IBM Software Group

© 2004 IBM Corporation

MQ Security


Agenda


setmqaut (set or reset authority)


Authorizations


Specify authorities for different object types


Examples

1. This example specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager. Run:

   setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm

2. In this example, the authorization list specifies that user group foxy:
   - cannot issue any calls from the MQI to the specified queue;
   - can perform all administration operations on the specified queue.
   Run:

   setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm

3. This example gives user1 full access to all queues with names beginning a.b on queue manager qmgr1. The profile is persistent, and will apply to any object with a name that matches the profile name. Run:

   setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all

4. This example deletes the specified profile. Run:

   setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove

5. This example creates a profile with no authority. Run:

   setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none


Related Commands

dspmqaut -m WBRK_QM -t qmgr -p dmwang
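The setmqaut examples above grant +alladm to groups on a queue, and dspmqaut is the command that shows what an entity currently holds. The following script is an added example, not part of the IBM slides: it parses the text dspmqaut prints for one entity on one object, separates the MQI authorities (the +allmqi set) from the administration authorities (the +alladm set), and builds the setmqaut command that would take the administration authorities back from an application identity that should only be using the queue. The dspmqaut output embedded in it is a constructed sample, and the queue manager, queue and principal names are hypothetical.

```python
"""Audit object authorities reported by dspmqaut.

Added example, not part of the IBM slides: it parses the text that
dspmqaut prints for one principal or group on one object, separates
MQI authorities from administration authorities, and builds the
setmqaut command that would take the administration authorities away
from an application identity.  The dspmqaut output below is a
constructed sample; the queue manager, queue and principal names are
hypothetical.
"""
import re

# Administration authorities (what +alladm grants on a queue).
ADMIN_AUTHS = {"chg", "clr", "crt", "dlt", "dsp"}
# MQI authorities (what +allmqi grants on a queue).
MQI_AUTHS = {"get", "browse", "put", "inq", "set",
             "passid", "passall", "setid", "setall"}

HEADER_RE = re.compile(
    r"^Entity (\S+) has the following authorizations for object (\S+):$")

# Constructed dspmqaut output for an application principal that has been
# given +alladm on a queue it only needs to put to and get from.
SAMPLE_DSPMQAUT = """\
Entity appuser has the following authorizations for object orange.queue:
        get
        browse
        put
        inq
        crt
        dlt
        chg
        dsp
        clr
"""


def parse_dspmqaut(text):
    """Return (entity, object_name, set of authority keywords)."""
    entity = obj = None
    auths = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            entity, obj = match.group(1), match.group(2)
        elif entity is not None:
            # Every non-blank line after the header is one authority keyword.
            auths.add(line)
    return entity, obj, auths


def admin_authorities(auths):
    """Administration authorities held, sorted for stable output."""
    return sorted(auths & ADMIN_AUTHS)


def revoke_command(qmgr, obj, obj_type, entity, auths, group=False):
    """Build the setmqaut command that removes the given authorities.

    setmqaut takes -p for a principal and -g for a group; each authority
    keyword is revoked with a leading '-' (the slides use +keyword to
    grant and -keyword to revoke).
    """
    flag = "-g" if group else "-p"
    removals = " ".join("-" + a for a in sorted(auths))
    return f"setmqaut -m {qmgr} -n {obj} -t {obj_type} {flag} {entity} {removals}"


def audit(text, qmgr, obj_type="queue"):
    """Return (entity, object, admin authorities held, revoke command or None)."""
    entity, obj, auths = parse_dspmqaut(text)
    excess = admin_authorities(auths)
    cmd = revoke_command(qmgr, obj, obj_type, entity, excess) if excess else None
    return entity, obj, excess, cmd


if __name__ == "__main__":
    entity, obj, excess, cmd = audit(SAMPLE_DSPMQAUT, "saturn.queue.manager")
    print(f"{entity} on {obj}: administration authorities {excess}")
    if cmd:
        print("to revoke:", cmd)
```

Run it against real output by piping `dspmqaut -m <qmgr> -n <queue> -t queue -p <principal>` into the script instead of SAMPLE_DSPMQAUT; the generated setmqaut line is printed, not executed, so it can be reviewed before it is applied.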


SSL

The Secure Sockets Layer (SSL) provides an industry standard protocol for transmitting data in a secure manner over an insecure network. The SSL protocol is widely deployed in both Internet and Intranet applications. SSL defines methods for authentication, data encryption, and message integrity for a reliable transport protocol, usually TCP/IP. SSL uses both asymmetric and symmetric cryptography techniques. Refer to the following web site for a complete description of the SSL protocol: http://home.netscape.com/eng/ssl3/.

An SSL connection is initiated by the caller application, which becomes the SSL client. The responder application becomes the SSL server. Every new SSL session begins with an SSL handshake, as defined by the SSL protocol.


SSL Handshake

1. Agree on the version of the SSL protocol to use.

2. Select cryptographic algorithms.

3. Authenticate each other by exchanging and validating digital certificates.

4. Use asymmetric encryption techniques to generate a shared secret key, which avoids the key distribution problem. SSL subsequently uses the shared key for the symmetric encryption of messages, which is faster than asymmetric encryption.



SSL in WebSphere MQ

Message channels and MQI channels can use the SSL protocol to provide link level security. A caller MCA is an SSL client and a responder MCA is an SSL server. WebSphere MQ supports Version 3.0 of the SSL protocol. You specify the cryptographic algorithms that are used by the SSL protocol by supplying a CipherSpec as part of the channel definition.

During the SSL handshake, the MCA sends the digital certificate of the queue manager to its partner MCA at the other end of the channel. The WebSphere MQ code at the client end of an MQI channel acts on behalf of the user of the WebSphere MQ client application. During the SSL handshake, the WebSphere MQ code sends the user's digital certificate to the MCA at the server end of the MQI channel.


SSL in WebSphere MQ

Digital certificates are stored in a key repository. The queue manager attribute SSLKeyRepository specifies the location of the key repository that holds the queue manager's digital certificate.

On a WebSphere MQ client system, the MQSSLKEYR environment variable specifies the location of the key repository that holds the user's digital certificate. Alternatively, a WebSphere MQ client application can specify its location in the KeyRepository field of the SSL configuration options structure, MQSCO, on an MQCONNX call.
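Because the CipherSpec lives in the channel definition, whether a channel actually gets link-level security is something you can check from the channel definitions themselves. The script below is an added example, not part of the IBM slides: it reads the text that runmqsc prints for DISPLAY CHANNEL(*) ALL, collects each channel's SSL attributes, and reports channels that run with no CipherSpec, with a CipherSpec that authenticates but does not encrypt, or that accept a partner without a certificate. The DISPLAY CHANNEL output it contains is a constructed sample with hypothetical channel names; the CipherSpec values are of the kind the product accepted in its SSL 3.0 era and are sample values here, and the substring rules it uses to class a CipherSpec as non-encrypting ("NULL") or export-grade ("EXPORT") are the example's own convention, not a product feature.

```python
"""Audit channel SSL settings from DISPLAY CHANNEL output.

Added example, not part of the IBM slides: it reads the text that
runmqsc prints for DISPLAY CHANNEL(*) ALL, picks out the SSL-related
attributes of each channel definition, and reports channels that run
with no CipherSpec, with a CipherSpec that authenticates but does not
encrypt, or that accept a partner without a certificate.  The display
output below is a constructed sample; the channel names are hypothetical
and the "NULL"/"EXPORT" substring rules are this example's convention.
"""
import re

# NAME(value) attribute pairs as printed by runmqsc, usually two per line.
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")
# Message id that starts each channel's block in the display output.
BLOCK_START = "AMQ8414"

SAMPLE_DISPLAY = """\
AMQ8414: Display Channel details.
   CHANNEL(TO.SATURN)                      CHLTYPE(SDR)
   TRPTYPE(TCP)                            SSLCIPH(TRIPLE_DES_SHA_US)
   SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   TRPTYPE(TCP)                            SSLCAUTH(OPTIONAL)
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(LEGACY.RCVR)                    CHLTYPE(RCVR)
   TRPTYPE(TCP)                            SSLCAUTH(REQUIRED)
   SSLCIPH(NULL_SHA)                       SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(PARTNER.SVRCONN)                CHLTYPE(SVRCONN)
   TRPTYPE(TCP)                            SSLCAUTH(OPTIONAL)
   SSLCIPH(TRIPLE_DES_SHA_US)              SSLPEER( )
"""


def parse_display_channel(text):
    """Return a list of {attribute: value} dicts, one per channel block."""
    channels = []
    current = None
    for line in text.splitlines():
        if line.startswith(BLOCK_START):
            current = {}
            channels.append(current)
            continue
        if current is None:
            continue
        for name, value in ATTR_RE.findall(line):
            # An unset attribute is printed as NAME( ), which strips to "".
            current[name] = value.strip()
    return channels


def audit_channel(channel):
    """Findings for one channel definition (an empty list means none)."""
    findings = []
    ciph = channel.get("SSLCIPH", "")
    if not ciph:
        findings.append("no CipherSpec: channel has no SSL link-level security")
        return findings
    if "NULL" in ciph:
        findings.append(f"CipherSpec {ciph} authenticates but does not encrypt")
    elif "EXPORT" in ciph:
        findings.append(f"CipherSpec {ciph} uses export-grade key lengths")
    # SSLCAUTH is set on the responding end: OPTIONAL lets the partner
    # complete the handshake without presenting a certificate at all.
    if channel.get("SSLCAUTH") == "OPTIONAL":
        findings.append("SSLCAUTH(OPTIONAL): partner need not present a certificate")
    return findings


def audit(text):
    """Map each channel name to its list of findings."""
    return {ch["CHANNEL"]: audit_channel(ch) for ch in parse_display_channel(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DISPLAY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

To use it on a live queue manager, capture the output of `echo "DISPLAY CHANNEL(*) ALL" | runmqsc <qmgr>` and pass that text to audit() in place of SAMPLE_DISPLAY. SSLPEER is parsed but not judged here, because whether a channel should restrict the partner's distinguished name depends on the deployment.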