View Only

Use of AT-TLS with IBM MQ – Why and How

By Matt Sunley posted Fri October 15, 2021 03:57 AM


Connectivity is king


Connectivity needs are exploding. Every day more systems and services need connecting. There are new information sources, new systems of engagement and new services that can be deployed anywhere. Businesses who adapt fastest are winning market share and increasing customer acquisitions, and this leads to intense pressure to reduce the time and cost of developing new value. But moving at speed to capture new opportunity cannot come at the cost of security. Every new connection between systems and applications represents a new point of vulnerability. Data loss or breaches are extremely costly, with direct financial impacts, reputational damage, and regulatory fines. Businesses must protect their apps and data or risk losing trust, making security strategy a key focus in modern IT environments.


Protecting data in flight


A key aspect of data security is how to protect data as it moves over the network between different systems, applications, and services, both within a business and during data exchange with business partners. Data sent over the network has more chance of being attacked by hackers or unauthorised third parties. Due to this, security protocols such as Transport Layer Security (TLS) have been introduced.


Network security is a critical requirement for enterprise messaging technology such as IBM MQ, which is designed to provide secure and reliable intra- and inter-company communications over a distributed computing network. MQ is inherently a cross-platform technology with many customer topologies spanning a wide variety of different on-premises and cloud environments – relying on the network to do so.


TLS is designed to provide data integrity (data hasn’t changed) and privacy (to prevent eavesdropping or tampering) for data communications over the network. MQ has enabled use of TLS (and its predecessor SSL) for many years, constantly evolving to support the latest versions as they have been introduced over time, as well as deprecating older, less secure variants (such as SSL V3). MQ provides the facility to configure TLS for message traffic between different queue managers as well as for direct connections by client applications.


Introducing Application Transparent Transport Layer Security (AT-TLS)


AT-TLS can create a secure session on behalf of an application and provide encryption and decryption of data based on policy statements rather than requiring that the application provides its own TLS implementation.


AT-TLS on z/OS provides a single GUI-based administration interface for TLS protection across many different z/OS workloads, systems, and sysplexes, which makes pervasive encryption easier to administer. It relies on System SSL, providing a powerful and flexible approach to applying strong TLS protection to your z/OS TCP/IP connections. TLS and System SSL are regularly updated to provide the latest TLS features via the Network Configuration Assistant.


Business benefits of AT-TLS


The main benefit of using AT-TLS for MQ messaging workloads is to reduce the operational costs associated with managing the security configuration of an MQ environment. Use of AT-TLS across a range of applications and subsystems provides a single consistent means of TLS administration, rather than use of specific approaches tailored to each individual application or subsystem. In MQ’s case, this replaces the need to manage specific MQ CipherSpec configurations at the channel level.


Another benefit is to reduce the costs of application development. As the name implies, AT-TLS is transparent to applications that are benefiting at either end of the network hop. Those applications do not need to integrate directly with System SSL and gain access to any new features by changing AT-TLS policy, not code.


Finally, with continual focus on efficiency in the use of System SSL, applications (and MQ) automatically benefit from ongoing performance improvements made in each iteration of the platform. This helps to optimize throughput and response times to help meet business objectives such as SLAs. My colleague, Tony Sharkey, has just published a performance focused blog that you can check out here.


Scenarios with hybrid MQ environments


The MQ team have tested and documented several supported scenarios for AT-TLS including communications between queue managers running on z/OS, between z/OS and distributed as well as direct client connections. For detailed descriptions of these scenarios and associated configuration steps, please see the following topic in IBM Documentation: