Contents

Figures
Tables
About this book
Who this book is for
What you need to know to understand this book
Terms used in this book
How to use this book
Summary of changes
Changes in this edition (SC34-6588-00)
Introduction
Security services
Identification and authentication
Access control
Confidentiality
Data integrity
Non-repudiation
Planning for your security requirements
Basic considerations
Authority to administer WebSphere MQ
Authority to work with WebSphere MQ objects
Channel security
Additional considerations
Queue manager clusters
WebSphere MQ Publish/Subscribe
WebSphere MQ internet pass-thru
Link level security and application level security
Link level security
Application level security
Comparing link level security and application level security
Obtaining more information
Cryptographic concepts
Cryptography
Message digests
Digital signatures
Digital certificates
What is in a digital certificate
Requirements for personal certificates
Certification Authorities
Distinguished Names
How digital certificates work
Public Key Infrastructure (PKI)
The Secure Sockets Layer (SSL)
Transport Layer Security (TLS) concepts
Secure Sockets Layer (SSL) concepts
An overview of the SSL handshake
How SSL provides authentication
How SSL provides confidentiality
How SSL provides integrity
CipherSuites and CipherSpecs
The Secure Sockets Layer in WebSphere MQ
WebSphere MQ security provisions
Access control
Authority to administer WebSphere MQ
Authority to administer WebSphere MQ on UNIX and Windows systems
Authority to administer WebSphere MQ on i5/OS
Authority to administer WebSphere MQ on z/OS
Authority to work with WebSphere MQ objects
When authority checks are performed
Alternate user authority
Message context
Authority to work with WebSphere MQ objects on i5/OS, UNIX systems, and Windows systems
Authority to work with WebSphere MQ objects on z/OS
Channel security
WebSphere MQ SSL support
Channel attributes
Channel status attributes
Queue manager attributes
The authentication information object (AUTHINFO)
The SSL key repository
Protecting WebSphere MQ client key repositories
Refreshing a key repository
Resetting SSL secret keys
Federal Information Processing Standards (FIPS)
WebSphere MQ client considerations
Working with WebSphere MQ internet pass-thru (IPT)
Support for cryptographic hardware
Other link level security services
Channel exit programs
Security exit
Message exit
Send and receive exits
Obtaining more information
The SSPI channel exit program
SNA LU 6.2 security services
Session level cryptography
Session level authentication
Conversation level authentication
Providing your own link level security
Security exit
Identification and authentication
Access control
Confidentiality
Message exit
Identification and authentication
Access control
Confidentiality
Data integrity
Non-repudiation
Other uses of message exits
Send and receive exits
Confidentiality
Data integrity
Other uses of send and receive exits
Access Manager for Business Integration
Introduction
Access control
Identification and authentication
Data integrity
Confidentiality
Non-repudiation
Obtaining more information
Providing your own application level security
The API exit
The API-crossing exit
The role of the API exit and the API-crossing exit in security
Identification and authentication
Access control
Confidentiality
Data integrity
Non-repudiation
Other ways of providing your own application level security
Working with WebSphere MQ SSL support
Setting up SSL communications
Task 1: Using self-signed certificates
The steps required to complete task 1
Result of task 1
Verifying task 1
Task 2: Using CA-signed certificates
The steps required to complete task 2
Result of task 2
Verifying task 2
Extensions to this task
Task 3: Anonymous queue managers
The steps required to complete task 3
Result of task 3
Verifying task 3
Extensions to this task
Working with the Secure Sockets Layer (SSL) on i5/OS
Digital Certificate Manager (DCM)
Accessing DCM
Assigning a certificate to a queue manager
Setting up a key repository
Creating a new certificate store
Stashing the certificate store password
Working with a key repository
Locating the key repository for a queue manager
Changing the key repository location for a queue manager
When changes become effective
Obtaining server certificates
Creating CA certificates for testing
Requesting a server certificate
Adding server certificates to a key repository
Managing digital certificates
Transferring certificates
Removing certificates
Configuring cryptographic hardware
Mapping DNs to user IDs
Working with the Secure Sockets Layer (SSL) on UNIX and Windows systems
Using iKeyman and iKeycmd
Setting up a key repository
Accessing your key database file
Working with a key repository
Locating the key repository for a queue manager
Changing the key repository location for a queue manager
Locating the key repository for a WebSphere MQ client
Specifying the key repository location for a WebSphere MQ client
When changes become effective
Obtaining personal certificates
Creating a self-signed personal certificate
Requesting a personal certificate
Receiving personal certificates into a key repository
Managing digital certificates
Transferring certificates
Deleting a personal certificate from a key repository
Configuring for cryptographic hardware
Managing certificates on PKCS #11 hardware
Mapping DNs to user IDs
Migrating SSL security certificates in WebSphere MQ for Windows
Working with the Secure Sockets Layer (SSL) on z/OS
Setting the SSLTASKS parameter
Setting up a key repository
Ensuring CA certificates are available to a queue manager
Working with a key repository
Locating the key repository for a queue manager
Specifying the key repository location for a queue manager
When changes become effective
Obtaining personal certificates
Creating a self-signed personal certificate
Requesting a personal certificate
Creating a RACF signed personal certificate
Adding personal certificates to a key repository
Managing digital certificates
Transferring certificates
Removing certificates
Working with Certificate Name Filters (CNFs)
Setting up a CNF
Working with Certificate Revocation Lists and Authority Revocation Lists
Setting up LDAP servers
Configuring and updating LDAP servers
Accessing CRLs and ARLs
Accessing CRLs and ARLs with a queue manager
Accessing CRLs and ARLs with a WebSphere MQ client
Accessing CRLs and ARLs with the Java client and JMS
Checking CRLs and ARLs
Manipulating authentication information objects with PCF commands
Keeping CRLs and ARLs up to date
Working with CipherSpecs
Specifying CipherSpecs
Obtaining information about CipherSpecs using WebSphere MQ Explorer
Alternatives for specifying CipherSpecs
Specifying a CipherSpec for a WebSphere MQ client
Specifying a CipherSuite with the Java client and JMS
Understanding CipherSpec mismatches
WebSphere MQ rules for SSLPEER values
Understanding authentication failures
Appendixes
Appendix A. Cryptographic hardware
Appendix B. Notices
Trademarks
Index