
Cracking the Code: SSL and MQ BFFs

By Surabhi Kona posted Thu December 07, 2023 09:53 AM

  

Imagine your messages wearing superhero capes! In my blog, we'll spill the beans on how SSL and MQ team up to keep your info safe and sound. It's like your messages whispering secrets in a secret code which only they can understand. Ready for the secret handshake of the digital world? Let's dive in!

#SSLonMQ #TechXchange #MQoni


What is SSL?

SSL (Secure Sockets Layer) is a protocol that allows computer systems to talk to each other safely over the internet. SSL provides encryption, integrity & authentication.

What is MQ?

MQ (Message Queue) is messaging middleware that makes asynchronous communication between applications easier.

Why do we need SSL in MQ?

Because SSL on MQ provides channel authentication & link-level encryption, which means that the messages are encrypted while they are transferred across the network, but not while they sit on the queues.

Now, how does SSL work?

The client & the server work together to establish a secure, encrypted connection. The steps involved are listed below:

  1. ClientHello:

    • The MQ client initiates the SSL handshake by sending a "ClientHello" message to the MQ server.
    • This message contains the SSL/TLS version, the supported cipher suites, a string of arbitrary bytes called the “client random number”, & other relevant information.
  2. ServerHello:

    • In response to the "ClientHello," the MQ server sends a "ServerHello" message.
    • The server selects the highest SSL/TLS version and the most secure cipher suite supported by both the client and server.
    • The message also contains a string of random bytes generated by the server, referred to as the “server random number”.
  3. Server Certificate:

    • The MQ server provides its digital certificate to the client.
    • This certificate includes the server's public key, and it is typically signed by a trusted Certificate Authority (CA).
    • The client validates the certificate to ensure the authenticity of the MQ server.
  4. Key Exchange:

    • The MQ client generates a random pre-master secret.
    • Using the server's public key from the certificate, the client encrypts the pre-master secret.
    • The client sends the encrypted pre-master secret to the MQ server.
  5. Server Decryption:

    • The MQ server receives the encrypted pre-master secret.
    • The server decrypts the pre-master secret using its private key.
    • Both the client and server now share the same pre-master secret.
  6. Session Key Generation:

    • Both the MQ client and server independently derive a common "session key" from the pre-master secret, the "client random number" & the "server random number".
    • This session key will be used for symmetric encryption and decryption of messages during the secure MQ session.
  7. Finished:

    • Both the MQ client and server exchange "Finished" messages.
    • These messages signal the completion of the SSL handshake and the beginning of the encrypted MQ session.
  8. Secure Data Exchange:

    • With the session key established, both the MQ client and server can securely exchange messages.
    • Messages are encrypted using the agreed-upon session key, ensuring confidentiality and integrity in the communication between the MQ components.

In summary, the SSL handshake in the context of MQ involves securing the communication channels between the MQ client and server, allowing for the exchange of messages in a secure and protected manner.


Attributes that are required to configure SSL for your IBM MQ on IBM i

  1. SSLKEYR & SSLKEYRPWD are the two queue manager attributes for enabling SSL, where
     • SSLKEYR is the path of the key repository for the queue manager &
     • SSLKEYRPWD is the password of the key repository for the queue manager
  2. SSLCIPH, SSLCAUTH & SSLPEER are the channel attributes for enabling an SSL channel, where
     • SSLCIPH is the Cipherspec for the SSL connection; the same Cipherspec has to be used on both ends of a channel
     • SSLCAUTH controls whether client certificate authentication is required over SSL &
     • SSLPEER is the peer name that the partner's certificate must match during channel negotiation

Note: Cipherspec (Cipher Specification) refers to a set of parameters that define the cryptographic algorithms used for encryption and decryption. It specifies the rules for how data should be encrypted and decrypted during secure communication.

A typical Cipherspec includes the following components:

  • Key Exchange Algorithm:
    • Specifies the algorithm used to securely exchange cryptographic keys between the communicating parties. Example: RSA
  • Symmetric Encryption Algorithm:
    • Specifies the algorithm used for encrypting and decrypting the actual data being transmitted. Common symmetric encryption algorithms include AES (Advanced Encryption Standard) and 3DES (Triple Data Encryption Standard).
  • Message Authentication Code (MAC) Algorithm:
    • Specifies the algorithm used to generate a MAC, which is a small piece of information added to the message to ensure its integrity and authenticity. Common MAC algorithms include HMAC (Hash-based Message Authentication Code).
  • Hash Algorithm:
    • Specifies the algorithm used for hashing during the SSL handshake. Hashing is crucial for integrity checks and creating digital signatures. Common hash algorithms include SHA-256 (Secure Hash Algorithm 256-bit) and SHA-384.

Here's an example of a Cipherspec: TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA256 indicates that the RSA algorithm is used for key exchange, AES-128 in CBC mode for symmetric encryption, and SHA-256 for the message authentication code.

During the SSL/TLS handshake between a client and a server, they negotiate and agree upon a Cipherspec that both support. This negotiation ensures that both MQ client & the server have a common set of rules for securing their communication. The strength and security of the chosen Cipherspec have a significant impact on the overall security of the encrypted communication channel.
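The following added example (my own code, not from the original post or from IBM MQ) breaks a Cipherspec name into the components listed above and reviews the SSLCIPH values of the two ends of a channel: it flags a mismatch, since both ends must use the same Cipherspec, and flags components that are weak by today's standards. The naming pattern and the weak-component list are assumptions of the example and cover only the suite shapes shown here.

```python
import re

# Suite-name shape, e.g. TLS_RSA_WITH_AES_128_CBC_SHA256 or
# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (pattern is an assumption of this example).
_SUITE = re.compile(
    r"^(?P<proto>TLS|SSL)_(?P<kex>[A-Z0-9_]+?)_WITH_"
    r"(?P<cipher>AES_128|AES_256|3DES_EDE|RC4_128|NULL)"
    r"(?:_(?P<mode>CBC|GCM))?_(?P<hash>SHA|SHA256|SHA384|MD5)$"
)

# Components a reviewer would not accept on a new channel (assumed list).
WEAK = {"3DES_EDE", "RC4_128", "NULL", "SHA", "MD5"}


def parse_cipherspec(name: str) -> dict:
    """Split a Cipherspec name into key exchange, cipher, mode, hash and MAC."""
    m = _SUITE.match(name.strip().upper())
    if not m:
        raise ValueError(f"unrecognised CipherSpec: {name}")
    parts = m.groupdict()
    # With an AEAD mode (GCM) the trailing hash names the handshake PRF hash and
    # integrity comes from the cipher itself; with CBC it is the record HMAC.
    parts["mac"] = None if parts["mode"] == "GCM" else f"HMAC-{parts['hash']}"
    parts["weak"] = sorted(p for p in (parts["cipher"], parts["hash"]) if p in WEAK)
    return parts


def check_channel_pair(sender_sslciph: str, receiver_sslciph: str) -> list:
    """Findings for one sender/receiver channel pair, empty when all is well."""
    findings = []
    if sender_sslciph.strip().upper() != receiver_sslciph.strip().upper():
        findings.append("SSLCIPH differs between the two channel ends; "
                        "both ends must use the same Cipherspec")
    for end, spec in (("sender", sender_sslciph), ("receiver", receiver_sslciph)):
        weak = parse_cipherspec(spec)["weak"]
        if weak:
            findings.append(f"{end}: weak component(s) {', '.join(weak)} in {spec}")
    return findings
```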


In conclusion, implementing SSL with MQ adds a layer of security to the communication between different components within the MQ environment. The SSL protocol ensures that data exchanged between MQ clients and servers is encrypted and secure, protecting it from unauthorised access and tampering. Implementing SSL is a fundamental step toward enhancing the overall security posture of MQ environments.

In my next blog, I will describe the configuration steps involved in enabling SSL on MQ.
