WebSphere MQ v7.5 Security Concerns

Content contributed by Allan Bartleywood – Sr. MQ Subject Matter Expert
WebSphere MQ v7.5 security concerns seemed to be a resounding issue. We heard a lot of concerns regarding it while we were at the IBM Impact 2014 conference last week.

I do not believe it’s actually a concern for security when your organization is doing an upgrade to version 7.5, but more a concern as to whether your organization already has security enabled within your MQ environment.

At a lot of the organizations that I’ve consulted with, I’ve noticed that there is a lack of security actually implemented within the MQ environment.  WebSphere MQ has always had security implemented that was focused at the operating system level where it was running.

With this latest release, WebSphere MQ v7.5, security features have been added to meet today’s demands. This includes support for Advanced Message Security, where the queue manager actually encrypts and decrypts messages as they go through the environment on an application’s put and get.

You can actually configure the queue manager down to individual queues so that only certain queues will have messages encrypted.

This feature provides the capability for messages to meet compliance requirements like HIPAA and PCI. While data is in transit, it is encrypted by the messaging transport without any special requirements being added to the applications.

This will, of course, mean that from the time a message is put onto a queue to the time it is gotten off the queue, it has been encrypted. Further security enhancements are provided to ensure that only certain applications will get the message decrypted from a given queue.

Now all of these features are out of the box, with no added installs and no compatibility issues being encountered.

Whether organizations are actually implementing suitable levels of security within their messaging environment is another matter. What is quite often seen is that administration and application usage of MQ is left open; that is, security has not been enabled at all.

This is normally due to a conscious decision or simply a lack of knowledge of the capabilities of the product; or a lack of understanding of the security policies and implications relating to the data that is being sent over the messaging environment.

It is not uncommon to see administrators using client connections to queue managers over the server connection channel with no authentication at all. It is also not uncommon to see the queue manager with channel authority disabled.
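
Both conditions described above can be checked from saved runmqsc DISPLAY output. The Python below is an added example, not code from the original post; it assumes "channel authority" refers to the queue manager's CHLAUTH attribute, and the sample output with its queue manager, channel and user names is constructed.

```python
import re

# Constructed sample in the ATTR(value) layout of runmqsc DISPLAY output.
# Queue manager, channel and user names are made up for this example.
SAMPLE = """\
AMQ8408: Display Queue Manager details.
   QMNAME(QM1)                             CHLAUTH(DISABLED)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(PAYMENTS.SVRCONN)               CHLTYPE(SVRCONN)
   MCAUSER(payapp)                         SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   SSLCIPH( )
"""

ATTR = re.compile(r"(\w+)\(([^)]*)\)")

def parse(text):
    """Return one {ATTRIBUTE: value} dict per AMQ-prefixed stanza."""
    stanzas = []
    for line in text.splitlines():
        if line.startswith("AMQ"):
            stanzas.append({})          # a new object's attributes follow
        elif stanzas:
            stanzas[-1].update((k, v.strip()) for k, v in ATTR.findall(line))
    return stanzas

def audit(text):
    """List (object, finding) pairs for the open settings described above."""
    findings = []
    for s in parse(text):
        if s.get("CHLAUTH") == "DISABLED":
            findings.append((s.get("QMNAME", "?"), "CHLAUTH disabled: no channel authentication rules applied"))
        if s.get("CHLTYPE") != "SVRCONN":
            continue                    # only client-facing channels below
        name = s.get("CHANNEL", "?")
        if not s.get("MCAUSER"):
            findings.append((name, "blank MCAUSER: channel can run under the user ID the client sends"))
        if not s.get("SSLCIPH"):
            findings.append((name, "blank SSLCIPH: no SSL/TLS, so no certificate check"))
    return findings

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE):
        print(f"{obj}: {finding}")
```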

So are the security concerns about upgrading to version 7.5 related to a lack of understanding and knowledge of what the security capabilities are within 7.5, and to pressure being put on IT for tighter security compliance, rather than to whether 7.5 is capable of delivering services to these tighter security compliance requirements?

There are also situations where IT sees the requirement for better security compliance but the business doesn’t understand what its compliance requirements are.

If you’re having WebSphere MQ v7.5 security concerns, please feel free to reach out to Wendy at TxMQ, [email protected] and let us answer your questions and guide your upgrade so all the proper security features are in place.

(Photo: Compliments of Still Burning)