Professional Documents
Culture Documents
Channel Authentication Records A New Channel Security Feature in WebSphere MQ v7.1
Channel Authentication Records A New Channel Security Feature in WebSphere MQ v7.1
Morag Hughson
hughson@uk.ibm.com
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
ing
t r block
Ls
Listener Blocking
f NOT A REPLACEMENT FOR AN IP
ll
rewa
FIREWALL!!
f Blocked before any data read from the socket Fi
IP
f Simplistic avoidance of DoS attack
y Really the place of the IP firewall
f Network Pingers if blocked don’t raise an alert
WebSphere MQ V7.1
O One point of note, the inbound connections can be from any version of MQ. There
is no requirement that the clients or remote queue managers also be on
WebSphere MQ V7.1 to be blocked or mapped by these rules.
WebSphere MQ V7.1
IBM Software Group | WebSphere software
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
Mapping done before calling security exit Order Identity mechanism Notes
0 Channel Name
Parameter to indicate where user ID is 1 SSL Distinguished Name
taken from 2= Client asserted User ID Clearly several different user IDs can
f Provided on command be running on the same IP address.
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
WebSphere MQ V7.1
IBM Software Group | WebSphere software
SSL Peer
QM Name
Client User
IP Address
Restrict where an SSL Certificate Restrict
can be used from By
f Specific IP address
Mapped
SSL Peer X X 8
Restrict where a queue manager QM Name 8
or client user ID can come from Client User 8
f Specific IP address
IP Address
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
Specific 4 O= Organization
Match 5 L= Locality
6 ST=, SP=, S= State or province name
Certificate
CN=Morag 7 C= Country
Hughson
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
Ranges 9.20.4.1-10
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
“Our
“Our
“OurBusiness
internal
Administrators
cluster
Partners
doesn’t
connect
mustuse
all
in connect
using
SSL, but
MQ using
we
Explorer,
must
SSL,ensure
so
butwe
don’t
only
willuse
map
the
“We must make sure our system is completely locked down”
correct
SSL.queue
their
We access
will
managers
mapfrom
theircan
the
access
connect
certificate
by IP
into
DNs”
Address”
the cluster”
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
CHLAUTH(*)
TYPE(SSLPEERMAP)
SSLPEER(‘O=”IBM UK”’) MCAUSER(UKUSER)
WebSphere MQ V7.1
IBM Software Group | WebSphere software
Chl: SYSTEM.ADMIN.SVRCONN
DN: CN=Morag Hughson.O=IBM UK
Order Identity mechanism UID: mhughson
0 Channel Name IP: 9.180.165.163
1 SSL Distinguished Name
2= Client asserted User ID
2= Queue Manager Name
4 IP address
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
Warning mode
ALTER QMGR CHLEV(ENABLED)
Inspect
channel Channel is
Write Event message Warn
mapping blocked Mode?
instruction
Warn mode is
on
Find a non-warn record?
IP: 9.20.1.2
Chl: SYSTEM.DEF.SVRCONN
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
f Difficult to supply any default rules regarding IP addresses and SSL Peer Names since they
are very installation specific.
WebSphere MQ V7.1
WebSphere MQ V7.1
IBM Software Group | WebSphere software
Events
Command events (as normal)
Configuration events (as normal)
Channel event
Controlled by existing switch
f Considered to be an EXCEPTION SYSTEM.ADMIN.CHANNEL.EVENT
WebSphere MQ V7.1
Events - Notes
These commands will generate command events and configuration events
N (assuming that these events are enabled by the existing CMDEV and CONFIGEV
switches).
There are some new events to record whenever an inbound connection attempt is
O blocked. Controlled by the current CHLEV switch (and considered to be an
EXCEPTION) this new event message will be issued to the
SYSTEM.ADMIN.CHANNEL.EVENT queue when a channel or listener blocks an
attempt to connect.
T The reason qualifier of the event message can be
– MQRQ_CHANNEL_BLOCKED_ADDRESS
Channel was blocked due to its IP address being in the list to be refused.
– MQRQ_CHANNEL_BLOCKED_USERID
E Channel was blocked due to its asserted (or mapped) user ID being in the list to be refused.
– MQRQ_CHANNEL_BLOCKED_NOACCESS
Channel was blocked due to its identity (e.g. IP address or SSL Peer name) being mapped to a rule
that says it is to be blocked.
S
WebSphere MQ V7.1