Scribd Logo
Carica

Benvenuto in Scribd!

  • SSL MQ

    Caricato da

    karthickmsit
    1K visualizzazioni35 pagine
    SSL MQ http://middlewarenews.blogspot.com/

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    SSL MQ http://middlewarenews.blogspot.com/

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    1K visualizzazioni35 pagine

    SSL MQ

    Caricato da

    karthickmsit
    SSL MQ http://middlewarenews.blogspot.com/

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 35

    WebSphere MQ

    MQ and SSL

    Neil Kolban
    IBM Corp
    kolban@us.ibm.com

    October 31st 2002 © 2002 IBM Corporation


    WebSphere MQ

    Overview

    ƒ Part I – Overview of security goals and SSL


    ƒ Part II – The MQ SSL story

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Security

    ƒ Goals of security
    – Confidentiality
    – Message integrity
    – Endpoint Authentication

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Encryption (1)

    ƒ Encryption
    – Data confidentiality
    – Plain text vs Cipher text

    Plaintext Cyphertext Plaintext

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Encryption (2)

    ƒ Encryption Plain Cipher


    – Data confidentiality A T
    – Plain text vs Cipher text
    B M

    ƒ Encryption C I

    – ƒE(Plain) = Cipher D N
    – Example: ƒE(“HEAD”) = “BQTN” E Q
    F C
    ƒ Decryption
    – ƒD(Cipher) = Plain G D

    – Example: ƒD(“BQTN”) = “HEAD” H B

    I A

    … …

    Z R

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Cipher keys (1)

    Encryption Decryption

    Plaintext Ciphertext Plaintext

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Cipher keys (2)

    ƒ Keys
    –Shared secret key Plain Cipher Cipher Cipher
    K=1 K=2 K=n
    –Symmetric cryptography
    A T N O
    –Common algorithms
    B M T W
    –DES
    C I Y E
    –RC2
    –RC4 D N C T
    E Q P S
    ƒ Encryption F C S C
    –ƒE(Plain, Key) = Cipher
    G D U I
    –ƒE(“HEAD”, 2) = “LPNC” H B L N
    I A E F
    ƒ Decryption
    –ƒD(Cipher, Key) = Plain … … … …

    –ƒD(“LPNC”, 2) = “HEAD” Z R M H

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Public Key Cryptography (1)

    Public key Private key

    Encryption Decryption

    Plaintext Ciphertext Plaintext

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Public Key Cryptography (2)

    ƒ Two keys
    – One public (known to everyone)
    – One private (known only to you)
    – Common algorithms
    – RSA
    – Diffie-Hellman
    – Asymmetric cryptography
    ƒ ƒE(Plain, Keypublic) = Cipher
    ƒ ƒD(Cipher, Keyprivate) = Plain
    ƒ Keys are asymmetric
    ƒ Relatively expensive to use

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Security

    ƒ Goals of security

    – Confidentiality

    – Message integrity

    – Endpoint Authentication

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Message Digest (1)

    ƒ Input → arbitrary length message


    ƒ Output → fixed length string
    ƒ Attributes
    – Irreversibility
    – Collision resistance
    ƒ Other names for this
    – Hashing
    – Checksum
    ƒ Common algorithms
    – MD5
    – SHA

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Message Digest (2)

    ƒ ƒH(Message) = HashData
    ƒ ƒH(Message1) ≠ ƒH(Message2)
    → Message1 ≠ Message2

    Message
    Digest
    h

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Digital Signature (1)

    ƒ Digital Signature built from


    – Message Digest
    – Public key encryption
    ƒ Used to prove that a message has not been tampered with.

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Digital Signature (2)

    h
    Private Key

    Private Key

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Digital Signature (3)

    h
    Public Key

    ?
    h
    Public Key

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Security

    ƒ Goals of security
    –Confidentiality

    –Message integrity

    –Endpoint Authentication

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Man in the middle attack

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Certificate Authority

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Certificates

    ƒ Issued by CA
    –VeriSign
    –Entrust
    –CyberTrust
    –etc
    ƒ Contains
    –Subject Name
    –Issuer Name
    –X.500 distinguished names
    ƒ X.509
    –Common certificate exchange
    format

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Security

    ƒ Goals of security
    – Confidentiality
    – Message integrity
    – Endpoint Authentication
    ƒ Implement this design and you have SSL!!

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Part II MQ and SSL

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Data movement between queue managers

    Queue Queue
    Manager Manager
    No SSL

    Queue Queue
    Manager Manager
    With SSL

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Adding SSL Support

    Queue Queue
    Manager Channel Manager

    TCP/IP Link TCP/IP

    Queue Queue
    Manager Channel Manager

    SSL Encryption SSL

    TCP/IP Link TCP/IP

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    MQ SSL Implementations

    ƒ Supports SSL V3.0


    ƒ Implemented using:

    Java JSSE (Java Secure Socket Extension)

    Windows SChannel

    Unix ???

    z/OS System SSL

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Channel Security

    ƒ SSL can be used across channels


    ƒ All kinds of channels supported
    – Sender
    – Receiver
    – Cluster
    – Client
    – Etc
    ƒ Specified on a per channel basis

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Key questions

    ƒ Which CipherSpec shall be used?


    – Cost of security
    – Performance characteristics
    ƒ Is client authentication required?
    – Uni or bidirectional authentication
    ƒ Names of accepted peers.
    – Limit the names of channel initiators (SSL clients)

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Channel definitions

    ƒ SSL either enabled or disabled by channel definition


    ƒ New parameters for channel definitions
    – Cypher spec (SSLCIPH)
    – DN’s allowed (SSLPEER)
    – Client authentication required (SSLCAUTH)

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    SSLCipherSpec (SSLCIPH) – Channel attribute

    ƒ Name of the Cipher specification to use


    ƒ If blank, no SSL
    ƒ Same attribute value required on both ends of the channel

    CipherSpec name Hash algorithm Encryption algorithm Encryption bits


    NULL_MD5 MD5 None 0
    NULL_SHA SHA None 0
    RC4_MD5_EXPORT MD5 RC4 0
    RC4_MD5_US MD5 RC4 40
    RC4_SHA_US SHA RC4 128
    RC2_MD5_EXPORT MD5 RC2 128
    DES_SHA_EXPORT SHA DES 40
    RC4_56_SHA_EXPORT1024 SHA RC4 56
    DES_SHA_EXPORT1024 SHA DES 56
    TRIPLE_DES_SHA_US SHA 3DES 128
    TLS_RSA_WITH_AES_128_CBC_SHA SHA AES 128
    TLS_RSA_WITH_AES_128_CBC_SHA SHA AES 256

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    SSLClientAuth (SSLCAUTH) - Channel attribute

    ƒ Requestor to form channel considered the SSL Client


    ƒ Defines if certificate from client is needed to form channel
    ƒ Values:
    – Required – Client authentication required
    – Optional – Client authentication optional

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    SSLPeerName (SSLPEER) - Channel attribute

    ƒ Distinguished names of the allowed partners

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Obtaining certificates

    ƒ Certificates obtained from Commercial CA


    ƒ Certificates for test environments
    – OpenSSL
    – MakeCert
    – Java 1.4 Keytool
    – IKeyMan

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Certificate Stores

    ƒ Certificates stored in key repositories


    ƒ Queue manager SSLKeyRepository (SSLKEYR) attributes specifies
    Queue Manager’s location of its own certificate
    ƒ MQ Client uses the MQSSLKEYR environment variable to specify
    location of certificate store

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    The amqmcert command

    ƒ Used to manage MQSeries certificate store


    ƒ Adds certificates to store
    ƒ Removes certificates from store
    ƒ Lists certificates in store
    ƒ Assigns certificate to queue manager

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    Performance

    ƒ Nothing for nothing …


    ƒ Extra CPU overhead for encrypted data
    ƒ No official IBM numbers yet published
    ƒ Performance expected to be equivalent to moving same quantity of
    data over base SSL implementation
    – Possibly better due to single handshake and reuse
    – Overhead based on ciphersuite employed

    WebSphere MQ & SSL © 2002 IBM Corporation


    WebSphere MQ

    References
    ƒ MQ Security Manual
    ƒ SSL and TLS – Eric Rescorta
    ƒ Java Secure Socket Extension (JSSE) Reference Guide
    ƒ Web sites
    http://home.netscape.com/eng/ssl3/ssl-toc.html

    WebSphere MQ & SSL © 2002 IBM Corporation

    Potrebbero piacerti anche