October 21-24, 2024, Mandalay Bay Convention Center, Las Vegas, Nevada
Matt Leming, IBM, STSM, Architect MQ for z/OS
Session 3158: Building a Zero Trust, Secure MQ Environment

Contents
- Zero Trust: What is Zero Trust? Principles
- IBM MQ and Zero Trust: Inventory, Authentication, Least privilege, Auditing
- Other considerations: MQIPT, Channel authentication rules, AMS integrity
- Summary
- Questions

IBM TechXchange | 2024 IBM Corporation | #IBMTechXchange

Zero Trust

What is Zero Trust?
https://csrc.nist.gov/pubs/sp/800/207/final
"Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure."
- An approach to security that eliminates implicit trust
- The model of relying on perimeter firewalls to protect your critical systems does not work
- Attackers have proven that getting past the "moat" is quite easy
- Must guard against insider threats

What is Zero Trust? 3 principles
- Authenticate everyone: no implicit trust; every connection authenticated
- Least privilege: only able to do what they need to do; request access for resources
- Assume breach: encrypt all necessary data; collect audit logs

IBM MQ and Zero Trust

3 principles, mapped to MQ capabilities
- Authenticate everyone (no implicit trust, every connection authenticated): connection authentication, mTLS, security exits
- Least privilege (only able to do what they need to do, request access for resources): authorization
- Assume breach (encrypt all necessary data, collect audit logs): TLS, AMS/disk encryption, event messages, application activity trace

Inventory your MQ estate
- Diagram: Local App, Queue manager, MCA channels, Client app, Client channels, HTTP

Authenticate everyone
- Essential for all apps connected to the queue manager
- Local or client apps
- Messaging apps or admin clients

Authenticate everyone: connection authentication
- Application provides a user ID and password, or token
- Queue manager configuration states whether a valid user ID and password must be supplied, and the type of connections they must be supplied for
- Credentials are validated against a user repository
- Credentials can be adopted as the context for the application
- Diagram: App issues MQCONNX with user + password / JWT to the queue manager. Only authenticated users can access the queue manager

Token-based authentication (new in IBM MQ v9.4)
- Example JWT: header {"alg": "HS256", "typ": "JWT"}, payload {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}, signature HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
- IBM MQ on distributed now provides a password-less approach to authentication with JSON Web Tokens (JWT), enabling applications to operate in a secure, Multi-Factor Authentication (MFA) environment
- Token-based authentication eliminates the need for storing and transmitting passwords, which can be a security vulnerability
- You can use one trusted issuer so your applications can authenticate with many services without separately registering with all of them
- Tokens can be used across multiple, diverse applications or other endpoints, enabling easier secure collaboration between enterprises and platforms
- Diagram: Client App obtains a token from Keycloak, then connects to IBM MQ with the token. Secure, scalable, flexible

JWKS support for token-based authentication (new in IBM MQ v9.4)
- JWKS support allows MQ to connect to an authentication server when needed and fetch the necessary keys for validation
- Simpler initial configuration
- Much easier to manage rotation, expiry, revocation etc.
- Keys updated: at start-up/REFRESH; every 15 minutes; on an unknown Key ID from an app
- Cached to tolerate outages
- Diagram: the JWT presented by the Client App carries the Issuer and KID (Key ID); the queue manager is preconfigured with the JWKS endpoint (URL), queries the KID against its known keys, and downloads key(s) from the Auth Server only when needed. These flows are only required intermittently, for unknown KIDs

Mutual TLS
- Mutual TLS allows both client and server to confirm that they are connected to a trusted partner. Therefore, it can be used by the queue manager to authenticate clients
- Requires: both queue manager and app to have a certificate; queue manager and app to share their public certificate, i.e. trust each other; channels to require TLS client authentication; channels to set SSLPEER to match certificates OR CHLAUTH rules to match certificates
    ALTER CHANNEL(CL1) SSLCIPH(ANY_TLS13) SSLCAUTH(REQUIRED) SSLPEER(CN=MATTL)

Security exits
- Security exits are bespoke customer/vendor code that is run when a channel starts up
- They allow customers to expand MQ's security to suit their needs
- When run, the security exit has access to the channel definition and information about the incoming connection
- Security exits on each side of the channel exchange data to ensure each side is trusted; only then does the channel start
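Added example (not from the slides): the HS256 signing formula from the token slide, together with a key cache that follows the JWKS policy described above: load at start-up/REFRESH, refresh every 15 minutes, refetch on an unknown KID, and keep serving cached keys when the auth server is unreachable. The JWKS endpoint, key ID and secret are constructed stand-ins; a real JWKS would normally serve asymmetric keys.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the issuer's JWKS endpoint: kid -> HMAC secret. HS256
# mirrors the slide's formula; a real JWKS would normally serve RSA/EC public keys.
FAKE_JWKS = {"key-2024-10": b"constructed-october-secret"}
REFRESH_SECS = 15 * 60                        # slide: keys refreshed every 15 minutes

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(payload: dict, kid: str, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)
def fetch_jwks() -> dict:
    return dict(FAKE_JWKS)                    # really an HTTPS GET of the JWKS URL

class KeyCache:
    # Slide policy: load at start-up/REFRESH, refresh every 15 minutes,
    # refetch on an unknown KID, keep the cached keys if the server is down.
    def __init__(self, fetch=fetch_jwks, now=time.time):
        self.fetch, self.now = fetch, now
        self.keys, self.fetched_at, self.fetches = {}, float("-inf"), 0
        self.refresh()

    def refresh(self) -> None:
        self.fetches += 1
        try:
            self.keys, self.fetched_at = self.fetch(), self.now()
        except OSError:
            pass                              # auth server outage: serve cached keys

    def get(self, kid: str):
        if self.now() - self.fetched_at >= REFRESH_SECS or kid not in self.keys:
            self.refresh()                    # periodic refresh, or unknown KID
        return self.keys.get(kid)

def verify_jwt(token: str, cache: KeyCache, now=time.time):
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256" or (secret := cache.get(header.get("kid", ""))) is None:
            return None                       # rejects 'none', alg confusion, unknown kid
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
        return None if payload.get("exp", float("inf")) <= now() else payload
    except (ValueError, TypeError, AttributeError):
        return None
```

verify_jwt returns the payload only when the kid is known, the signature matches and the token is unexpired; the fetch counter shows when the cache actually went back to the issuer.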
Summary: app authentication
- Connection authentication: authentication of credentials, validated against a repository (OS, LDAP, PAM, JWT)
- Mutual TLS: certificate authentication; requires connecting applications to provide a trusted TLS certificate
- Security exits: add your own security; custom code called by IBM MQ during security processing; write your own or use a vendor; extends existing security options
- Applies to Local App and Client App connections

Summary: queue manager authentication
- Mutual TLS: certificate authentication; requires connecting applications to provide a trusted TLS certificate
- Security exits: add your own security; custom code called by IBM MQ during security processing; write your own or use a vendor; extends existing security options
- Queue manager to queue manager channels traditionally would not authenticate
- With Zero Trust, this is no longer allowed

MQ web server authentication
- If you use either the MQ Console or the MQ REST APIs then you also need to consider authentication to the MQ web server
- Allows the authentication that WebSphere Liberty supports: userid/password, certificates, OIDC/SAML
- Controlled via XML configuration in the mqweb server
- Remember, two sets of authentication: web server and queue manager

Least privilege

From authentication to authorization
- MQ will perform authority checks on every operation that an app performs
- Once an app has authenticated, it needs to be associated with a user ID against which authority checks can be performed
- Connection authentication: ADOPTCTX(YES)
- Mutual TLS: must map from the certificate distinguished name to a user ID, via channel authentication rules, security exits or the channel MCAUSER
- Security exits: can directly set the user ID

Authorization: applications
- Authorization checks for: connecting to the queue manager; accessing MQ resources; setting message context
- Managed with RACF profiles on z/OS, or setmqaut and SET AUTHREC commands on distributed
- Diagram: Client App issues MQPUT to QUEUE1
    SET AUTHREC PROFILE(QUEUE1) OBJTYPE(QUEUE) GROUP(grpname) AUTHADD(INQ,PUT,GET,BROWSE)
    RDEFINE MQQUEUE QM1.QUEUE1 UACC(NONE)
    PERMIT QM1.QUEUE1 CLASS(MQQUEUE) ID(usrname) ACCESS(UPDATE)

Authorization: administration
- Command & command resource security
- Grant authority to issue MQSC or PCF commands using RACF profiles on z/OS, or setmqaut and SET AUTHREC commands on distributed
- Can grant very precise authority to issue a specific command against a specific resource
- Diagram: administrator issues ALTER QL(QUEUE1)
    RDEFINE MQCMDS QM1.ALTER.QLOCAL UACC(NONE)
    PERMIT QM1.ALTER.QLOCAL CLASS(MQCMDS) ID(usrname) ACCESS(ALTER)
    RDEFINE MQADMIN QM1.QUEUE.QUEUE1 UACC(NONE)
    PERMIT QM1.QUEUE.QUEUE1 CLASS(MQADMIN) ID(usrname) ACCESS(ALTER)
    SET AUTHREC PROFILE(QUEUE1) OBJTYPE(QUEUE) GROUP(grpname) AUTHADD(CRT)

Console/REST authorization
- The MQ Console & REST API use roles for authorization: MQWebAdmin, MQWebAdminRO, MQWebUser
- Authenticated users can be assigned to a role, and MQ access is based on that
- The roles for the MQ Console/REST API are named the same, but are granted separately

Assume breach
- Collect audit logs
- Encrypt all necessary data

Auditing
- On z/OS, standard external security manager (ESM) facilities record changes to security profiles, and successful and failed access to resources controlled by the profiles
- On distributed, authority events record unauthorized access attempts
- On both platforms, queue manager command events provide an audit trail of successful commands
- On both platforms, queue manager configuration events provide an audit trail of changes to the queue manager configuration
- Data from these sources can be useful in understanding the impact of a breach, and with suitable analytics in place can potentially help reduce the risk of one
    ALTER QMGR CMDEV(ENABLED)                          -> SYSTEM.ADMIN.COMMAND.EVENT
    ALTER QMGR CONFIGEV(ENABLED)
    REFRESH QMGR TYPE(CONFIGEV) OBJECT(ALL) NAME(*)    -> SYSTEM.ADMIN.CONFIG.EVENT

Auditing: application activity trace
- On distributed, application activity trace produces detailed information about the behaviour of applications connected to a queue manager
- Provides more information on applications
  than event monitoring
- IBM MQ supports two methods of collecting application activity trace data: SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE, or MQ system topics

Monitoring: example activity trace record
    Type: MQI Activity Trace
    QueueManager: MQ1
    Host Name: IBM-PF3ABT0N
    CommandLevel: 933
    ApplicationName: test.SimplePutAndGet
    Application Type: MQAT_JAVA
    UserId: mquser
    API Caller Type: MQXACT_EXTERNAL
    API Environment: MQXE_MCA_SVRCONN
    Channel Name: SVRCON1
    ConnName: 127.0.0.1
    Channel Type: MQCHT_SVRCONN
    Remote Product: MQJM
    Remote Version: 09030300
    Platform: MQPL_WINDOWS_NT
    Tid  Date        Time      Operation      CompCode  MQRC  HObj(ObjName)
    256  2024-10-04  09:56:25  MQXF_CONNX     MQCC_OK   0000  -
    256  2024-10-04  09:56:25  MQXF_OPEN      MQCC_OK   0000  2()
    256  2024-10-04  09:56:25  MQXF_INQ       MQCC_OK   0000  2()
    256  2024-10-04  09:56:25  MQXF_CLOSE     MQCC_OK   0000  2()
    256  2024-10-04  09:56:25  MQXF_PUT1      MQCC_OK   0000  -
    256  2024-10-04  09:56:25  MQXF_OPEN      MQCC_OK   0000  2(MY.Q)
    256  2024-10-04  09:56:25  MQXF_CB        MQCC_OK   0000  2(MY.Q)
    256  2024-10-04  09:56:25  MQXF_CTL       MQCC_OK   0000  -
    257  2024-10-04  09:56:25  MQXF_CALLBACK  MQCC_OK   0000  2(MY.Q)
    256  2024-10-04  09:56:25  MQXF_CMIT      MQCC_OK   0000  -
    256  2024-10-04  09:56:25  MQXF_CB        MQCC_OK   0000  2(MY.Q)
    256  2024-10-04  09:56:25  MQXF_BACK      MQCC_OK   0000  -
    256  2024-10-04  09:56:25  MQXF_CTL       MQCC_OK   0000  -
    256  2024-10-04  09:56:25  MQXF_DISC      MQCC_OK   0000  -

Auditing: error logs
- IBM MQ error logs print out some auditing information: not authorized errors; TLS handshake failures; listener and channel starts
- Configure to print in JSON format
- Forward JSON logs to a centralized server: Kibana, etc.
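Added example (not from the slides): a Python parser for a record in the activity trace layout shown above, with a summary of what an auditor looks for first: who connected over which channel and from where, which queues were opened, backouts, and any MQCC_FAILED operations. The sample record is constructed; MQRC 2035 is the real MQRC_NOT_AUTHORIZED reason code, which is what a least-privilege review wants surfaced.

```python
import re
from collections import Counter
# Constructed sample in the layout of the slide's "MQI Activity Trace" record
# (values are made up; MQRC 2035 is MQRC_NOT_AUTHORIZED).
SAMPLE_TRACE = """\
Type: MQI Activity Trace
QueueManager: MQ1
Host Name: IBM-PF3ABT0N
ApplicationName: test.SimplePutAndGet
UserId: mquser
Channel Name: SVRCON1
ConnName: 127.0.0.1
Tid Date Time Operation CompCode MQRC HObj(ObjName)
256 2024-10-04 09:56:25 MQXF_CONNX MQCC_OK 0000 -
256 2024-10-04 09:56:25 MQXF_OPEN MQCC_OK 0000 2()
256 2024-10-04 09:56:25 MQXF_INQ MQCC_OK 0000 2()
256 2024-10-04 09:56:25 MQXF_OPEN MQCC_OK 0000 2(MY.Q)
256 2024-10-04 09:56:25 MQXF_PUT MQCC_OK 0000 2(MY.Q)
256 2024-10-04 09:56:25 MQXF_OPEN MQCC_FAILED 2035 3(PAYMENTS.IN)
256 2024-10-04 09:56:25 MQXF_CMIT MQCC_OK 0000 -
256 2024-10-04 09:56:25 MQXF_BACK MQCC_OK 0000 -
256 2024-10-04 09:56:26 MQXF_DISC MQCC_OK 0000 -
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
OP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(MQXF_\w+)\s+(MQCC_\w+)\s+(\d{4})"
                   r"\s+(?:-|(\d+)\((.*?)\))$")

def parse_trace(text: str) -> dict:
    rec = {"header": {}, "ops": []}
    for line in text.splitlines():
        m = OP_RE.match(line)
        if m:                                  # one MQI call: op, completion, reason, object
            _tid, _date, _time, op, cc, rc, _hobj, obj = m.groups()
            rec["ops"].append({"op": op, "cc": cc, "mqrc": int(rc), "object": obj or ""})
            continue
        m = HEADER_RE.match(line)
        if m:                                  # "Key: value" header field
            rec["header"][m.group(1).strip()] = m.group(2).strip()
    return rec

def audit_summary(rec: dict) -> dict:
    h, ops = rec["header"], rec["ops"]
    failures = [(o["op"], o["mqrc"], o["object"]) for o in ops if o["cc"] != "MQCC_OK"]
    return {
        "who": f'{h.get("UserId")} via {h.get("Channel Name")} from {h.get("ConnName")}',
        "app": h.get("ApplicationName"),
        "ops": Counter(o["op"] for o in ops),
        "objects": sorted({o["object"] for o in ops if o["object"]}),
        "failures": failures,
        # 2035 = MQRC_NOT_AUTHORIZED: an app touching queues outside its grant
        "not_authorized": [f for f in failures if f[1] == 2035],
        "backouts": sum(o["op"] == "MQXF_BACK" for o in ops),
    }
```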
Encrypt data: AMS
- Use AMS to prevent messages from being read by anyone other than the intended recipient
- Apply end-to-end encryption to existing messaging infrastructure easily and with no application changes
- Authenticate and protect messages across the enterprise, making audit simple
- Reduce time and skills needed to comply with aspects of common security standards
- Detect and remove rogue messages
- Confidentiality option (encryption only) has minimal performance impact
- Diagram: Application A -> Queue Manager -> Channels -> Queue Manager -> Application B. Advanced Message Security (AMS) protects data at rest, in flight and in memory to guarantee privacy of message contents

Encrypt data: disk encryption
- Disk encryption can be utilized to encrypt data
- IBM MQ can work with disk encryption systems that do this transparently to applications
- Only protects data from disk theft
- Performance impact on every disk read/write operation
- Also available on the MQ Appliance, and on z/OS

z/OS pervasive encryption
- Table: TLS / Data set encryption / CF Encryption / AMS, against: Protected on the network; Protected on disk; Protected in qmgr/chinit memory; Protected in CF; Protected end to end; Transparent to application*
- z/OS provides policy-based encryption for data sets and the coupling facility (CF)
- All MQ for z/OS data sets can be encrypted: active and archive logs, page sets, SMDS, etc.
- CF encryption can be used with MQ application and admin structures containing shared queue data
- Pervasive encryption is simpler to set up than AMS, but is less efficient

Other considerations

MQIPT: MQ internet pass-thru
- Separate optional component of IBM MQ
- Proxy for MQ connections
- Can add and remove TLS from MQ connections, and push authentication checks to the edge of the network
- Often used as a gateway to access MQ across network boundaries
- Diagram: QM1 -> MQIPT (in the DMZ) -> QM2

Channel authentication rules
- Channel authentication rules are filters
- There are four types of filters: TLS distinguished name; client user ID name; remote queue manager name; IP/hostname
- For IP/hostname the connection can be allowed/blocked at the listener or channel
- For client user ID, the user ID blocked can be the user ID supplied by the client or the final adopted user ID
    SET CHLAUTH(*) TYPE(USERMAP) CLNTUSER(*) USERSRC(NOACCESS) ACTION(ADD)
    SET CHLAUTH(*) TYPE(USERMAP) CLNTUSER(UserA) USERSRC(CHANNEL) ACTION(ADD)

AMS integrity
- AMS also supports integrity checking
- Requires that the message has come from an authorized signer
- Can be enabled in conjunction with encryption
- Message signed at creation and validated at consumption
- Diagram: Application A -> Queue Manager -> Channels -> Queue Manager -> Application B

Summary
- Diagram: Local App, Queue manager, MCA channels, Client app, Client channels, HTTP
- Every security feature of MQ interacts with each other (except AMS and TLS)
- To effectively design your security, you must consider all security features
- Use AMS for transparent end-to-end message protection

Summary
- MQ security is only effective with the right processes in place
- Authenticate all connections into MQ
- Protect data on MQ queues and in transit

Any questions?

IBM MQ | Other useful resources
- IBM TechXchange Community: user forums, blogs, webcasts, and more: www.ibm.biz/MQCommunity
- IBM MQ Podcast: where MQ experts discuss all things MQ!
- Enhancement Request submission: request new or updated product features, performance enhancements or information, documentation updates and more: www.ibm.biz/mqideas

Thank You
Matt Leming, IBM, STSM, Architect MQ for z/OS

Notices and disclaimers
Certain comments made in this presentation may be characterized as forward looking under the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company's current assumptions regarding future business and financial performance. Those statements by their nature address matters that are uncertain to different degrees and involve a number of factors that could cause actual results to differ materially. Additional information concerning these factors is contained in the Company's filings with the SEC. Copies are available from the SEC, from the IBM website, or from IBM Investor Relations. Any forward-looking statement made during this presentation speaks only as of the date on which it is made. The company assumes no obligation to update or revise any forward-looking statements except as required by law; these charts and the associated remarks and comments are integrally related and are intended to be presented and understood together.

2024 International Business Machines Corporation. All rights reserved. This document is distributed "as is" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. Not all offerings are available in every country in which IBM operates. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. IBM, the IBM logo, and are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: