantly simplified installation and configuration compared to predecessor product
  • Up and running in minutes …
• Works in conjunction with SSL
  • Can choose to use either or both depending on your requirements
• Works in conjunction with WMQ authorisation model (OAM and SAF)
• No changes required to WMQ applications
  • Works with local applications and clients, including Java
  • Support for WMQ V6 and V7
  • No changes required to existing object definitions
• Fine-grained policies to define which queues are protected and how
  • Asymmetric cryptography used to protect individual messages
  • Administratively controlled policies
  • Command line
  • MQ Explorer
MQ AMS interceptors
• MQ AMS functionality is implemented in interceptors. There are no long running processes or daemons (except on z/OS). Existing MQ applications do not require changes.
• Three interceptors are provided:
  1. Server interceptor for local (bindings mode) MQI API & Java applications. Implemented as a queue manager API exit.
  2. MQI API client interceptor for remote (client mode) MQ API applications. MQ AMS interceptor embedded in MQ client code.
  3. Java client interceptor for remote (client mode) MQ JMS and MQ classes for Java applications (J2EE and J2SE). MQ AMS interceptor embedded in MQ Java client code. MQ V7.0 Java client required: SupportPac MQC7, WebSphere MQ V7.0 clients.
Protecting files transferred with WMQ FTE
• AMS plugs in on top of / alongside WebSphere MQ File Transfer Edition, enabling file data to be encrypted in transit through the MQ network
• Apply AMS protection to your WMQ FTE agent data queue – it's that simple!
Instantly familiar UI and command line: no new tools to learn!
Message protection policies
• Created, updated or removed by the command ‘setmqspl’, or by the MQ AMS plug-in for MQ Explorer (GUI).
• Policies are stored in queue ‘SYSTEM.PROTECTION.POLICY.QUEUE’.
• Each protected queue can have only one policy.
• Two types of policies: Message Integrity policy; Message Privacy policy.
• Display policies with the command ‘dspmqspl’.
Message integrity policy example
This policy enforces integrity protection (signature) for messages put on queue Q.INTEGRITY in queue manager QM. The message signing algorithm is SHA1. Messages can only be signed by one authorized application. Messages signed by any other signer are sent to the SYSTEM.PROTECTION.ERROR.QUEUE and an error is returned to the receiving application.
setmqspl -m QM -p Q.INTEGRITY -s SHA1 -e NONE -a 'CN=pdmqss,O=tivoli,C=US'
Message privacy policy
• Encryption algorithms: RC2, DES, 3DES, AES128 and AES256.
• Message privacy requires that encrypted messages are also signed.
• The list of authorized signers is optional.
• It is mandatory to specify at least one recipient.
setmqspl -m <queue_manager> -p <protected_queue_name> -s <SHA1 | MD5> -e <encryption algorithm> -a <Authorized signer DN1> -a <Authorized signer DN2> -r <Message recipient DN1> -r <Message recipient DN2>
Message privacy policy example
This policy enforces privacy protection (signature and encryption) for messages put on queue Q.PRIVACY in queue manager QM. The message signing algorithm is SHA1. The message encryption algorithm is AES128. Two message recipients are listed using their certificate DNs. Messages retrieved by unauthorized recipients are sent to the SYSTEM.PROTECTION.ERROR.QUEUE.
setmqspl -m QM -p Q.PRIVACY -s SHA1 -e AES128 -r 'CN=pmqdss,O=tivoli,C=US' -r 'CN=Vicente Suarez,OU=ISSW,O=IBM,L=Hursley,C=GB'
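The integrity and privacy policies above, as an added Python model (not code from the presentation or from WMQ AMS itself): a Policy object renders the setmqspl command, checks the rules the slides state (privacy needs at least one recipient), and decides whether a message lands on the protected queue or on SYSTEM.PROTECTION.ERROR.QUEUE. The routing logic is an assumed simplification of AMS behaviour, keyed on certificate DNs rather than real signatures.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not code from the presentation or from WMQ AMS itself:
# a model of the two setmqspl policy types, their validation rules and
# the accept/reject decision that diverts messages to the error queue.

ERROR_QUEUE = "SYSTEM.PROTECTION.ERROR.QUEUE"
SIGN_ALGS = {"SHA1", "MD5"}
ENC_ALGS = {"NONE", "RC2", "DES", "3DES", "AES128", "AES256"}

@dataclass
class Policy:
    qmgr: str                                            # -m
    queue: str                                           # -p
    sign_alg: str                                        # -s
    enc_alg: str = "NONE"                                # -e (NONE = integrity policy)
    signers: List[str] = field(default_factory=list)     # -a, optional
    recipients: List[str] = field(default_factory=list)  # -r, privacy only

    @property
    def is_privacy(self) -> bool:
        return self.enc_alg != "NONE"

    def validate(self) -> None:
        if self.sign_alg not in SIGN_ALGS or self.enc_alg not in ENC_ALGS:
            raise ValueError("unknown signing or encryption algorithm")
        if self.is_privacy and not self.recipients:
            raise ValueError("a privacy policy needs at least one -r recipient")

    def command(self) -> str:
        """Render the equivalent setmqspl invocation."""
        parts = [f"setmqspl -m {self.qmgr} -p {self.queue} -s {self.sign_alg} -e {self.enc_alg}"]
        parts += [f"-a '{dn}'" for dn in self.signers]
        parts += [f"-r '{dn}'" for dn in self.recipients]
        return " ".join(parts)

    def route(self, signer_dn: Optional[str], reader_dn: str) -> str:
        """Queue a message ends up on when an application holding certificate
        `reader_dn` gets it. Assumed model: unsigned messages are rejected, an
        -a list restricts signers, and privacy requires a listed recipient."""
        if signer_dn is None:
            return ERROR_QUEUE
        if self.signers and signer_dn not in self.signers:
            return ERROR_QUEUE
        if self.is_privacy and reader_dn not in self.recipients:
            return ERROR_QUEUE
        return self.queue

# The two slide examples expressed as Policy objects (DNs taken from the slides).
INTEGRITY = Policy("QM", "Q.INTEGRITY", "SHA1", signers=["CN=pdmqss,O=tivoli,C=US"])
PRIVACY = Policy("QM", "Q.PRIVACY", "SHA1", "AES128",
                 recipients=["CN=pmqdss,O=tivoli,C=US",
                             "CN=Vicente Suarez,OU=ISSW,O=IBM,L=Hursley,C=GB"])
```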
WebSphere MQ AMS
1. Install AMS Interceptor
2. Create public / private key pairs
3. Copy public key
AMS Summary – WebSphere MQ Advanced Message Security V7.0.1
• It is a new member of the WebSphere MQ family.
• It is a replacement for MQ ESE V6.0.
• It protects message integrity and/or privacy.
• It supports MQ V6 and V7.
• It does not support Pub/Sub.
• Existing MQ applications do not require changes.
• MQ AMS uses interceptors, policies, keystores and certificates.
MQ in the cloud – MQ Cloud Support: HyperVisor Editions
• HVE is a pre-packaged image of MQ with an operating system
  • For easy configuration and deployment into virtualised environments
• First release included MQ V7.0.1.4 and Red Hat Enterprise Linux x86 64-bit OS
• Also now available with an AIX flavour
• Pre-defined patterns for IBM WebSphere Workload Deployer
(Diagram: the HVE is deployed and then configured from a Config Pattern)
WebSphere MQ V7.1: Feature Summary
• Announced: 4 October 2011
• Availability: 11 November 2011
Scalability & Performance – Distributed platforms
• Performance measured and improved for a range of scenarios
  • Hardware capabilities have evolved over years to have more CPUs, more memory etc.
  • MQ topologies have evolved to have more clients and larger/fewer queue managers
• “Fastest MQ ever”: better performance than V6 and V7
• Multicast faster than traditional non-persistent
  • Over 5x for one-many publications
• Performance reports to be released on availability
Channel Access Blocking Points
• Access Control Lists
• Channel blocking and mapping
• Listener blocking
• IP Firewall
Blocking at the Listener
• Single list of IP address patterns
  • NOT A REPLACEMENT FOR AN IP FIREWALL
  • Temporary blocking – blocking until the IP firewall is updated
  • Shouldn’t be many entries in the list
• Blocked before any data is read from the socket
  • i.e. before SSL Handshake
  • Before channel name or userid is known
• Avoiding DoS attack
  • Really the place of the IP firewall
  • Simplistic ‘hold’ of inbound connection to avoid reconnect busy loop
  • Network Pingers if blocked don’t raise an alert
  • Immediate close of socket with no data not considered a threat
SET CHLAUTH(*) TYPE(BLOCKADDR) ADDRLIST('9.20.*', '192.168.2.10')
Channel Access Policy (1)
SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
“We must make sure our system is completely locked down”
Channel Access Policy (2)
SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)
SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)
“Our Business Partners must all connect using SSL, so we will map their access from the certificate DNs”
Channel Access Policy (3)
SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)
SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.20.1-30.*') MCAUSER(ADMUSER)
“Our Administrators connect in using MQ Explorer, but don’t use SSL. We will map their access by IP Address”
Channel Access Policy (4)
SET CHLAUTH(*) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Shetland') MCAUSER(BANK123)
SET CHLAUTH(BPCHL.*) TYPE(SSLPEERMAP) SSLPEER('O=Bank of Orkney') MCAUSER(BANK456)
SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('9.20.1-30.*') MCAUSER(ADMUSER)
SET CHLAUTH(TO.CLUS.*) TYPE(QMGRMAP) QMNAME(CLUSQM*) MCAUSER(CLUSUSR) ADDRESS('9.30.*')
“Our internal cluster doesn’t use SSL, but we must ensure only the correct queue managers can connect into the cluster”
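The policy built up on slides (1) to (4), together with the listener block list from the “Blocking at the Listener” slide, as an added Python simulator (not code from the presentation or from IBM MQ). It evaluates constructed inbound connections against the rules and returns the MCAUSER each would run as; the rule precedence it assumes (listener BLOCKADDR first, then SSLPEERMAP, QMGRMAP, ADDRESSMAP, most specific channel name winning) and the address-pattern semantics are assumptions stated in the comments, and it shows why the 9.20.* listener block would stop the administrators’ mapping from ever being reached.

```python
# Added example, not code from the presentation or from IBM MQ: a simulator
# for the CHLAUTH rules on the four policy slides. Assumed precedence:
# BLOCKADDR applies at the listener before anything else; mapping rules are
# then tried SSLPEERMAP, QMGRMAP, ADDRESSMAP; most specific channel name wins.
from typing import Optional

def ip_match(pattern: str, ip: str) -> bool:
    """Address pattern: '*' wildcard (a trailing '*' covers the rest of
    the address) and 'lo-hi' ranges in an octet, e.g. '9.20.1-30.*'."""
    pat, octs = pattern.split("."), ip.split(".")
    for i, p in enumerate(pat):
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if i >= len(octs) or not int(lo) <= int(octs[i]) <= int(hi or lo):
            return False
    return len(pat) == len(octs)

def name_match(pattern: str, name: str) -> bool:
    # channel or queue manager name, optional trailing '*'
    return name.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == name

def dn_match(pattern: str, dn: Optional[str]) -> bool:
    """Every attribute in the SSLPEER pattern must appear in the peer DN."""
    if dn is None:
        return False
    attrs = {a.strip() for a in dn.split(",")}
    return all(a.strip() in attrs for a in pattern.split(","))

def evaluate(rules, channel, ip, peer_dn=None, qmgr=None) -> Optional[str]:
    """MCAUSER the inbound connection runs as, or None if it is refused."""
    for r in rules:                      # listener-level blocking comes first
        if r["type"] == "BLOCKADDR" and any(ip_match(a, ip) for a in r["addrlist"]):
            return None
    for kind in ("SSLPEERMAP", "QMGRMAP", "ADDRESSMAP"):
        hits = [r for r in rules if r["type"] == kind
                and name_match(r["chl"], channel)
                and ip_match(r.get("address", "*"), ip)
                and (kind != "SSLPEERMAP" or dn_match(r["sslpeer"], peer_dn))
                and (kind != "QMGRMAP" or (qmgr is not None and name_match(r["qmname"], qmgr)))]
        if hits:
            best = max(hits, key=lambda r: len(r["chl"].rstrip("*")))
            return None if best.get("usersrc") == "NOACCESS" else best["mcauser"]
    return None                          # unreachable once the catch-all rule exists

# Rules from slides (1)-(4); the listener block list from the "Blocking at
# the Listener" slide is kept separate so both configurations can be tried.
POLICY = [
    {"type": "ADDRESSMAP", "chl": "*", "address": "*", "usersrc": "NOACCESS"},
    {"type": "SSLPEERMAP", "chl": "BPCHL.*", "sslpeer": "O=Bank of Shetland", "mcauser": "BANK123"},
    {"type": "SSLPEERMAP", "chl": "BPCHL.*", "sslpeer": "O=Bank of Orkney", "mcauser": "BANK456"},
    {"type": "ADDRESSMAP", "chl": "SYSTEM.ADMIN.SVRCONN", "address": "9.20.1-30.*", "mcauser": "ADMUSER"},
    {"type": "QMGRMAP", "chl": "TO.CLUS.*", "qmname": "CLUSQM*", "mcauser": "CLUSUSR", "address": "9.30.*"},
]
LISTENER_BLOCK = [{"type": "BLOCKADDR", "addrlist": ["9.20.*", "192.168.2.10"]}]
```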
MQ High Availability: Multi-instance Queue Managers
(Diagram, 1. Normal Execution: MQ Clients connect over the network to QM1. The QM1 Active instance on Machine A (192.168.0.1) owns the queue manager data on networked storage; the QM1 Standby instance on Machine B (192.168.0.2) can fail-over.)