Volume 9, Number 12 -- March 24, 2009

Capitalware Clamps Down on WebSphere MQ's 'Big Dirty' Security Secret

Updated: March 24, 2009

by Alex Woodie

Capitalware is bringing three WebSphere MQ products to the IBM i operating system, the vendor announced recently. The three tools--MQ Standard Security Exit, MQ Authenticate User Security Exit, and MQ Instant Secure Data--will help to address major security shortfalls with default installations of WebSphere MQ, company officials say. The i OS ports of the products are currently in beta, with GA expected next month.

There's a "big dirty secret" in the WebSphere MQ community, says Roger Lacroix, president of Capitalware, which is based in Markham, Ontario. "As you may not be aware of, after a default install of [WebSphere] MQ, MQ security is extremely limited, or basically, nonexistent," he says.

Unless WebSphere MQ users take one of three actions--implement end-to-end SSL encryption, write their own security routines, or buy a third-party product--any internal user with a modicum of technical expertise can tap into WebSphere MQ data and breach the organization's security, Lacroix says. Considering that the biggest users of WebSphere MQ are Fortune 100 financial services companies, and that only one out of 20 WebSphere MQ customers are estimated to take the time to implement security, that is a "big dirty secret," indeed.

There are several security shortcomings in the default installation of WebSphere MQ. For starters, it stores sensitive data in plain text, which enables MQ data to be easily accessed from WebSphere MQ Explorer or other tools available for browsing the content of MQ message queues (including freeware available from Capitalware). User authentication is also minimal. And there is also a spoof threat with out-of-the-box WebSphere MQ installations.

"This means that anybody with a little bit of knowledge can pull the queue, with a rogue application or a little GUI application, and then they can view somebody's details," Lacroix says. "So if I want to transfer money, all I have to do is fill in these fields with these amounts, and then push it into my bank account. If I'm working for a retailer, I could say, 'I want to buy 10 of those. They're supposed to be $99, but let's just move the decimal point.'"

The [De]Securitization of MQ Series

So how did WebSphere MQ, which has such a rock-solid reputation, develop such a poor out-of-the-box security posture? Lacroix traces the roots back to Microsoft's launch of Windows 2000 and lingering fear over the whipping that Microsoft put on OS/2.

"When NT 5 was coming to market, there was a great fear at IBM because Microsoft was coming out with embedded MSMQ [Microsoft Message Queue]," Lacroix says. "So IBM turned around and basically said, 'We're going to make MQ Series the same way Microsoft makes Windows: Super easy. We're not going to worry about security. You can add it after the fact.' They had this great fear that Microsoft was going to eat their lunch."

It's not that WebSphere MQ can't be secured, Lacroix says. "It's just that the default install of it isn't." Instead, IBM provided security hooks, or exits, for developers to write their own security routines. "Ever since then, they've left that as the standard," Lacroix says. Unfortunately, it takes a certain amount of technical skill to write exit programs for WebSphere MQ.

For years, before committing his energy to Capitalware full time, Lacroix would write exit programs that lock down WebSphere MQ at the various companies where he worked. He would share these tools with other IT professionals facing similar dilemmas with WebSphere MQ. He also wrote a series of handy WebSphere MQ utilities, which help developers accomplish basic tasks. After a while, he realized he could make money doing this, and so he started selling and supporting the tools through Capitalware, where he has worked full time since 2001.

Capitalware Offerings

At the request of a customer, Capitalware is bringing its three core MQ security tools to i OS. This will give the company coverage across every major platform, including Unix, Linux, Windows, and z/OS (the company offers separate versions of the security tools for the mainframe).

Both MQ Standard Security Exit (MQSSX) and MQ Authenticate User Security Exit (MQAUSX) focus on stopping unauthorized users from accessing WebSphere MQ resources. MQAUSX allows a company to fully authenticate a user who is accessing a WebSphere MQ resource. It authenticates the user's UserID and Password against the server's native OS system or a remote LDAP server. MQSSX allows a company to control and restrict based on UserID and IP address who is accessing a WebSphere MQ resource.

The third product coming to i OS, MQ Instant Secure Data (MQISD), protects WebSphere MQ data by encrypting it. The product uses TEA Variant, a "fast block cipher" algorithm with a 128-bit key, to encrypt the data. Lacroix chose TEA Variant because it's very fast, and only adds about a 1 percent performance hit, he says. The company is looking at implementing AES encryption to satisfy government agencies, he says.

Lacroix says he designed his WebSphere MQ security tools to be lightweight and easy to use. Unlike IBM's WebSphere MQ Extended Security Edition (ESE), which implements Tivoli security software into the MQ environment (and which incidentally no longer supports i OS), the Capitalware products do not require a dedicated server, he says.

Currently, Capitalware sells ten commercial WebSphere MQ-related products and also offers five open source solutions. In addition to the three security tools the company is bringing to the i-based Power Systems (iSeries) platform, Capitalware's five free and open source utilities including a port scanner, a message multiplexer, a file mover, a message router, and a server status display product can be used on the i OS server.

Capitalware's commercial products MQ Visual Edit and MQ Visual Browse are mainly geared at programmers who need an easier way to view WebSphere MQ products and have been around for many years. The three security tools (and their mainframe counterparts) are fairly new products, having been on the market only for a few years.

Licenses for MQISD start at $299 per server, with an unlimited enterprise license going for $55,000. MQAUSX costs $499 per server, or $90,000 for an enterprise license. MQSX goes for $249 per server, or a site license of $45,000. Capitalware is targeting all i OS releases from i5/OS V5R3 to IBM i 6.1. For more information, visit www.capitalware.biz.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Sponsored By


Leverage the power of The Cloud with your IBM back-end applications!

snap for The Cloud is a set of connectors that provides developers and vendors of core 5250 and 3270 applications with the technology to:

Enable end user collaboration and sharing of documents
Reduce IT costs
Provide a platform for leveraging Web 2.0 technologies such as Mashups
Utilize Web Services from many different vendors
Store data in many remote locations and access it from anywhere
Share data between users and 3rd parties
Deploy applications and data using a variety of new mechanisms and sales models
Implement Software as a Service (SaaS)

Attend our webcast to learn how you can integrate your core i applications with The Cloud. This webcast includes:

A live demonstration of an i application integrating with The Cloud
Integration examples including Google Docs, Spreadsheets, Sites and GDrive
An overview of key Cloud concepts
Typical scenarios where Cloud concepts make sense for IBM i customers and ISVs

View The Cloud Webinar! - Get a Free White Paper

"It's clear that IT is moving towards a service-oriented future and cloud computing is one of the hottest trends. Cloud computing provides a single point of access for an enterprise's computing needs, allowing the organization to cut costs and create a leaner IT environment."
Adam Kerrison, eWeek, Feb, 2009.


Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

Halcyon Software:  Register now for our Multi-Platform Virtualization Webinar, March 31, 10 a.m.
System i Developer:  RPG & DB2 Summit in Orlando, April 15-17 for 3 days of serious training
COMMON:  Join us at the 2009 annual meeting and expo, April 26-30, Reno, Nevada


IT Jungle Store Top Book Picks

Easy Steps to Internet Programming for AS/400, iSeries, and System i: List Price, $49.95
The iSeries Express Web Implementer's Guide: List Price, $49.95
Getting Started with PHP for i5/OS: List Price, $59.95
The System i RPG & RPG IV Tutorial and Lab Exercises: List Price, $59.95
The System i Pocket RPG & RPG IV Guide: List Price, $69.95
The iSeries Pocket Database Guide: List Price, $59.00
The iSeries Pocket SQL Guide: List Price, $59.00
The iSeries Pocket Query Guide: List Price, $49.00
The iSeries Pocket WebFacing Primer: List Price, $39.00
Migrating to WebSphere Express for iSeries: List Price, $49.00
Getting Started With WebSphere Development Studio Client for iSeries: List Price, $89.00
Getting Started with WebSphere Express for iSeries: List Price, $49.00
Can the AS/400 Survive IBM?: List Price, $49.00
Chip Wars: List Price, $29.95

The Four Hundred
Wall Street Makes IBM, Sun Strange Bedfellows?

Measure Twice, Cut Once Applied to ERP Implementations

UCG Partners with MaxAva, Expands DR and HA Capabilities

As I See It: Generation Gap

BCD Cranks Up Services, Training for PHP Deployments

Four Hundred Guru
Looking for Commitment, Part 2

Treasury of New DB2 6.1 (V6R1) Features, Part 3: Client Special Registers

Admin Alert: Changing your SMTP Server is Easy-ish

Four Hundred Monitor
Four Hundred Monitor's
Full iSeries Events Calendar

System i PTF Guide
March 21, 2009: Volume 11, Number 12

March 14, 2009: Volume 11, Number 11

March 7, 2009: Volume 11, Number 10

February 28, 2009: Volume 11, Number 9

February 21, 2009: Volume 11, Number 8

February 14, 2009: Volume 11, Number 7

TPM at The Register
Platform lands OCS cluster deal with HP

SAS schemes $70m biz analytics cloud

Sun's Niagara gets Linux (again)

Penguin floats hybrid Linux supers

Sun and IBM - What price Bigger Indigo?

Sun pitches new cloud as 'Open Platform'

Rackable shrinks CloudRack cookie sheets

Sun breaks through the clouds

California: Cisco gives out some details, finally

Sun lands Sparc-Xeon super on Cape Town

Cisco throws California virt-server gauntlet

Storage software bucks hardware sales trend

HP in NonStop rack server chase

Cloudera floats commercial Hadoop distro


SkyView Partners
RJS Software Systems

Printer Friendly Version

Capitalware Clamps Down on WebSphere MQ's 'Big Dirty' Security Secret

FalconStor Casts a Wider De-Duplication Net

Help/Systems Extends i OS Job Scheduler to Linux and Unix

Shield Adds More Smarts to Budget HA Software

Appian Expands Web-Based Reporting GPS Tracking for Fleets

News Briefs and Product Shorts:

m-Power Gets Calculation Enhancements . . . Meridian and Varsity to Go After IBM i Shops Together . . . SoftTree Updates SQL Assistant . . . Lotus Symphony Gets Visio Alternative with SmartDraw Plug-In . . . LANSA Introduces eLearning Option of Education and Training . . .

Four Hundred Stuff


Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at http://www.itjungle.com/sub/subscribe.html.

Copyright © 1996-2009 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement