Does AMS protect message logs?
bruce2359
Posted: Fri Jun 03, 2022 3:34 am Post subject: Does AMS protect message logs?

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Client is asking how to protect MQ's qmgr message log data in the Windows/UNIX file system from snoopers. Does AMS do this? Is there a 3rd-party solution?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Fri Jun 03, 2022 7:55 pm Post subject: Re: Does AMS protect message logs?

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

bruce2359 wrote:
Client is asking how to protect MQ's qmgr message log data in the Windows/UNIX file system from snoopers. Does AMS do this? Is there a 3rd-party solution?

I suppose it depends what they mean by "message log". If they mean the transactional log that is written by the queue manager, then yes, if your messages are AMS protected before arriving and not decrypted until after leaving the queue manager then the queue manager has no way of seeing, and thus writing, unprotected data to the log. This would normally be how AMS was used, with the messages only in their decrypted state inside the application processes (whether putting or getting).

If you're referring to some kind of message tracking log written by applications, then that rather depends on when the application writes to the log. If they are an authorised recipient of an AMS protected message, then the application will be given the message decrypted, and could at that point write the decrypted message data to some application log.

If you mean something else when you say "message log" please elaborate so that further comment can be made.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
bruce2359
Posted: Fri Jun 03, 2022 8:40 pm

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

The usual log files used by the qmgr for persistent messages, qmgr restart, S000001.LOG, S000002.LOG, …

With AMS, when an app MQPUTS a persistent message, is it written clear text to the log then encrypted by AMS as it is put to the queue?

AMS marketing refers to AMS securing “messages at rest in queues” with TLS-like certs and such. Would seem to be an oversight for AMS not to apply the same TLS-like processes to the logged image of the message.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Fri Jun 03, 2022 8:45 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

bruce2359 wrote:
The usual log files used by the qmgr for persistent messages, qmgr restart, S000001.LOG, S000002.LOG, ...

Those would indeed be the queue manager transaction log. Thank you for the clarification.

bruce2359 wrote:
With AMS, when an app MQPUTS a persistent message, is it written clear text to the log then encrypted by AMS as it is put to the queue?

No. It is not in the clear by the time it is handed over to the queue manager. The encryption takes place in the application process before it leaves the application process and is given to the queue manager's agent process to put to the queue. The queue manager never has the clear text.

bruce2359 wrote:
AMS marketing refers to AMS securing "messages at rest in queues" with TLS-like certs and such. Would seem to be an oversight for AMS not to apply the same TLS-like processes to the logged image of the message.

See above answers. Which TLS-like processes are you imagining need to be applied that are not? Please be clear what it is you are referring to.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
bruce2359
Posted: Sat Jun 04, 2022 5:17 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Does AMS also protect messages at rest in qmgr logs?

Which is written to logs, the clear text image or encrypted image?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
Posted: Sat Jun 04, 2022 6:16 am

Poobah

Joined: 15 May 2001
Posts: 7717

bruce2359 wrote:
Does AMS also protect messages at rest in qmgr logs?

Which is written to logs, the clear text image or encrypted image?



hughson wrote:

The encryption takes place in the application process before it leaves the application process and is given to the queue manager's agent process to put to the queue. The queue manager never has the clear text.

_________________
Peter Potkay
Keep Calm and MQ On
PeterPotkay
Posted: Sat Jun 04, 2022 6:26 am

Poobah

Joined: 15 May 2001
Posts: 7717

Morag,
How about in the cases where one must use MCA Interception?
https://www.ibm.com/docs/en/ibm-mq/9.2?topic=ams-message-channel-agent-mca-interception

Use Case: MQ Client is DataPower where MQ AMS cannot be installed. The MQ Client channel uses classic TLS (SSL) to protect the data on the wire. And MQ AMS MCA Interception is used on this client channel to encrypt the data before it's placed on the queue.

A few minutes of googling and I am still not clear in this particular case where the "classic" TLS encryption for the channel ends and the MCA Interception for AMS begins. In this case, is there some period of time where the message is in plain text? And if yes, is it vulnerable to be traced or logged by the queue manager in plain text?
_________________
Peter Potkay
Keep Calm and MQ On
RogerLacroix
Posted: Sat Jun 04, 2022 4:07 pm Post subject: Re: Does AMS protect message logs?

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

bruce2359 wrote:
Is there a 3rd-party solution?

Have a look at MQ Message Encryption (MQME). MQME will encrypt the messages which means the message payload in the queue file and MQ recovery log files are encrypted (i.e. data at rest is encrypted). Hence, snoopers will see nothing.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
hughson
Posted: Sat Jun 04, 2022 7:09 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

PeterPotkay wrote:
How about in the cases where one must use MCA Interception?
https://www.ibm.com/docs/en/ibm-mq/9.2?topic=ams-message-channel-agent-mca-interception

Use Case: MQ Client is DataPower where MQ AMS cannot be installed. The MQ Client channel uses classic TLS (SSL) to protect the data on the wire. And MQ AMS MCA Interception is used on this client channel to encrypt the data before it's placed on the queue.

A few minutes of googling and I am still not clear in this particular case where the "classic" TLS encryption for the channel ends and the MCA Interception for AMS begins. In this case, is there some period of time where the message is in plain text? And if yes, is it vulnerable to be traced or logged by the queue manager in plain text?

In the case of AMS MCA Interception, the message is TLS decrypted before it can be AMS Encrypted. Both these steps happen in the MCA process, so before the message is written to the queue (and thus written to the log) it is encrypted, but it does spend a small period of time within the amqrmppa process in its un-encrypted state.

Therefore I suppose it is vulnerable to be traced by the amqrmppa process in the clear at that time if someone traced out data buffers at the right (or wrong) point in the workflow, but I would hope someone in IBM thought about that. There is always the possibility that someone on-box could dump out the contents of the memory of an amqrmppa process and could find the decrypted data if they timed it right. This is the downside of MCA Interception as I'm sure you realise.

Certainly it is not in the clear in the transaction logs, because it is encrypted prior to the MQPUT crossing to the "QMgr" from the "MCA". In this sense, think about the MCA/amqrmppa process as the "application" in AMS terms, even though you might also think of it as part of the "Queue Manager".

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
PeterPotkay
Posted: Sun Jun 05, 2022 5:40 am

Poobah

Joined: 15 May 2001
Posts: 7717

Thanks for clarifying that, Morag.
_________________
Peter Potkay
Keep Calm and MQ On
bruce2359
Posted: Sun Jun 05, 2022 8:20 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Curiosity and insomnia combined to lead me to this T-Rob YouTube MQ AMS post https://youtu.be/UzNME8KvQwY
He states that messages remain secured (encrypted/hashed) from MQPUT to MQGET, including in qmgr message logs.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Sun Jun 05, 2022 9:09 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

bruce2359 wrote:
Curiosity and insomnia combined to lead me to this T-Rob YouTube MQ AMS post https://youtu.be/UzNME8KvQwY
He states that messages remain secured (encrypted/hashed) from MQPUT to MQGET, including in qmgr message logs.

Yes, that would agree with all the other answers you have seen on this thread.

I think that settles it then. The messages are encrypted when they are in the queue manager transaction log (what you call the message log).

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
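
One way to check the conclusion above on your own queue manager, as an added example that is not part of any post in this thread: put a persistent message carrying a unique canary string to an AMS-protected queue, then scan the transaction log extents (the S*.LOG files mentioned earlier) for that string in the clear. The function names, the canary value, the encoding list and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CANARY = "CANARY-7f3a9c1e-AMS"   # constructed marker to embed in a test message
# Encodings the payload may have been written in; cp500 (EBCDIC) is an
# assumption covering messages that originate on z/OS.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "cp500")

def scan_file(path, patterns, chunk=1 << 20):
    """Yield (encoding, offset) per cleartext hit. Reads in chunks and keeps
    an overlap so a canary straddling a chunk boundary is still found."""
    overlap = max(len(p) for p in patterns.values()) - 1
    tail, base = b"", 0                      # base = file offset of buf[0]
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            buf = tail + block
            for enc, pat in patterns.items():
                pos = buf.find(pat)
                while pos != -1:
                    if pos + len(pat) > len(tail):   # not already reported
                        yield enc, base + pos
                    pos = buf.find(pat, pos + 1)
            keep = min(overlap, len(buf))
            base += len(buf) - keep
            tail = buf[-keep:] if keep else b""

def scan_logs(log_dir, canary, chunk=1 << 20):
    """Return (file, encoding, offset) for every hit in the S*.LOG extents."""
    if not canary:
        raise ValueError("canary must not be empty")
    patterns = {enc: canary.encode(enc) for enc in ENCODINGS}
    return [(p.name, enc, off)
            for p in sorted(Path(log_dir).glob("S*.LOG"))
            for enc, off in scan_file(p, patterns, chunk)]

def build_demo(log_dir, canary):
    """Constructed stand-ins for log extents: one holding only opaque bytes
    (how a protected payload looks on disk), one with the canary in clear."""
    opaque = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    Path(log_dir, "S0000001.LOG").write_bytes(opaque)
    Path(log_dir, "S0000002.LOG").write_bytes(
        b"\0" * 4090 + canary.encode("utf-8") + b"\0" * 100)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_demo(d, CANARY)
        for name, enc, off in scan_logs(d, CANARY, chunk=4096):
            print(f"cleartext canary in {name} ({enc}) at offset {off}")
```

Run it as a user permitted to read the log path; an empty result only shows that this canary was not written to those extents in the listed encodings.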
bruce2359
Posted: Mon Jun 06, 2022 4:04 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Thank you.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.