IBM announced plans to buy Red Hat

This is interesting. IBM announced it will buy Red Hat for $34 Billion.
https://arstechnica.com/information-technology/2018/10/ibm-buys-red-hat-with-eye-on-cloud-dominance/

Regards,
Roger Lacroix
Capitalware Inc.


So You Secured MQ But How Do You Know It Is Secure?

As the MQ Technical Conference V2.0.1.8 t-shirts said “MQAdmin: the superhero of middleware messaging!”. Since you are a “superhero”, you have secured your MQ environment. You have implemented CHLAUTH and/or CONNAUTH features in IBM MQ. So, give yourself a pat on the back, a gold star or have another cold one on you because you deserve it – you’re the middleware superhero who has implemented security for IBM MQ.

Question: How do you know it is secure? Seriously! MQ does not tell you it is secure. If someone connects with a valid UserId and Password but shouldn’t have connected to the production queue manager, the “superhero” will never know. Why? Because MQ doesn’t care about successful connections.

On the other hand, a good security auditor will care. They will want to know who is connecting – both successfully and unsuccessfully. If your company’s security auditor decided that your company’s MQ environment needed a security review, you can extract the error messages related to unsuccessful login attempts from the queue manager’s AMQERR01.LOG file (which may only hold the last few hours of information) but that is it. There is no information about successful connections.

Now some people will say, I’ll just issue the MQSC command to display the connections. Sure, that will let you see who is currently connected to the queue manager but it will not tell you who was connected 5 minutes ago or 1 hour ago or at 3:00AM. You will have absolutely no clue that a rogue user previously successfully connected, got and/or put messages to 1 or more queues, then disconnected.

So, still feeling “super”?

Around a year ago, a couple of Capitalware’s MQ Authenticate User Security Exit (MQAUSX) customers said that their management wanted them to start to use CHLAUTH and CONNAUTH which are included free with MQ rather than continue to use MQAUSX and pay for support. I would point out that MQAUSX has far more features and more robust features than what CHLAUTH and CONNAUTH offer but alas management only looks at the price and free is better than paying.

The MQAdmins came back to me and said that they missed having the MQAUSX logging of connection attempts. Since their management won’t pay for MQAUSX, they have no way to verify that connections were legitimate. I suggested to them that they use MQ Auditor but they only wanted to track connections, not everything in MQ, and others said they need it on z/OS (mainframe). Since MQ Auditor is an MQ API Exit and IBM does not support API Exits on z/OS, that was a no go.

I decided to create MQ Channel Connection Inspector (MQCCI). MQCCI uses an MQ Channel Security Exit like MQAUSX. A channel security exit is ONLY invoked/called by the queue manager’s MCA (Message Channel Agent) for MQCONN/X and MQDISC API calls (so it is very light-weight) and the channel security exit is available on z/OS.

I decided to use the audit record format from MQ Auditor for MQCCI. And like MQ Auditor, MQCCI can write the audit information to either a file or to a queue. For each connection attempt, MQCCI will output 1 plain text CSV (Comma Separated Values) line.

If the MQAdmin uses the default values for MQCCI, this is what the audit record would look like for a connection attempt:

2018/09/14 18:07:00.654884, CONN, Tag=F4Evlx0T6ComjD20, CD_QMgrName=MQWT1, CD_ChannelName=TEST.CHL, CD_ConnectionName=127.0.0.1, , CD_ShortConnectionName=127.0.0.1, CD_MaxMsgLength=4194304, CD_PutAuthority=MQPA_DEFAULT, CD_MCAUserIdentifier=roger, CD_RemoteUserIdentifier=roger, CD_RemotePassword_Length=0, CD_SSLCipherSpec=, CD_SSLClientAuth=MQSCA_REQUIRED, CD_CertificateLabel=, CXP_PartnerName=roger, CXP_SSLCertUserid=, CXP_SecurityParms_AuthenticationType=MQCSP_AUTH_USER_ID_AND_PWD, CXP_SecurityParms_UserId=roger, CXP_SecurityParms_Password_Length=8, CXP_SharingConversations=TRUE, CXP_MCAUserSource=MQUSRC_MAP, CXP_RemoteProduct=MQJB, CXP_RemoteVersion=0800,

Optionally, the MQAdmin can select to have the MQDISC audit records as well. And this is what it would look like:

2018/09/14 18:07:02.161509, DISC, Tag=F4Evlx0T6ComjD20, CD_QMgrName=MQWT1, CD_ChannelName=TEST.CHL, CD_ConnectionName=127.0.0.1, Duration=1.506625,

For the default MQCD and MQCXP fields output by MQCCI, I tried to select the most relevant fields but the MQAdmin can have MQCCI output any field from the MQCD and MQCXP structures.

Here is an interesting footnote but not related to a security audit. Generally speaking, before an application is deployed, the MQAdmin will ask the application team “if the application connects and stays connected to the queue manager“. The application team will say “Yes“. But how do you verify this statement?

With MQCCI, you can review the audit file and see if the application only connected once or did it “connect then disconnect”, “connect then disconnect”, “connect then disconnect”, etc.

Not only is MQCCI good for security audits but it can also be used to identify poorly written applications.
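As an added illustration (not Capitalware's code and not part of MQCCI), here is one way an auditor could review such a file: parse the CONN/DISC lines, list connections that are not on an agreed allow-list, and count short-lived sessions per channel and address. The sample lines are constructed, the allow-list and the 5-second threshold are hypothetical, pairing CONN with DISC on the Tag value is inferred from the two records shown above, and the parser assumes no field value contains a comma.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records in the layout shown above (values are made up;
# most CD_/CXP_ fields are omitted to keep the lines short).
SAMPLE = """\
2018/09/14 18:07:00.654884, CONN, Tag=F4Evlx0T6ComjD20, CD_QMgrName=MQWT1, CD_ChannelName=TEST.CHL, CD_ConnectionName=127.0.0.1, , CD_MCAUserIdentifier=roger,
2018/09/14 18:07:02.161509, DISC, Tag=F4Evlx0T6ComjD20, CD_QMgrName=MQWT1, CD_ChannelName=TEST.CHL, CD_ConnectionName=127.0.0.1, Duration=1.506625,
2018/09/14 18:07:03.000100, CONN, Tag=AAAA000000000001, CD_QMgrName=MQWT1, CD_ChannelName=TEST.CHL, CD_ConnectionName=127.0.0.1, , CD_MCAUserIdentifier=roger,
2018/09/14 18:07:03.900100, DISC, Tag=AAAA000000000001, CD_QMgrName=MQWT1, CD_ChannelName=TEST.CHL, CD_ConnectionName=127.0.0.1, Duration=0.900000,
2018/09/15 03:00:12.000000, CONN, Tag=BBBB000000000002, CD_QMgrName=MQWT1, CD_ChannelName=APP.CHL, CD_ConnectionName=10.0.0.99, , CD_MCAUserIdentifier=batch1,
"""

def parse_record(line):
    """Split one audit line into timestamp, record type and key=value fields."""
    # Assumption: no field value contains a comma.
    parts = [p.strip() for p in line.split(",")]
    rec = {"ts": datetime.strptime(parts[0], "%Y/%m/%d %H:%M:%S.%f"), "type": parts[1]}
    for part in parts[2:]:
        if "=" in part:          # skips the empty ", ," field and the trailing comma
            key, _, value = part.partition("=")
            rec[key] = value
    return rec

def review(text, allowed, short_secs=5.0):
    """Return (unexpected CONNs, short-session counts per channel/IP, tags with no DISC)."""
    unexpected, open_conns, churn = [], {}, Counter()
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        if rec["type"] == "CONN":
            open_conns[rec["Tag"]] = rec
            who = (rec["CD_ChannelName"], rec.get("CD_MCAUserIdentifier", ""),
                   rec["CD_ConnectionName"])
            if who not in allowed:           # successful but not expected
                unexpected.append((rec["ts"], *who))
        elif rec["type"] == "DISC" and open_conns.pop(rec["Tag"], None):
            if float(rec["Duration"]) < short_secs:
                churn[(rec["CD_ChannelName"], rec["CD_ConnectionName"])] += 1
    return unexpected, churn, sorted(open_conns)

if __name__ == "__main__":
    # Hypothetical allow-list of (channel, MCA user, source address).
    allowed = {("TEST.CHL", "roger", "127.0.0.1")}
    unexpected, churn, still_open = review(SAMPLE, allowed)
    print("unexpected:", unexpected)
    print("short sessions:", dict(churn))
    print("no DISC seen:", still_open)
```

DISC records only exist if the MQAdmin has enabled them, so the short-session count is empty when only CONN records are written.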

  • MQCCI is available for AIX, HP-UX, IBM i (OS/400), Linux (x86, x86_64, Power and System z), Solaris (SPARC and x86_64) and Windows.
  • MQCCI for z/OS is available for z/OS v1.4 or higher.

For more information about MQCCI, please go to:
https://www.capitalware.com/mqcci_overview.html or MQCCI for z/OS

Note: We offer a free 60-day trial of MQCCI and MQCCI for z/OS which includes free support. If you are interested in trying it out, please send an email to support@capitalware.com to request a trial of it.

Regards,
Roger Lacroix
Capitalware Inc.


OpenBSD v6.4 Released

Theo de Raadt has just released OpenBSD v6.4.
http://www.openbsd.org/64.html

The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography.

Regards,
Roger Lacroix
Capitalware Inc.


Ubuntu 18.10 Released

Ubuntu has just released Ubuntu v18.10.
http://releases.ubuntu.com/18.10/

Super-fast, easy to use and free, the Ubuntu operating system powers millions of desktops, netbooks and servers around the world. Ubuntu does everything you need it to. It’ll work with your existing PC files, printers, cameras and MP3 players. And it comes with thousands of free apps.

Regards,
Roger Lacroix
Capitalware Inc.


Language Wars – Maybe Enough Already

Maybe I’m just old and grumpy, but I’m tired of surfing the internet and seeing language wars. I just saw this line “100% Java free!” the other day, listed as a product feature and it makes me shake my head. Of all the product features that would sell a product, you want to include that one?!?

There are programming languages for: scripting, back-end applications, front-end applications, web containers, cloud, utilities, etc. One programming language does not cover all these use-cases. Although some people like to think so. 🙂

Most of my work day, I write code. 47% of my programming time is writing ‘C’ code, 47% of my programming time is writing ‘Java’ code and the remaining time is writing ‘C#’, ‘REXX’ and ‘PHP’ code. REXX is a great scripting language. It just doesn’t get the love it desires, probably because it originated on the mainframe – lack of exposure.

The programming language I use will depend on what I’m trying to accomplish. If it is a GUI desktop application or requires threading, I will choose Java because it is so much easier to do than ‘C’. This is especially true if I want it to run on other non-Windows desktops (i.e. Linux or macOS). Of course, I can if/def the hell out of my ‘C’ code to accomplish it but why go through the aggravation.

The biggest complaint people have against Java is the JVM (Java Virtual Machine) load/startup time. There are thousands of web pages that talk about the startup of a JVM taking longer to load/start than a native ‘C’ application. Eclipse is usually the poster-child of this issue. This is all true. But who in the world cares if a desktop application loads in 0.5 seconds vs 2.0 seconds. Maybe you would care if it was a back-end application that was being launched every second but on the other hand, what the hell kind of application design is that? It should start and use threading. There are far, far too many novice/newbie programmers creating junk applications that somehow end up in production. I digress. Ok, back to JVM startup time. If you are using a desktop application during your work day (i.e. 8 hours), is there really an issue with the startup time? Maybe, just take another sip of your coffee, soda, green tea or water and then it will be loaded/started. 🙂

I created and sell 4 Java desktop applications: MQ Visual Edit, MQ Visual Browse, MQ Batch Toolkit and MQTT Message Viewer. Plus I have many helper (utilities) Java desktop applications for the various back-end solutions that I sell. Why Java? I want cross-platform execution and the ability to easily code “good looking” (aka modern) GUI applications.

A long time ago, I had some customers doing things with my Java applications that they shouldn’t have been doing. So, I decided to spend the money and purchase Excelsior Jet. Excelsior Jet compiles and links Java applications into native executables. I originally just purchased Excelsior Jet for Windows and Linux. After using it for a while, I decided to take the plunge and purchase it for macOS too. Besides IP (Intellectual Property) protection, using Excelsior Jet to compile and link the Java applications to native executables means that the startup/load time is on par with regular native applications.

Why macOS for an MQ application? Because shocking as it may seem, the break down of MQ Visual Edit end-user desktops is: 80% Windows, 13% macOS and 7% Linux. Yes, there are far more people using MQ Visual Edit on macOS than on Linux. Rather shocking if you ask me!

I use Eclipse to write all of my C and Java code. I use makefiles for my C applications and Eclipse executes the build process (makefile) as I save my code. For Java, everything is built into it for compiling Java code to classes and for testing (very nice). I have a separate makefile which I use to build the native executable using Excelsior Jet on Windows. For Linux and macOS, I copy the updated JAR to the respective OS and then run a similar makefile to create the native executable for that particular OS.

When Excelsior Jet compiles an application, it sucks in everything required to build the native application. So, what does that mean?

  1. It means that MQ is NOT required on the end-user’s desktop PC/laptop.
  2. Nor is Java. That’s right, Java/JVM is NOT required on the end-user’s desktop PC/laptop. It is because the Java application is compiled as a native application. 🙂

So, when I see comments like “100% Java free!”, I think that someone is stuck in the 90’s. There are millions of Java applications available that do thousands and thousands of useful things including games. (Of course, there are lots of poorly written Java, C/C++, C#, Python, PHP, Swift, etc. applications.) Over the years, first Sun then Oracle improved the startup/load time of the JVM. Hence, the slow load/startup time is not as much of an issue as it used to be but it is still there. For developers who want to go that extra mile, there is always Excelsior Jet.

Can we stop with the language wars? Because for every complaint about Java applications, I can point to just as many poorly written and/or designed C/C++, C#, Python, PHP, Swift, etc. applications. So, let’s move on. There is no need to go to war over which language to use or which is better. Use a language that is best suited for the job and don’t try to fit a square peg into a round hole.

Regards,
Roger Lacroix
Capitalware Inc.


SSL/TLS for capitalware.com

Capitalware’s web site has been available as a secure (“https”) web site for several months. In the Summer, I tried turning on the auto redirection from “http” to “https” but it broke my online registration code in MQ Visual Edit, MQ Visual Browse, MQ Batch Toolkit and MQTT Message Viewer. I fixed the issue a couple of months ago and now the code uses a secure connection to capitalware.com.

Note: The issue does NOT affect regular use of any of the products just the online registration via the Registration window in the product (or register command for MQ Batch Toolkit).

Therefore, on November 1st, 2018, I will be turning on the auto redirection from “http” to “https” for capitalware.com web site.

Hence, if you want to perform a product registration after November 1st, 2018, you MUST be running the following version of the product:

  • MQ Visual Edit v2.4.0.1 or higher
  • MQ Visual Browse v2.4.01 or higher
  • MQ Batch Toolkit v3.1.0.1 or higher
  • MQTT Message Viewer v1.3.0.1 or higher

Yes, I will be sending out email alerts to all active users of the above-mentioned products.

To active users: you have the download link with the UserId and Password for the commercial release of the product; simply follow the instructions in Appendix B of the product’s User Guide on how to handle the upgrade (i.e. un-install then install).

Regards,
Roger Lacroix
Capitalware Inc.


LearnMQ from IBM Developer

During David Ware’s “What’s New in IBM MQ?” session at MQ Technical Conference v2.0.1.8, David announced LearnMQ (see slide 24).

LearnMQ is a place where new users can get some FREE MQ training (and earn badges). The LearnMQ web site is broken down into 3 sections:

So, if you have some MQ newbies or users looking for more training on MQ, send them to LearnMQ web site.

Regards,
Roger Lacroix
Capitalware Inc.


MQ Lab at MQ Technical Conference v2.0.1.8

For those who don’t know, IBM sends laptops and lab materials to MQ Technical Conference (MQTC) for attendees to do FREE hands-on training. The MQ Lab was open to attendees all day Monday and Tuesday.

I would like to thank Lyn Elkins, Jack Carnes Jr and Mitch Johnson from IBM for doing an awesome job in the MQ Lab. The MQ Lab is worth the price of admission to MQTC not to mention, there are 71 technical sessions (& 15 vendor sessions) at MQTC.


Here is a list of all of the FREE labs for distributed platforms that were available at MQTC:

  • Introduction to IBM MQ
  • Using the MQ Explorer
  • Configuring the IBM MQ JMS Provider
  • Publish / Subscribe Administration
  • IBM MQ Security
  • Using the IBM MQ Console and REST Interfaces
  • Implementing Channel Security in IBM MQ
  • Using Multiple Certificates in IBM MQ
  • Protecting Message Data with IBM MQ Advanced Message Security
  • Configuring a IBM MQ Managed File Transfer Environment
  • Creating File Transfer Requests Using IBM MQ Explorer and Command Line
  • Creating a Sales Force Developer Account
  • IBM MQ Salesforce Bridge
  • IBM MQ on Cloud
  • RDQM for High Availability
  • RDQM for Disaster Recovery

Here is a list of all of the FREE labs for z/OS that were available at MQTC:

  • Comparing buffers above and below the bar
  • Advantages of having enough fixed pages
  • Developing and Deploying JMS Enable CICS Applications
  • Using CAPEXPRY on z/OS
  • Introduction to SMF115 Records
  • Introduction to SMF116 Records
  • Channel Initiator Statistics Lab
  • z/OS Queue Manager Customization
  • z/OS Advanced Message Security
  • Implementing z/OS Queue Manager Security
  • Introduction to CICS Trigger Monitors
  • CICS Publish and Subscribe
  • Queue Sharing Group Comparing Offload Options

Big News: Lyn Elkins told me that they were so busy in the MQ Lab that for next year’s MQ Technical Conference, they will run the MQ labs for the entire 3 days of the conference!

Regards,
Roger Lacroix
Capitalware Inc.


And Now The End Is Near for MQ on HP-UX and Solaris

During David Ware’s “What’s New in IBM MQ?” session at MQ Technical Conference v2.0.1.8, the following was announced (see slide 46 of the PDF):

  • IBM MQ on HP-UX
    • Not on CD stream: Last release: MQ V9.0 LTS
    • Statement of Direction: No further releases.

  • IBM MQ on Solaris
    • Not on CD stream: Last release: MQ V9.1 LTS
    • Statement of Direction: No further releases after 9.1.

So, if you are using MQ on HP-UX and/or Solaris, then you may want to plan new hardware upgrades, so that you don’t get left behind.

Regards,
Roger Lacroix
Capitalware Inc.


Third Day of MQ Technical Conference

Richard Nikula presenting ‘If you can’t clone yourself, Delegate!’ session:

Rob Sordillo presenting the ‘REST Easy with Infrared360’ session:

Krista Valentine presenting the ‘Licensing Lingo – The Users Guide to IBM Licensing’ session:

Chris Frank presenting the ‘What’s new with Logging in IBM MQ?’ session:

Jonathan Levell presenting the ‘MQTT: The Protocol for the Internet of Things’ session:

Sam Goulden presenting the ‘MQ Administration, the Web Console, & REST API’ session:

Tim Zielke presenting the ‘MQ Data Conversion’ session:

Regards,
Roger Lacroix
Capitalware Inc.
