Original Message:
Sent: Fri April 05, 2024 12:44 AM
From: Morag Hughson
Subject: Protecting data-encryption key for MQ AMS
I agree with Mark's reply. To consider the strength of the encryption key to be too weak is not a defect. The key strength is working exactly as documented. So raising a PMR/case with IBM is not the correct route to take as that is for reporting things that do not work as advertised.
To ask for a functional enhancement, that is a new feature, to make the encryption key strength stronger than that documented, you should raise what used to be known as an RFE (Request For Enhancement) which is now called an Idea. The link for non-IBMers to submit an Idea is here.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Thu March 28, 2024 03:59 AM
From: Péter Bősze
Subject: Protecting data-encryption key for MQ AMS
Hi Morag,
We had a look at runamscred and it looks really promising - one could use a HW-Box to store the protected key.
The original enquiry was triggered by the requirements of PCI DSS Compliance, and it seems our biggest issue is the strength of encryption on the key:
https://www.ibm.com/docs/en/ibm-mq/9.3?topic=files-limits-protection-through-password-encryption
Do you think raising a PMR with IBM on this matter would lead to a result here?
Cheers,
Peter
------------------------------
Péter Bősze
Swisscom (Schweiz) AG
Original Message:
Sent: Fri March 22, 2024 07:16 AM
From: Morag Hughson
Subject: Protecting data-encryption key for MQ AMS
Hi Péter,
I tried replying about 12 hours ago, but for some reason my reply has never shown up so I will try again now.
Have you read about this: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=mq-protecting-passwords-in-component-configuration-files
This was a feature added fairly recently, so you might not be aware of it.
I think it might be what you need.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Thu March 21, 2024 12:49 PM
From: Péter Bősze
Subject: Protecting data-encryption key for MQ AMS
Dear all,
Due to data protection regulations it is required to protect our MQ 9.3 AMS data-encryption key with a separately stored key-encryption key.
The default setup - as far as we understand it - stashes the password in the same folder as the key repository.
The requirement is to protect the key with some sort of password management solution or a vault - that provides equally strong security from an external location.
We'd be grateful if you could share your experiences / best practices for this.
Best regards,
Peter
------------------------------
Péter Bősze
Swisscom (Schweiz) AG
------------------------------