WebSphere MQ

MQ and SSL

Neil Kolban
IBM Corp
[email protected]

October 31st 2002 © 2002 IBM Corporation

 WebSphere MQ

Overview

ƒ Part I – Overview of security goals and SSL

ƒ Part II – The MQ SSL story

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Security

ƒ Goals of security
– Confidentiality
– Message integrity
– Endpoint Authentication

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Encryption (1)

ƒ Encryption
– Data confidentiality
– Plain text vs Cipher text

Plaintext Cyphertext Plaintext

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Encryption (2)

ƒ Encryption Plain Cipher

– Data confidentiality A T
– Plain text vs Cipher text
B M

ƒ Encryption C I

– ƒE(Plain) = Cipher D N
– Example: ƒE(“HEAD”) = “BQTN” E Q
F C
ƒ Decryption
– ƒD(Cipher) = Plain G D

– Example: ƒD(“BQTN”) = “HEAD” H B

I A

… …

Z R

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Cipher keys (1)

Encryption Decryption

Plaintext Ciphertext Plaintext

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Cipher keys (2)

ƒ Keys
–Shared secret key Plain Cipher Cipher Cipher
K=1 K=2 K=n
–Symmetric cryptography
A T N O
–Common algorithms
B M T W
–DES
C I Y E
–RC2
–RC4 D N C T
E Q P S
ƒ Encryption F C S C
–ƒE(Plain, Key) = Cipher
G D U I
–ƒE(“HEAD”, 2) = “LPNC” H B L N
I A E F
ƒ Decryption
–ƒD(Cipher, Key) = Plain … … … …

–ƒD(“LPNC”, 2) = “HEAD” Z R M H

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Public Key Cryptography (1)

Public key Private key

Encryption Decryption

Plaintext Ciphertext Plaintext

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Public Key Cryptography (2)

ƒ Two keys
– One public (known to everyone)
– One private (known only to you)
– Common algorithms
– RSA
– Diffie-Hellman
– Asymmetric cryptography
ƒ ƒE(Plain, Keypublic) = Cipher
ƒ ƒD(Cipher, Keyprivate) = Plain
ƒ Keys are asymmetric
ƒ Relatively expensive to use

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Security

ƒ Goals of security

– Confidentiality

– Message integrity

– Endpoint Authentication

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Message Digest (1)

ƒ Input → arbitrary length message

ƒ Output → fixed length string
ƒ Attributes
– Irreversibility
– Collision resistance
ƒ Other names for this
– Hashing
– Checksum
ƒ Common algorithms
– MD5
– SHA

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Message Digest (2)

ƒ ƒH(Message) = HashData
ƒ ƒH(Message1) ≠ ƒH(Message2)
→ Message1 ≠ Message2

Message
Digest
h

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Digital Signature (1)

ƒ Digital Signature built from

– Message Digest
– Public key encryption
ƒ Used to prove that a message has not been tampered with.

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Digital Signature (2)

h
Private Key

Private Key

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Digital Signature (3)

h
Public Key

?
h
Public Key

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Security

ƒ Goals of security
–Confidentiality

–Message integrity

–Endpoint Authentication

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Man in the middle attack

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Certificate Authority

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Certificates

ƒ Issued by CA
–VeriSign
–Entrust
–CyberTrust
–etc
ƒ Contains
–Subject Name
–Issuer Name
–X.500 distinguished names
ƒ X.509
–Common certificate exchange
format

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Security

ƒ Goals of security
– Confidentiality
– Message integrity
– Endpoint Authentication
ƒ Implement this design and you have SSL!!

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Part II MQ and SSL

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Data movement between queue managers

Queue Queue
Manager Manager
No SSL

Queue Queue
Manager Manager
With SSL

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Adding SSL Support

Queue Queue
Manager Channel Manager

TCP/IP Link TCP/IP

Queue Queue
Manager Channel Manager

SSL Encryption SSL

TCP/IP Link TCP/IP

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

MQ SSL Implementations

ƒ Supports SSL V3.0

ƒ Implemented using:

Java JSSE (Java Secure Socket Extension)

Windows SChannel

Unix ???

z/OS System SSL

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Channel Security

ƒ SSL can be used across channels

ƒ All kinds of channels supported
– Sender
– Receiver
– Cluster
– Client
– Etc
ƒ Specified on a per channel basis

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Key questions

ƒ Which CipherSpec shall be used?

– Cost of security
– Performance characteristics
ƒ Is client authentication required?
– Uni or bidirectional authentication
ƒ Names of accepted peers.
– Limit the names of channel initiators (SSL clients)

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Channel definitions

ƒ SSL either enabled or disabled by channel definition

ƒ New parameters for channel definitions
– Cypher spec (SSLCIPH)
– DN’s allowed (SSLPEER)
– Client authentication required (SSLCAUTH)

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

SSLCipherSpec (SSLCIPH) – Channel attribute

ƒ Name of the Cipher specification to use

ƒ If blank, no SSL
ƒ Same attribute value required on both ends of the channel

CipherSpec name Hash algorithm Encryption algorithm Encryption bits

NULL_MD5 MD5 None 0
NULL_SHA SHA None 0
RC4_MD5_EXPORT MD5 RC4 0
RC4_MD5_US MD5 RC4 40
RC4_SHA_US SHA RC4 128
RC2_MD5_EXPORT MD5 RC2 128
DES_SHA_EXPORT SHA DES 40
RC4_56_SHA_EXPORT1024 SHA RC4 56
DES_SHA_EXPORT1024 SHA DES 56
TRIPLE_DES_SHA_US SHA 3DES 128
TLS_RSA_WITH_AES_128_CBC_SHA SHA AES 128
TLS_RSA_WITH_AES_128_CBC_SHA SHA AES 256

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

SSLClientAuth (SSLCAUTH) - Channel attribute

ƒ Requestor to form channel considered the SSL Client

ƒ Defines if certificate from client is needed to form channel
ƒ Values:
– Required – Client authentication required
– Optional – Client authentication optional

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

SSLPeerName (SSLPEER) - Channel attribute

ƒ Distinguished names of the allowed partners

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Obtaining certificates

ƒ Certificates obtained from Commercial CA

ƒ Certificates for test environments
– OpenSSL
– MakeCert
– Java 1.4 Keytool
– IKeyMan

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Certificate Stores

ƒ Certificates stored in key repositories

ƒ Queue manager SSLKeyRepository (SSLKEYR) attributes specifies
Queue Manager’s location of its own certificate
ƒ MQ Client uses the MQSSLKEYR environment variable to specify
location of certificate store

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

The amqmcert command

ƒ Used to manage MQSeries certificate store

ƒ Adds certificates to store
ƒ Removes certificates from store
ƒ Lists certificates in store
ƒ Assigns certificate to queue manager

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

Performance

ƒ Nothing for nothing …

ƒ Extra CPU overhead for encrypted data
ƒ No official IBM numbers yet published
ƒ Performance expected to be equivalent to moving same quantity of
data over base SSL implementation
– Possibly better due to single handshake and reuse
– Overhead based on ciphersuite employed

WebSphere MQ & SSL © 2002 IBM Corporation

 WebSphere MQ

References
ƒ MQ Security Manual
ƒ SSL and TLS – Eric Rescorta
ƒ Java Secure Socket Extension (JSSE) Reference Guide
ƒ Web sites
http://home.netscape.com/eng/ssl3/ssl-toc.html

WebSphere MQ & SSL © 2002 IBM Corporation