Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Version 300
GC32-9342-00
January 2003
Candle Corporation
100 North Sepulveda Blvd
El Segundo, California 90245
Registered trademarks and service marks of Candle Corporation: AF/OPERATOR, AF/PERFORMER, AF/REMOTE,
Availability Command Center, Candle, Candle Command Center, Candle Direct logo, Candle Electronic Customer Support, Candle
logo, Candle Management Server, Candle Management Workstation, CandleNet Portal, Candle Technologies, CL/CONFERENCE,
CL/SUPERSESSION, CommandWatch, CandleNet Command Center, CT, CT/Data Server, CT/DS, DELTAMON, eBA,
eBA*ServiceMonitor, eBA*ServiceNetwork, eBusiness Assurance, eBusiness Institute, ETEWatch, IntelliWatch, IntelliWatch Pinnacle,
MQSecure, MQView, OMEGACENTER, OMEGAMON, OMEGAMON/e, OMEGAMON II, OMEGAMON Monitoring Agent,
OMEGAVIEW, OMEGAVIEW II, PQEdit, Solutions for Networked Applications, Solutions for Networked Businesses, and Transplex.
Trademarks and service marks of Candle Corporation: Alert Adapter, Alert Adapter Plus, Alert Emitter, AMS, Amsys,
AutoBridge, AUTOMATED FACILITIES, Availability Management Systems, Candle Alert, Candle Business Partner Logo, Candle
Command Center/SentinelManager, Candle CommandPro, Candle CIRCUIT, Candle eDelivery, CandleLight, CandleNet, CandleNet
2000, CandleNet eBP, CandleNet eBP Access, CandleNet eBP Administrator, CandleNet eBP Broker Access, CandleNet eBP
Configuration, CandleNet eBP Connector, CandleNet eBP File Transfer, CandleNet eBP Host Connect, CandleNet eBP Object Access,
CandleNet eBP Object Browser, CandleNet eBP Secure Access, CandleNet eBP Service Directory, CandleNet eBP Universal
Connector, CandleNet eBP Workflow Access, CandleNet eBusiness Assurance, CandleNet eBusiness Exchange, CandleNet eBusiness
Platform, CandleNet eBusiness Platform Administrator, CandleNet eBusiness Platform Connector, CandleNet eBusiness Platform
Connectors, CandleNet eBusiness Platform Powered by Roma Technology, CandleNet eBusiness Platform Service Directory, CCC,
CCP, CEBA, CECS, CICAT, CL/ENGINE, CL/GATEWAY, CL/TECHNOLOGY, CMS, CMW, Command & Control, Connect-Notes,
Connect-Two, CSA ANALYZER, CT/ALS, CT/Application Logic Services, CT/DCS, CT/Distributed Computing Services, CT/Engine,
CT/Implementation Services, CT/IX, CT/Workbench, CT/Workstation Server, CT/WS, !DB Logo, !DB/DASD, !DB/EXPLAIN,
!DB/MIGRATOR, !DB/QUICKCHANGE, !DB/QUICKCOMPARE, !DB/SMU, !DB/Tools, !DB/WORKBENCH, Design Network, DEXAN,
e2e, eBAA, eBAAuditor, eBAN, eBANetwork, eBAAPractice, eBP, eBusiness Assurance Network, eBusiness at the speed of light,
eBusiness at the speed of light logo, eBusiness Exchange, eBusiness Institute, eBX, End-to-End, ENTERPRISE, Enterprise Candle
Command Center, Enterprise Candle Management Workstation, Enterprise Reporter Plus, EPILOG, ER+, ERPNet, ESRA, ETEWatch
Customizer, HostBridge, InterFlow, Candle InterFlow, Lava Console, MessageMate, Messaging Mastered, Millennium Management
Blueprint, MMNA, MQADMIN, MQEdit, MQEXPERT, MQMON, NBX, NetGlue, NetGlue Extra, NetMirror, NetScheduler, OMA, OMC
Gateway, OMC Status Manager, OMEGACENTER Bridge, OMEGACENTER Gateway, OMEGACENTER Status Manager,
OMEGAMON Management Center, OSM, PC COMPANION, Performance Pac, PowerQ, PQConfiguration, PQScope, Response Time
Network, Roma, Roma Application Manager, Roma Broker, Roma BSP, Roma Connector, Roma Developer, Roma FS/A, Roma
FS/Access, RomaNet, Roma Network, Roma Object Access, Roma Secure, Roma WF/Access, Roma Workflow Access, RTA, RTN,
SentinelManager, Somerset, Somerset Systems, Status Monitor, The Millennium Alliance, The Millennium Alliance logo, The
Millennium Management Network Alliance, TMA2000, Tracer, Unified Directory Services, Volcano and ZCopy.
Trademarks and registered trademarks of other companies: AIX, DB2, MQSeries and WebSphere are registered trademarks of
International Business Machines Corporation. SAP is a registered trademark and R/3 is a trademark of SAP AG. UNIX is a registered
trademark in the U.S. and other countries, licensed exclusively through X/Open Company Ltd. HP-UX is a trademark of
Hewlett-Packard Company. SunOS is a trademark of Sun Microsystems, Inc. All other company and product names used herein are
trademarks or registered trademarks of their respective companies.
Copyright © October 2002, Candle Corporation, a California corporation. All rights reserved. International rights secured.
Threaded Environment for AS/400, Patent No. 5,504,898; Data Server with Data Probes Employing Predicate Tests in Rule Statements
(Event Driven Sampling), Patent No. 5,615,359; MVS/ESA Message Transport System Using the XCF Coupling Facility, Patent No.
5,754,856; Intelligent Remote Agent for Computer Performance Monitoring, Patent No. 5,781,703; Data Server with Event Driven
Sampling, Patent No. 5,809,238; Threaded Environment for Computer Systems Without Native Threading Support, Patent No.
5,835,763; Object Procedure Messaging Facility, Patent No. 5,848,234; End-to-End Response Time Measurement for Computer
Programs, Patent No. 5,991,705; Communications on a Network, Patent Pending; Improved Message Queuing Based Network
Computing Architecture, Patent Pending; User Interface for System Management Applications, Patent Pending.
NOTICE: This documentation is provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to
restrictions set forth in the applicable license agreement and/or the applicable government rights clause.
This documentation contains confidential, proprietary information of Candle Corporation that is licensed for your internal use only.
Any unauthorized use, duplication, or disclosure is unlawful.
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
What’s New . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Contents 3
Contents
Appendixes
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Contents 5
Contents
List of Figures 7
List of Figures
List of Tables 9
List of Tables
P
This is a guide for administrators of PathWAI™ Secure for WebSphere MQ, a
product that provides both node-to-node and application-to-application
security for WebSphere MQ networks and, via the CASP Secure Connector,
for CandleNet eBusiness Platform (eBP) or Candle Application Services Pac
(CASP) applications.
This guide provides a general introduction to PathWAI Secure, covers
PathWAI Secure adminstrative tasks, and details how to configure WebSphere
MQ channels to invoke PathWAI Secure security functions. It also documents
CASP Secure Connector, which allows eBP or CASP applications to invoke
PathWAI Secure as an inline service rather than using its APIs.
Preface 11
n Chapter 2 describes PathWAI Secure’s user key and encryption options
and provides detailed instructions for configuring them.
n Chapter 3 covers the management of PathWAI Secure users and user
cryptokeys, including registering users, distributing public keys, revoking
keys, and managing user key databases
n Chapter 4 provides instructions for managing the Candle-provided LDAP
respository.
n Chapter 5 provides instructions for securing WebSphere MQ messages
using WebSphere MQ channel exits.
n Appendix A documents CASP Secure Connector, and provides
instruction for its use.
n Appendix B documents the PathWAI Secure administrative and helper
utilities.
n Appendix C provides advice for troubleshooting problems.
n Appendix D documents the messages and return codes.
n Appendix E provides information on contacting Candle Customer
Support.
4. (Optional). Select the Shrink to Fit option if you need to fit oversize pages to
the paper size currently loaded on your printer.
Preface 13
The print quality of your output is ultimately determined by your printer.
Sometimes printing problems can occur. If you experience printing problems,
potential areas to check are:
n settings for your printer and printer driver. (The dpi settings for both your
driver and printer should be the same. A setting of 300 dpi is
recommended.)
n the printer driver you are using. (You may need a different printer driver
or the Universal Printer driver from Adobe. This free printer driver is
available at www.adobe.com.)
n the halftone/graphics color adjustment for printing color on black and white
printers (check the printer properties under Start > Settings > Printer).
For more information, see the online help for the Acrobat Reader.
n the amount of available memory in your printer. (Insufficient memory can
cause a document or graphics to fail to print.)
For additional information on printing problems, refer to the documentation
for your printer or contact your printer manufacturer.
R
This product is subject to export and re-export restrictions and regulations
imposed by the government of the United States and, if applicable, the
country to which the product is shipped, and any related federal, state, or
local laws.
As of October 19, 2000, the new export rules for PathWAI Secure for
WebSphere MQ are as follows:
1. No shipments to or use by non-United States Government End Users
outside the United States are allowed without a special license for the
government end user, except for Members of the European Union (EU),
Australia, Czech Republic, Hungary, Japan, New Zealand, Norway,
Poland and Switzerland;
2. No shipments may be made to and the product may not be used or
licensed for use by any person or entity that is a member of, or located in,
any terrorist-supporting nations (currently, Cuba, Iran, Iraq, Libya, North
Korea, Sudan, and Syria); and
3. The product may not otherwise be used in violation of any applicable
license agreement. Some countries’ import regulations prohibit
importation or use of encryption software products, and it is the user's
responsibility to comply with those regulations.
Note: A Government End User is any foreign central, regional, or local
government department, agency, or other entity performing
governmental functions, including governmental research institutions,
governmental corporations or their separate business units (as defined
in part 772 of the EAR) which are engaged in the manufacture or
distribution of items or services controlled on the Wassenaar Munitions
List, and international governmental organizations. The term does not
Restrictions 15
include utilities (including telecommunications companies and Internet
service providers), banks and financial institutions, transportation,
broadcast or entertainment, educational organizations, civil health and
medical organizations, retail or wholesale firms, and manufacturing or
industrial entities not engaged in the manufacture or distribution of
items or services controlled on the Wassenaar Munitions List.
PathWAI Secure for WebSphere MQ Version 300. Copyright © 1997–2002,
Candle Corporation, a California corporation. All rights reserved.
International copyright secured.
This material is proprietary to Candle Corporation and is not to be
reproduced, used, or disclosed except in accordance with program licenses or
upon written authorization of Candle Corporation. This product contains
BSAFE sofware, owned exclusively by RSA™ Data Security, Inc., and
sublicensed by Candle Corporation.
CASP Secure Connector Version 300 fully exploits the new features in
PathWAI Secure Version 300.
What’s New 17
The enhancements are described in the following sections. For information on
the new and revised API calls that support these enhancements, please refer
to the PathWAI Secure Programmer’s Guide.
Audit support
Nonrepudiation typically involves archiving signed messages and the
certificates or public keys required to verify the message signature. PathWAI
Secure provides an API call that allows programmers to extract from the
security trailer the information needed to counter any future attempts to
repudiate the message: the signature, the signer’s public key, the supporting
certificate if included with the message, and the encrypted symmetric key.
This information can then be archived along with the message to create an
audit trail.
What’s New 19
At channel startup, the security exits will embed (as available) the full root
chain of certificates with each security exchange message to ensure both sides
of the channel trust each other. This feature avoids the overhead of sending a
certificate or chain of certificates with every signed message.
What’s New 21
22 PathWAI Secure for WebSphere MQ Administrator’s Guide, Version 300
Introducing
1 PathWAI Secure
for WebSphere MQ
Overview
This chapter introduces PathWAI Secure, a suite of software tools that provide
encryption and authentication for messages traveling over WebSphere MQ
networks. It also discusses public key cryptography and describes how
PathWAI Secure implements it.
Chapter Contents
What is PathWAI Secure? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
What does PathWAI Secure do? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Why secure messages? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
What security services does PathWAI Secure provide? . . . . . . . . . . . . 24
How are PathWAI Secure services invoked? . . . . . . . . . . . . . . . . . . . . 25
What type of encryption does PathWAI Secure use? . . . . . . . . . . . . . . 25
What type of key management does PathWAI Secure provide? . . . . . 25
What is Public Key Cryptography? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Public/private keys pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Digital certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Digital envelopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Applications of public key cryptography . . . . . . . . . . . . . . . . . . . . . . . 31
How Does PathWAI Secure Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Securing messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Managing users and user keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Asymmetric Keys
The public/private key pair can be used to prove a sender’s identity and to
confirm the integrity of messages (authenticate), as well as to encrypt and
decrypt them.
Since only the owner has access to the private key of a pair, use of the private
key is proof of the user’s identity. Thus, a sender uses his or her private key to
sign a message, and the receiver uses the sender’s public key to authenticate
the signature—since only the owner of the private key of the pair could have
had access to the private key that signed it. Similarly, public/private keys are
used to encrypt messages so they can be read only by the intended receiver.
The sender uses the intended receiver’s public key to encrypt a message, and
only the intended receiver has access to the matching private key to decrypt it
(see Figure 2 on page 28).
A digital certificate may be associated with the public key of a public/private
key pair to establish the identity of the key owner.
Digital certificates
Digital certificates establish, or certify, the identity of a public key holder. They
are issued by a trusted third party, or certification authority (CA). They contain
the key holder’s name, a serial number, a copy of the certificate holder's
public key, and other information such as expiration date of the certificate,
and are signed by the certification authority (CA) that issued the certificate.
Recipients can use the CA’s signatures to verify that the certificate is real. A
chain of certificates extending back to a mutually trusted third party may be
required to verify a key holder’s identity. Digital certificates are usually kept in
registries so that users can look up others' public keys to encrypt messages or
authenticate signatures.
Certificates are revoked through certificate revocation lists (CRLs), issued
periodically by the CAs. CRLs can be issued as complete lists of the serial
numbers of all revoked certificates, or as "delta" lists which contain only the
changes since the last full CRL was issued. Typically, CRLs are issued at
12-hour, 1-day, or 1-week intervals, depending on installation policies.
To ensure the most current certificate status, CRLs must be downloaded
frequently. For critical applications requiring virtually real-time status
information, or simply to offload the effort of CRL management, revocation
checking can be done through online certificate status protocol (OCSP)
requests to a network-based server application, or responder.
Sender encrypts
message using
receiver’s public key,
obtained from
repository.
Receiver decrypts
Public key repository
message using private
key, stored locally
Digital envelopes
The digital envelope is an extension of the public key approach. It combines
the security of asymmetric key encryption and the performance advantage of
symmetric key encryption.
Certificate
Name
Serial Number
Date
Message text is
encrypted using
symmetric key to
produce ciphertext
message
text + ciphertext
Digital envelope
is “opened” using
the receiver’s
private key
+ ciphertext
digital envelope
The ciphertext is
decrypted using
the symmetric key
ciphertext + message
text
Securing messages
PathWAI Secure’s authentication and encryption services can be invoked in
two ways:
n through WebSphere MQ channel exit programs
n through APIs
PathWAI Secure channel exits provide security on a node-to-node or
channel-specific basis. You use channel exits to perform
signing/authentication and encryption/decryption of messages being passed
entirely over channels over which you have control. Channel exits can also be
used to ensure the identity of communicating nodes or individual channel
users before channels are activated.
To invoke PathWAI Secure security services at the channel exit level, a
WebSphere MQ administrator configures WebSphere MQ channels to invoke
channel exits and supplies parameters that tell the channel what PathWAI
Secure channel exit program to use and specify what type of security PathWAI
Secure should apply.
The PathWAI Secure APIs provide security on an application-to-application
basis. Because security is handled by the sending and receiving applications,
the route the messages travel does not matter and you do not need to know
the identity of the machines that handle the messages en route. This method
of securing messages is especially useful when messages must pass through
channels over which you have no control—for example, when messages
travel over the Internet.
The PathWAI Secure APIs allow you to encrypt all or only parts of a message.
Partial, or range, encryption is useful when parts of a message (such as
routing instructions) need to be in the clear, while other parts (such as account
numbers) need to be encrypted. Encryption ranges can be specified using
user-defined delimiters or the offset and length of message segments.
If you have existing applications that use WebSphere MQ MQPUT and MQGET
commands, you can simply add PathWAI Secure direct security function calls.
If you are creating new applications, or are willing to modify existing
programs, you can use integrated calls that make the WebSphere MQ MQPUT
and MQGET calls as well as calling the appropriate security routines.
PathWAI Secure provides APIs for COBOL, C/C++, and Java applications.
For more information on these APIs and developing applications that
implement PathWAI Secure security services, refer to the PathWAI Secure for
WebSphere MQ Programmer’s Guide.
Both channel exits and APIs let you encrypt messages for WebSphere MQ
clusters. Members of the cluster are assigned PathWAI Secure user IDs that
share a common prefix—for example, CLUS1QM1, CLUS1QM2,
CLUS1QM3—so the entire cluster can be identified using the prefix and an
asterisk wildcard (CLUS1*). When the destination ID is specified in this
manner, PathWAI Secure encrypts the message using a symmetric key, then
encrypts the symmetric key using the public key of each queue manager in the
cluster in turn.
identify of the key holder. Local administrators are responsible for revoking
users registered on their node.
PathWAI Secure users holding third-party public keys are verified through
certificate chains to a trusted certificate. The status of certificates is verified
through imported certificate revocation lists or status requests to an OCSP
responder.
Only a Global Administrator can designate certificates as trusted for a site.
Global Administrators are a special class of PathWAI Secure administrator,
with the authority to assign trust to imported certificates and to export trusted
certificates for distribution through the PathWAI Secure network.
For sites using PathWAI Secure-generated keys and distributing keys via an
LDAP repository, Global Administrators act as the certifying authority for local
administrators.
Users holding third-party keys are revoked through CRLs. PathWAI Secure
checks CRLs before any operation requiring verification of a public key
(authentication or encryption) is executed. If a PathWAI Secure-secured node
or channel is configured to use an OCSP responder, the responder is queried
for certificate status.
2 Options
Overview
PathWAI Secure offers a number of key management and encryption options.
Most of these options are configured on a node-by-node basis, using
environment variables. A few are configured on a channel-by-channel basis.
Typically, these options are set at the time PathWAI Secure is installed, but
they can be changed at any time. This chapter describes the available options
and provides instructions for configuring them.
Chapter contents
Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
LDAP Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Hardware Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Symmetric Encryption Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Asymmetric Key Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Hashing Algorithms for Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . 57
PathWAI Secure ID Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Certificate Revocation List Checking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Online Certificate Revocation Checking . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Triple Prime Key Generation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Message-Embedded Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Queue Authorization using PathWAI Secure Sender ID. . . . . . . . . . . . . . . 85
Symmetric Key Reuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Configuration Options
Overview
PathWAI Secure offers a number of options for key generation, key
management, and message encryption.
The following options are configured on a node-by-node basis:
n LDAP Repository—Enable or disable connection to an LDAP repository
for public key storage and distribution
n Hardware encryption—Enable or disable encryption/decryption using an
IBM hardware encryption device (S/390 Crypto Facility, 4758
Cryptographic Coprocessor, or 4963 feature)
n Symmetric encryption algorithm—Specify one of six algorithms at varying
degrees of strength
n Asymmetric key length—Set a modulus size for public/private key pairs
generated by PathWAI Secure
n Hashing algorithm—Select either MD5 or SHA-1 hashing for digital
signatures
n PathWAI Secure ID mapping—Specify how PathWAI Secure IDs are
mapped to certificates’ Subject Name
n Online certificate revocation checking—Enable and configure real-time
checking of certificate revocation status through an OCSP responder
n Triple prime key generation—Enable/Disable key generation with three
primes
n Message-embedded certificates—Embed message signers’ public keys
and supporting certificates in messages
n Queue authorization using PathWAI Secure sender user ID
The following options are configured on a channel-by-channel basis:
n Symmetric key reuse—Enable reuse of symmetric keys by specifying
number of reuses or maximum lifetime of the key
Configuration
On Windows and UNIX, options can be set using the PathWAI Secure
configuration tool (see Figures 5). On OS/390, they must be set manually.
There are two UNIX versions of the configuration utility: a GUI version and a
command line version. The GUI version requires X/Windows. To run either
version, home/candle/bin must be in the user's path, where candle is the
directory in which PathWAI Secure is installed).
On UNIX, if you reset a variable using the configuration tool, you must make
the same change to your environment by issuing the appropriate export
command from the command line or by modifying the login script (*.profile,
*.cshrc, or *.login).
On OS/390, options are configured by specifying a value for the appropriate
variable in the member pointed to by DD statement MQSCONF in the
MFSSRVR JCL on each server. After you have made the changes, you must
recycle the servers (MFSSRVR).
After you reset any of these variables on any platform, you must recycle all
PathWAI Secure-related processes, including any WebSphere MQ channels
using PathWAI Secure channel exits.
LDAP Repository
– To set the LDAP port, type the port number in the LDAP Server Port
field.
The port number used by the node must match the port number set for
the LDAP server on the LDAP repository host.
3. If you are finished setting variables, click Apply to set the variables.
A message appears to inform you when the variables have been set. When
you dismiss the message, a dialog appears asking if you want to reboot now.
4. Either reboot the machine or recycle all the PathWAI Secure-related
processes.
export MQSECURE_LDAP_SERVER_PORT=new_port_number
5. Recycle all the PathWAI Secure-related processes.
MQSECURE_LDAP_SERVER_ADDRESS=
to indicate the hostname or IP address of the machine to which PathWAI
Secure should connect, and
MQSECURE_LDAP_SERVER_PORT=
to indicate the port number to which PathWAI Secure should connect. The
default port number is 389.
To disable an existing LDAP connection, set both variables to NONE.
Hardware Encryption
Note: If you are enabling the 4758 Cryptographic Coprocessor, you must
shut down all PathWAI Secure applications and channels and issue a
dbdown command before starting the configuration tool.
1. Start the PathWAI Secure Configuration tool, if necessary:
Start > Programs > PathWAI Secure for WebSphere MQ >
PathWAI Secure for WebSphere MQ Configuration Tool.
2. On the Configure PathWAI Secure for WebSphere MQ tab:
– To enable hardware encryption, for Hardware Enabled select
ADAPTER1 from the dropdown menu.
– To disable hardware encryption, for Hardware Enabled select none
from the dropdown menu.
3. If you are finished setting variables, click Apply to set the variables.
A message appears to inform you when the variables have been set. When
you dismiss the message, a dialog appears asking if you want to reboot now.
4. Either reboot the machine or recycle all the PathWAI Secure-related
processes.
4. Enter the appropriate command from the command line or add it to the login
script:
– if you are changing from software encryption to hardware encryption,
enter:
export MQSECURE_HARDWARE_ENABLED=ADAPTER1
– if you are changing from hardware encryption to software encryption,
enter:
export MQSECURE_HARDWARE_ENABLED=
5. Recycle all the PathWAI Secure-related processes.
RC2 A block cipher that operates on 8-byte blocks. This algorithm was
designed as a drop-in replacement for the DES algorithm, but
optimized for software. The only key length supported is 128 bits.
RC2 is the default alogrithm used by PathWAI Secure if no
symmetric encryption algorithm is explicitly specified.
Triple-DES A block cipher that uses three iterations of the DES (Data Encryption
(TDES) Standard) algorithm on each 8-byte block. PathWAI Secure uses
the 2-key EDE implementation of Triple-DES. This method uses two
different DES keys, the first used to encrypt each block, the second
used to decrypt the output of the first, encryption operation, and
finally the first key is used again to encrypt the output of the second,
decryption operation.
RC4 A stream cipher that operates on bit or byte streams. Its execution
speed is considered very fast, but the encryption key can only be
used once. As a result, PathWAI Secure’s channel exit key reuse
feature will not allow reuse of RC4 keys. Key lengths supported are
128, 192, and 256 bits.
RC5 A block cipher that operates on 8-byte blocks. It is a successor to the
RC2 algorithm and offers higher execution speed and comparable
strength of security at similar key lengths. Key lengths supported are
128, 192, and 256 bits.
RC6 A block cipher that operates on 16-byte blocks. It is a successor to
the RC5 algorithm and was a final candidate for the new Advanced
Encryption Standard (AES) algorithm to replace DES. Key lengths
supported are 128, 192, and 256 bits.
AES A block cipher that operates on 16-byte blocks. It was selected as the
(RijnDael) new Advanced Encryption Standard (AES) algorithm to replace
DES. Key lengths supported are 128, 192, and 256 bits.
If you are using software encryption and a PathWAI Secure Version 300 or
210 node is communicating with another Version 300 or 210 node, you may
specify any of the supported algorithms listed, including triple DES (TDES). If
you are using hardware encryption, you must use TDES.
If a PathWAI Secure V210 or V300 node is communicating with a V200 node,
you may use either RC2 or TDES. If a PathWAI Secure Version 210 or V300
node is communicating with a Version 110 node, you must use RC2.
Hashing algorithms
PathWAI Secure supports both MD5 and SHA-1 hashing algorithms. SHA-1 is
considered more secure than the MD5 hashing algorithm and should be used
wherever possible. MD5 should be used where compatibility with existing
PathWAI Secure installations (V200 and before) is an issue.
The attributes included in the subject name vary from certificate authority to
certificate authority. You should be aware of, or set a standard for, the
attributes included in the subject name of the certificates that are used to
verify PathWAI Secure users keys.
PathWAI Secure has very strict naming conventions for channel and cluster
mutual authentication IDs (see “Users, User IDs, and Passwords” on page 98).
You must ensure that the component of the Distinguished Name used as the
PathWAI Secure user ID conforms to these conventions.
MQSECURE_ID_MAPPING_ATTRIBUTE=
to one of the attributes shown in Table 3 on page 60.
How it works
Validation of a certificate and its revocation status through an OCSP
responder is triggered by configuration of PathWAI Secure and the presence
of certificate extensions, if any, which allow the OCSP requests to be
submitted to a network address. Revocation checking is done whenever a
public key is required for authentication of a signature or encryption of a
message.
Each certificate within the chain of verification back to a trust point is
validated through the responder. If you elect to use an OCSP responder and
the certificates contain extensions, all the certificates in the verification path to
a trust point must contain extensions specifying the same URL as the
certificate being validated.
Responders return a status of “valid”, “invalid”, or “unknown” for each
certificate. If the certificate status is “invalid” or “unknown”, the PathWAI
Secure operation fails. For channel exits, the error is logged to the problems
queue and the channel exit logs. For programs using the PathWAI Secure
APIs, an error message is issued.
The certificate for the signer of the response from the responder must be in the
local trusted database. This certificate must be imported by the Global
Administrator as trusted (see “Importing trusted certificates” on page 108)
and exported as trusted either to the LDAP repository or to a PKCS#7 file for
distribution to all nodes that will be communicating with the responder.
Enabling
You enable checking by specifying ValiCert as the OCSP responder type. In
addition, you must provide some or all of the following information.
and time for a certificate within its repository. The next update date/time
overrides the cache retention setting.
Scope of checking
By default, OCSP checking is configured on a node-by-node (GLOBAL)
basis. You can limit the overhead incurred by OCSP validation by limiting the
scope of OCSP revocation checking to specific channels. To enable checking
for specific channels, you specify CHANNEL as the scope of checking and
add the letter “V” in the MSGDATA parameter of each channel for which you
want checking enabled.
For application-level (API) checking, scope must be set to GLOBAL.
5. Click Apply to set the new settings, or continue selecting other variables.
6. Issue the appropriate export command from the command line or by
modifying the login script (*.profile, *.cshrc, or *.login) to export the modified
variables:
MQSECURE_OCSP_REVOCATION_CHECKING=VALICERT | NONE
MQSECURE_OCSP_SCOPE=GLOBAL | CHANNEL
MQSECURE_OCSP_TRANSPORT_DESTINATIONS=OCSP Responder
URL(s) | NONE
MQSECURE_OCSP_TRANSPORT_PROXIES=OCSP Responder Proxy
URL(s) | NONE
MQSECURE_OCSP_REQUESTOR_CERT=Distinguished Name | NONE
MQSECURE_OCSP_RESPONSE_CERT=Distinguished Name | NONE
MQSECURE_OCSP_CACHE_RETENTION=time_in_seconds
7. Recycle all the PathWAI Secure-related processes.
Overview
By default, PathWAI Secure uses two prime numbers to generate a key pair
modulus. You can reduce processing overhead in private key operations by
enabling triple prime key generation.
Standard generation of RSA keys involves the multiplication of two prime
number to derive the modulus that is an integral part of the key construct.
The strength of an RSA key is based on the difficulty of factoring the modulus
into its two prime numbers which can then be used to establish the private key
of the key pair. Because of the characteristics of the techniques used when
attempting to factor the modulus, there is a point at which the use of more
than two prime numbers in deriving the modulus can be used without
compromising security. Using more primes improves the performance of
private key operations.
PathWAI Secure’s implementation of multiprime key generation (using RSA’s
version of Compaq’s MultiPrime technology) uses three primes in the
generation of RSA keys with a modulus length of 1024 through 2048 bits. If
shorter modulus lengths are specified, PathWAI Secure will use only two
prime numbers to generate the RSA key modulus even if multiprime key
generation is configured, so security is not compromised.
A message appears to inform you when the variables have been set. When
you dismiss the message, a dialog appears asking if you want to reboot now.
4. Either reboot the machine or recycle all the PathWAI Secure-related
processes.
2. At the prompt
MQSECURE_MULTIPRIME_KEYS (Default is: NO):
– Press Enter to accept the default.
– Enter NO to disable triple-prime key generation.
– Enter YES to enable triple-prime key generation.
3. If you are finished changing variables, continue pressing Enter in response to
the subsequent prompts to accept the current values. If you want to change
other variables, enter the appropriate values, then press Enter.
When the variables have been reset, the message “Configuration complete” is
displayed.
4. Enter the appropriate commands from the command line or add them to the
login script. For example:
export MQSECURE_MULTIPRIME_KEYS=YES
5. Recycle all the PathWAI Secure-related processes.
Message-Embedded Certificates
Overview
Embedding the public key certificate of a message signatory in the MQSecure
message itself makes it possible for a receiver to verify a digital signature
without having to access an MQSecure LDAP repository or a previously
imported public key. Multiple certificates may be sent with a message to
enable the receiver to establish a verification chain to an established local trust
point.
When a message is received, any embedded certificates are used to verify the
signature on the message and, if necessary, replace the certificate and public
key associated with the signatory in the local MQSecure database. If the signer
does not already exist in the local user key database, a new “foreign” user is
registered. If the receiver has an LDAP repository configured, the public key
information is written to it.
You can configure certificate embedding on either a node-by-node or a
channel-by-channel basis.
Note: You do not need enable message embedding to exchange keys via
certificates between nodes connected by a channel using the PathWAI
Secure security exits (that is, for platform or channel mutual
authentication). At channel startup, the security exits automatically
embed (as available) the full chain of certificates with each security
exchange message. However, you must have imported a common
certificate, such as a ValiCert root certificate, into each node’s PathWAI
Secure certificate database for this operation to be successful.
See “Embedding public keys in messages” on page 122 for more information
on how message embedding works.
To embed a chain of certificates, you must specify one of the following values:
ONE (default) Embed only the certificate of the user who signed the
message
TRUSTED Embed only the minimum chain required to certify back to
certificates in the PathWAI Secure trusted certificate
database
ROOT Embed the entire chain back to the self-signed (root)
certificate in the trusted certificate database or the last
certificate in the database
Overview
Reusing symmetric keys provides significant improvement in performance
without sacrificing security. You specify the number of reuses or the maximum
lifetime of the key, and the key is saved at the sender to be reused as
configured. On reuse, the saved key is used to encrypt the message and the
public key encryption operation is bypassed by placing the saved key into the
security trailer.
The following table shows the number of messages that can be encrypted and
decrypted based on the same amount of CPU resource and the number of
times the symmetric encryption key is reused.
The table indicates that reusing the symmetric key for 100 encryptions and
decryptions will allow approximately 60 messages to be processed for the
same amount of CPU resource as a single encryption and decryption without
reuse.
The risk of queue depth build-up at the receiving platform is considerably
reduced or eliminated
Symmetric key reuse can be configured on a channel-by-channel or an
application-by-application basis. (For information on configuring symmetric
key reuse using the PathWAI Secure APIs, refer to the PathWAI Secure for
WebSphere MQ Programmer’s Guide.)
If this variable is not set, a new symmetric key is generated for each
encryption operation.
Overview
This chapter discusses how users and user keys are managed in the PathWAI
Secure environment. It covers
n registration of PathWAI Secure administrators and users
n distribution of user keys
n verification and revocation of users keys
n management of PathWAI Secure user key databases
Chapter Contents
Managing Users and Keys in the PathWAI Secure Environment . . . . . . . . 92
Users, User IDs, and Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Registering a Global Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Registering Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Registering Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Distributing Public Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . 117
Revoking Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Managing the Local User Key Databases . . . . . . . . . . . . . . . . . . . . . . . . 131
Overview
PathWAI Secure users are authorized through the process of registration.
During registration, a public/private RSA key pair is associated with an
PathWAI Secure user ID and a password for private key operations.
PathWAI Secure users and their keys are managed by a special class of users
known as administrators. The first user ID and password registered on each
node using the PathWAI Secure administrative utility becomes the
administrative ID and password for that system. The administrator’s ID and
password is required to:
n register users
n export and import public keys
n manage the local user key database
PathWAI Secure users may hold either PathWAI Secure-generated keys or
keys generated by a third-party certificate or registration authority (CA/RA).
The way in which users are verified depends on the type of key (PathWAI
Secure-generated or third-party) they hold.
Administrative utilities
Administrative functions are performed using one of the following utilities:
mqs_adm and mqs_admc are command line utilities whose functions are
invoked through parameters. Each function has a series of prompts to help
you enter the required parameter values. You can also enter all the
parameters for a function on the command line at one time. This means that if
you need to perform multiple configuration tasks you can collect commands
in a single file and execute them all at once. The parameters and the syntax
for the commands are discussed in “Utilities” on page 187.
Figure 6 illustrates a typical mqs_adm session.
==============================================
KMFPADM0 PathWAI Secure Administration
User : MQSADMIN1 Select Administration Function Date: 2002/06/29
Terminal: 3278 Time: 15:26
UserData: CANDINST.PWSECURE.DATABASE
==============================================
Create/Specify user key database
Manage User Keys
Manage User Key Database
Manage Certificates
Manage LDAP Repository
==============================================
Select function using ’/’ and press ENTER Press END to exit.
COMMAND ===>
User keys
PathWAI Secure supports both PathWAI Secure-generated RSA key pairs and
keys issued by third party CA/RAs and their supporting certificates.
PathWAI Secure-generated keys offer simplicity and ease of use. They are
particularly useful when you want to secure a small number of channels
without incurring the overhead of certificate management. PathWAI
Secure-generated keys are suited to a self-contained environment, where
individual users are known and trust can be assigned implicitly rather than
explicitly. In such environments, use of PathWAI Secure-generated keys is
indicated unless company or industry standards require certificates.
Third-party keys are suitable for more complex security systems
encompassing business partners or customers, where verification to a
mutually trusted third party is desireable, no shared repository is feasible, or
security standards require certificates.
RSA keys use a modulus–exponent format. The RSA key length consists of
two different lengths (the private key length and the public key length), neither
of which has the same value as the modulus size. The modulus size is an input
to the RSA key pair values. The greater the modulus size, the greater the
length of the public/private key pair.
The default modulus for PathWAI Secure-generated key pairs is 1024 bits, but
you can use any modulus between 768 and 2048 bits. The modulus size is set
on a node-by-node basis (see “Asymmetric Key Length” on page 54), but can
be overridden at the time keys are generated.
If you are using third-party keys, you should establish a policy for importing
and distributing CRLs from the issuing authorities on a regular basis.
Note: If you are using third-party public key certificates, by default there
must be a certificate revocation list (CRL) in the local database from
the issuer of the certificates. If there is no CRL, certificate verification
will fail and the authentication or encryption operations will not be
performed. You can disable CRL checking (see “Certificate
Revocation List Checking” on page 64), but this should be done only
for testing and in case of emergencies.
Users
From the standpoint of PathWAI Secure, a user can be any entity—a person,
a machine, an application, a channel, a group. PathWAI Secure distinguishes
two classes of users: regular users and administrators.
Administrators are intended to be role-based entities rather than actual
individuals. The first user ID and password registered on an PathWAI Secure
node becomes the administrative ID and password for that node. That ID and
password are required to execute most administrative functions, including
registering other users, exporting and importing keys, and managing the local
user key database.
The administrator’s private key is used to sign all public keys originating from
that node. When local users’ public keys are exported (to a file or a
repository), PathWAI Secure uses the local administrator’s private key to sign
the message containing the user keys. When the user keys are imported on
another PathWAI Secure node, PathWAI Secure authenticates the sending
administrator’s signature to ensure that the keys really originated at a trusted
source. For this reason, users’ public keys cannot be distributed until
administrators’ public keys have been exchanged between all communicating
nodes.
Sites using third-party keys or using an LDAP repository for public key
distribution must establish a special site administrator, known as a Global
Administrator.
Only a Global Administrator, using the administrative utility installed from the
Global Administrator’s CD, can designate certificates as trusted by the site for
purposes of verification of third-party keys.
For sites using PathWAI Secure-generated keys and distributing keys via an
LDAP repository, Global Administrators act as the certifying authority for all
other administrators. PathWAI Secure uses the Global Administrator’s private
key to sign the administrators’ public keys when they exported to the
repository, and uses the Global Administrator’s public key to authenticate the
keys when they are imported on other nodes.
The recommended way to administer the PathWAI Secure users is to treat the
Global Administrator as a subordinate certification authority. The Global
Administrator is tasked with establishing the trust chains required in the sphere
of his or her control. In most cases—certainly in a non-business-to-business
environment—there will probably be only two certificates in the verification
chain and these certificates would form the verification chain for all certificates
in that environment.
In other words, the registration of the Global Administrator would most likely
pull in the verification certificates required by all the other nodes in the
environment. In a business-to-business situation, the local Global
Administrator should be the one to initially receive the certificates from the
business partner that will be required to verify the certificates used in
communications between the businesses. So business partners should export
their certificates to the local Global Administrator, who then imports them as
trusted as necessary, exporting them to LDAP automatically, or manually,
depending on local policy.
User IDs
IDs play a critical role in key management and signature authentication.
PathWAI Secure uses IDs to locate keys in its secured, internal user key
database.
User IDs for PathWAI Secure-generated keys are assigned by the local
administrator. User IDs for third-party keys are derived by PathWAI Secure
from the Subject Name on the public key certificate. By default, PathWAI
Secure uses the Common Name (cn) portion of the Distinguished Name that
comprises the subject name of an X509v.3 certificate, but it can be configured
to use any of the component of a Distinguished Name (see “PathWAI Secure
ID Mapping” on page 60). In the case of special purpose IDs discussed below,
this means that you must ensure that the component of the Distinguished
Name used as the PathWAI Secure user ID conforms to the conventions
discussed below.
All PathWAI Secure user IDs must be unique systemwide. This prevents
conflicts with locally-defined PathWAI Secure user IDs when “foreign” user
IDs are imported to other nodes. Regular user IDs may consist of up to 47
alphanumeric characters and special characters !@#$%^&*. However, there
are restrictions on the IDs used for channel mutual authentication and for
WebSphere MQ clusters.
User IDs are case-sensitive on all platforms.
Note: If you are exchanging messages between OS/390 and other platforms,
you should create IDs in all uppercase, as WebSphere MQ changes the
casing of IDs to uppercase when it sends messages to other platforms
using channel exits. Many LDAP implementations are not case
sensitive. To avoid potential name collisions you should not specify
user IDs which are identical except for casing.
Cluster authentication IDs are managed by PathWAI Secure in the same way
as user IDs. From the standpoint of key management, PathWAI Secure does
not differentiate between cluster authentication IDs and user IDs.
Cluster IDs
To encrypt messages sent to an WebSphere MQ cluster, each member of the
cluster must be assigned an PathWAI Secure user ID with a shared prefix. For
example:
CLUS1QM1, CLUS1QM2, CLUS1QM2, . . .
The entire cluster can then be identified using the prefix and an asterisk
wildcard:
CLUS1*
When the destination user ID is specified in this manner, PathWAI Secure
encrypts the symmetric key with which the message is encrypted repeatedly,
using the public key of each member of the cluster in turn.
For various reasons you may need to review the user IDs for which public,
and possibly private, keys are known in the local PathWAI Secure user key
database.
To view a list of user IDs:
Note: The revocation status of third-party keys is not shown by the list users
command. If you want to see which third-party keys have been
revoked, you must check revocation lists issued by their certifying
authority.
To view a list of the certificates known in the local nontrusted certificate
database:
Passwords
Each PathWAI Secure user ID is associated with a password. The password is
required to use the private key associated with the user ID to sign or decrypt
messages.
Overview
If you intend to use third-party keys, or to use an LDAP repository for key
distribution, your site must have a Global Administrator. Only a Global
Administrator can establish the end points for verification of public key
certificates for your site by designating certain verification certificates as
trusted certificates. If you are using PathWAI Secure-generated keys and your
site is configured to use an LDAP repository, the Global Administrator can
play a central role in the distribution of administrators’ public keys (see
“Distributing Public Keys and Certificates” on page 117). In order to
designate certificates as trusted, a Global Administrator must be registered
using the special Global Administrator CD. (If you are designating a Global
Administrator only for central distribution of PathWAI Secure-generated keys,
you do not have to register the Global Administrator using the special CD.)
Registering the Global Administrator should be the first step in setting up your
PathWAI Secure infrastructure. If you are using third-party keys, no other
administrators can be registered until the Global Administrator has imported
and distributed the trusted certificates required to verify the administrators’
public keys.
Registering a Global Administrator initializes the PathWAI Secure
environment in the same way as registering any administrator: The process
establishes the administrative ID and password for that node and initializes the
local user key database. All subsequent sessions using the administrative
utility on the node are validated against the Global Administrator’s ID and
password. The Global Administrator becomes the certifying authority for any
PathWAI Secure-generated keys originating from this node. Only the Global
Administrator, however, can export certificates as trusted.
Since keys exported to the LDAP repository are signed using the local
administrator’s private key, if you are using PathWAI Secure-generated keys
and an LDAP repository, the Global Administrator can act as the certifying
authority for local administrators by exporting their keys to the LDAP
repository.
On OS/390 you will see a panel asking you whether you want to generate your
administrator’s key using a PKCS#12 file (third-party key), or have PathWAI
Secure generate the key for you. Select “Register Administrator using
PathWAI Secure generated keys.” You are then asked to specify the
administrator ID and password to be associated with these keys (see “Users,
User IDs, and Passwords” on page 98 for a discussion of valid PathWAI
Secure user IDs and passwords). On OS/390 , you must also supply the name
of the configuration file holding the PathWAI Secure environment variables.
This name is specified during installation in the JCL used to start the Server
Address Space.
You can override the default key length by specifying the modulus size for the
administrator’s keys:
OS/390 Specify the desired modulus size in the RSA Modulus Size
field on the New Adminid Signon panel
Windows and UNIX Use the switch -l to specify the modulus size
(mqs_adm(c) -s -l modulus_size)
You can use any modulus size between 768 and 2048 bits, but the value
should be divisible by 8. See “Asymmetric Key Length” on page 54 for more
information on determining key length by setting modulus size.
If you are using PathWAI Secure-generated keys, the Global Administrator’s
public key should be exported to a file that is securely transmitted to all other
PathWAI Secure nodes (see “Exporting keys to a flat file” on page 119) and
imported into the local user key databases (see “Importing public keys” on
page 124).
On OS/390 you will see a panel asking you whether you want to generate your
administrator’s key using a PKCS#12 file (third-party key), or have PathWAI
Secure generate the key for you. Select “Register Administrator using third
party generated keys.” You will need to supply the name of the PKCS#12 file
containing the keys and verification certificates and the password required to
decrypt the private key information in the PKCS#12 file, if any.
PathWAI Secure extracts the user ID to be associated with the key pair from
the certificate (see “User IDs” on page 99 for how PathWAI Secure determines
the user ID), but you provide the password to be used for private key
operations (see “Passwords” on page 102 for a discussion valid passwords).
On OS/390 , you must also supply the name of the configuration file holding
the PathWAI Secure environment variables. This name is specified during
installation in the JCL used to start the Server Address Space.
After you enter the name of the PKCS#12 file to be imported, PathWAI
Secure displays the subject name on the certificate. The PathWAI Secure user
ID assigned to the key pair is the value of the attribute specified for the
MQSECURE_ID_MAPPING_ATTRIBUTE variable. (By default, this is the
common name attribute: cn=). Be sure to record this ID and password and
store them in a secure location.
If your site is configured to use an LDAP repository, the Global
Administrator’s public key certificate is automatically exported to the
repository. If you are not using an LDAP repository, the Global
Administrator’s public key certificate must be manually exported to a
PKCS#7 file and imported on other PathWAI Secure nodes (see “Exporting
certificates to a PKCS#7 file” on page 123). If the Global Administrator’s
certificate is to act as the end point in a chain of certificate verification, the
certificate must be flagged as trusted and exported either to the LDAP
repository or to a file and imported into the local trusted certificate database
(see “Exporting keys to an LDAP repository” on page 118, “Exporting
The certificates will be extracted from the file and placed in the trusted
certificate database.
Note that some of the certificates in the PKCS#7 file may already have been
imported as part of the chain of verification certificates included in the
PKCS#12 file containing the Global Administrator’s keys. Those certificates,
however, were placed in the nontrusted databased. To be placed in the trusted
database, they must be explicitly imported as trusted.
If PathWAI Secure is configured to use an LDAP repository, certificates
imported by the Global Administrator as trusted are automatically exported to
the repository and copied to local trusted certificate database the first time
they are needed to verify a signature. If PathWAI Secure is not configured to
use an LDAP repository, the certificates must be exported by the Global
Registering Administrators
Overview
Registering an administrator initializes the PathWAI Secure environment on
that node. The process establishes the administrator’s ID and password and
initializes the local user key database. All subsequent sessions using the
administrative utility on the node are validated against the administrator’s ID
and password, and the administrator’s signature is used to certify any
PathWAI Secure-generated keys originating from that node.
The local administrator should be registered at the time PathWAI Secure is
installed on a node so that the installation can be verified. Consult the
PathWAI Secure for WebSphere MQ Installation Guide for detailed
instructions.
Notes: If you have configured the PathWAI Secure node to connect to an
LDAP repository, you must have a viable connection to the
repository to generate or import keys successfully.
If the node is configured to use an LDAP repository, you are
prompted for the user ID and password PathWAI Secure should use
to access the LDAP repository when you register an administrator.
You must enter the LDAP user ID prefixed by cn=. For example:
LDAP Update User ID: cn=manager
You specify the ID and password to be associated with these keys (see “Users,
User IDs, and Passwords” on page 98 for a discussion of valid PathWAI
Secure user IDs and passwords). On OS/390 , you must also supply the name
of the configuration file holding the PathWAI Secure environment variables.
This name is specified during installation in the JCL used to start the Server
Address Space.
You can override the default key length by specifying the modulus size for the
administrator’s keys:
You can use any modulus size between 768 and 2048 bits, but the value
should be divisible by 8. See “Asymmetric Key Length” on page 54 for more
information on determining key length by setting modulus size.
When users’ public keys are imported on another PathWAI Secure node,
PathWAI Secure authenticates the sending administrator’s signature to ensure
that the keys really originated at a trusted source. For this reason, the
administrator’s public key must be distributed to all communicating nodes
before any user keys generated on the node can be distributed.
Administrators cannot export their own keys to an LDAP repository. If your
site is using an LDAP repository, the administrator’s key should be exported to
a file and securely transmitted to the site’s Global Administrator. The Global
Administrator can then export the administrator’s key to the repository (see
“Exporting keys to an LDAP repository” on page 118).
If your site is not using an LDAP repository, the administrator’s key should be
exported to a flat file and securely distributed to and imported on all other
PathWAI Secure nodes with which it will be communicating (see “Exporting
keys to a flat file” on page 119).
You will need to supply the name of the PKCS#12 file containing the keys
and verification certificates assigned to the administrator and the password
required to decrypt the private key information in the PKCS#12 file, if any.
PathWAI Secure extracts the user ID to be associated with the key pair from
the certificate (see “User IDs” on page 99 for a discussion of how PathWAI
Secure determines user IDs), but you specify the password to be used for
private key operations (see “Passwords” on page 102 for a discussion of valid
passwords.) On OS/390 , you must also supply the name of the configuration
file holding the PathWAI Secure environment variables. This name is specified
during installation in the JCL used to start the Server Address Space.
After you enter the name of the PKCS#12 file to be imported, PathWAI
Secure displays the subject name on the certificate. The PathWAI Secure user
ID assigned to the key pair is the value of the attribute specified for the
MQSECURE_ID_MAPPING_ATTRIBUTE variable. (By default, this is the
common name attribute: cn=). Be sure to record this ID and password and
store them in a secure location.
If your site is configured to use an LDAP repository, the administrator’s public
key certificate is automatically exported to the repository. Any supporting
certificates imported from PKCS#12 file, however, must be manually
exported to the repository. If the administrator's PKCS#12 file contains
supporting certificates that are not already in the chain of verification
established by the Global Administrator at registration, the local administrator
must export those certificates in a PKCS#7 file to the Global Administrator,
who then exports them to the LDAP repository.
Individual node administrators will become trusted users as they are
automatically imported from LDAP by other nodes and verified to a trust
point.
If you are not using an LDAP repository, the administrator’s public key
certificate (and its verification certificates) must be manually exported to a
PKCS#7 file and imported on other PathWAI Secure nodes (see “Exporting
certificates to a PKCS#7 file” on page 123).
Registering Users
Overview
Registering a new user involves:
1. Importing or generating a public/private key pair
2. Assigning the user ID (if necessary) and password
3. Exporting the user’s public key to a file or target systems
4. Importing the user’s public key on target systems
Only administrators can register other users. If PathWAI Secure is configured
to use an LDAP repository, steps 3 and 4 are performed automatically.
Notes: If you have configured the PathWAI Secure node to connect to an
LDAP repository, you must have a viable connection to the
repository to generate or import keys successfully.
If the node is configured to use an LDAP repository, you are
prompted for the user ID and password PathWAI Secure should use
to access the repository. You must enter the LDAP user ID prefixed
by cn=. For example:
LDAP Update User ID: cn=manager
You specify the ID and password to be associated with these keys. See “Users,
User IDs, and Passwords” on page 98 for a discussion of valid PathWAI
Secure user IDs and passwords.
You can override the default key length by specifying the modulus size for the
keys:
Secure determines user IDs), but the administrator assigns the password to be
used for private operations (see “Passwords” on page 102 for a discussion of
valid PathWAI Secure passwords).
After you enter the name of the PKCS#12 file to be imported, PathWAI
Secure displays the subject name on the certificate. The PathWAI Secure user
ID assigned to the key pair is the value of the attribute specified for the
MQSECURE_ID_MAPPING_ATTRIBUTE variable. (By default, this is the
common name attribute: cn=). Be sure to record this ID and password and
store them in a secure location. The password must be communicated to the
user, if the user is an actual person, or to the application programmer, as
required for signing and decryption operations.
If your site is configured to use an LDAP repository, the user’s public key
certificate is automatically exported to the repository. If you are not using an
LDAP repository, the user’s public key certificate must be manually exported
to a PKCS#7 file and imported on other PathWAI Secure nodes (see
“Exporting certificates to a PKCS#7 file” on page 123).
Overview
In public key cryptography, reciprocal functions are performed using opposite
members of a public/private key pair: Senders use their private keys to sign
messages, and receivers use the senders’ public keys to authenticate their
signatures. Conversely, senders use intended receivers’ public keys to encrypt
messages, and receivers decrypt the messages using their private keys.
Therefore, before communicating parties can sign and authenticate or encrypt
and decrypt messages, they must exchange public keys directly or make them
available in a repository accessible to all authorized parties. If the keys are
verified by a third-party certifying authorities, users’ must also have access to
the chain of certificates that authenticate the keys.
Since administrators’ public keys are used to verify public keys originating
from their nodes, their keys must be exchanged between all communicating
nodes before users’ keys can be exchanged.
Note: If you are using third-party keys, you do not need to exchange the
public keys used for platform or channel mutual authentication. At
channel startup, the security exits automatically embed (as available)
the full chain of certificates with each security exchange message.
However, you must have imported a common certificate, such as a
ValiCert root certificate, into each node’s trusted certificate database
for this operation to be successful.
PathWAI Secure supports four methods of distributing public keys:
n via an LDAP repository
n in flat file
n via an WebSphere MQ queue manager
n embedded in a message
In addition, PathWAI Secure allows you to
n export public/private key pairs and supporting certificates in a
password-encoded PKCS#12 file
n export stand-alone (“verification”) certificates in a signed PKCS#7 file
Note: PathWAI Secure does not allow you to export revoked users to the
LDAP repository. It also does not allow you to export users to the
LDAP repository which you have previously imported from the
repository.
On OS/390 , specify the fully qualified name of the dataset, without quotes.
You do not need to preallocate the dataset. If you specify a partitioned
dataset, the member name is required. For example:
CANDLE.MQSECURE.EXPORTS(MEMBER)
On Windows and UNIX , to specify a directory other than the current directory,
specify the full path name in the command. For example:
c:\mqs_adm -e -f \candle\mqsecure\export_users
\mqs_adm -e -f /home/mqsecure/export_users
Public keys exported to a flat file must be manually imported into the user key
database on each target system (see “Importing public keys” on page 124).
When triggering conditions are fulfilled, the trigger monitor invokes the
program, which updates the user key database by processing all messages in
the SYSTEM.MQSECURE.COMMANDS queue.
Note: The WebSphere MQ administrator should ensure that the
SYSTEM.MQSECURE.COMMANDS queue is sufficiently secured.
This is especially important in client/server configurations, where each
PathWAI Secure client can be an PathWAI Secure administrator. Refer
to WebSphere MQ administration documentation, as needed.
To export keys using a queue manager:
Specify q-mgr (queue manager name) and q-name (queue name) using these
guidelines:
– The queue manager name parameter can be either the remote queue
manager (the target system) or a local queue manager.
– If you specify a remote queue manager, you do not need to specify a
queue name, as this defaults to SYSTEM.MQSECURE.COMMANDS.
The message is put to a local default queue manager. This means that
there must be a transmit queue with the same name as the remote
queue manager and the sending channel of the local default queue
manager must use the transmit queue.
files are automatically exported to the repository and copied into local
databases as they are required.
However, if for some reason you cannot distribute certificates through a
shared central repository—as may be the case in many business-to-business
situations—administrators can export selected certificates in a signed
PKCS#7 format message.
Note: The signer of a PKCS#7 message must be using a third-party private
key/public key pair verified through a certificate or certificates.
To export certificates to a PKCS#7 file:
Windows and UNIX Local administrators are presented with a list of all PathWAI
Secure users (that is, those holding third-party public and private keys) and
must provide the user ID of the certificate holder and the name of the
PKCS#7 file to which the certificate should be exported. The Global
Administrator is presented with a list of all certificates stored in both trusted
and nontrusted databases, including stand-alone, or verification, certificates,
not just the certificates for PathWAI Secure users.
OS/390Local and Global administrators must know in advance the user IDs
they wish to export.
In addition to specifying the user ID and PKCS#7 file name, the Global
Administrator can also specify that the certificate be exported with a Trusted
flag. Local administrators cannot export stand-alone certificates nor export
certificates as trusted.
Typically, this command is used to export certificates needed to establish the
verification chain for message-embedded public keys.
In the case of a PDS dataset, if you do not allocate a member name, the
member name will be allocated dynamically. PDSs are particularly handy
because you allocate the dataset only once and can then target different
member names to contain keys from different platforms if you want.
Note: If you have already imported remote administrators’ public keys to this
system, the dataset has already been allocated.
OS/390 KMFADM Main Menu > Manage Users > Import User
On OS/390 , the name of the dataset from which the keys are being imported
must be fully qualified, without quotes. If a PDS is specified, the member
name is required.
On Windows and UNIX , to specify a directory other than the current directory,
you must specify the fully qualified name of the file from which the key is to
be imported into the database. For example:
mqs_adm -i C:\mqsecure\export\export_keys
mqs_adm -i /home/mqsecure/export_keys
Importing certificates
If certificates are stored in a central LDAP repository, they are automatically
imported to local nodes as needed to verify signatures. However, if your site
uses PKCS#7 files to distribute certificates, they must be imported onto local
nodes manually.
To import a signed PKCS#7 file:
Revoking Keys
Overview
Third-party keys are revoked by the certifying authority that issued them, by
publishing the serial number of the public key certificate in a revocation list
(CRL). Key holders are reinstated when the serial number no longer appears
in the CRL.
PathWAI Secure-generated keys are revoked by the administrator of the node
on which they were issued, using the administrative utility. Revoking users’
keys invalidates the associated PathWAI Secure user ID and password.
This section discusses how PathWAI Secure-generated keys are revoked.
local databases are refreshed (see “Refreshing the user key database” on page
132).
If you are not using an LDAP repository, you must export the invalidated keys
to all nodes with which the keys have been previously exchanged, via a flat
file or a queue manager (see “Distributing Public Keys and Certificates” on
page 117). Until then, the previous public keys are still valid on the target
systems.
To revoke a local user:
OS/390 KMFADM Main Menu > Manage Users > Revoke Users
Windows and UNIX mqs_adm -d, mqs_admc -d
attempt to import the user’s public key into the local machine (for example, to
use to encrypt a message), PathWAI Secure recognizes that a revoked local
user is being reinstated using a foreign public key and the import fails.
However, there are circumstances where you may want to do exactly that. For
example, you may move an application from one machine to another and
want to reinstate its user ID on the local database. In this case, you can force
the deletion of the user record.
To force deletion of a user ID:
OS/390 KMFADM Main Menu > Manage Users > Delete Users
Windows and UNIX mqs_adm -d -t, mqs_admc -d -t
Note: This command may be used to delete users holding only PathWAI
Secure-generated keys.
Overview
The local user key database is created (or initialized) as part of the process of
registering the administrator.The administrator’s user ID, password, and
public/private key pair is the first information to be stored in it.
In addition, each local database maintains information about the user IDs and
associated key pairs for its own users. It also stores the public keys for all users
(“foreign” users) with which its host communicates.
The user key database is stored on disk, in encrypted form. Only PathWAI
Secure can communicate with the user key database manager.
Windows and UNIX Copy mqss.usr and any *.cdx, *.dbf, and *.fpt files to
back-up files
Use the IDCAMS utility program to perform a REPRO
OS/390
function and create a back-up dataset of
&hilevdsn.USERS, where &hilevdsn is the highest-level
qualifier for PathWAI Secure datasets.
Note: You can use samples USRREPRO and
USRRESTO, located in dataset &hilevdsn.TMFSAMP, to
assist you in the backup/restore process.
OS/390 KMFADM Main Menu > Manage User Key Database >
Re-encrypt user key database
Windows and UNIX mqs_adm -k, mqs_admc -k
Note: On OS/390, LSR must be turned off before you can re-encrypt the
database.
Using the create/specify command when a database already exists causes the
database to be deleted and a new database initialized.
Resetting the user key database removes all user IDs from the user key
dataset. You might want to use this function, for example, when moving from
a test environment to a production environment to ensure that no previous
IDs or keys are left behind, or to clean up a database which contains many
revoked IDs.
If you have previously exported keys to an LDAP repository, you will not be
able to reset the local user key database unless you have a viable connection
to the LDAP repository at the time you issue the reset command.
Candle recommends that you make a backup of the user key database before
you invoke this command.
You must enter the LDAP user ID prefixed by cn=. For example:
LDAP Update User ID: cn=manager
4 Repository
Overview
This chapter provides information on managing the Candle-provided LDAP
repository. It documents how to:
n start and stop the LDAP server
n change the port number, user ID and password used to access the
repository
n backup the repository
n delete the repository
If you are using an LDAP repository provided by another vendor, please
consult the product documentation for this information.
Chapter Contents
Using an LDAP Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Managing the LDAP Repository on Windows NT . . . . . . . . . . . . . . . . . . 137
Starting or stopping the LDAP server . . . . . . . . . . . . . . . . . . . . . . . . 137
Resetting the LDAP respository port, user ID, and password. . . . . . . 137
Backing up the LDAP repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Managing the LDAP Repository on UNIX . . . . . . . . . . . . . . . . . . . . . 141
Managing the LDAP Repository on UNIX. . . . . . . . . . . . . . . . . . . . . . . . 141
Starting or stopping the LDAP server . . . . . . . . . . . . . . . . . . . . . . . . 141
Resetting the LDAP repository port, ID, and password . . . . . . . . . . . 141
Backing up the LDAP repository. . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Deleting the LDAP repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Important: If you change the user ID and password required to access the
LDAP repository, you must reset it on every instance of PathWAI
Secure that exports keys to the repository. See “Resetting the LDAP
user ID and password” on page 133 for instructions.
To reset the port, ID, or password:
1. Access the configuration utility:
Start > Programs > PathWAI Secure for WebSphere MQ >
PathWAI Secure for WebSphere MQ Configuration Tool
2. Click the LDAP Utilities tab.
3. Click the Unconfigure Local LDAP Service radio button, then click
Apply.
When the LDAP server has been unconfigured, a message appears. Click OK
to dismiss the message.
4. Select the Configure Stand-Alone LDAP tab. If necessary:
– In the Port Number field, specify the new port number.
– In the LDAP User ID field, specify a new user ID.
– In the LDAP Password field, specify the new password.
5. Click Apply to configure the repository with the new ID or password.
A message appears to inform you when the LDAP repository has been
updated. Click Yes to view the configuration file; click No to dismiss the
dialog.
The LDAP server is restarted once the repository is configured.
The configuration tool provides a default location and name for the backup
file. You can:
– accept the default
– type in the fully specified name for the backup file
– use the browse button to navigate to the directory where you want to put
the backup file
3. Click Apply to execute the backup operation.
You will see a message informing you when the backup has been completed
successfully. Click OK to dismiss the message.
GUI mode
To reset the LDAP port, user ID, or password in GUI mode:
1. Access the PathWAI Secure Configuration tool by entering the following
command on the command line:
MQConfig
The configuration tool appears.
2. Select the LDAP Utilities tab.
3. Click the Unconfigure Local LDAP Service radio button, then click
Apply.
When the LDAP server has been unconfigured, a message appears. Click OK
to dismiss the message.
4. Select the Configure Stand-Alone LDAP tab. As necessary:
– In the Port Number field, specify the new port number
– In the LDAP User ID field, specify a new user ID if you wish to change it.
– In the LDAP Password field, specify the new password.
5. Click Apply to configure the repository with the new ID or password.
A message appears to inform you when the LDAP repository has been
updated. Click Yes to view the configuration file; click No to dismiss the
dialog.
The LDAP server is restarted once the repository is configured.
Text mode
To reset the ID and password in text mode:
1. Access the configuration utility by entering the following command from the
command line:
MQConfig -l
After the runtime settings and the CLASSPATH are displayed, the message
Starting PathWAI Secure Command Line Configuration...
appears, followed by a series of prompts.
2. Accept the defaults for all prompts by pressing Enter until the following
prompt is displayed:
Port Number(Default is : current_port):
– To change the port number, enter the new port number at the prompt.
– To keep the current default, press Enter.
3. The following prompt appears:
GUI mode
To back up the LDAP repository manually:
1. Access the PathWAI Secure Configuration tool:
MQConfig
2. Select the LDAP Utilities tab.
3. Click the Backup Local Database radio button.
The configuration tool provides a default location and name for the backup
file. You can:
– accept the default
– type in the fully specified name for the backup file
– use the browse button to navigate to the directory where you want to put
the backup file
4. Click Apply to execute the backup operation.
You will see a message informing you when the backup has been completed
successfully. Click OK to dismiss the message.
Manual mode
To back up the LDAP database manually:
ä Export the existing database to LDIF format in an export file:
ldapsearch -b "" -h ldap_addr -p ldap_port "cn=*" >
exportfilename
where:
ldapaddr is the host name or IP address of the LDAP host
ldapport is the port number of the LDAP server
exportfilename is the name you want to give to the backup database
GUI mode
To delete the LDAP repository in GUI mode:
1. Access the PathWAI Secure Configuration tool:
MQConfig
2. Select the LDAP Utilities tab.
3. Click the Delete Local Database radio button, then click Apply.
The repository and all associated files are deleted and the LDAP server is
stopped and unconfigured.
Manual deletion
To delete the LDAP repository manually:
1. Stop the LDAP server
ldapstop -h ldap_addr -p ldap_port -D cn=user_ID -w
password
where:
ldapaddr is the host name or IP address of the LDAP host
ldapport is the port number of the LDAP server
user_ID is the user ID required to administer the LDAP repository
password is the password for the administrative user ID
Overview
This chapter provides instructions for invoking PathWAI Secure’s security
services on a node-to-node or channel-specific basis in a WebSphere MQ
network using channel exits. For information on implementing security on an
application-by-application basis using PathWAI Secure’s APIs, please refer to
the PathWAI Secure for WebSphere MQ Programmer’s Guide.
Chapter contents
Securing Messages Using PathWAI Secure Channel Exits . . . . . . . . . . . . 148
Setting Channel Exit Definition Parameters. . . . . . . . . . . . . . . . . . . . . . . 151
Securing Autodefined Cluster Sender Channels . . . . . . . . . . . . . . . . . . . 155
Overview
PathWAI Secure channel exit programs provide authentication and encryption
of messages traveling over an WebSphere MQ network on a node-to-node or
channel-specific basis. Channel exits can also be used to verify the identity of
communicating nodes (platform mutual authentication) or individual channel
users (channel mutual authentication) before channels are activated.
To invoke PathWAI Secure security services at the channel exit level, an
WebSphere MQ administrator sets channel exit definition parameters which
specify:
n where to locate the appropriate PathWAI Secure channel exit program
n what type of security PathWAI Secure should apply
The WebSphere MQ channel definition parameters specified vary according
to channel type and the security required, as summarized in Table 5 on page
149.
Platform mutual authentication uses the public and private keys of the
administrator IDs associated with the sending and receiving queue managers
to authenticate the platform connection. Before you begin configuring the
channels, the administrator ID public keys involved must have been
exchanged (see ““Managing the Local User Key Databases” on page 131 and
the PathWAI Secure for WebSphere MQ Installation Guide).
Channel mutual authentication uses the public and private keys of the
channel authentication IDs associated with the sending and receiving ends of
the channel to authenticate the channel connection. Before you begin
configuring the channels, the channel authentication ID public keys involved
must have been exchanged. (see “Distributing Public Keys and Certificates”
on page 117 and the PathWAI Secure for WebSphere MQ Installation Guide).
Channel mutual authentication for cluster channels uses the public and
private keys of the cluster authentication IDs associated with the sending and
receiving ends of the channel to authenticate the channel connection. Before
you begin configuring the channels, the cluster authentication ID public keys
involved must have been exchanged. (see “Distributing Public Keys and
Encrypt &
Authenticate Authenticate Encrypt Authenticate
Channel Type Connection Message Message Message*
CHLTYPE(SDR) SCYEXIT MSGEXIT SCYEXIT SCYEXIT
MSGDATA(A) MSGEXIT MSGEXIT
MSGDATA(E) MSGDATA(EA)
CHLTYPE(RCVR) SCYEXIT MSGEXIT SCYEXIT SCYEXIT
MSGDATA(A) MSGEXIT MSGEXIT
MSGDATA(E) MSGDATA(EA)
Encrypt &
Authenticate Authenticate Encrypt Authenticate
Channel Type Connection Message Message Message*
CHLTYPE(RQSTR) SCYEXIT MSGEXIT SCYEXIT SCYEXIT
MSGDATA(A) MSGEXIT MSGEXIT
MSGDATA(E) MSGDATA(EA)
CHLTYPE(SVR) SCYEXIT MSGEXIT SCYEXIT SCYEXIT
MSGDATA(A) MSGEXIT MSGEXIT
MSGDATA(E) MSGDATA(EA)
*Note: The order of the signing/authentication (A) and encryption/decryption (E) operations is
determined by the order in which they are specified: EA encrypt then sign, AE sign then encrypt.
Logging failures
Any failures of an authentication or encryption operation in the channel exits
result in the message being diverted to the PathWAI Secure problems queue,
SYSTEM.MQSECURE.PROBLEMS. A message is logged to the channel exit
log explaining the diversion and to where, along with an error message
specifying why the operation failed.
Exit chaining
WebSphere MQ for OS/390 does not support chained exits.
If you are already using the MSGEXIT, the only way to specify PathWAI
Secure channel exits is by writing an exit in-house that issues an OS/390
LOAD of the PathWAI Secure load module specific to the functionality
required (MQSSEXIT for message exit, for example). The PathWAI Secure exit
can then be driven through the standard C function prototype applicable to
WebSphere MQ channel exits. The prototype is found in the WebSphere MQ
Intercommunication manual.
RCVEXIT(‘MQS_EXIT(Rec_Exit)’)
SENDEXIT(‘MQS_EXIT(Send_Exit)’)
UNIX
For channel type CLNTCONN:
SCYEXIT(’&mqsdirunx/lib/mqsexitc(Sec_Exit)’) (for platform mutual
authentication)
SCYEXIT(’&mqsdirunx/lib/mqsexitc(Chl_Exit)’) (for channel mutual
authentication)
RCVEXIT(’&mqsdirunx/lib/mqsexitc(Rec_Exit)’)
SENDEXIT(’&mqsdirunx/lib/mqsexitc(Send_Exit)’)
For channel types CLUSSDR/CLUSRCVR:
SCYEXIT(’&mqsdirunx/lib/mqs_exit(Sec_Exit)’) (for platform mutual
authentication)
SCYEXIT(’&mqsdirunx/lib/mqs_exit(Clu_Exit)’) (for channel mutual
authentication for cluster channels)
MSGEXIT(’&mqsdirunx/lib/mqs_exit(MQS_Exit)’)
RCVEXIT(’&mqsdirunx/lib/mqs_exit(Rec_Exit)’)
SENDEXIT(’&mqsdirunx/lib/mqs_exit(Send_Exit)’)
where &mqsdirunx is the directory where you installed PathWAI Secure.
For all other channel types:
SCYEXIT(’&mqsdirunx/lib/mqs_exit(Sec_Exit)’) (for platform mutual
authentication)
SCYEXIT(’&mqsdirunx/lib/mqs_exit(Chl_Exit)’) (for channel mutual
authentication)
MSGEXIT(’&mqsdirunx/lib/mqs_exit(MQS_Exit)’)
RCVEXIT(’&mqsdirunx/lib/mqs_exit(Rec_Exit)’)
SENDEXIT(’&mqsdirunx/lib/mqs_exit(Send_Exit)’)
where &mqsdirunx is the directory where you installed PathWAI Secure.
These parameters are case-sensitive.
If you
specify A sender A receiver
A signs authenticates
E encrypts decrypts
AE signs then encrypts decrypts then authenticates
EA encrypts then signs authenticates then decrypts
The exit program determines whether the message channel agent (MCA) is
receiving or sending in order to decide what security function needs to be
implemented. For example, if A (signing/authentication) is specified for the
value of the MSGDATA parameter of a sending MCA, the program
determines that the channel is sending and signs the messages. If the channel
is receiving, the program authenticates the message.
The receiver must be configured to invoke the same services as the sender
and the parameters must be specified in the same order on both ends of the
channel.
To specify Use
connection authentication SCYEXIT
To specify Use
message encryption SCYEXIT, MSGEXIT, and MSGDATA(E), or
SCYEXIT, SENDEXIT/RCVEXIT, and
SENDDATA(E)/RCVDATA(E)
message encryption then SCYEXIT, MSGEXIT, and MSGDATA(AE), or
signing SCYEXIT, SENDEXIT/RCVEXIT, and
SENDDATA(AE)/RCVDATA(AE)
Example
The following example provides instructions for configuring a sender channel,
HQAIX1.TO.REMNT5, so that whenever it is presented with a message to
send to REMNT5, it signs the message before sending it. The receiver end of
the channel must be configured in the same way.
1. Start the queue manager:
strmqm HQAIX1
2. Start the command processor for the queue manager:
runmqsc HQAIX1
3. Configure the channel as follows:
A. Use the MSGEXIT parameter to tell the channel where to find the
PathWAI Secure channel exit program.
B. Use the MSGDATA parameter to tell the channel exit program to sign all
messages before sending them.
alter channel(HQAIX1.TO.REMNT5) CHLTYPE(SDR) MSGDATA(A)
MSGEXIT(’/users/mfhqaix1/mqsecure/mqs_exit(MQS_Exit)’)
4. Shut down the command processor for the queue manager:
end
Overview
Special considerations apply when you are securing messages through
channels in an WebSphere MQ cluster using cluster receiver/cluster sender
channel pairs and the cluster sender side of the channel is autodefined.
In this situation, the local queue manager obtains the definition of the cluster
receiver channel from the Cluster Repository and uses it as a template for the
cluster sender definition. The cluster receiver definition channel exit
definitions are used as a basis for the cluster sender channel exit
specifications.
However, the cluster receiver channel exit specifications may be inappropriate
for the platform where the cluster sender is being defined because of the
platform-specific naming convention applicable to the exits. This situation
obtains when a mixture of OS/390 and non-OS/390 (UNIX or Windows)
queue managers are members of a cluster.
For example, if an OS/390 cluster receiver channel definition is used to
autodefine a cluster sender channel on UNIX, the 1–8 character load module
name of the OS/390 channel exit is used as the corresponding exit name in
the cluster sender definition. Since this name format is invalid on UNIX (and
Windows), the OS/390 exit name must be converted to its equivalent,
acceptable name on the target platform.
PathWAI Secure provides a channel autodefine exit (CHADEXIT) that can be
specified as part of the queue manager definition.
Using CHADEXIT, channel exit names are converted as shown in Table 6.
Appendixes 159
160 PathWAI Secure for WebSphere MQ Administrator’s Guide, Version 300
A CASP Secure Connector
Overview
This appendix introduces Candle Application Services Pac Secure Connector
and provides instructions for its use. It also presents three scenarios which
illustrate how you can implement CASP Secure Connector.
Note: The functionality of CandleNet eBP is now available in the Candle
Application Services Pac (CASP) toolkit. CASP uses CASP Secure
Connector in the same manner as CandleNet eBP. Throughout this
appendix, any references to CASP are also applicable to CandleNet
eBP.
Appendix contents
About CASP Secure Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Using MQSecure Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Configuring MQSecure Connection Using Secure Side Files . . . . . . . . . . 170
Configuring MQSecure Connection Programmatically . . . . . . . . . . . . . . 173
Usage Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Modes of operation
CASP Secure Connector can operate in either of two modes: unattended or
interactive.
Unattended mode allows for operation in which an application is autostarted
and obtains its security credentials without interaction with a user. In
unattended mode, an application obtains the password associated with the
PathWAI Secure user ID from a secure side file, which is generated using a
command line utility provided by Secure Connector. Values for encryption
operations can also be specified in the secure side file.
Clnt01.ssf BS01.ssf
BE01.ssf
password password
LDAP
eBP
Client Clnt01
Business Service Svc01
Component BC01
Element BE01
PathWAI PathWAI
Secure PathWAI Secure
Secure
User Key Public key Clnt01 User Key
Database Public key BE01 Database
Message signed with private key Clnt 01 Message authenticated with public key
and encrypted with public key BE01 Clnt01 and decrypted with private key
Message authenticated with public key BE01 Message signed with private key BE01
and decrypted with private key Clnt01. and encrypted with public key Clnt01.
FIGURE 11. Business Flow Using Put Only and Get Only Security
Server 1 kmlxcilsg
Security applied only
on get operations
Server 3
Client
Server 4
kmlxcils
Security applied kmlxcilsp
on both put and Security applied only
get operations Server 4 on put operations
Default operation
To facilitate ease of operation, CASP Secure Connector uses the following
defaults:
n Messages are both signed and encrypted.
n The sender PathWAI Secure user ID defaults to the name of the CASP
business element (for server applications) or the CASP client (for client
applications).
n The destination PathWAI Secure user ID defaults to the name of the client
or business element the message will be delivered to in the next message
hop.
n The password associated with an PathWAI Secure user ID is retrieved
from a secure side file.
n Symmetric keys are reused 1000 times or for 5 minutes, whichever comes
first.
n The default ILS (kmlxcils) performs security operations when receiving
and sending CASP messages. Specialized ILSs are available for
performing send only (kmlxcilsp) and receive only (kmlxcilsg)
security to facilitate the cases where a complex business flow is only
vulnerable to attack on parts of the flow.
You can override the default settings by specifying override values in a side
file or by passing them programmatically in an CASP application.
Note: Messages secured using CASP Secure Connector can only be signed
and encrypted, in that order. They cannot be encrypted and then
signed.
Run-time paths
A CASP application which uses CASP Secure Connector must have both the
CASP directories and the PathWAI Secure bin and dll (Windows) or lib
(UNIX) directories set in its execution and library runtime paths.
LDAP repository
Candle recommends that if you decide to use an LDAP repository for public
user key distribution, you use the same LDAP repository used by CASP. That
way, the applications are dependent upon a single external service.
To enable PathWAI Secure to use the same repository as CASP, the PathWAI
Secure schema must be imported into the CASP LDAP repository. This is
achieved during PathWAI Secure installation by specifying the LDAP server
host and port of the existing CASP LDAP server. Alternatively, if you have an
existing PathWAI Secure installation, you can use the PathWAI Secure
Configuration Tool’s Seed LDAP tab to specify the appropriate host and port
details.
For more information on using the CASP LDAP repository, see your site
CASP administrator, the PathWAI Secure Installation Guide, and the Roma
BSP™ Directory Services User’s Guide (Version 3.0) or the CandleNet eBP
Administrator™ Directory Services User’s Guide (Version 3.1).
For more information on managing key distribution using an LDAP
repository, see “Exporting keys to an LDAP repository” on page 118 and
“Managing the Candle LDAP Repository” on page 135.
MQSecure passwords
MQSecure passwords are required to access the private keys used to sign
(sender) and decrypt (receiver) messages. Passwords are specified at the time
new MQSecure user IDs are created.
In order to let applications run unattended, by default, MQSecure Connection
supplies MQSecure passwords to eBP applications through secure side files.
However, they may also be passed programmatically via any method
implemented by an application programmer, using the structure
KXCMQSECINFO (see “Configuring MQSecure Connection
Programmatically” on page 173).
For information on creating, storing, and securing secure side files, see
“Configuring MQSecure Connection Using Secure Side Files” on page 170.
kmlxcilsg Apply security only on get operations and put clear text message on
put.
kmlxcilsp Apply security only on put operations and perform no security
checks on get operations.
Overview
By default, MQSecure Connection obtains the passwords associated with
MQSecure user IDs from a secure side file. This allows applications to apply
security transparently, without need for operator intervention, and enables
applications which have already been written and compiled to use the security
facilities without any modification.
These files may also be used to override all other default settings. They may
contain sender and destination user IDs which can be used to override the
default sender and destination user IDs. This allows multiple clients and
servers to use the same MQSecure IDs and passwords. In addition, these files
can also be used to configure MQSecure Connection to
n accept unencrypted messages
n encrypt only specified ranges of message text, via tags or offset
n specify symmetric key reuse
Candle provides a command-line utility to produce the secure side files.
Passwords may also be obtained by any method determined by an
application developer, and all settings except symmetric key reuse may be
overriden programmatically (see “Configuring MQSecure Connection
Programmatically” on page 173).
-f Specifies the name that should be given to the secure side file.
Files are named for the business element or client, or the default
file kmlxcuid. The utility adds the fixed extension.ssf.
-p Specifies the password associated with the MQSecure user ID
-u (optional) Indicates the MQSecure user ID associated with the eBP
server or client sending the message. Default is the same as the
name of the eBP business element or client record.
-d (optional) Specifies the override user ID of the client or business
element the message will be delivered to in the next message hop
-r (optional) Indicates use of range encryption using the specified left
and right delimiters to mark the portion the message that is
encrypted.
Note: If the string used as a delimiter includes control characters
in the operating system command syntax, you must quote them in
the manner prescribed in the reference manual for the operating
system.
-o (optional) Indicates use offset-based range encryption using the
specified offset and length of the text to be encrypted.
Note: For messages encrypted using secure side files, only a
single offset/length range may be specified. If you want to specify
multiple ranges, you must configure PathWAI Secure operations
programmatically.
-a (optional) Allows unencrypted messages to be received
-s (optional) Only sign all outgoing messages
-e (optional) Only encrypt all outgoing messages
-c (optional) Indicates number of symmetric key reuses and time to
expiration (in seconds). If no value is set, the number of reuses is
1000 and the maximum interval is 300 seconds.
For example:
kmlxcssf -u bankClnt01 -p SecretClPwd -f bankClnt01
Overview
To set the values for MQSecure Connection operations programmatically, you
must reference the CandleNet eBP MQSecure Connection header file
kmlxcils.h in your eBP client or server applications and create an
MQSecure Connection data structure, KXCMQSECINFO.
You pass the data structure to PathWAI Secure Connection via an eBP data
buffer, KXCILSOPT, using the C function kxcSetILSDdata or other
language equivalents. You address this buffer at PathWAI Secure Connection
via the “type” and “method” defines.
For more information, refer to the CandleNet™ eBP Programmer’s Guide for
Procedural Languages or the CandleNet™ eBP Programmer’s Guide for
Object-Oriented Languages, as appropriate.
kmlxcils.h
The header file kmlxcils.h is located in mqsecure\samp (Windows) or
mqsecure/samp (UNIX), where mqsecure is the directory where
MQSecure is installed.
KXCMQSRANGE—Range structure
This structure is optionally provided in a array to define a number of ranges of
a message that should selectively be encrypted. For example, when XML
messages are processed, only the value of certain XML fields will want to be
encrypted.
The address of the array of KXCMQSRANGE structures is stored in the
KXCMQSECINFO field pRange and the number of range elements is stored
in NumRanges when the Security field includes the setting
KXCMQSECTYPE_OFFSET_ENCRYPT.
/****** ***** ***** ***** ***** **** ***** ***** ***** ***** ***** ***/
/* Bui ld th e dat a str uctur e th at pa sses infor matio n fro m */
/* the appl icati on to the MQSe cure ILS. */
/***** ***** ***** ***** ***** **** ***** ***** ***** ***** ***** ****/
KXCMQSE CINFO MyMq sOpts = { KX CMQSE CINFO _DEFA ULT } ;
Usage Scenarios
Overview
The following scenarios are based on an hypothetical CandleNet eBP banking
solution. The solution consists of a number of eBP client applications that
receive authenticated and validated requests from a Web application. These
clients then issue requests to a number of eBP server applications, which
perform business functions such as “check balance” and “transfer funds”.
The bank needs to ensure authentication of the requests received by the
server applications as well as ensuring the privacy of the requests and
responses. MQSecure offers this security at minimal cost and with no impact
to the ongoing application development.
Transparent Solution
This solution requires no application modification or development. It allows
for unattended operation: an application is autostarted via CandleNet eBP
application management facilities and obtains its security credentials without
any user interaction.
In this implementation, an MQSecure user ID is created for each eBP client
and business element that is exchanging messages in the secure service.
The following steps outline the setup and operation of this solution.
1. Install CandleNet eBP on each node on which eBP applications will be
hosted, configuring them to use an LDAP server, for example HS010.
2. Create eBP client applications and client records “bankClnt01” and
“bankClnt02”, each of which has full MQSecure Connection security
(kmlxcils) enabled as an inline service.
3. Create eBP server application and business element records “bankSrv01”
and “bankSrv02”, each of which has full MQSecure Connection security
(kmlxcils) enabled as an inline service.
4. These business elements are configured in the eBP Directory
Administrator under the business service “doTransSvc”.
Locate the side files in the directories in which the eBP clients and server
applications are run, or in the default CANDLE_ROMA_HOME\ssf (Windows)
or CANDLE_ROMA_HOME/ssf (UNIX) directory on the respective hosts.
Now when either of the clients sends a message it is signed with the client’s
private key (obtained by accessing the associated password from the side file
whose name matches that of the client) and encrypted using the public key of
the target server. When the server receives the message, it is decrypted using
the server’s private key (obtained by accessing the password in the associated
side file) and authenticated using the client’s public key.
When the server sends a response to the client, it is signed using the server’s
private key and encrypted using the public key of the target client. When the
client receives the response, it is decrypted using the client’s private key
obtained and authenticated as being sent by a trusted server.
Note that eBP client and server applications will attempt to open and retrieve
their respective MQSecure passwords from the side file named <eBP
client / business element name>.ssf when the application
initializes. However failure to open the file is not reported until the first
attempt to send or receive a message via CandleNet eBP is made. This is
because MQSecure Connection is not aware until that point if the application
is going to pass the password programmatically, as in the interactive solution.
clients and business elements must have the MQSecure Connection ILS
enabled. The user IDs for both senders and receivers are provided to
MQSecure Connection by the secure side files.
Note that in this solution all client and server applications that are using a
common MQSecure ID must reside on the same machine. This is because
MQSecure user IDs must be unique enterprise-wise: the private key associated
with an ID can only be held in one MQSecure database and that database can
only be accessed locally.
The following steps outline the setup and operation of this solution.
1. Install CandleNet eBP on each node on which eBP applicaitons will be
hosted, configuring them to use an LDAP server, for example HS010.
2. Create eBP client applications and client records “bnkClnt01” and
“bnkClnt02”, each of which has full MQSecure Connection security
(kmlxcils) enabled as an inline service.
3. Create eBP server applications and business element records “bnkSrv01”
and “bnkSrv02”, each of which has the MQSecure Connection ILS
(kmlxcils) enabled as an inline service.
4. These business elements are configured in eBP under the business service
“doBnkTransSvc”.
5. Install MQSecure and set up public key distribution to the existing eBP
LDAP repository (HS010).
6. Create MQSecure user IDs “bankClnts” on the eBP client host (HC01)
and “bankSrvs” on the eBP server host (HS01) and publish their public
keys to the central LDAP repository.
7. Create the clients’ secure side file, kmlxcuid.ssf on HC01 with:
– the password for MQSecure user ID “bankClnts”
– the MQ Secure alternative (override) sender ID, “bankClnts”
– the MQSecure alternative (override) destination ID, “bankSrvs”
For example:
kmlxcssf -u bankClnts -p SecretClPwd -f bankClnts -d
bankSrvs
Locate the side file in the directory in which the eBP clients are run or in the
default Candle home ssf directory.
point if the application will pass the password via a method other than a
secure side file.
Interactive solution
This solution requires a minimal amount of application development to
achieve MQSecure integration, but allows the banking applications to use an
interactive or other secure method of obtaining their security credentials.
The setup and operation of this scenario is identical to the transparent
solution with the exception that the MQSecure credentials are obtained from
the application code rather than the secure side files.
The following outlines the setup and operation of this solution.
1. Install eBP, if necessary.
2. Install MQSecure and set up public key distribution to the existing
CandleNet eBP LDAP server.
3. Create eBP client application and client records “bankClnt01” and
“bankClnt02”, each of which has MQSecure Connection enabled by
specifying kmfxcils on the Inline Services tab of its properties settings.
4. Create eBP server application and business element records
“bankSrv01” and “bankSrv02” under the business services “getBalSvc”
and “doTransSvc”, respectively. Each business element has MQSecure
Connection enabled by specifying kmfxcils on the Inline Services tab
of its properties settings.
5. The eBP client and server applications reference the MQSecure
Connection header file kmfxcils.h so they can create an MQSecure
Connection data structure, KXCMQSECINFO. This structure is populated
with the password associated with the user ID of the respective client or
server, obtained as determined by the application developer. This
structure also indicates whether message signing and/or encryption should
be performed.
6. The structure is passed to the MQSecure connection via an eBP data
buffer KXCILSOPT using the C function KXCSETILSDATA or other
language equivalents.
kmlxcils
Security applied on both
get and put operations Server2
getRequest() putResponse()
Server4
putResponse() Server3
Server1
getRequest()
Server5
putResponse() getRequest()
putRequest()
Client
getResponse()
No security overhead
kmlxcils kmlxcilsp on processing of internal
Security applied on both Security applied only messages on safe
get and put operations on put operations transport
Secure
Clear text
messages
B
Overview
This appendix documents the utility programs supplied with PathWAI Secure.
Appendix Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Administrative Utilities for Distributed Systems . . . . . . . . . . . . . . . . . . . . 189
Administrative Utility for OS/390 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Public Key Monitor for Distributed Systems . . . . . . . . . . . . . . . . . . . . . . 204
Public Key Monitor for OS/390 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Validation Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Database Conversion Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Utilities 187
Introduction
Introduction
Overview
PathWAI Secure supplies utilities that support key administration for both
distributed platforms and OS/390. It also provides utilities that monitor special
WebSphere MQ queues to import public keys from remote systems and
programs that can be used to validate or test your PathWAI Secure
configuration.
n mqs_adm (server), mqs_admc (client), and KMFADM (OS/390)—
Provide administrative functions such as registration and revocation of
user IDs and keys, and creation and distribution of keys.
n mqs_read and KMFREAD—Public key monitor function
n mqdirect and mqdirecc—Programs using PathWAI Secure direct APIs
that can be used to test configuration and to troubleshoot problems
n mqs_op (server), mqs_opc (client), and MQS@OP (OS/390)—
Programs using PathWAI Secure integrated APIs that can be used to test
configuration and to troubleshoot problems
Description
All of the PathWAI Secure administrative functions on UNIX and Windows
systems are conducted using mqs_adm (for servers) or mqs_admc (for
clients).
The administrative functions supported are:
n registration of user IDs and generation or importation of user
public/private key pairs, certificates, and certificate revocation lists
n distribution of keys (import and export) and certificates
n revocation of PathWAI Secure-generated and keys
n resynchronization of local and LDAP user key databases
n re-encryption of user key database
mqs_adm and mqs_admc are command line utilities. Their functions are
invoked using the parameters documented in Table 7 on page 190. You can
also enter the parameters for all the functions you want to execute at one time
from the command line without waiting for prompts. This allows system
administrators who need to perform multiple configuration tasks to collect all
the administrative commands in a single file and execute them with one
keystroke. (Refer to “Command syntax” on page 199 for the syntax for
entering commands without prompts.)
Parameters
Note: If you want mqs_adm or mqs_admc to translate imported or exported
user records to or from a special code page, you must set the
MQSECURE_CCSID environment variable to the appropriate local
code page prior to invoking mqs_adm or mqs_admc. On Windows
NT, use the set command or the System/Environment panel in the
control panel settings. On Windows, use the set command prior to
invoking mqs_adm or mqs_admc, or add the set command to
autoexec.bat. On UNIX, use setenv (C-shell) or export (Korn-Shell).
Utilities 189
Administrative Utilities for Distributed Systems
Utilities 191
Administrative Utilities for Distributed Systems
Utilities 193
Administrative Utilities for Distributed Systems
Utilities 195
Administrative Utilities for Distributed Systems
Utilities 197
Administrative Utilities for Distributed Systems
Command syntax
You can enter mqs_adm and mqs_admc parameters without waiting for the
prompts. The parameters and parameter switches shown in brackets ([ ]) are
optional. However, if one of the following parameters is specified, they must
all be specified.
For example, if you specify the system administrator ID and password on the
command line for the key generation function, you must enter all the required
parameters (user ID and password) on the command line.
mqs_adm(c) [adminID adminPwd] -a -f filename
mqs_adm(c) [adminID adminPwd] -d [userid]
mqs_adm(c) [adminID adminPwd] -d [userid] -t
mqs_adm(c) [adminID adminPwd] -e [userid] -f filename
mqs_adm(c) [adminID adminPwd] -e [userid] -c -f filename
mqs_adm(c) [adminID adminPwd] -e [userid] -m qmgr
[-q qname]
mqs_adm(c) [adminID adminPwd] -e [userid] -r
Utilities 199
Administrative Utilities for Distributed Systems
Utilities 201
Administrative Utility for OS/390
Description
KMFADM is the REXX equivalent of mqs_adm and mqs_admc on
distributed platforms. It is used to perform the following administrative
functions:
n registration of user IDs and generation or importation of user
public/private key pairs, certificates, and certificate revocation lists
n distribution (import and export) of keys and certificates
n revocation of PathWAI Secure-generated and keys
n resynchronization of local and LDAP user key databases
n re-encryption of user key database
Where is
&apfdsn. APF-authorized dataset name
&cleds. C language environment dataset
&hilevdsn. High-level dataset name
Where is
&mqauthds. WebSphere MQ authorization dataset
&mqloadds. WebSphere MQ load dataset
&mqnlsds. WebSphere MQ national language support dataset
&rexxdsn. Rexx executable PDS
&tsouid the TSO user ID
Utilities 203
Public Key Monitor for Distributed Systems
Description
The mqs_read utility acts as the processor of the
SYSTEM.MQSECURE.COMMAND queue, which receives signed messages
containing public keys sent by other systems via a queue manager (see
“Exporting keys via a queue manager” on page 120). This program is
triggered through normal MQSeries triggering on distributed systems.
When the program gets a signed message from the command queue, it inserts
(or updates) the public key into the user key database. Aside from the
mqs_adm function to import keys, this is the only program that can update
or add keys to the user key database.
Description
The KMFREAD utility is the REXX equivalent of mqs_read on the
distributed platforms. KMFREAD acts as the processor of the
SYSTEM.MQSECURE.COMMAND queue, which receives signed messages
that contain public keys sent by other systems via a queue manager. It uses
variables established using KMFADM.
Note: The MQSeries administrator should ensure that the
SYSTEM.MQSECURE.COMMANDS queue is sufficiently secured.
This is especially important in client/server configurations, where each
PathWAI Secure client can also be an PathWAI Secure administrator.
Aside from the KMFADM function to import keys, this is the only program
that can update or add keys to the user key database.
Invoking KMFREAD
This utility can be invoked from either ISPF or native TSO. After the program
gets the message from the command queue, it inserts (or updates) the public
key into the user key database. KMFREAD is located at:
’&hilevdsn.TMFEXECF(KMFREAD)’
or
’&hilevdsn.TMFEXECV(KMFREAD)’
Make the following changes before using KMFREAD:
Utilities 205
Public Key Monitor for OS/390
Validation Programs
Overview
Candle provides a set of validation programs that can be used to exercise the
direct and integrated API functions. They are intended as services aids,
typically used when working with Candle support personnel or when verifying
installation.
The mqdirect (servers) and mqdirecc (clients) programs use direct API
functions. The mqs_op (server), mqs_opc (client), or MQS@OP (on
OS/390 systems) programs use the integrated API functions.
Table 17 on page 209 shows a sample JCL for running the MQDIRECT and
MQDIRECC validation programs on OS/390.
Syntax
mqdirect {-s|e|r|g|w|x|y|z}
mqdirecc {-f filename}
[-c count]
{-q qname}
[-m qmgrname]
{-l msglen}
[-t trailers]
Parameters
Utilities 207
Validation Programs
Return codes
See “PathWAI Secure Messages and Return Codes” on page 222.
//*
//* THIS STEP EXECUTES THE MQDIRECT SAMPLE PROGRAM
//*
//MQINDIR EXEC PGM=MQDIRECT,
// PARM=(’userid password destid -w -M QMGR -q TEST.Q
-F DD:INDD’)
//STEPLIB DD DISP=SHR,DSN=MQSECURE.TMFLOAD
// DD DISP=SHR,DSN=MQSERIES.TLIB.SCSQAUTH
// DD DISP=SHR,DSN=MQSERIES.TLIB.SCSQANLE
//MQSSUSRx DD DUMMY
//SYSOUT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSPRINT DD SYSOUT=*
//SYSMDUMP DD SYSOUT=*
//INDD DD DISP=SHR,DSN=MQSECURE.MESSAGE(MED)
Where userid and password are the PathWAI Secure user ID and password of the sender, and
destid is the PathWAI Secure ID of the receiver for which the message is encrypted.
Syntax
mqs_op {-s|e|r|g}
mqs_opc {-f filename}
[-c count]
{-q qname}
[-m qmgrname]
{-l msglen}
[-t trailer]
Utilities 209
Validation Programs
Parameters
Return Codes
None.
Description
kmfconv converts a PathWAI Secure user key database from Version 210
format to Version 300 format. This is necessary because in Version 300 the
database records have become longer. You cannot use a Version 210
database with PathWAI Secure Version 300 unless it has been converted.
If you migrated to Version 300 from an earlier version, you converted your
databases when you installed PathWAI Secure on each node. However, you
may have backed up databases in Version 210 format. You must convert
these databases before you can use them.
OS/390
On OS/390, kmfconv is shipped as &hilev.TMFSAMP(KMFCONV).
To convert a database :
1. Modify the JCL according to instructions in the JCL.
2. Submit the JCL.
Utilities 211
Database Conversion Program
Note: To use the new database, ensure that its name is pointed to by the
USERS DD in MFSSRVR and specified in KMFADM. (You may want
to rename the old database prior to running the job and ensure that
the new database has the same name as the database it replaces.)
C
Overview
This appendix provides advice for troubleshooting problems frequently
encountered by PathWAI Secure users.
Appendix contents
PathWAI Secure–LDAP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
PathWAI Secure Hardware Crypto Interface . . . . . . . . . . . . . . . . . . . . . . 215
Transmission Failures in OS/390 Client Connections. . . . . . . . . . . . . . . . 219
UNIX Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Troubleshooting 213
PathWAI Secure–LDAP Connection
Initialization error 1
This error occurs when PathWAI Secure cannot read the two LDAP system
variables:
MQSECURE_LDAP_SERVER_ADDRESS
MQSECURE_LDAP_SERVER_PORT
Consult “LDAP Repository” on page 41 for platform-specific instructions on
setting these system variables.
Overview
By design, PathWAI Secure reverts to using software if it finds during
initialization that the hardware is not available, not configured correctly, or
malfunctioning. (The hardware fault detection capabilities available to the
software are limited.) If you experience a problem with PathWAI Secure that
you believe is related to hardware support, the most expedient way to
circumvent it is by disabling hardware encryption using the PathWAI Secure
configuration tool (UNIX and Windows) or removing the setting of the
environment variable MQSECURE_HARDWARE_ENABLED, or setting it to
NULL (OS/390, UNIX, and Windows). (Refer to “Hardware Encryption” on
page 45 for instructions on enabling and disabling hardware encryption.)
PathWAI Secure will then revert to using software for all cryptographic
operations.
If you are using Windows/NT/2K with a 4758 crypto co-processor installed,
configuring PathWAI Secure back to using software after having configured for
hardware may cause errors in other applications that use CCA. Check the
setting for the PATH environment variable at the system level. The directories
containing the support libraries for the 4758 must come before the PathWAI
Secure libraries. The order of these libraries on your system path depends on
the order of installation of PathWAI Secure and the 4758 support code.
Reorder the libraries so the PathWAI Secure libraries appear after the IBM
4758 libraries.
Messages
The following messages indicate problems with hardware encryption:
CCA_Install: CCA Service not available
CCPOpen: CCA load failed, Errno: 2 A file or directory in
the path name does not exist.
CCA_Install: CCA RTE library missing
Troubleshooting 215
PathWAI Secure Hardware Crypto Interface
Troubleshooting
PathWAI Secure issues these messages when the environment variable
MQSECURE_HARDWARE_ENABLED has been set to either ADAPTER1 or
S390 and initialization of the hardware device has failed. This error can occur
for any of the following reasons:
n Hardware device not installed or installation incorrect or incomplete.
– Windows and UNIX : Review the installation process for the hardware
cryptographic coprocessor and verify that all the necessary steps
completed successfully. Verify that the adapter is installed on the
platform from which you are trying to access it.
– OS/390 : Review the microcode settings from the Hardware
Management Console (HMC) to verify that the adapter has been
properly configured. You should consult with your IBM representative
for this step.
– OS/390 : OS/390 Integrated Cryptographic Service Facility (ICSF)
system procedure is not started or not properly installed. Review the
ICSF installation procedure to verify that it was successfully
completed. You may need to manually start the ICSF procedure if
your installation has not configured it to start automatically. Review
your system log to determine if a hardware problem with the crypto
coprocessor prevented ICSF from initializing. Use the ISPF interface
to ICSF to verify that the hardware is available and functioning.
– OS/390 : Verify that your RACF administrator has granted permission
to the following CCA Services required by PathWAI Secure:
– OS/390 : Both the Channel Initiator started task and the PathWAI
Secure administrator must be authorized to use these services. All the
listed services must be authorized, even if you do not anticipate using
them all.
– OS/390 : When application-to-application security is used and
hardware is enabled, all applications using the PathWAI Secure direct
and indirect APIs will use the facility. Therefore, any job or started task
which uses the APIs must:
1. Have RACF authorization to use the services listed above, and
2. Be able to LOAD PathWAI Secure load library members
KMFQC390 and KMFQM390. To facilitate the LOAD, these two
members must reside in at least one of the following:
– a load library which is allocated to the job via JOBLIB or
STEPLIB DD statements,
– the link library (defined during system generation by the
LNKLSTxx member of SYS1.PARMLIB), or
– the system's link pack area (defined during system
generation).
n A problem with the hardware device prevents PathWAI Secure from using
it
Run hardware diagnostics on the coprocessor, if available. Use the
administrative utility provided by the device's manufacturer or another
application to verify functionality.
Caution: Crypto hardware devices are designed to be tamper-resistant. If
an attempt is made to penetrate the device's secure shell, or if its batteries
Troubleshooting 217
PathWAI Secure Hardware Crypto Interface
Troubleshooting 219
UNIX Problems
UNIX Problems
D
Overview
This appendix contains PathWAI Secure messages and return codes. For
convenience, it also contains the RSA BSAFE return codes. As an PathWAI
Secure user, you may also see WebSphere MQ return codes. Please refer to
the appropriate WebSphere MQ documentation for the definitions of these
return codes.
Any failures of an authentication or encryption operation in the channel exits
result in the message being diverted to the PathWAI Secure problems queue,
SYSTEM.MQSECURE.PROBLEMS. A message is logged to the channel exit
log explaining the diversion and to where, along with an error message
specifying why the operation failed.
Errors returned as a result of the failure of authentication and encryption
operations in application-to-application operations must be handled by the
applications. The PathWAI Secure APIs return an error code that can be
converted to an actual message. The application should interpret the error
code and log the message.
Appendix Contents
PathWAI Secure Messages and Return Codes . . . . . . . . . . . . . . . . . . . . . 222
BSAFE Return Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Server Messages
0 SUCCESS
Operation was successful.
512–550 See “Crypto_C return codes” on page 236.
1025 NO_MEMORY
No memory available.
1026 VRFY_INVALID_SENDER
Sending user ID is invalid or unknown.
1027 VRFY_MSG_MODIFIED
Message has been modified.
1028 USERID_NO_MATCH
Retyped user ID different.
1029 INVALID_PASSWORD
Password is invalid and/or incorrect.
1030 OUT_BUF_SHORT
Output buffer is too short.
1031 INVALID_TRAILER
Trailer is invalid.
1032 INVALID_TR_VERSION
Invalid trailer version.
1033 TRAILER_APPL
Application trailer detected.
1034 TRAILER_NODE
Node trailer detected.
1035 NO_RANGES
No encryption ranges found.
1036 INVALID_RANGE_PTR
Encryption range array is invalid.
1037 INVALID_RANGE
Encryption range found outside message.
1038 INVALID_REQUEST
Invalid PathWAI Secure indirect API request.
1039 INVALID_CHARSET
Invalid character set.
1040 USERID_BLANK
user ID is blank.
1041 PASSWORD_BLANK
Password is blank.
1042 PASSWORD_NO_MATCH
Retyped password is different.
1043 OVERLONG_INPUT
Input buffer too long.
1044 CANCELLED
Request cancelled by user.
1045 INVALID_UPDATE_REQ
Update request not Valid.
1046 TOO_MANY_CLIENTS
Too many clients open at the same time.
1047 INVALID_CLIENT
Invalid client handle detected.
1048 INVALID_UINFO
Buffer invalid for import users.
1049 USERID_IS_REVOKED
user ID has been revoked.
1050 NO_USERS_EXPORTED
No users available for export.
1051 NO_EXPORT_ADMIN_KEY
Export of the administrator key is invalid.
1052 NO_EXPORT_FOREIGN_KEY
Export of foreign user keys is invalid.
1053 PRIVATE_KEY_OUT_OF_SYNCH
Private keys are out of synchronization.
1054 CONV_TABLES_NOTFOUND
Unable to find code page conversion tables.
1055 NO_SCYEXIT
SCYEXIT not defined.
1056 CONV_TABLES_INTERNAL_ERROR
Internal error doing code page conversion.
1057 CONV_TABLES_OPEN_FAILED
Unable to open a conversion table file.
1058 CONV_TABLES_READ_FAILED
Incorrect length read for a conversion table file.
1059 CONV_TABLES_MQSSDIR_NOTFOUND
Conversion table processing unable to find MQSSDIR.
1060 CONV_TABLES_NO_LOCAL_CCSID
Local CCSID not set.
1061 SECURITY_SEQUENCE_MISMATCH
Security exit processing sequence error.
1062 RANDOM_NUMBER_MISMATCH
Mismatch in security exit random numbers.
1063 GENERATE_RANDOM_NUMBER_BAD
Random number generation failure.
1064 BAD_SECURITY_PHASE_NUMBER
Security Message sequence number not 1–4.
1065 SECURITY_EXCHANGE_INCOMPLETE
All phases of security exchange not completed.
1066 ADMIN_ID_ALREADY_DEFINED
Administrator ID has already been defined—invalid request.
1067 OUTOFSYNC_EXITDATA
Exitdata parameters are out of sync.
1068 NULL_NUMTRAILERS
The number of trailers is not specified for PathWAI Secure
Get.
1069 INVALID_NUMTRAILERS
The number of trailers is specified incorrectly for PathWAI
Secure Get.
1070 NULL_SALT_ADDRESS
The salt pointer is null
1071 KMFPUTENV_INVALID_INPUT
Input to internal function KMFPutEnv is invalid.
1072 PUPRKEY_TOKEN_FAILED
CCA_PuPrKeyToken function failed.
1073 PUBLIC_KKEY_TOKEN_FAILED
CCA_PublicKeyToken function failed.
1074 PKA_ENCRYPT_FAILED
CCA_PKAEncrypt failed.
1075 PKA_DECRYPT_FAILED
CCA_PKADecrypt failed.
1076 CSNBOWH_FAILED
CSNBOWH one-way hash failed.
1077 CSNDDSV_FAILED
CSNDDSV digital signature verify failed.
1078 CSNDDSG_FAILED
CSNDDSG digital signture generate failed.
1079 CSNDPKI_FAILED
CSNDPKI PKA key import failed.
1080 CSNBRNG_FAILED
CSNBRNG generate random number failed.
1081 CSNDPKB_FAILED
CSNDPKB build key token failed.
1082 INVALID_INPUT_PARAMETER
Invalid input parameters.
1084 LDAP_WRITE_USER_FAILED
Write of public key to LDAP repository failed.
1085 LDAP_DELETE_USER_FAILED
Delete of public key from LDAP repository failed.
1086 USER_ID_ALREADY_DEFINED
User ID already defined to LDAP from another platform.
1087 LDAP_OPEN_FAILURE
Inactive LDAP server address and/or port specified.
1088 LDAP_UNKNOWN_ATTRIBUTE
Requested attribute not defined to LDAP.
1089 LDAP_VERIFY_FAILED
Unable to authenticate LDAP entry.
1090 CSNBCKM_FAILED
CCA function CSNBCKM failed.
1091 CSNBDEC_FAILED
CCA function CSNBDEC (decipher) failed.
1092 TDES_KEY_INVALID
Invalid TDES key.
1093 TDES_BUFFER_INVALID
Invalid TDES buffer.
1094 CSNBENC_FAILED
CCA function CSNBENC failed.
1095 CCPOPEN_BAD_CRYPTOCP
Invalid call to CCPOPEN, bad cryptoCP.
1096 CCPOPEN_ERROR_REASON
Error in CCPOpen, reason code stored.
1097 CCPOPEN_HARDWARE_NOT_SET
Hardware support not requested.
1098 DECRYPT_RESTRICTED
Decryption failed, algorithm restricted.
1099 LDAP_CONNECTION_NOT_REQUIRED
Product not configured to connect to LDAP repository.
1100 THREAD_STORAGE_NOT_ACQUIRED
Thread specific storage could not be acquired.
1101 THREAD_STORAGE_NOT_AVAILABLE
Existing thread storage could not be found.
1102/ LDAP_CONNECTION_NOT_DEFINED
LDAP environmental variable(s) not defined.
1103 CH_AUTH_REMOTE_SUFFIX_MISSING
Signed message received from ID missing channel
authentication ID suffix.
1104 CH_AUTH_REMOTE_ID_INVALID_CHL_NAME
Signed message received from ID without channel name.
1105 CH_AUTH_REMOTE_SUFFIX_INVALID
Signed message received from ID without standard suffix
1106 CH_AUTH_SUFFIX_MISMATCH
Signed message received from remote ID with suffix matching
local ID.
1107/ SEC_EXIT_UNKNOWN_EXITREASON
Unknown value encountered for ExitReason.
1108 GET_MQSDATA_PTR_FAILED
GetMQSDataPtr call failed.
1109 HARDWARE_NOT_SUPPORTED
Cryptographic hardware not supported on this platform.
1110 FILENAME_TOO_LONG
File name too long.
1111 TDES_PAD_ERROR
Triple-DES software pad byte count error
1112 SIGNING_ALGORITHM_UNKNOWN
Environment variable MQSECURE_SIGNING_ALGORITHM
setting not recognized.
1113 CLUSTER_AUTH_CHANNEL_NAME_MISMATCH
Clustering authentication user ID channel name invalid.
1114 CLUSTER_AUTH_INPUT_PARM_MISSING
Clustering authentication input parameter missing
1115 CLUSTER_AUTH_FIRST_QUALIFIER_MISSING
Clustering authentication user ID first qualifier missing
1116 CLUSTER_AUTH_FIRST_QUALIFIER_INVALID
Clustering authentication user ID first qualifier invalid
1117 CLUSTER_AUTH_CHANNEL_NAME_MISSING
Clustering authentication user ID channel name missing
1118 CLUSTER_AUTH_THIRD_QUALIFIER_MISSING
Clustering authentication user ID third qualifier missing
1119 CLUSTER_AUTH_THIRD_QUALIFIER_INVALID
Clustering authentication user ID third qualifier invalid
1120 THREAD_STORAGE_NOT_ALLOCATED
Thread-level storage has not been allocated
1121 SYMMETRIC_ALGORITHM_UNSUPPORTED
Symmetric encryption algorithm not supported.
1122 USERID_DELETE_FAILED
Deletion of user ID from database failed.
1123 JNI_GETBYTEARRAY_BAD
JNI GetByteArrayElements() returned NULL.
1124 JNI_GETSTRINGUTF_BAD
JNI GetStringUTFChars() returned NULL.
1125 JNI_NEWBYTEARRAY_BAD
JNI NewByteArray() returned NULL.
1126 JNI_NEWSTRINGUTF_BAD
NI NewStringUTF() returned NULL.
1127 CHANNEL_SECURITY_SETTING_MISMATCH
Channel definition PUTAUT(CTX) or PUTAUT(ALTMCA)
required.
1128 CHANNEL_SECURITY_SETTING_INVALID
MQSECURE_CHANNEL_SECURITY variable setting not
recognized.
1129 MCA_USER_IDENTIFIER_TOO_SHORT
PathWAI Secure User ID too long for MCA User Identifier>
1130 MQMD_USER_IDENTIFIER_TOO_SHORT
PathWAI Secure User ID too long for Message Descriptor User
Identifier.
1131 INVALID_CONTEXT
Unable to establish certificate context.
1132 AVA_NOT_FOUND
Certificate field matching the attribute–value assertion
specified for PathWAI Secure user ID not found.
1133 MQSECURE_ID_MAPPING_ATTRIBUTE_UNKNOWN
Environment.variable setting not recognized.
1134 OVERLAPPING_RANGES
Overlapping encryption ranges specified.
1135 RANGES_NOT_ASCENDING
Encryption ranges not specified in ascending order by offset.
1136 NO_BASE_CERTIFICATE
Neither PathWAI Secure ID nor Subject Name supplied.
1137 CONFLICTING_CHAIN_PARMS
Both PathWAI Secure ID and Subject Name supplied.
1138 MAPPING_RECORD_NOT_FOUND
Certificate mapping database record not found.
1139 MAPPING_INDEX_RECORD_NOT_FOUND
Certificate mapping database index record not found.
1140 CERTIFICATE_NOT_FOUND
Certificate not found in certificate database.
1141 USER_CERTIFICATE_REQUIRED
User specified that certificate is always required for message
embedding, but the certificate was unavailable.
1142 INVALID_CERT_TABLE
Invalid certificate table
1143 EMBED_CERTS_NOT_VERIFIED
Could not verify embedded certificate(s).
1144 PKCS12FILE_OPEN_PROBLEM
Problem encountered opening PKCS#12 file for input.
1145 ADMIN_NOT_CERTIFIED
Administrator must have certificate to export to PKCS#7 file.
1146 NO_DELETE_PKI_USER
CRLs must be updated/imported to revoke users imported
from third-party certificate authority.
1147 TRUST_POINT_NOT_FOUND
Certificate verification chain could not be built to requested
trust point.
1148 OCSP_NO_STATU
Internal OCSP error
1149 OCSP_CERT_REVOKED
OCSP Responder reports certificate is revoked.
1150 OCSP_CERT_NOT_REVOKED
OCSP Responder reports certificate is not revoked.
1151 OCSP_CERT_REVOCATION_UNKNOWN
OCSP Responder reports certificate status unknown.
1540 BUFFER_TOO_LONG
User key buffer too long.
1541 DUPLICATE_KEY
Duplicate keys detected.
1542 TOO_MANY_RECORDS
Too many user key database records.
1543 END_OF_FILE
End of user key database detected.
1544 DBSRV_DOWN
User key database server is down.
1545 UPDATE_NOT_CACHED
User key database cache not updated.
1546 IMPORT_ADMIN_NOT_FOUND
Import administrator not in the user key database.
1547 DB_ALREADY_CONVERTED
Input database already converted
1548 DB_EMPTY
Input database is empty
2000 MQSeries error code
0 Routine successful.
8 Unknown execution environment.
12 Queue manager name missing.
14 PathWAI Secure load library name missing.
16 PathWAI Secure load library error.
18 PathWAI Secure user key database cluster name missing.
20 PathWAI Secure user key database cluster name error.
22 User key suffix too long or not valid.
60 TSO allocate failure encountered for the user key database
cluster.
Symbolic Description
512 BE_ALGORITHM_ALREADY SET The value of the algorithm object has
already been set by a call to
B_SetAlgorithmInfo, or by an algorithm
parameter generation.
513 BE_ALGORITHM_INFO Invalid format for the algorithm
information in the algorithm object
514 BE_ALGORITHM_NOT_INITIALIZED The algorithm object has not been
initialized by a call to the Init procedure.
515 BE_ALGORITHM_NOT_SET The algorithm object has not been set by
a call to B_SetAlgorithmInfo.
516 BE_ALGORITHM_OBJ Invalid algorithm object
517 BE_ALG_OPERATION_UNKNOWN Unknown operation for an algorithm or
algorithm info type
518 BE_ALLOC Insuffucient memory
519 BE_CANCEL The operation was cancelled by the
surrender function.
520 BE_DATA Generic data error
521 BE_EXPONENT_EVEN Invalid even value for the public exponent
in key-pair generation.
522 BE_EXPONENT_LEN Invalid exponent length for public
exponent in key-pair generation
523 BE_HARDWARE Cryptographic hardware error.
524 BE_INPUT_DATA Invalid encoding format for input data
525 BE_INPUT_LEN Invalid total length for input data
526 BE_KEY_ALREADY_SET The value of the key object has already
been set by a call to B_SetKeyInfo, or by
a key generation.
Symbolic Description
527 BE_KEY_INFO Invalid format for the key information in
the key object.
528 BE_KEY_LEN Invalid key length.
529 BE_KEY_NOT_SET The key object has not been set by a call
to B_SetKeyInfo, or by a key generation.
530 BE_KEY_OBJ Invalid key object
531 BE_KEY_OPERATION_UNKNOWN Unknown operation for a key info type
532 BE_MEMORY_OBJECT Invalid internal memory object
533 BE_MODULUS_LEN Unsupported modulus length for a key or
for algorithm parameters
534 BE_NOT_INITIALIZED Algorithm is improperly initialized.
535 BE_NOT_SUPPORTED The algorithm chooser does not support
the type of key information in the key
object for the specified algorithm.
536 BE_OUTPUT_LEN The maximum size or the output buffer is
too small to receive the output.
537 BE_OVER_32K The data block exceeds 32,767 bytes.
538 BE_RANDOM_NOT_INITIALIZED The random algorithm has not been
initialized by a call to B_RandomInit.
539 BE_RANDOM_OBJ Invalid algorithm object for the random
algorithm.
540 BE_SIGNATURE The signature does not verify.
541 BE_WRONG_ALGORITHM_INFO The required algorithm information is not
in the algorithm object.
542 BE_WRONG_KEY_INFO The required key information is not in the
key object.
543 BE_INPUT_COUNT Update called an invalid number of times
for input of data.
544 BE_OUTPUT_COUNT Update called an invalid number of times
for output of data.
Symbolic Description
545 BE_METHOD_NOT_IN_CHOOSER The algorithm chooser doesn’t contain
the algorithm method for the algorithm
specified by the previous call to
B_SetAlgorithmInfo.
546 BE_KEY_WEAK The key data supplied would generate a
known weak key.
547 BE_EXPONENT_ONE. The value of the public exponent cannot
be 1
548 BE_BAD_POINTER Invalid pointer.
549 BE_BAD_PASSPHRASE Invalid password.
550 BE_AM_DOMESTIC_ONLY An attempt was made to call a function
that is not available in the export version
of Crypto-C.
551 BE_BAD_SEEDING Bad seeding was passed to an
AI_X931Random object.
Symbolic Description
Symbolic Description
Symbolic Description
Symbolic Description
Symbolic Description
Symbolic Description
Symbolic Description
Symbolic Description
E Customer Support
Introduction
Candle Corporation is committed to producing top-quality software products
and services. To assist you with making effective use of our products in your
business environment, Candle is also committed to providing easy-to-use,
responsive customer support.
Precision, speed, availability, predictability—these terms describe our
products and Customer Support services.
Included in this Guide to Candle Customer Support is information about the
following:
Base Maintenance Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
– Telephone Support
– eSupport
– Description of Severity Levels
– Service-level objectives
– Recording and monitoring calls for quality purposes
– Customer Support Escalations
– Above and Beyond
Enhanced Support Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
– Assigned Support Center Representative (ASCR)
– Maintenance Assessment Services (MAS)
– Multi-Services Manager (MSM)
Customer Support Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . 254
– Link to Worldwide Support Telephone and E-mail information
Overview
Candle offers a comprehensive Base Maintenance Plan to ensure that you
realize the greatest value possible from your Candle software investments. We
have more than 200 technicians providing support worldwide, committed to
being responsive and to providing expedient resolutions to support requests.
Technicians are available worldwide at all times during the local business day.
In the event of an after-hours or weekend emergency, our computerized call
management and forwarding system will ensure that a technician responds to
Severity One situations within one hour. For customers outside of North
America, after-hours and weekend support is provided in English language
only by Candle Customer Support technicians located in the United States.
Telephone support
Candle provides consistently reliable levels of service—thanks to our
worldwide support network of dedicated experts trained for specific products
and operating systems. You will always work with a professional who truly
understands your problem.
We use an online interactive problem management system to log and track all
customer-reported support requests. We give your support request immediate
attention by routing the issue to the appropriate technical resource, regardless
of geographic location.
Level 0 Support is where your call to Candle Customer Support is first
handled. Your support request is recorded in our problem management
system, then transferred to the appropriate Level 1 support team. We
provide Level 0 manual interaction with our customers because we
support more than 170 products. We feel our customers would prefer
personal interaction to a complex VRU or IVR selection menu.
Level 1 Support is the service provided for initial support requests. Our
Level 1 team offers problem determination assistance, problem analysis,
problem resolutions, installation assistance, and preventative and
corrective service information. They also provide product usage
assistance.
eSupport
In order to facilitate the support process, Candle also provides eSupport, an
electronic full-service information and customer support facility, via the World
Wide Web at www.candle.com/support/. eSupport allows you to open a new
service request and update existing service requests, as well as update
information in your customer profile. New and updated service requests are
queued to a support technician for immediate action. And we can respond to
your request electronically or by telephone—it is your choice.
eSupport also contains a continually expanding knowledge base that
customers can tap into at any time for self-service access to product and
maintenance information.
The Candle Web Site and eSupport can be accessed 24 hours a day, 7 days
a week by using your authorized Candle user ID and password.
Overview
Our Base Maintenance Plan provides a high level of software support in a
packaged offering. However, in addition to this plan, we have additional
fee-based support services to meet unique customer needs.
The following are some examples of our added-value support services:
n Assigned Support Center Representative Services (ASCR)
– An assigned focal point for managing support escalation needs
– Proactive notification of available software fixes
– Proactive notification of product version updates
– Weekly conference calls with your ASCR to review active problem
records
– Monthly performance reviews of Candle Customer Support service
levels
– Optional on-site visits (extra charges may apply)
n Maintenance Assessment Service (MAS)
– On-site assessment services
– Advice about product maintenance and implementation
– Training your staff to develop efficient and focused procedures to
reduce overall cost of ownership of your Candle software products
– Analysis of your Candle product environment: versions, updates,
code correction history, incident history and product configurations
– Reviews to ensure that purchased Candle products and solutions are
used effectively
n Multi-Services Manager (MSM)
Multi-Services Manager provides highly valued services to customers
requiring on-site full time expertise to complement their technical
resources.
– Dedicated on-site Candle resource (6 months or one year) at your site
to help ensure maximum use and effectiveness of your Candle
products
G
A digital envelope A ”package”
composed of a message encrypted by a
authentication The act of verifying symmetric key and the symmetric key
information such as identity, ownership, itself, encrypted using the receiver’s
or authorization. public key.
digital signature The encryption of a
message digest with a private key. Used
C for verifying the identify of the sender
certificate See digital certificate of the message.
channel exit A program that performs Data Encryption Standard (DES) A
additional processing at a defined place block cipher developed by IBM and the
in the processing carried out by the U.S. government in the 1970s as an
message channel agent (MCA). official standard.
E
D
encryption The transformation of
digital certificate See also root plain text into an apparently less
certificate, trusted certificate readable form through a mathematical
Glossary 255
process. The encrypted text may be read M
by anyone who has the key that decrypts
the ciphertext. MCA See message channel agent
H N
hash function A function that takes a node-to-node security Secures a
variable sized input and has a fixed size message as it travels across a single
output. physical channel connection from a
source machine to a target machine.
K
key In traditional cryptography, a key is O
the system or pattern used to encode or OCSP See online certificate status
decode text. In digital cryptography, a protocol
key is a variable value applied using an
algorithm to a string or block of text or online certificate status protocol
other data to encrypt or decrypt it. See (OCSP) A protocol for sending
also private key, public key, secret requests for certificate status to an online
key. server, or responder.
Glossary 257
258 PathWAI Secure for WebSphere MQAdministrator’s Guide, Version 300
Index
Symbols resetting default 54
&cleds, 202 setting
&hilevdsn 202 OS/390 56
&mqloadds 202 UNIX 55
Windows 54
&mqsauthds 202
asymmetric keys
&tsiud.ispf.ispprof dataset 202
default modulus 54, 95
.dbb 145
description of 26
specifying length (mqs_adm) 196
Numerics attribute–value assertions 60
4758 Cryptographic Coprocessor 45 authentication 24
4958 crytographic accelerator 45 of channel IDs 100
of cluster IDs 100
A PathWAI Secure-generated keys 96
activing channel autodefine exits 156 third-party keys 96
administrative utilities 92–93 autodefine exits 155–156
administrator’s keys autodefine exits (CHADEXIT),
initializing 197, 198 activating 156
administrators autodefined cluster sender channels 155
about 98 AVAs see attribute–value assertions
deleting 128
registering 110–113 B
revoking 128 backing up LDAP repository
administrators’ keys on UNIX 143
exporting to a file 190 Windows NT 138
Adobe portable document format 13 backing up user key database 131
Advanced Encryption Standard (AES) 25 BSAFE return codes 236
AES (RijnDael) algorithm 25 Business Directory Service 137
APIs
and range encryption 33 C
when to use 33, 34
CandleAgent 141
application-to-application security 33
CandleNet eBP MQSecure Connection, see
ASCR
CASP Secure Connector
assigned support center
CASP Secure Connector 162–185
representative 252
usage scenarios 179–185
assigned support center representative
certificate embedding 78
ASCR 252
asymmetric key length configuring on OS/390 83
Index 259
D
Index 261
G
G integrity, message 31
generating administrator’s keys 197, 198 ISPF PROFILE 202
Global Administrator
about 98 K
registering 104–109 key management 91–133
using PathWAI Secure-generated key option 38
keys 105 key pairs
using third-party keys 106 creating 194, 195
KMFADM
H description 202
hardware encryption invoking 202
configuring KMFADM functions
OS/390 48 Change Password 103
UNIX (GUI) 46 Export Local Public Keys 119
UNIX (text mode) 47 Export user to file 120
Windows 45 Export user to q-mgr 121
devices 45
Import users 126
hardware encryption, configuring ??–48
List Users 101 , 102
hashing algorithm
Re-encrypt user key database 132
configuring on OS/390 59
Refresh All Public Keys 132
hashing algorithms
configuring on UNIX (GUI) 57 Reset user key database 132
configuring on UNIX (text mode) 58 Revoke Users 129 , 130
configuring on Windows 57 Set/Reset LDAP Repository 133
MD5 57 kmfconv 211
SHA-1 57 KMFREAD 121, 205
description 205
invoking 205
I KMFREAD return codes 234
IBM MQSeries 206 kmlxcils 167
ID mapping kmlxcils.h 173
about 60
kmlxcilsg 168
configuring
kmlxcilsp 168
OS/390 62
UNIX (GUI) 61 KXCILSOPT 173
UNIX (text mode) 62 KXCLONG 175
Windows 61 KXCMQSECINFO 173
IDs KXCMQSRANGE 176
channel authentication 100 range structure 177
cluster authentication 100 kxcSetILSDdata 173
importing public keys 124, 195, 196 KXCULONG 173, 174, 177
initializing administrator’s keys 197, 198 KXCUSHORT 177
integrated function calls 34 kxsserv 141
integrity 24
L M
LDAP connection, configuring maintenance assessment service
OS/390 43 MAS 252
UNIX (GUI) 42 Manage Candle Services dialog 137
UNIX (text mode) 43 managing keys 91–133
Windows 41 managing the LDAP repository 135–145
LDAP repository MAS
backing up (UNIX) 143 maintenance assessment service 252
backing up (Windows NT) 138 KXCCHAR 175, 176
deleting (UNIX) 144 MD5 hashing algorithm 57
deleting (Windows NT) 139 message digest 31
managing 135–145 message encryption 32
LDAP repository host name message integrity, ensuring 31
resetting on MQSecure node (OS/390) 39 MFSSRVR 39
resetting on MQSecure UNIX node (text modulus size 54, 95
mode) 43 configuring on OS/390 56
LDAP repository password configuring on UNIX 55
resetting on host (UNIX) 141–143 configuring on Windows 54
resetting on host (Windows NT) 137 -l parameter 54
resetting on MQSecure node 133, 198 overriding default 54
LDAP repository port number modulus–exponent format 54
resetting on host (UNIX) 141–143 MQConfig 42, 46, 51, 57, 61, 64, 71, 76,
resetting on host (Windows NT) 137 81, 86
resetting on MQSecure node (OS/390) 39 MQConfig -l 52, 58, 62, 65, 72, 76, 82, 87
resetting on MQSecure UNIX node (text MQConfig -l command 43
mode) 43
mqdirecc 207
LDAP repository user ID
mqdirecc return codes 224–245
resetting on host (UNIX) 141–143
mqdirect 207
resetting on host (Windows NT) 137
mqdirect return codes 224–245
resetting on MQSecure node 133, 198
mqs_adm
LDAP server
-d 129, 130, 190
about 141
-e -f 120
starting (UNIX) 141
-e -r 119
starting (Windows NT) 137
-g 114, 194, 195
stopping (UNIX) 141
-i 126
stopping (Windows NT) 137
-k 132
LDAP user ID 133
-p 103
LE370 Load Lib 205
-s 132
list users command 101 , 102
-s -r 133
listing registered users 101, 199
-u 102
mqs_adm parameters 189
mqs_admc
Index 263
N
Index 265
S
V
verification
PathWAI Secure-generated keys 96
third party-keys 96
verification chain
Index 267
W