Professional Documents
Culture Documents
SSL
SSL
MQ and SSL
WebSphere MQ
Overview
Part I Overview of security goals and SSL Part II The MQ SSL story
WebSphere MQ
Security
Goals of security
Confidentiality Message integrity Endpoint Authentication
WebSphere MQ
Encryption (1)
Encryption
Data confidentiality Plain text vs Cipher text
Plaintext
Cyphertext
Plaintext
WebSphere MQ
Encryption (2)
Encryption
Data confidentiality Plain text vs Cipher text
Plain A B C D E F G H I Z Cipher T M I N Q C D B A R
Encryption
E(Plain) = Cipher Example: E(HEAD) = BQTN
Decryption
D(Cipher) = Plain Example: D(BQTN) = HEAD
WebSphere MQ
Encryption
Decryption
Plaintext
Ciphertext
Plaintext
WebSphere MQ
Encryption
E(Plain, Key) = Cipher E(HEAD, 2) = LPNC
Decryption
D(Cipher, Key) = Plain D(LPNC, 2) = HEAD
WebSphere MQ
Encryption
Decryption
Plaintext
Ciphertext
Plaintext
WebSphere MQ
E(Plain, Keypublic) = Cipher D(Cipher, Keyprivate) = Plain Keys are asymmetric Relatively expensive to use
WebSphere MQ
Security
Goals of security
Confidentiality Message integrity Endpoint Authentication
WebSphere MQ
Common algorithms
MD5 SHA
WebSphere MQ
Message
Digest
WebSphere MQ
WebSphere MQ
h
Private Key
Private Key
WebSphere MQ
h
Public Key
?
h
Public Key
WebSphere MQ
Security
Goals of security
Confidentiality Message integrity Endpoint Authentication
WebSphere MQ
WebSphere MQ
Certificate Authority
WebSphere MQ
Certificates
Issued by CA
VeriSign Entrust CyberTrust etc
Contains
Subject Name Issuer Name X.500 distinguished names
X.509
Common certificate exchange format
WebSphere MQ
Security
Goals of security
Confidentiality Message integrity Endpoint Authentication
WebSphere MQ
WebSphere MQ
Queue Manager
No SSL
Queue Manager
Queue Manager
With SSL
Queue Manager
WebSphere MQ
Queue Manager
Channel
Queue Manager
TCP/IP
Link
TCP/IP
Queue Manager
Channel
Queue Manager
SSL
Encryption
SSL
TCP/IP
Link
TCP/IP
WebSphere MQ
MQ SSL Implementations
Supports SSL V3.0 Implemented using:
WebSphere MQ
Channel Security
SSL can be used across channels All kinds of channels supported
Sender Receiver Cluster Client Etc
WebSphere MQ
Key questions
Which CipherSpec shall be used?
Cost of security Performance characteristics
WebSphere MQ
Channel definitions
SSL either enabled or disabled by channel definition New parameters for channel definitions
Cypher spec (SSLCIPH) DNs allowed (SSLPEER) Client authentication required (SSLCAUTH)
WebSphere MQ
WebSphere MQ
WebSphere MQ
WebSphere MQ
Obtaining certificates
Certificates obtained from Commercial CA Certificates for test environments
OpenSSL MakeCert Java 1.4 Keytool IKeyMan
WebSphere MQ
Certificate Stores
Certificates stored in key repositories Queue manager SSLKeyRepository (SSLKEYR) attributes specifies Queue Managers location of its own certificate MQ Client uses the MQSSLKEYR environment variable to specify location of certificate store
WebSphere MQ
WebSphere MQ
Performance
Nothing for nothing Extra CPU overhead for encrypted data No official IBM numbers yet published Performance expected to be equivalent to moving same quantity of data over base SSL implementation
Possibly better due to single handshake and reuse Overhead based on ciphersuite employed
WebSphere MQ
References
MQ Security Manual SSL and TLS Eric Rescorta Java Secure Socket Extension (JSSE) Reference Guide Web sites
http://home.netscape.com/eng/ssl3/ssl-toc.html