MQSeries Security

[bmaki]

I am trying to implement the security features for MQSeries. Specifically, the DCE Login and encryption. I am confused on what I have to do to use the DCE Login and I can't use the sample channel exit given with MQSeries for encryption because I don't have the GSS-API's, so I either need to know where I can get the GSS-API's or I need to know how to implement it using PGP. Any help would be greatly appreciated.

Thanks,
Brook [sig][/sig]

 

[pmeekin]

Forgive me if I have misunderstood you but in order to use the DCE exit you need to have an existing, running DCE infrastructure. This is an extremely non-trivial piece of work and includes such things as a DCE directory service as well as a DCE security server etc (I've now reached the extent of my knowledge of DCE!).

You talk aboutboth logon and encryption. I haven't looked at the DCE exit but these would normally be handled at two levels by MQSeries - the (so-called) Security Channel exit and by the Send and Receive exits (or possibly a Message channel exit). The Security exit would handle logon and authentication and the others would do the encryption (and message signing/authentication if you needed it).

It is perfectly possible to use the same piece of code to do both jobs but I wouldn't generally recommend it.

Channel exits in themselves are not complicated although for the Security exit you need to get your exchange sequence sorted out.

I wrote a Security exit for OS/390, Solaris and WinNT which uses DES to encrypt a random string and challenges the other end to decrypt it - simple but for my purposes adequate authentication. If you think it would help, e-mail me for a copy at mqs@moonray.org. Alternatively there are a few similar exits knocking about on the Web including a Support pac which uses Entrust's toolkit.

Finally, check out the IBM Redbook on MQ Security exits.

Hope this helps,
Paul [sig][/sig]