IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does
(and if you aren't careful may not work at all)
T.Rob Wyatt, Senior Managing Consultant
t.rob@ioptconsulting.com
Follow on Twitter: @tdotrob
MQ Blog: https://t-rob.net
11/30/2016 Presented by IBM Middleware User Community, https://imwuc.org
This deck is expected to change frequently over the course of the project. Please check back for the latest version. Although it will be posted on IMWUC and Slideshare, the authoritative source is https://t-rob.net/links
This is v1.0, published on Dec 1, 2016
Known to-do’s as of Dec 1:
• Re-test to eliminate any false results based on lack of backstop rule.
• Re-test to eliminate results of possible MQ Explorer bug re: Compatibility Mode in early releases.
• Write command-line tools to eliminate dependence on Explorer.

• All tools for this project are maintained on GitHub. Please don’t be shy about sending pull requests. https://github.com/tdotrob/IBMMQ-passwd-auth
• In consideration of corporate firewall blocking, the research and results matrix are posted in multiple formats on Google and for direct download. These are indexed on my links page https://t-rob.net/links and will also change frequently.
• Don’t let the fact that I provide consulting services stop you from contacting me informally to talk about this stuff. I am not participating in the community to promote my business. My business arose out of and exists to serve the MQ community, not the other way around.
@tdotrob, LinkedIn, call 704-443-TROB(8762), or email: t.rob at IoPTConsulting dot com

Native MQ password authentication (CONNAUTH) introduced in IBM MQ v8.0 has gotten off to a rough start. As of Fix Pack 8.0.0.5, the interaction between CONNAUTH and CHLAUTH has exhibited 5 distinct behaviors. After applying Fix Packs some of these cause hard failures while others silently over-authorize client users, leaving the queue manager exposed.
This webcast will present findings from our CONNAUTH/CHLAUTH security research as well as recommendations for MQ users and the audit community.

T.Rob Wyatt is an independent consultant who has been working with IBM MQ for over 20 years. Professionally he spends about half his time designing MQ architectures, clusters and HA solutions, and the other half focusing on security and figuring out how to break MQ.
His latest project is mapping out MQ's security behaviors when using password authentication, which produced the findings presented in this webinar. T.Rob is a frequent speaker at IBM conferences and MQ Tech Conference, a prolific blogger, and was recognized as an IBM Champion in 2016 for his contributions to the MQ community.

• I’m going to make some claims about what are safe and unsafe practices regarding CONNAUTH configuration.
• I’ll justify those with real-life examples.
• There will be a Q&A at the end where any questions will be answered and I’ll defend any challenges to the claims.
This is only a checkpoint and new information was coming to light right up to the webinar deadline. After the webinar, I’ll post this on my site and keep it up to date over time. CHECK BACK before distributing or re-presenting to make sure you have a current copy: https://t-rob.net/links

Based on my research, I consider the following to be mandatory configurations when using CONNAUTH.
• ADOPTCTX(YES) in all cases.
• ChlauthEarlyAdopt enabled in all cases.
• Use a version of MQ at which Early Adopt is supported.
• Define Morag’s “Backstop Rule” to establish a deny-by-default CHLAUTH policy.
• Set PasswordProtection=always in the qm.ini Channels stanza.
• Use TLS channels.
• Use CHCKCLIENT(REQUIRED).
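The list above as one concrete configuration, added here as an example; it is not taken from the deck or from the tools in its GitHub repository. It assumes a queue manager named QM1 with qm.ini under the default /var/mqm path, an application channel APP1.SVRCONN, a client certificate subject CN=app1,OU=Payments,O=YourCompany, the CipherSpec ECDHE_RSA_AES_256_GCM_SHA384, and client-certificate authentication on that channel (SSLCAUTH(REQUIRED)) so that a single fully qualified SSLPEERMAP rule can be the one way through the backstop. None of those names appear in the original.

```shell
#!/bin/sh
# Added example, not from the deck or its GitHub tools: apply the mandatory settings above to one
# queue manager. Assumed names: QM1, channel APP1.SVRCONN, client cert DN CN=app1,OU=Payments,O=YourCompany,
# qm.ini under /var/mqm, CipherSpec ECDHE_RSA_AES_256_GCM_SHA384. Run as the mqm user.
set -eu

QMGR="${1:-QM1}"
CHANNEL="${2:-APP1.SVRCONN}"
CLIENT_DN="${3:-CN=app1,OU=Payments,O=YourCompany}"
QM_INI="/var/mqm/qmgrs/${QMGR}/qm.ini"   # assumes a name that needs no directory-name transformation

# MQSC for the queue-manager-side settings, printed so it can be reviewed before it goes into runmqsc.
hardening_mqsc() {
  cat <<EOF
* Password authentication on, and OAM sees the password-authenticated ID (ADOPTCTX(YES)).
* CHCKCLIENT(REQUIRED): every client must send a password, so the client cannot opt out of CONNAUTH.
ALTER QMGR CHLAUTH(ENABLED) CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES) CHCKCLIENT(REQUIRED) CHCKLOCL(OPTIONAL)
* TLS on the application channel. MCAUSER is a non-privileged placeholder only: with ADOPTCTX(YES)
* the authenticated ID replaces it, so it is not a control.
DEFINE CHANNEL(${CHANNEL}) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('nobody') SSLCIPH(ECDHE_RSA_AES_256_GCM_SHA384) SSLCAUTH(REQUIRED) REPLACE
* Backstop rule: deny every channel from every address unless a more specific rule allows it.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Backstop: deny by default') WARN(NO) ACTION(REPLACE)
* Keep administrative IDs off the application channel with a BLOCKUSER rule, not a NOACCESS mapping.
SET CHLAUTH(${CHANNEL}) TYPE(BLOCKUSER) USERLIST('*MQADMIN') DESCR('No MQ admins on app channel') ACTION(REPLACE)
* Let exactly one certificate subject through the backstop on this channel: a fully qualified DN,
* not a generic one such as O=YourCompany, so the allow-list is one identity rather than the whole org.
SET CHLAUTH(${CHANNEL}) TYPE(SSLPEERMAP) SSLPEER('${CLIENT_DN}') USERSRC(CHANNEL) DESCR('Allow the app1 client cert') ACTION(REPLACE)
REFRESH SECURITY TYPE(CONNAUTH)
EOF
}

# qm.ini Channels stanza; both attributes are read at queue manager start, so a restart is needed.
qm_ini_channels_stanza() {
  cat <<'EOF'
Channels:
   ChlauthEarlyAdopt=Y
   PasswordProtection=always
EOF
}

apply_hardening() {
  hardening_mqsc | runmqsc "$QMGR"
  if grep -q '^Channels:' "$QM_INI"; then
    echo "$QM_INI already has a Channels: stanza; add ChlauthEarlyAdopt=Y and PasswordProtection=always to it by hand" >&2
  else
    qm_ini_channels_stanza >> "$QM_INI"
  fi
  echo "Restart $QMGR (endmqm -i, strmqm) so the qm.ini changes take effect" >&2
}

# Print for review by default; APPLY=yes ./harden.sh QM1 APP1.SVRCONN 'CN=...' applies it.
if [ "${APPLY:-no}" = "yes" ]; then apply_hardening; else hardening_mqsc; qm_ini_channels_stanza; fi
```

Printed by default so the MQSC can be reviewed, and diffed against a later run, before it is applied; APPLY=yes pipes it into runmqsc and appends the Channels stanza, after which the queue manager has to be restarted for ChlauthEarlyAdopt and PasswordProtection to take effect. Two points from the deck shape the design: the channel's MCAUSER is deliberately a non-privileged placeholder because ADOPTCTX(YES) replaces it with the password-authenticated ID, and the SSLPEERMAP rule only decides which certificate may open the channel, not which ID the connection runs as, so the OAM profiles for the authenticated ID are the real authorization boundary.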
At the opposite end of the scale are things to never do with CONNAUTH and CHLAUTH.
• Don’t use permissive ADDRESSMAP rules.
• Don’t use generic PEERMAP rules.
• Don’t patch or upgrade without extensive testing.
• Don’t disable CHLAUTH.
• Don’t use a USERSRC(NOACCESS) mapping rule where a BLOCKUSER rule will work.

Mandatory configurations
• With ADOPTCTX(NO) there is no meaningful connection between the ID authenticated by the password and that used for mapping and authorization.
• With ADOPTCTX(NO) it is the client and not the MQ Admin who decides which ID the QMgr will act on.
• ADOPTCTX(YES) is the only option that enforces that the authenticated ID be used for OAM authorization.
• Unfortunately, ADOPTCTX(YES) does NOT enforce that connection for CHLAUTH rules.

As noted in the prior section, ADOPTCTX(YES) does NOT enforce that CHLAUTH rules operate against the password-authenticated ID.
• IBM added ChlauthEarlyAdopt to enforce this behavior.
• Requires the MQ Admin to explicitly alter the default configuration to obtain relief from a bug.

• Implied by the previous slide.
• Listed here in hopes that a mob of MQ Admins wielding pitchforks and torches will storm the castle and demand that the Knowledge Center track this and other Fix-Pack-specific features down to the Fix Pack level so that we can ascertain which provides the minimum level of support.
(The KC entry for ChlAuthEarlyAdopt keeps disappearing and reappearing like the palace in Krull. It is currently on this page and has no mention of which MQ version first delivered it. It does say “To have the queue manager use this new behavior…” which makes no sense if you don’t know which Fix Pack delivered it since CONNAUTH was itself new in v8.0, the version for the page in question.)

The (almost) secure-by-default CHLAUTH posture originally was to allow connections of non-admin users from all addresses. Since a new QMgr did not know about non-admin groups or users they could not sign on, even after defining new SVRCONN channels.
The fact that CONNAUTH is set to IDPWOS by default breaks this assumption!
Now when you define a new SVRCONN the other defaults allow anyone who can sign onto the MQ host (and if it uses AD, NIS+, LDAP, etc. that may be the entire corporate user database) to connect and nominate mqm as the MCAUSER.

• QMgr by default points to IDPWOS AUTHINFO.
• IDPWOS enables password validation by default and requires it for Admins.
• ADOPTCTX(NO) by default allows the client to set a user ID other than the one they authenticate with their password.
• MQ Admin defines SYSTEM.ADMIN.SVRCONN and a BLOCKUSER that omits *MQADMIN and suddenly ANYONE can become mqm.
• D’oh!

MQ will encrypt your password when using a v8.0 or higher client and a v8.0 or higher QMgr, but…
• Credentials are in the clear when using clients < v8.0 in all cases.
• Credentials are in the clear even with clients at v8.0 and higher in compatibility mode!
Your apps and users will still transmit their ID and password over the network willy-nilly, but with PasswordProtection=always at least the connection refusal will encourage them to disable compatibility mode.
This also reduces (but does not eliminate) variance in CHLAUTH behavior across versions and fixes.

This way when your apps and users are transmitting their ID and password over the network willy-nilly in the clear, the MQ Admin can show steps taken to prevent sniffing them on the wire.
• TLS encryption protects the credentials.
• Anonymous clients support encryption without having to provision personal certs at each client.
• Unfortunately, this removes the restriction on Compatibility Mode so the CHLAUTH behavior variance you must account for in your CHLAUTH design more than doubles.

• With ADOPTCTX(YES), CHLAUTH rules cease to perform any mapping whatsoever. This requires a significantly different CHLAUTH security model versus when mapping is available.
• The security models that are effective under mapping and under ADOPTCTX(YES) are antagonistic toward one another.
• With CHCKCLIENT(OPTIONAL) the client gets to choose whether to authorize under CHLAUTH mapping, not the MQ Admin, and it is likely the CHLAUTH model fails to adequately secure at least one of these modes.

Avoid these like the plague
Because ADOPTCTX(YES) disables all mapping, rules that filter on addresses effectively whitelist all IDs that can authenticate with a password. They may be blocked later by OAM but the connection itself is whitelisted and hardcoded MCAUSER values are overridden.
Example: You have a B2B gateway and before CONNAUTH you used ADDRESSMAP rules to designate some channels as internal-facing and some as external-facing. Applying that to a QMgr with CONNAUTH converts those rules so they now whitelist all password-validated IDs for all internal-facing and external-facing channels.
They still restrict the channels as intended, only now the attacker has the means to sign on to any account if they can obtain the password. Better get your asbestos raincoat on, the forecast calls for an 80% chance of spearphishing attack.

Because ADOPTCTX(YES) disables all mapping, rules that filter on generic certificate Distinguished Names effectively whitelist all IDs that can authenticate with a cert and a password. They may be blocked later by OAM but the connection itself is whitelisted and hardcoded MCAUSER values are overridden.
Admittedly, this is MUCH better than permissive ADDRESSMAP rules, but if you have something like PEERMAP(“O=YourCompany”) it is still a much larger population of whitelisted IDs than you probably intended.
Note that even if you use a fully qualified DN, mapping is disabled and the ID that is authenticated need not have anything to do with the certificate presented. So if I’m a business partner whose cert you trust, I can still sign on as you if I know your password.
Did we mention spearphishing attacks?

When I first undertook this research, I got a v8.0.0.0 virtual machine working with several accounts and CHLAUTH rules, then cloned it 5 more times, once for each Fix Pack.
All of the resulting VMs worked except for v8.0.0.1. Although it had worked before the Fix Pack, after the maintenance and with no modifications to the MQ Explorer channels, stored IDs or passwords, it refused to authenticate under CONNAUTH.
Hence the subtitle, “and if you aren't careful may not work at all”

• To commit to CONNAUTH is to commit to extensive regression testing after every maintenance or upgrade.
• Due to the increased overhead, it may not be feasible for auditors and QSAs to enforce the 30/60/90 day security patch discipline called for by PCI and generally considered Best Practice.
• If the 30/60/90 day deadlines are to be enforced, consider disabling CONNAUTH altogether.
• Please consider contributing to the post-patch regression testing toolset being built on GitHub: https://github.com/tdotrob/IBMMQ-passwd-auth

• Because ADOPTCTX(NO) allows the client to nominate any ID to run under.
• Because ADOPTCTX(YES) overrides the hard-coded MCAUSER.
• Because SSLPEER doesn’t affect either of the above.
• Because at this point you just ran out of security controls.
I’d like to think this one didn’t need any justification. Please try not to disabuse me of that notion.

• These rules sometimes operate against the MQCD user, sometimes against the MQCSP user, sometimes both.
• When there is any variation at all in behavior, it is the client and not the MQ Admin who decides which ID is presented.
• The exact behavior changes across versions and fixes, and by ChlauthEarlyAdopt settings.
• Whichever ID is ultimately used can be overridden by an exit.
BLOCKUSER rules are evaluated after all other rules. Their behavior has not been seen to vary.
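An added example, not from the deck or its GitHub toolset, that turns the “never do” list, the “Don’t disable CHLAUTH” justification and the ADDRESSMAP/PEERMAP slides into a check a practitioner can run after each Fix Pack: it parses the text runmqsc prints for DISPLAY QMGR, DISPLAY AUTHINFO and DISPLAY CHLAUTH and prints one WARN line per finding, exiting non-zero when there is at least one. The sample output embedded in it is constructed for the example, not captured from a real queue manager, and two heuristics are this example's own assumptions: an SSLPEER filter counts as generic when it carries a wildcard or has no CN= component, and the backstop rule (channel *, address *, NOACCESS) is the one NOACCESS mapping that is exempt.

```shell
#!/bin/sh
# Added example (not from the deck or its GitHub tools): audit a queue manager against the
# discouraged settings. Reads the text runmqsc prints for DISPLAY QMGR / AUTHINFO / CHLAUTH.
# Assumptions: standard runmqsc output layout; an SSLPEER is "generic" if it has a wildcard
# or no CN= component; the backstop rule is the one NOACCESS mapping that is not flagged.

# Collect the three displays the audit needs (run as an MQ administrator).
get_display() {
  printf 'DISPLAY QMGR CHLAUTH CONNAUTH\nDISPLAY AUTHINFO(*) ALL\nDISPLAY CHLAUTH(*) ALL\n' | runmqsc "$1"
}

# One record per AMQ message line, built from the ATTR(value) pairs (several per line) that follow it.
# Prints WARN lines; exit status 1 when anything was flagged so it can gate a post-patch run.
audit_mqsc_output() {
  awk '
    function finding(msg) { print "WARN " msg; findings++ }
    function end_record(   chl, t, src, backstop) {
      if ("QMNAME" in rec) {
        if (rec["CHLAUTH"] != "ENABLED")
          finding("QMGR " rec["QMNAME"] " has CHLAUTH(" rec["CHLAUTH"] "): nothing constrains which ID a client runs as")
      } else if ("AUTHINFO" in rec) {
        if (rec["AUTHTYPE"] ~ /^IDPW/) {
          if (rec["ADOPTCTX"] != "YES")
            finding("AUTHINFO " rec["AUTHINFO"] " has ADOPTCTX(" rec["ADOPTCTX"] "): the client, not the admin, picks the authorization ID")
          if (rec["CHCKCLIENT"] != "REQUIRED")
            finding("AUTHINFO " rec["AUTHINFO"] " has CHCKCLIENT(" rec["CHCKCLIENT"] "): clients may connect without a password")
        }
      } else if ("CHLAUTH" in rec) {
        chl = rec["CHLAUTH"]; t = rec["TYPE"]; src = rec["USERSRC"]
        # The backstop rule (every channel, every address, NOACCESS) is the one NOACCESS mapping we want.
        backstop = (t == "ADDRESSMAP" && chl == "*" && rec["ADDRESS"] == "*" && src == "NOACCESS")
        if (!backstop) {
          if (t == "ADDRESSMAP" && src != "NOACCESS")
            finding("permissive ADDRESSMAP on " chl " ADDRESS(" rec["ADDRESS"] ") USERSRC(" src "): under ADOPTCTX(YES) it whitelists every password-validated ID from that range and its MCAUSER is overridden")
          else if (t == "SSLPEERMAP" && src != "NOACCESS" && (rec["SSLPEER"] ~ /\*/ || rec["SSLPEER"] !~ /CN=/))
            finding("generic SSLPEERMAP on " chl " SSLPEER(" rec["SSLPEER"] "): whitelists every cert under that DN; use a fully qualified DN")
          else if (src == "NOACCESS")
            finding("USERSRC(NOACCESS) mapping rule on " chl " TYPE(" t "): prefer a BLOCKUSER rule, whose evaluation has not been seen to vary")
        }
      }
      split("", rec)
    }
    /^AMQ[0-9]+[A-Z]:/ { end_record(); next }   # message line starts a new record
    /^ *[0-9]+ *: /    { end_record(); next }   # echoed MQSC command, not attributes
    {
      line = $0
      while (match(line, /[A-Z]+\([^)]*\)/)) {
        kv = substr(line, RSTART, RLENGTH); p = index(kv, "(")
        rec[substr(kv, 1, p - 1)] = substr(kv, p + 1, length(kv) - p - 1)
        line = substr(line, RSTART + RLENGTH)
      }
    }
    END { end_record(); exit (findings > 0 ? 1 : 0) }
  '
}

# Constructed sample of what get_display prints on a queue manager with several of the
# discouraged settings; not captured from a real system.
sample_display_output() {
  cat <<'EOF'
Starting MQSC for queue manager QM1.

     1 : DISPLAY QMGR CHLAUTH CONNAUTH
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             CHLAUTH(ENABLED)
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
     2 : DISPLAY AUTHINFO(*) ALL
AMQ8566I: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS)
   ADOPTCTX(NO)                            CHCKCLIENT(OPTIONAL)
     3 : DISPLAY CHLAUTH(*) ALL
AMQ8878I: Display channel authentication record details.
   CHLAUTH(*)                              TYPE(ADDRESSMAP)
   DESCR(Backstop rule)                    ADDRESS(*)
   USERSRC(NOACCESS)                       WARN(NO)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(INTERNAL.SVRCONN)               TYPE(ADDRESSMAP)
   DESCR(Internal-facing)                  ADDRESS(10.1.*)
   USERSRC(MAP)                            MCAUSER(appuser)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(PARTNER.SVRCONN)                TYPE(SSLPEERMAP)
   DESCR(Any partner cert)                 SSLPEER(O=YourCompany)
   USERSRC(CHANNEL)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(APP1.SVRCONN)                   TYPE(USERMAP)
   DESCR(Keep contractor off)              CLNTUSER(contractor)
   USERSRC(NOACCESS)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(APP1.SVRCONN)                   TYPE(BLOCKUSER)
   DESCR(No admins)                        USERLIST(*MQADMIN)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(APP1.SVRCONN)                   TYPE(SSLPEERMAP)
   DESCR(app1 cert)                        SSLPEER(CN=app1,OU=Payments,O=YourCompany)
   USERSRC(CHANNEL)
3 MQSC commands read.
EOF
}

# Demo on the constructed sample; on a live system: get_display QM1 | audit_mqsc_output
sample_display_output | audit_mqsc_output || echo "audit: findings present, see WARN lines"
```

On the sample this reports five findings: ADOPTCTX(NO) and CHCKCLIENT(OPTIONAL) on the IDPWOS AUTHINFO, the address-range ADDRESSMAP on INTERNAL.SVRCONN, the O=YourCompany SSLPEERMAP on PARTNER.SVRCONN, and the USERMAP NOACCESS rule on APP1.SVRCONN; the backstop rule, the BLOCKUSER rule and the fully qualified SSLPEERMAP pass. Because the deck reports that mapping-rule behavior shifts between Fix Packs while BLOCKUSER has not varied, the useful habit is to keep the audit output from before maintenance and diff it against the output afterwards, not just to check that it is empty.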
A Secure By Default CONNAUTH design would immediately on receipt of the connection request overlay the asserted User ID with the MQCSP User ID if present, then proceed with mapping and password validation as usual.
There is no valid use case to implement MQ’s strongest-ever authentication and then fail to enforce that the authenticated ID be used for authorization.
The use case that was given (migration) is better handled by forcing the password-authenticated user ID, and preserving mapping functionality so the MQ Admin (NOT the client!) can map the authenticated ID back to wasadmin or whatever it had been using before.
With that in mind…

…if you can think of even ONE valid use case for ADOPTCTX(NO) tell me!
Otherwise, please join me in telling, no begging, IBM to abandon backward compatibility in this case, make CONNAUTH enforce the authenticated ID, restore mapping functionality, and return MQ to a Secure-By-Default posture.
If this is done I can use the improved controls to duplicate any functionality you currently use ADOPTCTX(NO) for and will do so, under contract, for free.

More people deserve thanks than can be mentioned but a couple have gone the extra mile-and-a-half in support of this particular presentation…
Josh McIver seems to find more security and other bugs than anyone else I know and has provided extensive documentation and verified many of the results.
FJ Brandelik (you know him as fjbsaper) dove right into the code about 30 seconds after it hit GitHub and gave it a good test, bug fix, and upgrade.
My eternal thanks to both of you for the assistance and high expectations for the project.
How to convert PDF to text with Nanonetsnaman860154
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren't careful may not work at all)

  • 1. (and if you aren't careful may not work at all). T.Rob Wyatt, Senior Managing Consultant, t.rob@ioptconsulting.com. Follow on Twitter: @tdotrob. MQ Blog: https://t-rob.net. 11/30/2016, presented by IBM Middleware User Community, https://imwuc.org
  • 2. This deck is expected to change frequently over the course of the project. Please check back for the latest version. Although it will be posted on IMWUC and Slideshare, the authoritative source is https://t-rob.net/links. This is v1.0, published on Dec 1, 2016. Known to-do’s as of Dec 1:
    - Re-test to eliminate any false results based on the lack of a backstop rule.
    - Re-test to eliminate results of a possible MQ Explorer bug regarding Compatibility Mode in early releases.
    - Write command-line tools to eliminate dependence on Explorer.
  • 3.
    - All tools for this project are maintained on GitHub. Please don’t be shy about sending pull requests: https://github.com/tdotrob/IBMMQ-passwd-auth
    - In consideration of corporate firewall blocking, the research and results matrix are posted in multiple formats on Google and for direct download. These are indexed from my links page https://t-rob.net/links and will also change frequently.
    - Don’t let the fact that I provide consulting services stop you from contacting me informally to talk about this stuff. I am not participating in the community to promote my business. My business arose out of and exists to serve the MQ community, not the other way around. @tdotrob, LinkedIn, call 704-443-TROB(8762), or email: t.rob at IoPTConsulting dot com
  • 4. Native MQ password authentication (CONNAUTH), introduced in IBM MQ v8.0, has gotten off to a rough start. As of Fix Pack 8.0.0.5, the interaction between CONNAUTH and CHLAUTH has exhibited 5 distinct behaviors. After applying Fix Packs, some of these cause hard failures while others silently over-authorize client users, leaving the queue manager exposed. This webcast will present findings from our CONNAUTH/CHLAUTH security research as well as recommendations for MQ users and the audit community.
  • 5. T.Rob Wyatt is an independent consultant who has been working with IBM MQ for over 20 years. Professionally he spends about half his time designing MQ architectures, clusters and HA solutions, and the other half focusing on security and figuring out how to break MQ. His latest project is mapping out MQ's security behaviors when using password authentication, which produced the findings presented in this webinar. T.Rob is a frequent speaker at IBM conferences and MQ Tech Conference, a prolific blogger, and was recognized as an IBM Champion in 2016 for his contributions to the MQ community.
  • 6.
    - I’m going to make some claims about what are safe and unsafe practices regarding CONNAUTH configuration.
    - I’ll justify those with real-life examples.
    - There will be a Q&A at the end where any questions will be answered and I’ll defend any challenges to the claims.
    This is only a checkpoint, and new information was coming to light right up to the webinar deadline. After the webinar, I’ll post this on my site and keep it up to date over time. CHECK BACK before distributing or re-presenting to make sure you have a current copy: https://t-rob.net/links
  • 7. Based on my research, I consider the following to be mandatory configurations when using CONNAUTH.
    - ADOPTCTX(YES) in all cases.
    - ChlauthEarlyAdopt enabled in all cases.
    - Use a version of MQ at which Early Adopt is supported.
    - Define Morag’s “Backstop Rule” to establish a deny-by-default CHLAUTH policy.
    - Set PasswordProtection=always in the qm.ini Channels stanza.
    - Use TLS channels.
    - Use CHCKCLIENT(REQUIRED).
  • 8. At the opposite end of the scale are things to never do with CONNAUTH and CHLAUTH.
    - Don’t use permissive ADDRESSMAP rules.
    - Don’t use generic PEERMAP rules.
    - Don’t patch or upgrade without extensive testing.
    - Don’t disable CHLAUTH.
    - Don’t use a USERSRC(NOACCESS) mapping rule where a BLOCKUSER rule will work.
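Both lists above are things an auditor can verify from DISPLAY output and qm.ini after every fix pack. What follows is an added example of such a check, written for this page; it is not code from the deck or from the IBMMQ-passwd-auth repository. It parses the attribute(value) pairs that runmqsc prints for DISPLAY QMGR, DISPLAY AUTHINFO, DISPLAY CHANNEL and DISPLAY CHLAUTH, reads the Channels stanza of qm.ini, and reports each deviation from the two lists. The runmqsc output and qm.ini text are constructed samples (attribute layout condensed), the queue manager, channel and partner names are invented, and the tests for a “permissive” ADDRESSMAP (any wildcard in ADDRESS on a rule that is not the backstop) and a “generic” PEERMAP (no CN= in SSLPEER) are my simplifications of the deck’s wording.

```python
import re
_ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # one NAME(value) pair in runmqsc output

def parse_mqsc(text):
    """One {ATTRIBUTE: value} dict per AMQnnnnI message in runmqsc DISPLAY output."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ"):
            current = {}
            records.append(current)
        elif current is not None:
            for name, value in _ATTR.findall(line):
                current[name] = value.strip()
    return records

def parse_qmini(text):
    """{stanza: {key: value}} for a qm.ini file."""
    stanzas, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":"):
            current = stanzas.setdefault(s[:-1], {})
        elif "=" in s and current is not None:
            key, _, value = s.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def _is_backstop(r):
    return (r["TYPE"] == "ADDRESSMAP" and r["CHLAUTH"] == "*"
            and r.get("ADDRESS") == "*" and r.get("USERSRC") == "NOACCESS")

def audit(mqsc_text, qmini_text):
    """Deviations from the mandatory and never-do lists, one string each."""
    recs, ini, out = parse_mqsc(mqsc_text), parse_qmini(qmini_text), []
    qmgr = next((r for r in recs if "QMNAME" in r), {})
    if qmgr.get("CHLAUTH") != "ENABLED":
        out.append("QMGR: CHLAUTH is not ENABLED")
    connauth = qmgr.get("CONNAUTH") or "CONNAUTH(blank)"
    ai = next((r for r in recs if r.get("AUTHINFO") == connauth), {})
    if ai.get("ADOPTCTX") != "YES":
        out.append(f"{connauth}: ADOPTCTX must be YES, found {ai.get('ADOPTCTX')}")
    if ai.get("CHCKCLIENT") != "REQUIRED":
        out.append(f"{connauth}: CHCKCLIENT must be REQUIRED, found {ai.get('CHCKCLIENT')}")
    chan = ini.get("Channels", {})
    if chan.get("ChlauthEarlyAdopt", "").upper() != "Y":
        out.append("qm.ini Channels stanza: ChlauthEarlyAdopt=Y is missing")
    if chan.get("PasswordProtection", "").upper() != "ALWAYS":
        out.append("qm.ini Channels stanza: PasswordProtection=always is missing")
    for r in recs:
        if r.get("CHLTYPE") == "SVRCONN" and not r.get("SSLCIPH"):
            out.append(f"{r['CHANNEL']}: SVRCONN without SSLCIPH (no TLS)")
    rules = [r for r in recs if "CHLAUTH" in r and "TYPE" in r]
    if not any(_is_backstop(r) for r in rules):
        out.append("no backstop rule: SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)")
    if not any(r["TYPE"] == "BLOCKUSER" and "*MQADMIN" in r.get("USERLIST", "") for r in rules):
        out.append("no BLOCKUSER rule lists *MQADMIN")
    for r in (r for r in rules if not _is_backstop(r)):
        tag, src = f"CHLAUTH({r['CHLAUTH']}) TYPE({r['TYPE']})", r.get("USERSRC")
        if r["TYPE"] == "ADDRESSMAP" and src != "NOACCESS" and "*" in r.get("ADDRESS", ""):
            out.append(f"{tag} ADDRESS({r['ADDRESS']}): permissive address rule")
        if r["TYPE"] == "SSLPEERMAP" and src != "NOACCESS" and "CN=" not in r.get("SSLPEER", "").upper():
            out.append(f"{tag} SSLPEER({r['SSLPEER']}): generic DN pattern")
        if src == "NOACCESS":
            out.append(f"{tag}: USERSRC(NOACCESS) mapping rule; use BLOCKUSER where it will work")
    return out

# Constructed samples (attribute layout condensed): the v8.0 defaults plus the kind of
# ADDRESSMAP/PEERMAP rules warned about above, then the same queue manager hardened.
WEAK_MQSC = """\
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)  CHLAUTH(ENABLED)  CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566I: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)  AUTHTYPE(IDPWOS)  ADOPTCTX(NO)  CHCKCLIENT(REQDADM)
AMQ8414I: Display Channel details.
   CHANNEL(B2B.SVRCONN)  CHLTYPE(SVRCONN)  MCAUSER(b2bapp)  SSLCIPH( )
AMQ8878I: Display channel authentication record details.
   CHLAUTH(B2B.SVRCONN)  TYPE(ADDRESSMAP)  ADDRESS(10.*)  USERSRC(MAP)  MCAUSER(b2bapp)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(B2B.SVRCONN)  TYPE(SSLPEERMAP)  SSLPEER(O=PartnerCo)  USERSRC(CHANNEL)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(*)  TYPE(BLOCKUSER)  USERLIST(nobody)
"""
WEAK_QMINI = "Channels:\n   MaxChannels=100\n"
HARDENED_MQSC = """\
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)  CHLAUTH(ENABLED)  CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
AMQ8566I: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)  AUTHTYPE(IDPWOS)  ADOPTCTX(YES)  CHCKCLIENT(REQUIRED)
AMQ8414I: Display Channel details.
   CHANNEL(B2B.SVRCONN)  CHLTYPE(SVRCONN)  MCAUSER(nobody)  SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(*)  TYPE(ADDRESSMAP)  ADDRESS(*)  USERSRC(NOACCESS)  DESCR(Backstop rule)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(B2B.SVRCONN)  TYPE(SSLPEERMAP)  SSLPEER(CN=partner1,O=PartnerCo)  ADDRESS(203.0.113.10)  USERSRC(CHANNEL)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(*)  TYPE(BLOCKUSER)  USERLIST(*MQADMIN)
"""
HARDENED_QMINI = "Channels:\n   ChlauthEarlyAdopt=Y\n   PasswordProtection=always\n"
```

Capture the real input with runmqsc QM1 < display.mqsc > display.out (the four DISPLAY commands) and pass it together with the qm.ini text to audit(); an empty list is the bar before signing off on a fix pack. The weak sample yields nine findings, the hardened one none.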
  • 9. Mandatory configurations
  • 10.
    - With ADOPTCTX(NO) there is no meaningful connection between the ID authenticated by the password and the ID used for mapping and authorization.
    - With ADOPTCTX(NO) it is the client, not the MQ Admin, who decides which ID the QMgr will act on.
    - ADOPTCTX(YES) is the only option that enforces that the authenticated ID be used for OAM authorization.
    - Unfortunately, ADOPTCTX(YES) does NOT enforce that connection for CHLAUTH rules.
  • 11. As noted in the prior section, ADOPTCTX(YES) does NOT enforce that CHLAUTH rules operate against the password-authenticated ID.
    - IBM added ChlauthEarlyAdopt to enforce this behavior.
    - It requires the MQ Admin to explicitly alter the default configuration to obtain relief from a bug.
  • 12.
    - Implied by the previous slide.
    - Listed here in hopes that a mob of MQ Admins wielding pitchforks and torches will storm the castle and demand that the Knowledge Center track this and other Fix-Pack-specific features down to the Fix Pack level, so that we can ascertain which provides the minimum level of support. (The KC entry for ChlAuthEarlyAdopt keeps disappearing and reappearing like the palace in Krull. It is currently on this page and has no mention of which MQ version first delivered it. It does say “To have the queue manager use this new behavior…”, which makes no sense if you don’t know which Fix Pack delivered it, since CONNAUTH was itself new in v8.0, the version for the page in question.)
  • 13. The (almost) secure-by-default CHLAUTH posture originally was to allow connections of non-admin users from all addresses. Since a new QMgr did not know about any non-admin groups or users, they could not sign on, even after defining new SVRCONN channels. The fact that CONNAUTH is set to IDPWOS by default breaks this assumption! Now when you define a new SVRCONN, the other defaults allow anyone who can sign onto the MQ host (and if it uses AD, NIS+, LDAP, etc., that may be the entire corporate user database) to connect and nominate mqm as the MCAUSER.
  • 14.
    - The QMgr by default points to the IDPWOS AUTHINFO.
    - IDPWOS enables password validation by default and requires it for Admins.
    - ADOPTCTX(NO), the default, allows the client to set a user ID other than the one it authenticates with its password.
    - The MQ Admin defines SYSTEM.ADMIN.SVRCONN and a BLOCKUSER rule that omits *MQADMIN, and suddenly ANYONE can become mqm.
    - D’oh!
  • 15. MQ will encrypt your password when using a v8.0 or higher client and a v8.0 or higher QMgr, but…
    - Credentials are in the clear when using clients below v8.0 in all cases.
    - Credentials are in the clear even with clients at v8.0 and higher in compatibility mode!
    Your apps and users will still transmit their ID and password over the network willy-nilly, but at least the connection refusal will encourage them to disable compatibility mode. This also reduces (but does not eliminate) variance in CHLAUTH behavior across versions and fixes.
  • 16. (image only; no text on this slide)
  • 17. This way, when your apps and users are transmitting their ID and password over the network willy-nilly in the clear, the MQ Admin can show steps taken to prevent sniffing them on the wire.
    - TLS encryption protects the credentials.
    - Anonymous clients (SSLCAUTH(OPTIONAL)) support encryption without having to provision personal certs at each client.
    - Unfortunately, this removes the restriction on Compatibility Mode, so the behavior variance you must account for in your CHLAUTH design more than doubles.
  • 18.
    - With ADOPTCTX(YES), CHLAUTH rules cease to perform any mapping whatsoever. This requires a significantly different CHLAUTH security model versus when mapping is available.
    - The security models that are effective under mapping and under ADOPTCTX(YES) are antagonistic toward one another.
    - With CHCKCLIENT(OPTIONAL) the client, not the MQ Admin, gets to choose whether to authorize under CHLAUTH mapping, and it is likely the CHLAUTH model fails to adequately secure at least one of these modes.
  • 19. Avoid these like the plague
  • 20. Because ADOPTCTX(YES) disables all mapping, rules that filter on addresses effectively whitelist all IDs that can authenticate with a password. They may be blocked later by OAM, but the connection itself is whitelisted and hardcoded MCAUSER values are overridden. Example: you have a B2B gateway, and before CONNAUTH you used ADDRESSMAP rules to designate some channels as internal-facing and some as external-facing. Applying that to a QMgr with CONNAUTH converts those rules so that they now whitelist all password-validated IDs for all internal-facing and external-facing channels. The rules still restrict each channel to the intended addresses, but now an attacker can sign on as any account for which they can obtain the password. Better get your asbestos raincoat on; the forecast calls for an 80% chance of spearphishing attack.
  • 21. Because ADOPTCTX(YES) disables all mapping, rules that filter on generic certificate Distinguished Names effectively whitelist all IDs that can authenticate with a cert and a password. They may be blocked later by OAM, but the connection itself is whitelisted and hardcoded MCAUSER values are overridden. Admittedly, this is MUCH better than permissive ADDRESSMAP rules, but if you have something like PEERMAP(“O=YourCompany”) it is still a much larger population of whitelisted IDs than you probably intended. Note that even if you use a fully qualified DN, mapping is disabled and the ID that is authenticated need not have anything to do with the certificate presented. So if I’m a business partner whose cert you trust, I can still sign on as you if I know your password. Did we mention spearphishing attacks?
  • 22. When I first undertook this research, I got a v8.0.0.0 virtual machine working with several accounts and CHLAUTH rules, then cloned it 5 more times, once for each Fix Pack. All of the resulting VMs worked except for v8.0.0.1. Although it had worked before the Fix Pack, after the maintenance, and with no modifications to the MQ Explorer channels, stored IDs or passwords, it refused to authenticate under CONNAUTH. Hence the subtitle, “and if you aren't careful may not work at all”.
  • 23.
    - To commit to CONNAUTH is to commit to extensive regression testing after every maintenance or upgrade.
    - Due to the increased overhead, it may not be feasible for auditors and QSAs to enforce the 30/60/90 day security patch discipline called for by PCI and generally considered Best Practice.
    - If the 30/60/90 day deadlines are to be enforced, consider disabling CONNAUTH altogether.
    - Please consider contributing to the post-patch regression testing toolset being built on GitHub: https://github.com/tdotrob/IBMMQ-passwd-auth
  • 24.
    - Because ADOPTCTX(NO) allows the client to nominate any ID to run under.
    - Because ADOPTCTX(YES) overrides the hard-coded MCAUSER.
    - Because SSLPEER doesn’t affect either of the above.
    - Because at this point you have just run out of security controls.
    I’d like to think this one didn’t need any justification. Please try not to disabuse me of that notion.
  • 25.
    - Mapping rules, USERSRC(NOACCESS) rules included, sometimes operate against the MQCD user, sometimes against the MQCSP user, sometimes both.
    - When there is any variation at all in behavior, it is the client and not the MQ Admin who decides which ID is presented.
    - The exact behavior changes across versions and fixes, and with the ChlauthEarlyAdopt setting.
    - Whichever ID is ultimately used can be overridden by an exit.
    BLOCKUSER rules are evaluated after all other rules. Their behavior has not been seen to vary.
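The warnings on slides 14, 20, 21 and 25 all come down to which ID each stage of the connection sees. The following is an added toy model of that decision sequence, written for this page; it is not IBM’s code and encodes only what the deck states: the client picks the MQCD ID, the password is checked against the MQCSP ID, mapping rules see the MQCD ID unless ChlauthEarlyAdopt is on, ADOPTCTX(YES) makes the MQCSP ID win over both mapping and the channel MCAUSER, and BLOCKUSER runs last against the final ID. It deliberately does not reproduce the fix-pack-specific variations the research found. The user directory, channel names, addresses and DNs are constructed; the SSLPEER match is a plain substring test and the rule order is assumed to be most-specific-first, both simplifications.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed identities: the password store and the IDs that '*MQADMIN' stands for.
USERS = {"alice": "alice-pw", "mqm": "mqm-pw", "partner1": "partner-pw"}
ADMIN_IDS = {"mqm"}

@dataclass
class ConnAuth:
    adoptctx: bool = False        # ADOPTCTX(NO) is the v8.0 default
    chckclient: str = "REQDADM"   # OPTIONAL | REQDADM (default) | REQUIRED
    early_adopt: bool = False     # qm.ini Channels: ChlauthEarlyAdopt=Y
@dataclass
class Rule:
    type: str                     # ADDRESSMAP | SSLPEERMAP | USERMAP | BLOCKUSER
    chl: str = "*"
    address: str = "*"
    sslpeer: str = ""             # 'O=PartnerCo' (generic) or a full DN
    clntuser: str = ""            # USERMAP: the client user the rule keys on
    usersrc: str = "MAP"          # MAP | CHANNEL | NOACCESS
    mcauser: str = ""
    userlist: tuple = ()          # BLOCKUSER list; '*MQADMIN' expands to ADMIN_IDS
@dataclass
class Request:
    channel: str
    address: str
    mqcd_user: str                # ID the client asserts in the MQCD
    csp_user: str = ""            # ID and password the client sends in the MQCSP
    csp_password: str = ""
    cert_dn: str = ""

def _authenticate(auth, req):
    """(ok, authenticated ID). A password is demanded for an asserted admin ID under
    REQDADM and for everyone under REQUIRED; otherwise the client may omit it."""
    if req.csp_user:
        return USERS.get(req.csp_user) == req.csp_password, req.csp_user
    needs_pw = auth.chckclient == "REQUIRED" or (
        auth.chckclient == "REQDADM" and req.mqcd_user in ADMIN_IDS)
    return not needs_pw, ""

def _listed(user, userlist):
    return any(user in ADMIN_IDS if u == "*MQADMIN" else u == user for u in userlist)

def resolve(auth, channel_mcauser, rules, req):
    """Outcome of one connection attempt and the ID the queue manager would act as."""
    ok, auth_user = _authenticate(auth, req)
    if not ok:
        return "REFUSED: password check failed", ""
    # Without ChlauthEarlyAdopt the mapping rules inspect the MQCD ID, not the verified one.
    chlauth_user = auth_user if auth.early_adopt and auth_user else req.mqcd_user
    mapped = None
    for r in rules:               # mapping rules, assumed listed most-specific first
        if r.type == "BLOCKUSER" or not fnmatch(req.channel, r.chl):
            continue
        if r.type == "ADDRESSMAP" and not fnmatch(req.address, r.address):
            continue
        if r.type == "SSLPEERMAP" and r.sslpeer not in req.cert_dn:   # substring match
            continue
        if r.type == "USERMAP" and not fnmatch(chlauth_user, r.clntuser):
            continue
        if r.usersrc == "NOACCESS":
            return f"REFUSED: {r.type} USERSRC(NOACCESS)", ""
        mapped = r.mcauser if r.usersrc == "MAP" else (channel_mcauser or chlauth_user)
        break
    if auth.adoptctx and auth_user:
        final = auth_user         # the adopted MQCSP ID overrides mapping and MCAUSER
    else:
        final = mapped if mapped is not None else (channel_mcauser or req.mqcd_user)
    for r in rules:               # BLOCKUSER is evaluated last, against the final ID
        if r.type == "BLOCKUSER" and fnmatch(req.channel, r.chl) and _listed(final, r.userlist):
            return "REFUSED: BLOCKUSER", ""
    return "CONNECTED", final

def scenarios():
    """Constructed connection attempts reproducing slides 14, 20, 21 and 25."""
    alice, out = dict(csp_user="alice", csp_password="alice-pw"), {}
    # Slide 14: default AUTHINFO, admin channel, BLOCKUSER list that omits *MQADMIN.
    out["default_trap"] = resolve(ConnAuth(), "",
        [Rule("BLOCKUSER", chl="SYSTEM.ADMIN.SVRCONN", userlist=("nobody",))],
        Request("SYSTEM.ADMIN.SVRCONN", "10.1.2.3", mqcd_user="mqm", **alice))
    # Slide 20: an ADDRESSMAP that used to pin the internal range to one ID.
    amap = [Rule("ADDRESSMAP", chl="B2B.SVRCONN", address="10.*", mcauser="b2bapp")]
    req = Request("B2B.SVRCONN", "10.1.2.3", mqcd_user="whatever", **alice)
    out["addressmap_adoptctx_no"] = resolve(ConnAuth(adoptctx=False), "", amap, req)
    out["addressmap_adoptctx_yes"] = resolve(ConnAuth(adoptctx=True), "", amap, req)
    # Slide 21: generic PEERMAP; the password-checked ID is unrelated to the cert.
    pmap = [Rule("SSLPEERMAP", chl="B2B.SVRCONN", sslpeer="O=PartnerCo", mcauser="partner1")]
    out["peermap_generic"] = resolve(ConnAuth(adoptctx=True), "", pmap,
        Request("B2B.SVRCONN", "203.0.113.9", mqcd_user="whatever",
                cert_dn="CN=partner1,O=PartnerCo", **alice))
    # Slide 25: NOACCESS keyed on the client user versus BLOCKUSER on the final ID.
    req = Request("APP.SVRCONN", "10.1.2.3", mqcd_user="alice", csp_user="mqm", csp_password="mqm-pw")
    noacc = [Rule("USERMAP", chl="APP.SVRCONN", clntuser="mqm", usersrc="NOACCESS")]
    out["noaccess_usermap"] = resolve(ConnAuth(adoptctx=True), "", noacc, req)
    out["noaccess_usermap_early_adopt"] = resolve(ConnAuth(adoptctx=True, early_adopt=True), "", noacc, req)
    out["blockuser_backstop"] = resolve(ConnAuth(adoptctx=True), "",
        noacc + [Rule("BLOCKUSER", userlist=("*MQADMIN",))], req)
    return out
```

Running scenarios() shows the four failure modes side by side: the default AUTHINFO lets alice’s password log a connection in as mqm; the ADDRESSMAP that mapped to b2bapp under ADOPTCTX(NO) lets alice through as herself under ADOPTCTX(YES); the generic PEERMAP does the same with a partner certificate; and the NOACCESS rule keyed on CLNTUSER misses mqm until ChlauthEarlyAdopt is on, while a BLOCKUSER(*MQADMIN) catches the final ID regardless.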
  • 26. A Secure By Default CONNAUTH design would, immediately on receipt of the connection request, overlay the asserted User ID with the MQCSP User ID if present, then proceed with mapping and password validation as usual. There is no valid use case to implement MQ’s strongest-ever authentication and then fail to enforce that the authenticated ID be used for authorization. The use case that was given (migration) is better handled by forcing the password-authenticated user ID and preserving mapping functionality, so the MQ Admin (NOT the client!) can map the authenticated ID back to wasadmin or whatever it had been using before. With that in mind…
  • 27. …if you can think of even ONE valid use case for ADOPTCTX(NO), tell me! Otherwise, please join me in telling, no, begging, IBM to abandon backward compatibility in this case, make CONNAUTH enforce the authenticated ID, restore mapping functionality, and return MQ to a Secure-By-Default posture. If this is done I can use the improved controls to duplicate any functionality you currently use ADOPTCTX(NO) for, and will do so, under contract, for free.
  • 28. More people deserve thanks than can be mentioned, but a couple have gone the extra mile-and-a-half in support of this particular presentation… Josh McIver seems to find more security and other bugs than anyone else I know and has provided extensive documentation and verified many of the results. FJ Brandelik (you know him as fjbsaper) dove right into the code about 30 seconds after it hit GitHub and gave it a good test, bug fix, and upgrade. My eternal thanks to both of you for the assistance and high expectations for the project.