MQ

  • 1.  Protecting data-encryption key for MQ AMS

    Posted Thu March 21, 2024 12:50 PM

    Dear all,

    Due to data protection regulations, we are required to protect our MQ 9.3 AMS data-encryption key with a separately stored key-encryption key.

    The default setup, as far as we understand it, stashes the password in the same folder as the key repository.

    The requirement is to protect the key with some sort of password management solution or a vault that provides equally strong security from an external location.

    We'd be grateful if you could share your experiences / best practices for this.

    Best regards,

    Peter



    ------------------------------
    Péter Bősze
    Swisscom (Schweiz) AG
    ------------------------------
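    The concern in this post is that a stashed password next to the key repository, or a clear-text password in keystore.conf, gives anyone who can read that directory the data-encryption key. The following audit script is an added example, not code from the thread or from IBM: it parses the key=value layout of an MQ AMS keystore.conf, flags password entries that are still in clear text, and reports a CMS stash file (.sth) lying beside the key database together with its file permissions. The key names (cms.keystore, jks.keystore_pass, jks.key_pass, cms.password) follow the documented keystore.conf layout but should be treated as assumptions, and the `<TAG>` prefix it uses to recognise an already-protected value is a constructed placeholder, not the real format written by runamscred.

```python
"""Audit an MQ AMS keystore.conf for password-handling weaknesses.

Constructed example. Checks:
  * password entries in keystore.conf stored in clear text,
  * a CMS stash file (.sth) beside the key database,
  * group/other access bits on that stash file.
Assumes a POSIX filesystem for the permission check.
"""
import re
import stat
import tempfile
from pathlib import Path

# Assumption: these are the password-bearing keys of keystore.conf.
PASSWORD_KEYS = ("cms.password", "jks.keystore_pass", "jks.key_pass")

# Assumption/placeholder: a protected value starts with a tag-like marker.
# The real encrypted format is not modelled here.
PROTECTED_RE = re.compile(r"^<[A-Za-z0-9]+>")


def parse_conf(text: str) -> dict:
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def _stash_candidates(keystore: Path) -> set:
    """A CMS key database 'foo.kdb' (or 'foo', extension omitted as MQ AMS
    allows) keeps its stashed password in 'foo.sth'."""
    return {keystore.with_suffix(".sth"), keystore.parent / (keystore.name + ".sth")}


def _too_open(path: Path) -> bool:
    """True if group or others hold any permission bit on the file."""
    return bool(path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def find_weaknesses(conf: dict) -> list:
    """Return human-readable findings for a parsed keystore.conf."""
    findings = []
    for key in PASSWORD_KEYS:
        if key in conf and not PROTECTED_RE.match(conf[key]):
            findings.append(f"{key}: password stored in clear text in keystore.conf")
    if "cms.keystore" in conf:
        keystore = Path(conf["cms.keystore"])
        for stash in sorted(_stash_candidates(keystore)):
            if stash.exists():
                findings.append(f"cms.keystore: stash file {stash.name} sits beside the key repository")
                if _too_open(stash):
                    findings.append(f"cms.keystore: {stash.name} is readable by group/others")
    return findings


def demo() -> list:
    """Build a constructed .mqs-style directory and audit it (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "keystore.kdb").write_bytes(b"constructed key database placeholder")
        stash = d / "keystore.sth"
        stash.write_bytes(b"constructed stash placeholder")
        stash.chmod(0o644)  # a common default: group and others can read it
        sample = f"""
# constructed keystore.conf
cms.keystore = {d / 'keystore'}
cms.certificate = CN=mqclient
jks.keystore = {d / 'keystore.jks'}
jks.certificate = mqclient
jks.keystore_pass = passw0rd
jks.key_pass = <PROTECTED>c29tZWVuY3J5cHRlZHZhbHVl
"""
        return find_weaknesses(parse_conf(sample))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

    Run against a real ~/.mqs/keystore.conf by calling `find_weaknesses(parse_conf(Path(path).read_text()))`; an empty result means no clear-text password entry and no readable stash file beside the CMS key database, which is the state the post is trying to reach before moving the key-encryption secret to an external vault.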


  • 2.  RE: Protecting data-encryption key for MQ AMS

    IBM Champion
    Posted Fri March 22, 2024 07:16 AM

    Hi Péter,

    I tried replying about 12 hours ago, but for some reason my reply never showed up, so I will try again now.

    Have you read about this: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=mq-protecting-passwords-in-component-configuration-files

    This was a feature added fairly recently, so you might not be aware of it.

    I think it might be what you need.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: Protecting data-encryption key for MQ AMS

    Posted Fri March 22, 2024 11:37 AM

    Hi Morag,

    Thank you, no, we haven't seen this addition yet.

    Will check it out!

    Cheers,

    Péter



    ------------------------------
    Péter Bősze
    Swisscom (Schweiz) AG
    ------------------------------



  • 4.  RE: Protecting data-encryption key for MQ AMS

    Posted Thu March 28, 2024 04:00 AM

    Hi Morag,

    We had a look at runamscred and it looks really promising; one could use an HW box to store the protected key.

    The original enquiry was triggered by the requirements of PCI DSS Compliance, and it seems our biggest issue is the strength of encryption on the key:

    https://www.ibm.com/docs/en/ibm-mq/9.3?topic=files-limits-protection-through-password-encryption

    Do you think raising a PMR on IBM on this matter would lead to a result here?

    Cheers,

    Peter



    ------------------------------
    Péter Bősze
    Swisscom (Schweiz) AG
    ------------------------------



  • 5.  RE: Protecting data-encryption key for MQ AMS

    Posted Tue April 02, 2024 04:01 AM

    I'm not sure that this is a subject suited to a support request.

    However, you could use https://bigblue.aha.io/products/MESNS/ideas_overview to request improvements to the encryption mechanism.



    ------------------------------
    Mark Bluemel
    Software Engineer
    IBM
    mbluemel@uk.ibm.com
    ------------------------------



  • 6.  RE: Protecting data-encryption key for MQ AMS

    IBM Champion
    Posted Fri April 05, 2024 12:44 AM

    I agree with Mark's reply. To consider the strength of the encryption key to be too weak is not a defect. The key strength is working exactly as documented. So raising a PMR/case with IBM is not the correct route to take as that is for reporting things that do not work as advertised.

    To ask for a functional enhancement, that is a new feature, to make the encryption key strength stronger than that documented, you should raise what used to be known as an RFE (Request For Enhancement) which is now called an Idea. The link for non-IBMers to submit an Idea is here.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 7.  RE: Protecting data-encryption key for MQ AMS

    Posted Wed April 17, 2024 03:01 AM

    Thank you Morag and Mark,

    I have created the idea MESNS-I-700, let's hope it'll fly.

    Have a great day,

    Peter



    ------------------------------
    Péter Bősze
    Swisscom (Schweiz) AG
    ------------------------------