Where’s the MQ Security?

I was at Wendy’s (in Canada) for lunch today and the cashier put the following flyer on my tray:


Of course, it made me smile because I recently wrote a blog item saying that MQ people still need to implement either SSL or a security exit in WMQ v7.1.

Maybe, I should create some T-Shirts with “Where’s the MQ Security?”.

If you are looking for a security product for WMQ then please have a look at MQ Authenticate User Security Exit (MQAUSX). MQAUSX offers application (or user) authentication of UserID and Password against a native OS system, LDAP server, Microsoft’s Active Directory, Quest Authentication Services (QAS), Centrify’s DirectControl or an encrypted MQAUSX FBA file. If interested, check out MQAUSX at http://www.capitalware.biz/mqausx_overview.html

Regards,
Roger Lacroix
Capitalware Inc.

IBM i (OS/400), Linux, MQ, Unix, Windows, z/OS

LibreOffice 3.5 Released

LibreOffice has just released LibreOffice v3.5.
http://www.libreoffice.org

LibreOffice is a comprehensive, professional-quality productivity suite that you can download and install for free. There is a large base of satisfied LibreOffice users worldwide, and it’s available in more than 30 languages and for all major operating systems, including Microsoft Windows, Mac OS X and Linux (Debian, Ubuntu, Fedora, Mandriva, Suse, …).

Regards,
Roger Lacroix
Capitalware Inc.

Linux, Mac OS X, Open Source, Windows

Very Cool: PortableApps.com

I just came across PortableApps.com and was amazed by what I found. I have no idea how I have never heard of them before now!! (It has been around since 2004.)
http://portableapps.com

PortableApps.com is the world’s most popular portable software solution allowing you to take your favorite software with you. A fully open source and free platform, it works on any portable storage device (USB flash drive, iPod, memory card, portable hard drive, etc). With millions of users all over the world and a full collection of open source software as well as compatible freeware and commercial software and partners in the software and hardware industry, PortableApps.com is the most complete solution for life on the go.

Regards,
Roger Lacroix
Capitalware Inc.

Open Source, Windows

IBM announces End of Support for WebSphere MQ v6.0

IBM has announced that support for WebSphere MQ v6.0 will end on September 30th, 2012.
http://www.ibm.com/support/docview.wss?uid=swg21584325&myns=swgws&mynp=OCSSFKSJ&mync=R

If you are running WebSphere MQ v6.0 on any of the following platforms then you will need to migrate to WebSphere MQ v7.0 or later to remain in support.

  • AIX
  • HP-UX (Itanium)
  • HP-UX (PA-RISC)
  • iSeries (IBM i or OS/400)
  • Linux (POWER)
  • Linux (x86)
  • Linux (x86-64)
  • Linux (zSeries)
  • Linux (zSeries s390x)
  • Solaris (SPARC)
  • Solaris (x86-64)
  • Windows
  • z/OS

Regards,
Roger Lacroix
Capitalware Inc.

IBM i (OS/400), Linux, MQ, Unix, Windows, z/OS

Free IBM e-book: Thinking outside the data warehouse

IBM is giving away free copies of the e-book: Thinking outside the data warehouse
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=sw-infomgt&S_PKG=500018646

Thinking outside the data warehouse: How businesses increase agility, boost performance and lower TCO

Regards,
Roger Lacroix
Capitalware Inc.

General

MQAUSX LDAP on Linux x86 & Linux x64

When MQAUSX first supported LDAP authentication, Capitalware used Novell’s LDAP Libraries for C for AIX, HP-UX, Solaris, Linux x86, Linux x64 (x86 64-bit) and Windows. Several years ago, for AIX, HP-UX and Solaris platforms, we switched to the native/included client LDAP libraries that are available for each OS (Operating System).

This week, a weird bug was discovered in the native/included OpenLDAP client on Linux for zSeries. OpenLDAP has deprecated the ldap_init() function in favor of ldap_initialize(). Even though ldap_init() is still supported by OpenLDAP, the client LDAP library crashes when it is used on Linux for zSeries. Therefore, I am going to switch the LDAP call from ldap_init() to ldap_initialize() on all platforms that use OpenLDAP. (Note for anyone making the same change: ldap_initialize() takes an LDAP URI such as ldap://host:389 or ldaps://host:636 rather than a separate host name and port, and it returns an error code instead of a handle, so the return value must be checked before the handle is used.)

MQAUSX LDAP is supported on 4 Linux platforms: x86, x64, Power and zSeries. But of course there are always wrinkles: MQAUSX LDAP uses 2 different LDAP clients across those platforms.

  • Linux x86 and Linux x64 use Novell’s LDAP Libraries for C
  • Linux on Power and Linux on zSeries use the native/included OpenLDAP

So, to be consistent on all Linux distributions, MQAUSX LDAP will only use OpenLDAP in all future releases.

So, what does this mean for customers?

  1. Starting with v1.5.2.7, MQAUSX will no longer include Novell’s LDAP Libraries for Linux x86 or Linux x64
  2. If you wish to use MQAUSX LDAP (v1.5.2.7 or higher) on Linux x86 or Linux x64 then the “openldap-clients” package must be installed on your Linux server. There is a high probability that this package is already installed. A quick way to check on an RPM-based distribution is to issue the following command:
rpm -q -a | grep -i ldap

Please let me know if you have any questions or comments.

Regards,
Roger Lacroix
Capitalware Inc.

Capitalware, Linux, MQ

Mozilla Firefox 10.0 Released

Mozilla Firefox has just released Mozilla Firefox v10.0.
http://www.mozilla.com/firefox/

Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. To display web pages, Firefox uses the Gecko layout engine, which implements most current web standards in addition to several features that are intended to anticipate likely additions to the standards

Regards,
Roger Lacroix
Capitalware Inc.

Linux, Mac OS X, Open Source, Windows

MQAUSX/MQSSX versus WMQ v7.1 CHLAUTH

Last week, there was a robust/lively discussion on the MQSeries List Server regarding Derek Hornby’s question (see http://comments.gmane.org/gmane.network.mq.devel/13985):

In the MQ V7.1 base install, a channel authentication record is created which is a “block user list” for all channels, and the block is on a User List of *MQADMIN

So I created a User Map record which allows the following:

- Channel Profile: MON.CHANNEL Address: 10.123.99.99 Client User: “monitor” MCAUser: “mqm”
- so I could allow my monitor program running on a client box to have “mqm” privileges against the Queue Manager
- but it gives me a 2035 (“MQ channel blah was blocked from address blah”) unless I remove the default block user list….

I thought the specific “allow” record which switches client ID “monitor” to MCAUser “mqm” would override the “block” record, but, unfortunately, it does not. (but it really should!)

And T.Rob Watt said:

Instead, keep the default rule and add another *blocking* rule to allow administrators on your specific channel:

set chlauth(MON.CHANNEL) TYPE(BLOCKUSER) USERLIST('nobody')

The final solution as given by T.Rob Watt was to add the following channel authentication records:

SET CHLAUTH('MON.CHANNEL') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) WARN(NO) ACTION(ADD)
SET CHLAUTH('MON.CHANNEL') TYPE(ADDRESSMAP) ADDRESS('10.123.99.99') USERSRC(CHANNEL) ACTION(ADD)

And T.Rob Watt commented:

So, yes, if somebody deletes the default *MQADMIN rule or defines a rule that overrides it to allow admin access AND DOES NOTHING ELSE then I suppose you are correct “the nobody rule opens a big security hole.” But I think it’s pretty clear that the intent was NEVER to define that rule without some kind of strong authentication. If any doubt remains, I’ll temporarily switch to HTML so I can write it in 80-point red letters:

ADMIN ACCESS MUST BE STRONGLY AUTHENTICATED

Here are my thoughts: if you need to implement authentication (or some filtering mechanism via an exit) with WMQ v7.1 channel authentication records then why not just use one solution?

How can you accomplish this (answering Derek’s question) with either MQAUSX or MQSSX? Simple, just use the following IniFile keywords with MQAUSX or MQSSX:

UseAllowIP = Y
AllowIP = 10.123.99.99;10.123.99.111
UseAllowUserID = Y
AllowUserID = monitor
Allowmqm = N
UseProxy = Y
ProxyFile = C:\Capitalware\MQAUSX\proxy.txt

And in the proxy.txt file you would have:

monitor = mqm

Lines 1 & 2 of the IniFile define what incoming IP addresses will be allowed (the user can also use wildcards). Lines 3, 4 & 5 of the IniFile define what UserID is to be allowed. Lines 6 & 7 of the IniFile define that a Proxy file is to be used and the name and location of the Proxy file.

Hence, these simple, clear and easy keywords lock down the channel without requiring any MQ rules or other 3rd party products.

What is the difference between MQAUSX and MQSSX? MQAUSX provides full UserID and Password authentication whereas MQSSX is a filtering mechanism (no authentication). That distinction matters for the example above: with MQSSX alone, the source address and the “monitor” UserID are values the client asserts and the exit filters, not proves, so the mapping to “mqm” rests on those values being genuine. That is exactly the case T.Rob’s 80-point warning is about, and it is why the password check of MQAUSX (or SSL client authentication on the channel) belongs in front of any mapping to an administrative UserID.
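To make the evaluation order of those IniFile keywords concrete, here is a small model of the filtering logic, written for this post as an illustration; it is not Capitalware’s exit code. The IniFile and proxy file contents are copied from above; the connection attempts are constructed. Assumptions: AllowIP entries are separated by “;” and a “*” in an entry matches any run of characters; Allowmqm = N refuses a client that asserts “mqm” itself but still honours a proxy mapping to mqm; the proxy file holds “clientuserid = mcauser” lines.

```python
"""Model of the MQAUSX/MQSSX IniFile filtering rules shown in the post.

Added example, not Capitalware's code. Wildcard, Allowmqm and proxy-file
semantics are assumptions stated in the lead-in.
"""
import fnmatch

# Constructed copies of the IniFile and proxy file from the post.
INI_TEXT = """\
UseAllowIP = Y
AllowIP = 10.123.99.99;10.123.99.111
UseAllowUserID = Y
AllowUserID = monitor
Allowmqm = N
UseProxy = Y
ProxyFile = C:\\Capitalware\\MQAUSX\\proxy.txt
"""

PROXY_TEXT = """\
monitor = mqm
"""


def parse_kv(text, fold_keys=False):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments skipped."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        out[key.lower() if fold_keys else key] = value.strip()
    return out


def split_list(value):
    """Split a ';'-separated IniFile value into its non-empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def evaluate(ini_text, proxy_text, client_ip, client_userid):
    """Return (decision, reason, mcauser) for one inbound channel connection."""
    cfg = parse_kv(ini_text, fold_keys=True)

    def enabled(key):
        return cfg.get(key, "N").upper() == "Y"

    # Lines 1 & 2: source IP allow-list, checked first.
    if enabled("useallowip"):
        patterns = split_list(cfg.get("allowip", ""))
        if not any(fnmatch.fnmatchcase(client_ip, p) for p in patterns):
            return ("BLOCKED", "ip not in AllowIP", None)

    # Line 5: a client asserting 'mqm' directly is refused when Allowmqm = N
    # (assumed semantics; the proxy mapping below is still allowed to yield mqm).
    if cfg.get("allowmqm", "Y").upper() == "N" and client_userid == "mqm":
        return ("BLOCKED", "Allowmqm=N", None)

    # Lines 3 & 4: the asserted UserID must be on the allow-list.
    if enabled("useallowuserid"):
        if client_userid not in split_list(cfg.get("allowuserid", "")):
            return ("BLOCKED", "userid not in AllowUserID", None)

    # Lines 6 & 7: the proxy file maps the client UserID to the MCAUSER.
    mcauser = client_userid
    if enabled("useproxy"):
        mcauser = parse_kv(proxy_text).get(client_userid, client_userid)
    return ("ALLOWED", "ok", mcauser)


if __name__ == "__main__":
    # Constructed connection attempts: (source IP, asserted UserID).
    attempts = [
        ("10.123.99.99", "monitor"),  # the monitor box: allowed, runs as mqm
        ("10.123.99.50", "monitor"),  # right UserID, wrong address
        ("10.123.99.99", "mqm"),      # claims mqm directly
        ("10.123.99.99", "roger"),    # not on AllowUserID
    ]
    for ip, user in attempts:
        print(ip, user, "->", evaluate(INI_TEXT, PROXY_TEXT, ip, user))
```

Running it shows the order that matters in practice: the address filter runs before any UserID check, a direct “mqm” claim is refused even from the allowed address, and only the allowed UserID from the allowed address reaches the proxy mapping and comes out as mqm. The model also accepts a wildcard such as 10.123.99.* in AllowIP.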

Regards,
Roger Lacroix
Capitalware Inc.

Capitalware, IBM i (OS/400), Linux, MQ, Unix, Windows, z/OS

Where’s the Security?

Over the last 2 months, all of a sudden, I have had the phrase “where’s the security?” running through my head. Instead of that little old lady from the 80s Wendy’s commercial saying “Where’s the beef?”, I have her in my head saying “Where’s the security?”.

Back in 2005, when I first started selling Capitalware’s MQ security products, MQ Authenticate User Security Exit (MQAUSX) and MQ Standard Security Exit (MQSSX), I hit major headwinds, because almost all companies were under the impression that MQ was secure by default. These companies assumed that MQ was a complete security solution. It has taken me, T.Rob Watt and many others 7 years to convince companies that they need to do more than simply install MQ. They need to implement SSL or an MQ security exit or both.

With the introduction of WebSphere MQ (WMQ) v7.1, all of a sudden, everyone AGAIN thinks that all they need to do is install WMQ v7.1 and magically their MQ environment is secure. I am sorry to burst everyone’s bubble, but that is not the case.

I am not going to blame IBM, oh wait, yes I am. :) Once again, IBM’s marketing machine is over zealously selling WMQ as an “out of the box secure messaging product”. Think of Monty Python and the “nudge, nudge, wink, wink” routine (well, WMQ is developed in Hursley, England).

There are some new security features in WMQ v7.1 and T.Rob Watt has done a great write up of the new features at http://t-rob.net/2011/10/18/wmq-security-in-v7-1/

Before drawing any conclusions regarding the new security features and/or benefits in WMQ v7.1, please take a moment to review the information that is out there.

MQAUSX offers application (or user) authentication of UserID and Password against a native OS system, LDAP server, Microsoft’s Active Directory, Quest Authentication Services (QAS), Centrify’s DirectControl or an encrypted MQAUSX FBA file. If interested, check out MQAUSX at http://www.capitalware.biz/mqausx_overview.html

Regards,
Roger Lacroix
Capitalware Inc.

Capitalware, IBM i (OS/400), Linux, MQ, Unix, Windows, z/OS

Advanced Workflow with MQ File Mover (How To #6)

And now for something completely different. :) In this blog posting, I will show you how to create an MQFM Workflow to do something other than move files with MQ.

Let’s say you have an online backup service or a cloud service that you want to back up important files to. So let’s create an MQFM Workflow to handle this business process. Here are the tasks that need to be completed:

  • Compress all of the files and directories that will be backed up
  • Encrypt the compressed file so that prying eyes do not know what we have
  • ftp the file to the remote site
  • Delete the local compressed and encrypted files

The following example was tested on Windows. It can easily be adapted for Unix, Linux, Mac OS X or IBM i servers.

Step #1: On the Windows server, in the jobs directory, create a file called ftp_offsite_1.xml and copy the following into the file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE MQFM_Job SYSTEM "MQFM_Job.dtd">
<MQFM_Job>
  <Job name="ftp">
    <Command wait='y'>ftp.exe</Command>
    <Parm>-n</Parm>
    <Parm>-s:ftp_cmds_1.txt</Parm>
    <Parm>offsite.server.com</Parm>
  </Job>
</MQFM_Job>

The MQFM Job XML defines how to run an external command. The Windows ftp program is given three parameters: -n suppresses the automatic login on connect (so the credentials come from the command script instead), -s: names the command script that will be created in Step #2 (below), and the last parameter is the host name of the remote ftp server. You will need to update it with your ftp server’s host name.

Step #2: On the Windows server, in the MQFM install directory, create a file called ftp_cmds_1.txt and copy the following into the file:

user roger mypwd
prompt off
binary
cd offsite
put C:\temp\offsite\mydata.enc
quit

The above ftp commands log in to the remote ftp server, set the transfer type, change directory to offsite and then upload the file. Note: The first line must contain your UserID and Password for your offsite/cloud service. Since that password sits in clear text in this file, restrict the file’s permissions to the account that runs MQFM. Also remember that plain ftp sends the UserID, password and data across the network in clear text: the EncryptFile step in Step #3 protects the contents of the backup, but not the credentials, so use this only where the path to the ftp server is trusted, or substitute an encrypted transfer (SFTP/FTPS) if your service offers one.

Step #3: On the Windows server, in the MQFM install directory, create a file called mqfm_offsite_1.xml and copy the following into the file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE MQFM_Workflow SYSTEM "MQFM_Workflow.dtd">
<MQFM_Workflow>
  <Global>
    <Property name="my_zip_file" value="C:\temp\offsite\mydata.zip" />
    <Property name="my_enc_file" value="C:\temp\offsite\mydata.enc" />
  </Global>

  <Actions>

    <Zip file="${my_zip_file}">
      <File>C:\data</File>
    </Zip>

    <EncryptFile file="${my_enc_file}" keysize="128"
               passphrase="this is 8 secret words for my script">
      <File>${my_zip_file}</File>
    </EncryptFile>

    <Execute xmlfile="ftp_offsite_1.xml" />

    <Delete>
      <File>${my_enc_file}</File>
      <File>${my_zip_file}</File>
    </Delete>

  </Actions>
</MQFM_Workflow>

The above MQFM Workflow has 4 actions. When MQFM is started, it will compress the files and directories located under C:\data\, then encrypt the zip file with the passphrase given in the EncryptFile action. The Execute action runs the ftp job to upload the encrypted file to the remote server. Finally, the Delete action removes the compressed and encrypted files. Note that the passphrase is stored in clear text in the workflow file and is the only thing protecting the backup once it leaves your server, so treat mqfm_offsite_1.xml with the same care as the ftp credentials file, and keep a copy of the passphrase somewhere safe, because without it the backup cannot be restored.

Step #4: On the Windows server, to run the MQFM Workflow, issue the following command:

./mqfm.sh mqfm_offsite_1.xml
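Before putting a workflow like this into production, it is worth having a script that audits the three files for the two weak spots noted in the steps above: secrets sitting in clear text and a cleartext transfer. The following is an added example written for this post, not part of MQFM; it embeds the job file, the ftp command file and the workflow file from Steps #1 to #3 as strings so it runs offline. The attribute names other than passphrase and the list of cleartext programs are assumptions about what other jobs might contain.

```python
"""Audit of the MQFM workflow, job and ftp command files from the post.

Added example, not MQFM's own code. It parses the three files and reports
where a secret sits in clear text and where a cleartext protocol is used.
"""
import re
import xml.etree.ElementTree as ET

# Copied from Step #1 of the post.
JOB_XML = r"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE MQFM_Job SYSTEM "MQFM_Job.dtd">
<MQFM_Job>
  <Job name="ftp">
    <Command wait='y'>ftp.exe</Command>
    <Parm>-n</Parm>
    <Parm>-s:ftp_cmds_1.txt</Parm>
    <Parm>offsite.server.com</Parm>
  </Job>
</MQFM_Job>
"""

# Copied from Step #2 of the post.
FTP_CMDS = r"""user roger mypwd
prompt off
binary
cd offsite
put C:\temp\offsite\mydata.enc
quit
"""

# Copied from Step #3 of the post.
WORKFLOW_XML = r"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE MQFM_Workflow SYSTEM "MQFM_Workflow.dtd">
<MQFM_Workflow>
  <Global>
    <Property name="my_zip_file" value="C:\temp\offsite\mydata.zip" />
    <Property name="my_enc_file" value="C:\temp\offsite\mydata.enc" />
  </Global>
  <Actions>
    <Zip file="${my_zip_file}">
      <File>C:\data</File>
    </Zip>
    <EncryptFile file="${my_enc_file}" keysize="128"
               passphrase="this is 8 secret words for my script">
      <File>${my_zip_file}</File>
    </EncryptFile>
    <Execute xmlfile="ftp_offsite_1.xml" />
    <Delete>
      <File>${my_enc_file}</File>
      <File>${my_zip_file}</File>
    </Delete>
  </Actions>
</MQFM_Workflow>
"""

# 'passphrase' is the attribute the post uses; the others are assumed names.
SECRET_ATTRS = {"passphrase", "password", "key"}

# Programs that move credentials and data without encryption (assumed list).
CLEARTEXT_COMMANDS = {"ftp", "ftp.exe", "telnet", "telnet.exe"}


def parse_xml(text):
    """The files declare ISO-8859-1, so hand the parser bytes in that encoding."""
    return ET.fromstring(text.encode("iso-8859-1"))


def audit_workflow(text):
    """Flag every action whose attributes carry a literal secret."""
    findings = []
    for elem in parse_xml(text).iter():
        for attr, value in elem.attrib.items():
            if attr.lower() in SECRET_ATTRS and value:
                findings.append(f"{elem.tag}: {attr} stored in clear text")
    return findings


def audit_job(text):
    """Flag job commands that talk to the remote end in clear text."""
    findings = []
    for cmd in parse_xml(text).iter("Command"):
        exe = (cmd.text or "").strip().lower().rsplit("\\", 1)[-1]
        if exe in CLEARTEXT_COMMANDS:
            findings.append(f"Job command {exe}: credentials and data sent in clear text")
    return findings


def audit_ftp_script(text):
    """Flag 'user <name> <password>' lines in an ftp -s: command script."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*user\s+(\S+)\s+\S+", line, re.IGNORECASE)
        if m:
            findings.append(f"ftp script line {n}: password for '{m.group(1)}' stored in clear text")
    return findings


def audit_all():
    """Run all three audits over the embedded files and return the findings."""
    return audit_workflow(WORKFLOW_XML) + audit_job(JOB_XML) + audit_ftp_script(FTP_CMDS)


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Run against the files as they appear in the post, it reports three findings: the passphrase in the EncryptFile action, the ftp.exe command in the job, and the password on line 1 of the ftp script. What you do about each depends on your environment; at a minimum, lock down the permissions on both files, and treat the ftp finding as the reason to prefer an encrypted transfer where the service supports one.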

This blog demonstrates how easy it is to create an MQFM Workflow to process business tasks.

Regards,
Roger Lacroix
Capitalware Inc.

Capitalware, IBM i (OS/400), Java, Linux, Mac OS X, MQ, MQ File Mover, Open Source, Unix, Windows