Security

  1. Security

  2. About this book

  3. Who this book is for

  4. What you need to know to understand this book

  5. Terms used in this book

  6. How to use this book

  7. Summary of changes

  8. Changes for this edition (plug-in version 6.0.2.11)

  9. Changes for the previous editions (SC34-6588-01 and SC34-6588-02)

  10. Introduction

  11. Security services

  12. Identification and authentication

  13. Access control

  14. Confidentiality

  15. Data integrity

  16. Non-repudiation

  17. Planning for your security requirements

  18. Basic considerations

  19. Authority to administer WebSphere MQ

  20. Authority to work with WebSphere MQ objects

  21. Channel security

  22. Additional considerations

  23. Queue manager clusters

  24. WebSphere MQ Publish/Subscribe

  25. WebSphere MQ internet pass-thru

  26. Link level security and application level security

  27. Link level security

  28. Application level security

  29. Comparing link level security and application level security

  30. Protecting messages in queues

  31. Queue managers not running in controlled and trusted environments

  32. Differences in cost

  33. Availability of components

  34. Messages in a dead letter queue

  35. What application level security cannot do

  36. Obtaining more information

  37. Cryptographic concepts

  38. Cryptography

  39. Message digests

  40. Digital signatures

  41. Digital certificates

  42. What is in a digital certificate

  43. Requirements for personal certificates

  44. Certification Authorities

  45. Distinguished Names

  46. How digital certificates work

  47. Obtaining personal certificates

  48. How certificate chains work

  49. When certificates are no longer valid

  50. Public Key Infrastructure (PKI)

  51. The Secure Sockets Layer (SSL)

  52. Transport Layer Security (TLS) concepts

  53. Secure Sockets Layer (SSL) concepts

  54. An overview of the SSL handshake

  55. How SSL provides authentication

  56. How SSL provides confidentiality

  57. How SSL provides integrity

  58. CipherSuites and CipherSpecs

  59. The Secure Sockets Layer in WebSphere MQ

  60. WebSphere MQ security provisions

  61. Access control

  62. Authority to administer WebSphere MQ

  63. Authority to administer WebSphere MQ on UNIX and Windows systems

  64. Authority to administer WebSphere MQ on i5/OS

  65. Authority to administer WebSphere MQ on z/OS

  66. Authority checks on z/OS

  67. Command security and command resource security

  68. MQSC commands and the system command input queue

  69. Access to the queue manager data sets

  70. Obtaining more information

  71. Authority to work with WebSphere MQ objects

  72. When authority checks are performed

  73. Alternate user authority

  74. Message context

  75. Authority to work with WebSphere MQ objects on i5/OS, UNIX systems, and Windows systems

  76. Distributed channels as queue manager objects

  77. Using PCF to access OAM commands

  78. Authority to work with WebSphere MQ objects on z/OS

  79. Channel security

  80. WebSphere MQ SSL support

  81. Channel attributes

  82. Channel status attributes

  83. Queue manager attributes

  84. The authentication information object (AUTHINFO)

  85. The SSL key repository

  86. Protecting WebSphere MQ client key repositories

  87. Refreshing a key repository

  88. Resetting SSL secret keys

  89. Federal Information Processing Standards (FIPS)

  90. WebSphere MQ client considerations

  91. Working with WebSphere MQ internet pass-thru (IPT)

  92. Support for cryptographic hardware

  93. Other link level security services

  94. Channel exit programs

  95. Security exit

  96. Message exit

  97. Send and receive exits

  98. Obtaining more information

  99. The SSPI channel exit program

  100. SNA LU 6.2 security services

  101. Session level cryptography

  102. Session level authentication

  103. Conversation level authentication

  104. Support for conversation level authentication in WebSphere MQ on i5/OS, UNIX systems, and Windows systems

  105. Conversation level authentication and WebSphere MQ for z/OS

  106. Obtaining more information

  107. Providing your own link level security

  108. Security exit

  109. Identification and authentication

  110. Access control

  111. MCAUserIdentifier

  112. WebSphere MQ Object Authority Manager user authentication

  113. Confidentiality

  114. Message exit

  115. Identification and authentication

  116. Access control

  117. Confidentiality

  118. Data integrity

  119. Non-repudiation

  120. Other uses of message exits

  121. Send and receive exits

  122. Confidentiality

  123. Data integrity

  124. Other uses of send and receive exits

  125. Access Manager for Business Integration

  126. Introduction

  127. Access control

  128. Identification and authentication

  129. Data integrity

  130. Confidentiality

  131. Non-repudiation

  132. Obtaining more information

  133. Providing your own application level security

  134. The API exit

  135. The API-crossing exit

  136. The role of the API exit and the API-crossing exit in security

  137. Identification and authentication

  138. Access control

  139. Confidentiality

  140. Data integrity

  141. Non-repudiation

  142. Other ways of providing your own application level security

  143. Working with WebSphere MQ SSL support

  144. Set up SSL communications

  145. Task 1: Using self-signed certificates

  146. The steps required to complete task 1

  147. 1. Prepare the key repository on each queue manager

  148. 2. Create a self-signed certificate for each queue manager

  149. 3. Add the self-signed certificate to the key repository

  150. 4. Extract a copy of each certificate

  151. 5. Exchange certificates

  152. 6. Add partner's certificate to the key repository

  153. 7. Define sender channel

  154. 8. Define a transmission queue

  155. 9. Define a receiver channel

  156. 10. Start the channel

  157. Result of task 1

  158. Verifying task 1

  159. Task 2: Using CA-signed certificates

  160. The steps required to complete task 2

  161. 1. Prepare the key repository on each queue manager

  162. 2. Request a CA-signed certificate for each queue manager

  163. 3. Add the Certification Authority's certificate to the key repository

  164. 4. Add the CA-signed certificate to the key repository

  165. 5. Define sender channel and associated transmission queue

  166. 6. Define receiver channel

  167. 7. Start the channel

  168. Result of task 2

  169. Verifying task 2

  170. Extensions to this task

  171. Task 3: Anonymous queue managers

  172. The steps required to complete task 3

  173. 1. Remove QMA’s personal certificate

  174. 2. Refresh the SSL environment (if necessary)

  175. 3. Allow anonymous connections on the receiver

  176. Result of task 3

  177. Verifying task 3

  178. Extensions to this task

  179. Working with the Secure Sockets Layer (SSL) on i5/OS

  180. Digital Certificate Manager (DCM)

  181. Accessing DCM

  182. Assigning a certificate to a queue manager

  183. Set up a key repository

  184. Creating a new certificate store

  185. Stashing the certificate store password

  186. Working with a key repository

  187. Locating the key repository for a queue manager

  188. Changing the key repository location for a queue manager

  189. When changes become effective

  190. Obtaining server certificates

  191. Creating CA certificates for testing

  192. Requesting a server certificate

  193. Adding server certificates to a key repository

  194. Managing digital certificates

  195. Transferring certificates

  196. Exporting a certificate from a key repository

  197. Importing a certificate into a key repository

  198. Removing certificates

  199. Configuring cryptographic hardware

  200. Mapping DNs to user IDs

  201. Working with the Secure Sockets Layer (SSL) on UNIX and Windows systems

  202. Using iKeyman, iKeycmd, and GSKCapiCmd

  203. Set up a key repository

  204. Accessing your key database file

  205. Accessing your key database file on Windows

  206. Accessing your key database file on UNIX

  207. Working with a key repository

  208. Locating the key repository for a queue manager

  209. Changing the key repository location for a queue manager

  210. Locating the key repository for a WebSphere MQ client

  211. Specifying the key repository location for a WebSphere MQ client

  212. When changes become effective

  213. Obtaining personal certificates

  214. Creating a self-signed personal certificate

  215. Requesting a personal certificate

  216. Receiving personal certificates into a key repository

  217. Managing digital certificates

  218. Transferring certificates

  219. Extracting a CA certificate from a key repository

  220. Extracting the CA part of a self-signed certificate from a key repository

  221. Adding a CA certificate (or the CA part of a self-signed certificate) into a key repository

  222. Exporting a personal certificate from a key repository

  223. Importing a personal certificate into a key repository

  224. Importing from a Microsoft .pfx file

  225. Importing from a PKCS #7 file

  226. Delete a personal certificate from a key repository

  227. Configuring for cryptographic hardware

  228. Managing certificates on PKCS #11 hardware

  229. Requesting a personal certificate for your PKCS #11 hardware

  230. Importing a personal certificate to your PKCS #11 hardware

  231. Mapping DNs to user IDs

  232. Migrating SSL security certificates in WebSphere MQ for Windows

  233. Working with the Secure Sockets Layer (SSL) on z/OS

  234. Set the SSLTASKS parameter

  235. Set up a key repository

  236. Ensuring CA certificates are available to a queue manager

  237. Working with a key repository

  238. Locating the key repository for a queue manager

  239. Specifying the key repository location for a queue manager

  240. Ensuring the CHINIT has the correct read access

  241. When changes become effective

  242. Obtaining personal certificates

  243. Creating a self-signed personal certificate

  244. Requesting a personal certificate

  245. Creating a RACF signed personal certificate

  246. Adding personal certificates to a key repository

  247. Managing digital certificates

  248. Transferring certificates

  249. Exporting a personal certificate from a key repository

  250. Importing a personal certificate into a key repository

  251. Removing certificates

  252. Delete a personal certificate from a key repository

  253. Renaming a personal certificate in a key repository

  254. Working with Certificate Name Filters (CNFs)

  255. Set up a CNF

  256. Working with Certificate Revocation Lists and Authority Revocation Lists

  257. Set up LDAP servers

  258. Configuring and updating LDAP servers

  259. Accessing CRLs and ARLs

  260. Accessing CRLs and ARLs with a queue manager

  261. Accessing CRLs and ARLs on i5/OS

  262. Accessing CRLs and ARLs using WebSphere MQ Explorer

  263. Accessing CRLs and ARLs with a WebSphere MQ client

  264. Accessing CRLs and ARLs with the Java client and JMS

  265. Checking CRLs and ARLs

  266. Manipulating authentication information objects with PCF commands

  267. Keeping CRLs and ARLs up to date

  268. Certificate validation and trust policy design on UNIX and Windows systems

  269. Basic certificate policy

  270. Basic CRL policy

  271. Basic path validation policy

  272. Standard policy (RFC-3280)

  273. Standard CRL policy

  274. Standard path validation policy

  275. Working with CipherSpecs

  276. Specifying CipherSpecs

  277. Obtaining information about CipherSpecs using WebSphere MQ Explorer

  278. Alternatives for specifying CipherSpecs

  279. Considerations for WebSphere MQ clusters

  280. Specifying a CipherSpec for a WebSphere MQ client

  281. Specifying a CipherSuite with the Java client and JMS

  282. Understanding CipherSpec mismatches

  283. WebSphere MQ rules for SSLPEER values

  284. Understanding authentication failures

  285. Cryptographic hardware

  286. Trademarks