MQ

  • 1.  USERID Authentication in B2B MQ

    Posted Tue December 07, 2021 02:34 PM
    We are planning for a B2B solution for one of our applications.

    We will use a dedicated VPN pipe between the companies. We are planning to use public/private key Certs, and IP checking when connecting QMGR to QMGR channels. And encrypting the data in motion.

    Clients will be authenticated when they connect. The Windows Domains will not be shared, and there is zero trust between the 2, so USERIDs and Passwords are not shared or trusted.

    How do we authenticate the application (userid) putting the message on the remote system, when we only have the inbound message?

    ------------------------------
    Glen Larson
    Lead Systems Engineer
    Progressive Insurance
    Colorado Springs CO
    (719) 432-1360
    ------------------------------


  • 2.  RE: USERID Authentication in B2B MQ

    IBM Champion
    Posted Wed December 08, 2021 03:49 AM

    Hi Glen,

    I just want to confirm exactly what you mean by your question, so that I know I am answering the right thing. You have mentioned both QMGR-QMGR channels and client connected applications. Then you have asked, "how do we authenticate the application (userid) putting the message on the remote system, when we only have the inbound message?".

    Do you wish to apply authentication on the remote system? Do you have control of the remote system? Or do you wish to apply authentication to the message that was already put on the remote system, and has travelled to your own system over a QMGR-QMGR channel - is that what you mean by "inbound message"?

    I assume from your statement of zero trust when talking about clients, you perhaps also have zero trust between the remote queue manager and your queue manager? Is that correct? Is that where your question comes from? You have no trust over the authentication done on the remote system and you want to apply your own authentication locally as the message arrives over the QMGR-QMGR channel?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: USERID Authentication in B2B MQ

    Posted Wed December 08, 2021 12:29 PM
    Hi Morag,

    So the client authentication will be vendor application, using MQ Client on vendor servers, connecting to vendor QMGRs/servers using vendor authentication.

    The messages will be sent to us via QMGR to QMGR sender/receiver channels.

    So the msg headers will have the userid authenticated by the vendor side.

    When this is in house, we trust the userid in the msg header since we have control from the application server to the back end.

    We have zero trust between our windows domain and the vendor's domain. Our security team would like to authenticate the USERID in the message header. Since the MQ Clients are not connecting to our QMGRs, we cannot enforce the authentication of the MQ Client to ensure the USERID can be trusted.

    ------------------------------
    Glen Larson
    Lead Systems Engineer
    Progressive Insurance
    Colorado Springs CO
    (719) 432-1360
    ------------------------------



  • 4.  RE: USERID Authentication in B2B MQ

    IBM Champion
    Posted Wed December 08, 2021 04:58 PM

    As @Mark Taylor has already noted, Advanced Message Security (AMS) is one of the ways you can authenticate a message coming from another system. This is authenticating the sender of the message by their Distinguished Name (DN) from their certificate. It does not touch or change the user ID inside the message.

    Do you currently use the user ID inside the message for authorization purposes downstream? Do you need to ensure the user ID inside the message conforms to some set of rules? Does your channel use it for target queue authorization checks? If not, AMS may be all you need. If you need to alter the user ID to be something else, then you will need to look into a Message Exit.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------
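As an added illustration of the AMS approach Mark and Morag describe (not code from the thread or from either author), the following script composes the `setmqspl` command that defines a signing-only policy on the receiving queue manager, so the application gets a message only if it was signed by a certificate whose DN is on the allowed list; the queue manager name, queue name and signer DN are constructed placeholders, and the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the thread: define an AMS integrity (signing) policy on
# the receiving queue manager so a message is delivered to the application only
# if it was signed by a certificate whose DN is on the allowed-signer list.
# QMGR, QUEUE and VENDOR_DN are constructed placeholders.
QMGR="RCVQM"                                        # assumed receiving queue manager
QUEUE="B2B.INBOUND"                                 # assumed target queue of the receiver channel
VENDOR_DN="CN=vendorapp,OU=B2B,O=Vendor Inc,C=US"   # constructed DN of the vendor's signing cert

# Compose the setmqspl command for a signature-only policy.
#   -p QUEUE  : the policy name is the name of the protected queue
#   -s SHA256 : signing algorithm; the sender's policy must use the same one
#   -a DN     : a permitted signer; repeat -a once per allowed DN
#   -t 0      : do not tolerate unprotected messages (the default). -t 1 would let
#               unsigned messages reach the application, which defeats the purpose.
ams_sign_policy() {
    qm=$1; q=$2; shift 2
    cmd="setmqspl -m $qm -p $q -s SHA256 -t 0"
    for dn in "$@"; do
        cmd="$cmd -a \"$dn\""
    done
    printf '%s\n' "$cmd"
}

# Commands to review the policy afterwards and to watch the AMS error queue:
# messages that fail signature verification are not delivered to the application
# but moved to SYSTEM.PROTECTION.ERROR.QUEUE, so a growing depth there is the
# signal that someone is sending unsigned or wrongly signed messages.
ams_check_cmds() {
    printf 'dspmqspl -m %s -p %s\n' "$1" "$2"
    printf 'echo "DISPLAY QLOCAL(SYSTEM.PROTECTION.ERROR.QUEUE) CURDEPTH" | runmqsc %s\n' "$1"
}

# Dry run: print the commands an administrator would execute on the receiving side.
ams_sign_policy "$QMGR" "$QUEUE" "$VENDOR_DN"
ams_check_cmds "$QMGR" "$QUEUE"
```

The matching policy on the vendor's queue manager must name the same signing algorithm and the vendor application must hold the private key for that DN; the user ID in the MQMD is left untouched, as Morag notes, so authorization downstream should key off the verified signer DN rather than that field.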



  • 5.  RE: USERID Authentication in B2B MQ

    Posted Wed December 08, 2021 04:50 AM
    Sounds like AMS might be useful here - when the app GETs the message, you will know that it was signed by a known entity, configured in the getting side's policy.

    ------------------------------
    Mark Taylor
    Winchester
    ------------------------------



  • 6.  RE: USERID Authentication in B2B MQ

    Posted Wed December 08, 2021 12:30 PM
    Thanks Mark, I will read up on the features of AMS and see if that fits our requirements.

    ------------------------------
    Glen Larson
    Lead Systems Engineer
    Progressive Insurance
    Colorado Springs CO
    (719) 432-1360
    ------------------------------



  • 7.  RE: USERID Authentication in B2B MQ

    IBM Champion
    Posted Wed December 08, 2021 03:08 PM
    Hi Glen,

    <Vendor_Plug>
    If you are going to go down the encryption/signing path then you should also have a look at Capitalware's MQ Message Encryption (MQMR).  It can encrypt and/or sign messages put to a queue and/or topic.

    Capitalware offers a free 60-day trial of MQMR for a POC which includes free support.
    </Vendor_Plug>

    later
    Roger

    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON Canada
    https://capitalware.com
    ------------------------------



  • 8.  RE: USERID Authentication in B2B MQ

    Posted Wed December 08, 2021 03:30 PM
    Thanks Roger, we will consider this as an option if AMS doesn't satisfy our requirements.

    ------------------------------
    Glen Larson
    Lead Systems Engineer
    Progressive Insurance
    Colorado Springs CO
    (719) 432-1360
    ------------------------------



  • 9.  RE: USERID Authentication in B2B MQ

    Posted Wed December 08, 2021 03:23 PM
    Thanks Josh for the link to the Red Book. We have considered the message exit, but would prefer to use standard MQ facilities. Since we cannot control the other side, we prefer to avoid code that can go stale due to changes beyond our control. We will look at the features of AMS first, and try to come to an agreement using those features first.

    ------------------------------
    Glen Larson
    Lead Systems Engineer
    Progressive Insurance
    Colorado Springs CO
    (719) 432-1360
    ------------------------------