IBM MQ Fix Pack 8.0.0.10 Released

June 25, 2018 Roger Lacroix

IBM has just released Fix Pack 8.0.0.10 for IBM MQ
http://www.ibm.com/support/docview.wss?uid=swg22017459

Regards,
Roger Lacroix
Capitalware Inc.

Fix Packs for MQ, IBM MQ, Linux, Unix, Windows Comments Off on IBM MQ Fix Pack 8.0.0.10 Released

IBM MQ Fix Pack 9.0.0.4 Released

June 25, 2018 Roger Lacroix

IBM has just released Fix Pack 9.0.0.4 for IBM MQ V9.0 LTS
http://www.ibm.com/support/docview.wss?uid=swg24044869

Regards,
Roger Lacroix
Capitalware Inc.

Fix Packs for MQ, IBM i (OS/400), IBM MQ, Linux, Unix, Windows Comments Off on IBM MQ Fix Pack 9.0.0.4 Released

MQTC v2.0.1.8 Early-bird Price ends on Sunday June 24th

June 22, 2018 Roger Lacroix

The early-bird price for MQ Technical Conference v2.0.1.8 (MQTC) expires on Sunday, June 24th.

MQTC is the largest conference in the world solely dedicated to IBM MQ (aka WebSphere MQ & MQSeries).

For more information about MQTC, please go to:
https://www.mqtechconference.com

Regards,
Roger Lacroix
Capitalware Inc.

Education, IBM MQ, MQ Technical Conference Comments Off on MQTC v2.0.1.8 Early-bird Price ends on Sunday June 24th

Security Risk for MQ Model Queue

June 20, 2018 Roger Lacroix

Well, I learnt something new today: an MQ model queue is a security risk!

It is not that a model queue in of itself is a security risk but rather what you can do with a model queue to get a backdoor to a queue or maybe it is called a ‘side channel attack’ of a queue.

An application uses a model queue as a template when creating either Temporary Dynamic Queue (TDQ) or Permanent Dynamic Queue (PDQ).

MQOD od = {MQOD_DEFAULT};
strncpy( od.ObjectName,
         "SYSTEM.DEFAULT.MODEL.QUEUE",
         MQ_Q_NAME_LENGTH);
MQOPEN( Hcon,
        &od,
        MQOO_INPUT_EXCLUSIVE,
        &Hobj,
        &CompCode,
        &Reason );

(1) If the ‘Definition Type’ for the model queue ‘SYSTEM.DEFAULT.MODEL.QUEUE’ is ‘Temporary Dynamic’ (i.e. DEFTYPE(TEMPDYN) ) which is the default value then the above code will create a temporary dynamic queue that begins AMQ. i.e. AMQ.5B2A92F303EB5525

(2) If the ‘Definition Type’ for the model queue ‘SYSTEM.DEFAULT.MODEL.QUEUE’ is ‘Permanent Dynamic’ (i.e. DEFTYPE(PERMDYN) ) then the above code will create a permanent dynamic queue that begins AMQ. i.e. AMQ.5B2A92F303EB5635

When a TDQ or PDQ is created, the creator of the queue gets full access to the queue. And you would say yes, of course. Note: This is an important point to remember.

Now, if you don’t like AMQ as a prefix, you can use your own. Lets say you want a prefix of ‘GOAL’ then the code would look like:

MQOD od = {MQOD_DEFAULT};
strncpy( od.ObjectName,
         "SYSTEM.DEFAULT.MODEL.QUEUE",
         MQ_Q_NAME_LENGTH);
strncpy( od.DynamicQName,
         "GOAL.*",
         MQ_Q_NAME_LENGTH);
MQOPEN( Hcon,
        &od,
        MQOO_INPUT_EXCLUSIVE,
        &Hobj,
        &CompCode,
        &Reason );

(1) If the ‘Definition Type’ for the model queue ‘SYSTEM.DEFAULT.MODEL.QUEUE’ is ‘Temporary Dynamic’ (i.e. DEFTYPE(TEMPDYN) ) which is the default value then the above code will create a temporary dynamic queue that begins GOAL. i.e. GOAL.5B2A92F303EB5525

(2) If the ‘Definition Type’ for the model queue ‘SYSTEM.DEFAULT.MODEL.QUEUE’ is ‘Permanent Dynamic’ (i.e. DEFTYPE(PERMDYN) ) then the above code will create a permanent dynamic queue that begins GOAL. i.e. GOAL.5B2A92F303EB5635

For OAM permissions of a model queue, they are exactly the same as a local, alias, remote or cluster queue. If you don’t have access to ‘SYSTEM.DEFAULT.MODEL.QUEUE’ then you cannot create a TDQ or PDQ – WRONG.

Most MQAdmins will set the OAM permissions for application-related model queues to allow everyone (or pretty much everyone) access. What does that mean? If you don’t have access to ‘SYSTEM.DEFAULT.MODEL.QUEUE’ then you can use any other model queue that exists in the queue manager to create a TDQ or PDQ. i.e. ‘APPL.MODEL.QUEUE’

So, lets put our evil hats on!!! Off the top of my head, I can think of 2 situations where evil doers can do harm.

Hole #1: Let’s say you know that within the next few days or weeks, the MQAdmin will be creating new queues in a queue manager for a production application that will have confidential information in the messages. Let’s say the local queue will be called ‘RETAIL.CC.DATA.Q’. The MQAdmin has set the OAM permissions such that you do NOT have access to any queue that begins with ‘RETAIL.’. You are locked out, not if you think fast!!!

So, you create a program, doesn’t matter the language, that does:

MQOD od = {MQOD_DEFAULT};
strncpy( od.ObjectName,
         "ANY.MODEL.QUEUE",
         MQ_Q_NAME_LENGTH);
strncpy( od.DynamicQName,
         "RETAIL.CC.DATA.Q",
         MQ_Q_NAME_LENGTH);
MQOPEN( Hcon,
        &od,
        MQOO_INPUT_SHARED,
        &Hobj,
        &CompCode,
        &Reason );

The ‘ANY.MODEL.QUEUE’ model queue can be any model queue that has Definition Type of Permanent Dynamic. i.e. DEFTYPE(PERMDYN)

Note: I used the option of MQOO_INPUT_SHARED rather than MQOO_INPUT_EXCLUSIVE because I don’t want the real application noticing that I’m stealing the messages!!!!

Now the rogue user now has FULL access to queue ‘RETAIL.CC.DATA.Q’ (see point above about full access).

Why did MQ allow you to create the queue? The OAM checked the user’s permission of the queue name in the ObjectName field (i.e. model queue). One check and it is done. OAM does NOT check the value in the DynamicQName field or the ResolvedQName field if an asterick ‘*’ was used in the DynamicQName field.

When the MQAdmin runs their scripts to create the new queues (i.e. ‘RETAIL.CC.DATA.Q’), they may not even notice that the queue already existed and when they apply permissions via setmqaut commands, everything will work. But the rogue user has a nice backdoor to ‘RETAIL.CC.DATA.Q’.

Hole #2: Let’s say you have 4 queue managers (MQA1, MQA2, MQA3 & MQA4) participating in a cluster called ‘RETAIL_CLUS’ and a cluster queue called ‘RETAIL.CC.DATA.CLUSQ’. Let’s further say that the cluster queue ‘RETAIL.CC.DATA.CLUSQ’ is ONLY defined locally in queue manager ‘MQA4’ and not in the other 3 queue managers participating in the cluster.

This is a pretty typical setup. So, lets put our evil hats on again and create a program, doesn’t matter the language, which will connect to either MQA1, MQA2 or MQA3 and does:

MQOD od = {MQOD_DEFAULT};
strncpy( od.ObjectName,
         "ANOTHER.MODEL.QUEUE",
         MQ_Q_NAME_LENGTH);
strncpy( od.DynamicQName,
         "RETAIL.CC.DATA.CLUSQ",
         MQ_Q_NAME_LENGTH);
MQOPEN( Hcon,
        &od,
        MQOO_INPUT_SHARED,
        &Hobj,
        &CompCode,
        &Reason );

Now leaving behind a permanent dynamic queue in this situation may not be a good idea. I would go with a temporary dynamic queue. The evil program would get the messages, the application would be losing messages and when the program disconnects, there would be no trace and everybody would blame MQ for losing the messages!!!!

Hence, the ‘ANOTHER.MODEL.QUEUE’ model queue should be any model queue that has Definition Type of Temporary Dynamic. i.e. DEFTYPE(TEMPDYN)

Again, the OAM checks the user’s permission of the queue name in the ObjectName field (i.e. model queue). One check and it is done. OAM does NOT check the value in the DynamicQName field or the ResolvedQName field

I’ve worked with MQ for about 25 years and this is something I didn’t know you could do. Shocking. I always thought the OAM did a second check against either DynamicQName field or the ResolvedQName field. But no.

Bottom-line, make sure you put SUPER tight security on your model queues of a queue manager.

Regards,
Roger Lacroix
Capitalware Inc.

.NET, C, C#, C++, HPE NonStop, IBM i (OS/400), IBM MQ, IBM MQ Appliance, Java, JMS, Linux, Programming, Security, Unix, Windows, z/OS 1 Comment

Five Things Junior Developers Need to Know

June 14, 2018 Roger Lacroix

If you’re a junior developer then have a view of this video

Regards,
Roger Lacroix
Capitalware Inc.

Education, Programming, Video Comments Off on Five Things Junior Developers Need to Know

MQTC v2.0.1.8 Platinum Sponsor: TxMQ

June 11, 2018 Roger Lacroix

Capitalware would like to announce that TxMQ is a Platinum Sponsor of MQ Technical Conference v2.0.1.8 (MQTC).

For more information, please go to: https://www.mqtechconference.com

Regards,
Roger Lacroix
Capitalware Inc.

Education, IBM MQ, MQ Technical Conference Comments Off on MQTC v2.0.1.8 Platinum Sponsor: TxMQ

MQTC v2.0.1.8 Platinum Sponsor: IBM

June 11, 2018 Roger Lacroix

Capitalware would like to announce that IBM is a Platinum Sponsor of MQ Technical Conference v2.0.1.8 (MQTC).

For more information, please go to: https://www.mqtechconference.com

Regards,
Roger Lacroix
Capitalware Inc.

Education, IBM MQ, MQ Technical Conference Comments Off on MQTC v2.0.1.8 Platinum Sponsor: IBM

Doyle Leabch will be Speaking at MQTC v2.0.1.8

June 8, 2018 Roger Lacroix

Doyle Leabch of IBM will be presenting the following sessions at MQ Technical Conference v2.0.1.8 (MQTC):

    Doyle Leabch’s Technical Sessions:

  • ACEv11 the next generation of IBM Integration Bus and App Connect Professional

For more information about MQTC, please go to:
http://www.mqtechconference.com

Regards,
Roger Lacroix
Capitalware Inc.

Education, IBM MQ, MQ Technical Conference Comments Off on Doyle Leabch will be Speaking at MQTC v2.0.1.8

Here a cloud, there a cloud, MQ in the Cloud!!!

June 8, 2018 Roger Lacroix

People are always asking me what is “new” this year at MQTC. Well, this year there will be lots of sessions on “MQ in the Cloud”. In case you hadn’t noticed, there will be 8 MQTC sessions on MQ in the Cloud. That’s as of right now, there may be more to come. 🙂

    MQ in the Cloud Sessions:

  • MQ in the Cloud – The New MQaaS offering by Matthew Whitehead
  • MQ Hybrid Cloud Architectures by Matthew Whitehead
  • Running MQ in the Cloud by Rob Parker
  • Running MQ in Containers by Rob Parker
  • MQ Monitoring on the Cloud by Suganya Rane
  • MQ on AWS by Suganya Rane
  • MQ and IIB Deployment Patterns using Docker on IBM Cloud Private by Sandeep Chellingi
  • MQ, IIB, Docker, Kubernetes and the IBM Cloud by Glen Brumbaugh

For more information about MQTC, please go to:
http://www.mqtechconference.com

Regards,
Roger Lacroix
Capitalware Inc.

Education, IBM MQ, MQ Technical Conference Comments Off on Here a cloud, there a cloud, MQ in the Cloud!!!

First Draft of MQTC v2.0.1.8 Schedule

June 7, 2018 Roger Lacroix

I have posted the first draft of the MQ Technical Conference v2.0.1.8 (MQTC) schedule.You can find it at http://www.mqtechconference.com/schedule.html

Regards,
Roger Lacroix
Capitalware Inc.

Education, IBM MQ, MQ Technical Conference Comments Off on First Draft of MQTC v2.0.1.8 Schedule