Skip to main content

Routing protected messages using WebSphere Message Broker - Middleware News

Routing protected messages using WebSphere Message Broker

IBM WebSphere MQ Advanced Message Security can protect messages in an infrastructure where WebSphere Message Broker version 8.0.0.1 (or later) is installed. You should understand the nature of both products before applying security in the WebSphere Message Broker environment.

About this task

WebSphere MQ Advanced Message Security provides end-to-end security of the message payload. This means that only the parties specified as the valid senders and recipients of a message are capable of producing or receiving it. This implies that in order to secure messages flowing through WebSphere Message Broker, you can either allow WebSphere Message Broker to process messages without knowing their content (Scenario 1) or make it an authorized user able to receive and send messages (Scenario 2).
Parent topic: User scenarios

Scenario 1 - Message Broker cannot see message content

Before you begin

You should have your WebSphere Message Broker connected to an existing queue manager.. Replace QMgrName with this existing queue manager name in the commands that follow.

About this task

In this scenario, Alice puts a protected message into an input queue QIN. Based on the message property routeTo, the message is routed either to bob's (QBOB), 1 (QCECIL), or the default (QDEF) queue. The routing is possible because WebSphere MQ Advanced Message Security protects only the message payload and not its headers and properties which remain unprotected and can be read by WebSphere Message Broker. WebSphere MQ Advanced Message Security is used only by alice, bob and cecil. It is not necessary to install or configure it for the WebSphere Message Broker.
WebSphere Message Broker receives the protected message from the unprotected alias queue in order to avoid any attempt to decrypt the message. If it were to use the protected queue directly, the message would be put onto the DEAD LETTER queue as impossible to decrypt. The message is routed by WebSphere Message Broker and arrives on the target queue unchanged. Therefore it is still signed by the original author (both bob and cecil only accept messages sent by alice) and protected as before (only bob and cecil can read it). WebSphere Message Broker puts the routed message to an unprotected alias. The recipients retrieve the message from a protected output queue where WebSphere MQ AMS will transparently decrypt the message.

Procedure

  1. Configure alice, bob and cecil to use WebSphere MQ Advanced Message Security as described in the Quick Start Guide (Windows or UNIX). Ensure the following steps are completed:
    • Creating and authorizing users
    • Creating Key Database and Certificates
    • Creating keystore.conf
  2. Provide alice's certificate to bob and cecil, so alice can be identified by them when checking digital signatures on messages. 
    runmqakm -cert -export -db <location-of-alicekey.kdb> -pw passw0rd
-label Alice_Cert -target <location-of-bobkey.kdb> -target_pw passw0rd
  3. Provide bob and cecil's certificates to alice, so alice can send messages encrypted for bob and cecil. 
    runmqakm -cert -export -db <location-of-bobkey.kdb> -pw passw0rd
-label Bob_Cert -target <location-of-alicekey.kdb> -target_pw passw0rd
  4. On your queue manager, define local queues called QIN, QBOB, QCECIL and QDEF. 
    DEFINE QLOCAL(QIN)
  5. Setup the security policy for the QIN queue to an eligible configuration. Use the identical setup for the QBOB, QCECIL and QDEF queues. 
    setmqspl -m QMgrName -p QIN -s SHA1 -a "CN=alice,O=IBM,C=GB"
-e AES256 -r "CN=bob,O=IBM,C=GB" -r "CN=cecil,O=IBM,C=GB"
    This scenario assumes the security policy where alice is the only authorized sender and bob and cecil are the recipients.
  6. Define alias queues AIN, ABOB and ACECIL referencing local queues QIN, QBOB and QCECIL respectively. 
    DEFINE QALIAS(AIN) TARGET(QIN)
  7. Verify that the security configuration for the aliases specified in the previous step is not present; otherwise set its policy to NONE. 
    dspmqspl -m QMgrName -p AIN
  8. In WebSphere Message Broker create a message flow to route the messages arriving on the AIN alias queue to the BOB, CECIL, or DEF node depending on the routeTo property of the message. To do so:
    1. Create an MQInput node called IN and assign the AIN alias as its queue name.
    2. Create MQOutput nodes called BOB, CECIL and DEF and assign alias queues ABOB, ACECIL and ADEF as their respective queue names.
    3. Create a route node and call it TEST.
    4. Connect the IN node to the input terminal of the TEST node.
    5. Create bob, and cecil output terminals for the TEST node.
    6. Connect the bob output terminal to the BOB node.
    7. Connect the cecil output terminal to the CECIL node.
    8. Connect the DEF node to the default output terminal.
    9. Apply the following rules: 
      $Root/MQRFH2/usr/routeTo/text()="bob"
$Root/MQRFH2/usr/routeTo/text()="cecil"
  9. Deploy the message flow to the WebSphere Message Broker runtime component.
  10. Running as the user Alice put a message that also contains a message property called routeTo with a value of either bob or cecil. Running the sample application amqsstm will allow you to do this. 
    Sample AMQSSTMA start
target queue is TEST.Q
Enter property name
routeTo
Enter property value
bob
Enter property name

Enter message text
My Message to Bob
Sample AMQSSTMA end
  11. Running as user bob retrieve the message from the queue QBOB using the sample application amqsget.

Results

When alice puts a message on the QIN queue, the message is protected. It is retrieved in protected form by the WebSphere Message Broker from the AIN alias queue. WebSphere Message Broker decides where to route the message reading the routeTo property which is, as all properties, not encrypted. WebSphere Message Broker places the message on the appropriate unprotected alias avoiding its further protection. When received by bob or cecil from the queue, the message is decrypted and the digital signature is verified.

Scenario 2 - Message Broker can see message content

About this task

In this scenario, a group of individuals are allowed to send messages to WebSphere Message Broker. Another group are authorized to receive messages which are created by WebSphere Message Broker. The transmission between the parties and WebSphere Message Broker cannot be eavesdropped.
Remember that WebSphere Message Broker reads protection policies and certificates only when a queue is opened, so you must reload the execution group after making any updates to protection policies for the changes to take effect. 
mqsireload execution-group-name
If WebSphere Message is considered an authorized party allowed to read or sign the message payload, you must configure WebSphere MQ Advanced Message Security for the user starting the WebSphere Message Broker service. Be aware it is not necessarily the same user who puts/gets the messages onto queues nor the user creating and deploying the WebSphere Message Broker applications.

Procedure

  1. Configure alice, bob, cecil and dave and the WebSphere Message Broker service user, to use WebSphere MQ Advanced Message Security as described in the Quick Start Guide (Windows or UNIX). Ensure the following steps are completed:
    • Creating and authorizing users
    • Creating Key Database and Certificates
    • Creating keystore.conf
  2. Provide alice, bob, cecil and dave's certificate to the WebSphere Message Broker service user. 
    runmqakm -cert -export -db <location-of-alicekey.kdb> -pw passw0rd
-label Alice_Cert -target <location-of-Message-Broker-key-database> -target_pw passw0rd
  3. Provide the WebSphere Message Broker service user's certificate to alice, bob, cecil and dave. 
    runmqakm -cert -export -db <location-of-Message-Broker-key-database> -pw passw0rd
-label Broker_Cert -target <location-of-alicekey.kdb> -target_pw passw0rd
    Note: Alice and bob need the WebSphere Message Broker service user's certificate to encrypt the messages correctly. The WebSphere Message Broker service user needs alice's and bob's certificates to verify authors of the messages. The WebSphere Message Broker service user needs cecil's and dave's certificates to encrypt the messages for them. cecil and dave need the WebSphere Message Broker service user's certificate to verify if the message comes from WebSphere Message Broker.
  4. Define a local queue named IN and define the security policy with alice and bob specified as authors and WebSphere Message Broker's service user specified as recipient: 
    setmqspl -m QMgrName -p IN -s MD5 -a "CN=alice,O=IBM,C=GB" -a "CN=bob,O=IBM,C=GB"
-e AES256 -r "CN=broker,O=IBM,C=GB"
  5. Define a local queue named OUT and define the security policy with WebSphere Message Broker's service user specified as author and cecil and dave specified as recipients: 
    setmqspl -m QMgrName -p OUT -s MD5 -a "CN=broker,O=IBM,C=GB" -e AES256
-r "CN=cecil,O=IBM,C=GB" -r "CN=dave,O=IBM,C=GB"
  6. In WebSphere Message Broker create a message flow with an MQInput and MQOutput node. Configure the MQInput node to use the IN queue and the MQOutput node to use the OUT queue.
  7. Deploy the message flow to the WebSphere Message Broker runtime component.
  8. Running as user alice or bob put a message on the queue IN using the sample application amqsput.
  9. Running as user cecil or dave retrieve the message from the queue OUT using the sample application amqsget.

Results

Messages sent by alice or bob to the input queue IN are encrypted allowing only WebSphere Message Broker to read it. WebSphere Message Broker will only accept messages from alice and bob and will reject any others. The accepted messages will be appropriately processed then signed and encrypted with cecil's and dave's keys before being put onto the output queue OUT. Only cecil and dave are capable of reading it, messages not signed by WebSphere Message Broker are rejected.
Labels:

Comments

Post a Comment

adsrerrapop

Popular posts from this blog

IBM Websphere MQ interview Questions Part 5

MQ Series: - It is an IBM web sphere product which is evolved in 1990’s. MQ series does transportation from one point to other. It is an EAI tool (Middle ware) VERSIONS:-5.0, 5.1, 5.3, 6.0, 7.0(new version). The currently using version is 6.2 Note: – MQ series supports more than 35+ operating systems. It is platform Independent. For every OS we have different MQ series software’s. But the functionality of MQ series Default path for installing MQ series is:- C: programfiles\BM\clipse\SDK30 C: programfiles\IBM\WebsphereMQ After installation it will create a group and user. Some middleware technologies are Tibco, SAP XI. MQ series deals with two things, they are OBJECTS, SERVICES. In OBJECTS we have • QUEUES • CHANNELS • PROCESS • AUTHENTICATION • QUERY MANAGER. In SERVICES we have LISTENERS. Objects: – objects are used to handle the transactions with the help of services. QUEUE MANAGER maintains all the objects and services. QUEUE: – it is a database structure
136 comments
Read more

IBM Websphere MQ Reason code list / mq reason codes / websphere mq error codes / mq error messages

Reason code list ================= The following is a list of reason codes, in numeric order, providing detailed information to help you understand them, including: * An explanation of the circumstances that have caused the code to be raised * The associated completion code * Suggested programmer actions in response to the code * 0 (0000) (RC0): MQRC_NONE * 900 (0384) (RC900): MQRC_APPL_FIRST * 999 (03E7) (RC999): MQRC_APPL_LAST * 2001 (07D1) (RC2001): MQRC_ALIAS_BASE_Q_TYPE_ERROR * 2002 (07D2) (RC2002): MQRC_ALREADY_CONNECTED * 2003 (07D3) (RC2003): MQRC_BACKED_OUT * 2004 (07D4) (RC2004): MQRC_BUFFER_ERROR * 2005 (07D5) (RC2005): MQRC_BUFFER_LENGTH_ERROR * 2006 (07D6) (RC2006): MQRC_CHAR_ATTR_LENGTH_ERROR * 2007 (07D7) (RC2007): MQRC_CHAR_ATTRS_ERROR * 2008 (07D8) (RC2008): MQRC_CHAR_ATTRS_TOO_SHORT * 2009 (07D9) (RC2009): MQRC_CONNECTION_BROKEN * 2010 (07DA) (RC2010): MQRC_DATA_LENGTH_ERROR * 2011 (07DB) (RC2011): MQRC_DYNAMIC_Q_NAME_ERROR * 2012 (07DC) (RC201
2 comments
Read more

IBM WebSphere MQ – Common install/uninstall issues for MQ Version on Windows - Middleware News

Creating a log file when you install or uninstall WebSphere MQ WebSphere MQ for Windows is installed using the Microsoft Installer (MSI). If you install the MQ server or client through launchpad , MQPARMS or setup.exe , then a log file is automatically generated in %temp% during installation. Alternatively you can supply parameters on the installation MSI command msiexec to generate a log file, or enable MSI logging system-wide (which generates MSI logs for all install and uninstall operations). If you uninstall through the Windows Add/Remove programs option, no log file is generated. You should either uninstall from the MSI command line and supply parameters to generate a log file, or enable MSI logging system-wide (which generates MSI logs for all install and uninstall operations). For details on how to enable MSI logging, see the following article in the WebSphere MQ product documentation: Advanced installation using msiexec For details on how to enable system-w
Post a Comment
Read more