IBM WebSphere MQ security methods
In WebSphere MQ, there are three methods of providing security:
- The Object Authority Manager (OAM)
- User-written, or third-party, channel exits
- Channel security using Secure Sockets Layer (SSL)
The Object Authority Manager (OAM): This is automatically installed and enabled for each queue manager (QM) you create, unless you specify otherwise. All actions performed by an application connected to a queue manager are checked by a queue manager component called the OAM. Every time an application attempts any action against a WebSphere MQ object, the OAM ensures that the identity under which that application is connected to the QM has been granted the type of access it is requesting on that object. The QM interrogates the operating environment to discover the user ID associated with the application; it relies on the security features of the underlying operating system, using operating system user and group IDs.
Benefit/risk: OAM is very easy to maintain because it is default MQ functionality and ties in with the local OS security system. But this option does not directly provide the flexibility to extend authentication and authorization in our own way, and it is not fully secure: anyone who knows the credentials of a QM or OS user can easily access the queue(s).
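To make the OAM model above concrete, here is a small Python simulation (an added example, not IBM's OAM code and not part of the original article) of how authorities granted to OS groups with setmqaut-style commands resolve into an access decision for a connected user. The model assumes MQ-style generic profile names (`*` matches within one dot-separated qualifier, `**` matches across qualifiers), combines the authorities of every matching profile, and gives members of the `mqm` group full authority; the real OAM rules are platform-specific and documented by IBM, and the queue names, groups and users below are constructed sample data.

```python
"""Simplified model of WebSphere MQ OAM authority resolution.

Constructed illustration only: it mirrors the setmqaut vocabulary
(+put, -get, +all, generic profiles) but is not IBM's implementation.
"""
import re
from collections import defaultdict

# Authority names as used by setmqaut/dspmqaut (subset).
ALL_AUTHORITIES = {"connect", "put", "get", "browse", "inq", "set",
                   "dsp", "chg", "clr", "dlt"}


def profile_to_regex(profile):
    """Translate a generic profile name into a regex.

    Assumption in this model: '**' matches zero or more qualifiers,
    '*' matches any characters inside a single qualifier.
    """
    parts, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            parts.append(".*")
            i += 2
        elif profile[i] == "*":
            parts.append("[^.]*")
            i += 1
        else:
            parts.append(re.escape(profile[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


class AuthorityStore:
    """(object type, profile) -> group -> set of granted authorities."""

    def __init__(self):
        self._acl = defaultdict(lambda: defaultdict(set))

    def setmqaut(self, obj_type, profile, group, spec):
        """Apply an additive/subtractive list such as '+put +inq -get'."""
        current = self._acl[(obj_type, profile)][group]
        for token in spec.split():
            if len(token) < 2 or token[0] not in "+-":
                raise ValueError(f"bad authority token: {token!r}")
            sign, auth = token[0], token[1:].lower()
            auths = set(ALL_AUTHORITIES) if auth == "all" else {auth}
            if not auths <= ALL_AUTHORITIES:
                raise ValueError(f"unknown authority: {auth!r}")
            if sign == "+":
                current |= auths
            else:
                current -= auths

    def effective_authorities(self, groups, obj_type, name):
        """Union of authorities from all profiles matching the object name."""
        if "mqm" in groups:          # MQ administrators: everything is allowed
            return set(ALL_AUTHORITIES)
        granted = set()
        for (ptype, profile), by_group in self._acl.items():
            if ptype != obj_type or not profile_to_regex(profile).match(name):
                continue
            for group in groups:
                granted |= by_group.get(group, set())
        return granted

    def check(self, groups, obj_type, name, requested):
        """Return (allowed, missing_authorities) for the requested operations."""
        missing = set(requested) - self.effective_authorities(groups, obj_type, name)
        return (not missing, missing)


# Constructed sample data: OS group membership as the OAM would see it.
OS_GROUPS = {"appuser": {"mqapp"}, "mqadmin": {"mqm"}, "guest": {"users"}}


def build_sample_store():
    """Constructed sample: grants an application group a minimal authority set."""
    store = AuthorityStore()
    store.setmqaut("qmgr", "QM1", "mqapp", "+connect +inq")
    store.setmqaut("queue", "APP.IN", "mqapp", "+put +inq")
    store.setmqaut("queue", "APP.**", "mqapp", "+dsp")
    return store


def demo():
    store = build_sample_store()
    requests = [
        ("appuser", "qmgr", "QM1", {"connect"}),
        ("appuser", "queue", "APP.IN", {"put"}),
        ("appuser", "queue", "APP.IN", {"get"}),       # never granted
        ("appuser", "queue", "APP.OUT", {"dsp"}),      # via generic APP.**
        ("guest", "qmgr", "QM1", {"connect"}),         # no profile at all
        ("mqadmin", "queue", "SYSTEM.ADMIN.COMMAND.QUEUE", {"put", "get"}),
    ]
    results = {}
    for user, obj_type, name, wanted in requests:
        allowed, missing = store.check(OS_GROUPS[user], obj_type, name, wanted)
        results[(user, obj_type, name)] = allowed
        print(f"{user:8} {obj_type:5} {name:28} {sorted(wanted)} -> "
              f"{'allowed' if allowed else 'DENIED, missing ' + str(sorted(missing))}")
    return results


if __name__ == "__main__":
    demo()
```

The last request shows the risk the article points out: the decision depends entirely on the OS identity and group, so an account in `mqm` (or any user whose credentials leak) is trusted for everything, and nothing in the OAM itself authenticates that the connecting process really is that user.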
User-written, or third-party, channel exits: WebSphere MQ lets you use the components supplied with it or write your own components to extend or change its behaviour, for example the authorization service, MQPUT, MQGET, data-conversion exits and channel exits. Regarding the authorization service: as noted, the OAM is active by default and needs no configuration, but the authorization service interface can be used to create another component that replaces or augments the OAM. Third-party components for MQ authentication are available on the market; one of the best is http://www.capitalware.biz/mqausx_overview.html
Benefit/risk: This option provides the flexibility to change the behaviour as required, but it needs special attention because the additional component(s) must be maintained, which may be hard to manage.
Channel security using Secure Sockets Layer (SSL): The SSL protocol provides industry-standard channel security, with protection against eavesdropping, tampering and impersonation. SSL uses public-key and symmetric-key techniques to provide message privacy, integrity and mutual authentication. SSL channels provide an excellent way to protect messages as they move from one QM to another.
IBM offers 'WebSphere MQ Extended Security Edition' (http://www-306.ibm.com/software/integration/wmq/securityedition/) to solve the problems of authenticating users and authorizing their access to queues and messages. It employs a certificate-based security infrastructure that provides authentication, authorization and auditing for the WMQ network. This means messages can be digitally signed and/or encrypted for their entire lifetime inside WMQ.
Benefit/risk: This option is very flexible and enables us to secure the system in almost every way. Managing it again requires special attention, but as SSL is now an industry standard that satisfies almost all our requirements, and IBM is offering the related component, I think going with this option will be very beneficial.
