MQSeries.net Forum Index » IBM MQ Security » MQ AMS on Client Only

Post new topic  Reply to topic
 MQ AMS on Client Only « View previous topic :: View next topic » 
Author Message
JosephGramig
Posted: Mon May 17, 2021 1:03 pm    Post subject: MQ AMS on Client Only

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

I have not had a chance to download just the MQ Client (not from the server media) and try AMS.

What I have expects the AMS files for the user at the MQ Client (errors in /var/mqm/errors files).

As I read it, the KC indicates that AMS is included in MQ Client download. True?

If so, does that mean the MQ Client is doing all the AMS work and then sending the message? As in, is it encrypted?

Last, most examples are connecting with a user ID and password. Is that required?
hughson
Posted: Mon May 17, 2021 9:23 pm    Post subject: Re: MQ AMS on Client Only

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

JosephGramig wrote:
I have not had a chance to download just the MQ Client (not from the server media) and try AMS.

What I have expects the AMS files for the user at the MQ Client (errors in /var/mqm/errors files).

The keystore.conf file (which configures where, and what type, the keystore is) would be on the MQ Client machine, as would the keystore.

JosephGramig wrote:
As I read it, the KC indicates that AMS is included in MQ Client download. True?

I also believe this to be the case.

JosephGramig wrote:
If so, does that mean the MQ Client is doing all the AMS work and then sending the message? As in, is it encrypted?

When you use AMS, all encryption is done before the message leaves the application process. This therefore means that the encryption must indeed be taking place at the MQ Client. One exception to this is the feature known as MCA interception where the AMS encryption is only applied when the message reaches the SVRCONN. This is to cope with older clients (or stubborn business partners!?) who can't/won't apply AMS at their client application.

JosephGramig wrote:
Last, most examples are connecting with a user ID and password. Is that required?

The choice to use a user ID and password is unrelated to the choice to use AMS; you may use one without the other, or both together as your requirements dictate. The Quick Start AMS examples don't use a user ID and password.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
PeterPotkay
Posted: Tue May 18, 2021 4:29 am    Post subject: Re: MQ AMS on Client Only

Poobah

Joined: 15 May 2001
Posts: 7717

hughson wrote:
JosephGramig wrote:
If so, does that mean the MQ Client is doing all the AMS work and then sending the message? As in, is it encrypted?

When you use AMS, all encryption is done before the message leaves the application process. This therefore means that the encryption must indeed be taking place at the MQ Client. One exception to this is the feature known as MCA interception where the AMS encryption is only applied when the message reaches the SVRCONN. This is to cope with older clients (or stubborn business partners!?) who can't/won't apply AMS at their client application.

Cheers,
Morag

It also solves for IBM DataPower since IBM only ships that with plain MQ Client installed and there is no way to replace/upgrade the MQ Client independently on a DataPower appliance.
_________________
Peter Potkay
Keep Calm and MQ On
JosephGramig
Posted: Tue May 18, 2021 7:30 am

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

@Morag Thanks. I'm going to just scp the same contents of my user's .mqs directory that I built and tested for BINDINGs mode. I also tested with the client versions of those programs and was misled by the fact that they worked. That was because it must clearly be using the same setup in the .mqs directory.

Now I see how AMS is reading the config and keystore which mqm:mqm cannot. It is doing it as the ID of the MQI or BINDINGs process. I guess.

@Peter Your statement was not clear "plain MQ client". If the client is not EOS, I bet it does have the AMS code in it. I would not be sure about z/OS, iSeries and maybe that is what you are saying about DP. If DP can't do that, then I would consider that a defect.

In general, I wonder where the config file goes when the Qmgr is configured to use LDAP for AUTHREC and what not?
hughson
Posted: Tue May 18, 2021 2:36 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

JosephGramig wrote:
@Morag Thanks. I'm going to just scp the same contents of my user's .mqs directory that I built and tested for BINDINGs mode. I also tested with the client versions of those programs and was misled by the fact that they worked. That was because it must clearly be using the same setup in the .mqs directory.

Yes, if you have the keystore.conf pointed to by the env var, then the application will use that.

JosephGramig wrote:
Now I see how AMS is reading the config and keystore which mqm:mqm cannot. It is doing it as the ID of the MQI or BINDINGs process. I guess.

AMS is all in the application space yes.

JosephGramig wrote:
@Peter Your statement was not clear "plain MQ client". If the client is not EOS, I bet it does have the AMS code in it. I would not be sure about z/OS, iSeries and maybe that is what you are saying about DP. If DP can't do that, then I would consider that a defect.

Peter is correct, the DP client does not do AMS.

JosephGramig wrote:
In general, I wonder where the config file goes when the Qmgr is configured to use LDAP for AUTHREC and what not?

Could you expand on this question? What exactly is your query? You put the keystore.conf wherever you want and point at it with the MQS_KEYSTORE_CONF env var. It does not matter how the queue manager is configured for anything. It is on the client machine and the queue manager has no control over it.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
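The two points Morag makes about keystore.conf (it names where and what type the keystore is, and it is found via MQS_KEYSTORE_CONF in the application user's space, not the queue manager's) can be turned into a quick preflight check. The code below is an added example, not something posted in this thread and not IBM's code. It assumes, from the IBM documentation as I know it, that MQS_KEYSTORE_CONF overrides the default $HOME/.mqs/keystore.conf, that a CMS keystore is referenced by its path without the .kdb suffix, and that a password stash file (.sth) sits beside the .kdb. The keystore name `alicekey` and the label `alice_cert` are constructed; the files written are placeholders, not real keystores.

```python
"""Added example: resolve and sanity-check an AMS keystore.conf as the application user.

Not from the forum thread and not IBM code. Assumptions (IBM documentation as I know it):
  * MQS_KEYSTORE_CONF overrides the default location $HOME/.mqs/keystore.conf
  * cms.keystore is the path of the CMS keystore without the .kdb suffix
  * a password stash file (.sth) must sit beside the .kdb
The demo builds a constructed ~/.mqs in a temporary directory (POSIX assumed).
"""
import os
import stat
import tempfile
from pathlib import Path


def resolve_keystore_conf(env, home):
    """MQS_KEYSTORE_CONF wins; otherwise fall back to <home>/.mqs/keystore.conf."""
    override = env.get("MQS_KEYSTORE_CONF")
    return Path(override) if override else Path(home) / ".mqs" / "keystore.conf"


def parse_keystore_conf(text):
    """keystore.conf is one 'key = value' per line; '#' starts a comment line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed keystore.conf line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def check_cms_keystore(settings, uid):
    """Return a list of problems; an empty list means the application user can use it.

    AMS runs inside the application process, so the files must be owned by and
    readable only by that user; whether mqm:mqm can read them is irrelevant."""
    problems = []
    base = settings.get("cms.keystore")
    if not base:
        return ["cms.keystore is not set"]
    if not settings.get("cms.certificate"):
        problems.append("cms.certificate (label of the user's own certificate) is not set")
    for suffix in (".kdb", ".sth"):
        path = Path(base + suffix)
        if not path.is_file():
            problems.append(f"missing {path}")
            continue
        st = path.stat()
        if st.st_uid != uid:
            problems.append(f"{path} is not owned by uid {uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path} is accessible by group or other")
    return problems


def demo(with_stash=True):
    """Build a constructed ~/.mqs in a temp dir, run the checks, return the problems."""
    home = Path(tempfile.mkdtemp())
    mqs = home / ".mqs"
    mqs.mkdir(mode=0o700)
    base = mqs / "alicekey"                        # constructed keystore name
    (mqs / "keystore.conf").write_text(
        f"# constructed example\ncms.keystore = {base}\ncms.certificate = alice_cert\n"
    )
    for suffix in ([".kdb", ".sth"] if with_stash else [".kdb"]):
        placeholder = Path(str(base) + suffix)
        placeholder.write_bytes(b"placeholder, not a real keystore")
        placeholder.chmod(0o600)
    conf = resolve_keystore_conf({}, home)         # no env override in the demo
    settings = parse_keystore_conf(conf.read_text())
    uid = os.getuid() if hasattr(os, "getuid") else 0
    return check_cms_keystore(settings, uid)


if __name__ == "__main__":
    print(demo() or "keystore.conf and CMS keystore look usable by this user")
    print(demo(with_stash=False))                  # reports the missing .sth
```

Run it as the same OS user the MQ client application runs under; running it as mqm tells you nothing about what the application will see, which is exactly the confusion the thread describes.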
JosephGramig
Posted: Thu May 27, 2021 5:33 am

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

@MoragHughson OK, now that you mention it, and it makes sense that the AMS work is in the application space, I see that it does not matter if the Qmgr is using OAM or LDAP for AUTHRECs and such.

My next step is to test the feature between an AMS Qmgr and non-AMS Qmgr that will decrypt or encrypt msgs. There is a new setting on the channel for this. In this case, I think the AMS work will happen in the MCA space.

BTW if you know, when I specify two or more folks that can GET the msg, will it encrypt the msg twice or as many receivers? I just don't see how it would work otherwise.
markt
Posted: Thu May 27, 2021 6:47 am

Knight

Joined: 14 May 2002
Posts: 502

This is somewhat simplified but fundamentally, the encryption of a message has two parts - a short "key" that is itself encrypted and the actual message body which is encrypted using that key.

So the recipient has to first decrypt the key and then use that to decrypt the real body. There are multiple copies of the encrypted key, one for each recipient based on their certificates and public keys. But the body itself is only encrypted once. Therefore there's only a small growth in the data as each additional potential recipient is defined.
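The envelope structure markt describes (one encrypted body, one wrapped copy of the content key per recipient) is easy to see in code. The following is an added example, not from this thread and not IBM code, using only the Python standard library. In real AMS the per-recipient wrap uses each recipient's RSA public key from their certificate and the body is encrypted with AES; the standard library has no RSA, so each recipient here holds a constructed symmetric key-encryption key as a stand-in, and the symmetric cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag. The names `alice`, `bob`, `carol` and the 1000-byte payload are constructed. What carries over unchanged is the shape: the body cost is paid once and every extra recipient adds a fixed-size wrapped key.

```python
"""Added example: multi-recipient envelope encryption, stdlib only.

Not from the forum thread and not IBM code. Stand-ins (labelled assumptions):
  * per-recipient symmetric KEK instead of the recipient's RSA public key
  * HMAC-SHA256 counter-mode keystream + HMAC tag instead of AES
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Counter mode: HMAC(key, nonce || counter) blocks concatenated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key, plaintext):
    """Return nonce || ciphertext || tag, the tag covering nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag first, then decrypt; wrong key or tampering raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))


def protect(body, recipients):
    """recipients: {name: KEK}. Body encrypted once under a fresh content key (CEK);
    the CEK is wrapped separately for every recipient."""
    cek = os.urandom(32)
    return {
        "body": seal(cek, body),
        "keys": {name: seal(kek, cek) for name, kek in recipients.items()},
    }


def unprotect(envelope, name, kek):
    """A recipient unwraps its own copy of the CEK, then decrypts the shared body."""
    if name not in envelope["keys"]:
        raise KeyError(f"{name} is not a recipient of this message")
    cek = open_sealed(kek, envelope["keys"][name])
    return open_sealed(cek, envelope["body"])


def envelope_size(envelope):
    """Total bytes on the wire: one body ciphertext plus one wrapped key per recipient."""
    return len(envelope["body"]) + sum(len(w) for w in envelope["keys"].values())


if __name__ == "__main__":
    body = b"payload " * 125                        # constructed 1000-byte message
    keks = {n: os.urandom(32) for n in ("alice", "bob", "carol")}
    one = protect(body, {"alice": keks["alice"]})
    three = protect(body, keks)
    # body overhead 48 bytes paid once; each recipient adds 80 bytes (nonce + 32-byte CEK + tag)
    print(len(body), envelope_size(one), envelope_size(three))   # 1000 1128 1288
    print(unprotect(three, "carol", keks["carol"]) == body)        # True
```

The size arithmetic is the point of markt's answer: going from one recipient to three grows the envelope by two wrapped keys, not by two more copies of the body, and a principal who is not listed in `keys` has no copy of the CEK to unwrap.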
JosephGramig
Posted: Thu May 27, 2021 7:19 am

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

Thanks markt,

Now I understand how that can work (and clearly does). I will do my homework on the AMS-Qmgr to non-AMS-Qmgr flow.

Often, there are old Qmgrs that cannot do AMS but need to play in the mix until they can be decommissioned.