Measuring MQ Capacity: How To Talk To A Bully

TxMQ senior consultant Allan Bartleywood doesn’t like bullies. Didn’t like them when he was a wee lad chasing butterflies across the arid hardscrabble of the Zimbabwean landscape. And certainly won’t tolerate them today in giant enterprise shops across the world.
Here’s the deal: Allan’s an MQ architect. Pretty much the best there is. He’s got a big peacenik streak. And he likes to stick up for his guys when a company bully starts to blame MQ.
You’ve heard it before: “MQ is the bottleneck. We need more MQ connections. It’s not my application – it’s your MQ.”
We all know it isn’t, but our hands are tied because we can’t measure the true capacity of MQ under load. So we blame the app and the bully rolls his eyes and typically wins the battle because apps are sexy and MQ is not and the app bully has been there 10 years and we’ve been there 3.
But Bartleywood’s new utility – the aptly named MQ Capacity Planner™ (MQCP) – unties our hands and allows us to stand up to the bully.
“I’m giving everyone the information we need to defend our environments – to stand up for our MQ,” Bartleywood says. “The Tivolis, the BMCs, the MQ Statistics Tools can’t speak to capacity because they can’t gin the information to tell you what true capacity is. I absolutely love how MQCP™ allows me, and you, to turn the whole argument upside-down and ask the bully: ‘Here’s what the MQ capacity is. Does the demand you put on MQ meet what it can truly deliver? Can you actually consume connections as fast as MQ can deliver them?’”
MQCP is now available to the public for the first time. It’s simply the best tool to develop an accurate picture of the size and cost of your environment. Ask about our special demo for large enterprise shops.
Photo by Eddie~S

Managed File Transfer: Your Solution Isn't Blowing In The Wind

If FTP were a part of nature’s landscape, the process would look a lot like a dandelion gone to seed. The seeds need to go somewhere, and all it takes is a bit of wind to scatter them toward some approximate destination.
Same thing happens on computer networks every day. We take a file, we stroke a key to nudge it via FTP toward some final destination, then turn and walk away. And that’s the issue with using FTP and SFTP to send files within the enterprise: The lack of any native logging and validation. Your files are literally blowing in the wind.
The popular solution is to create custom scripts to wrap and transmit the data. That’s why there’s typically a dozen or so different homegrown FTP wrappers in any large enterprise – each crafted by a different employee, contractor or consultant with a different skillset and philosophy. And even if the file transfers run smoothly within that single enterprise, the system will ultimately fail to deliver for a B2B integration. There’s also the headache of encrypting, logging and auditing financial data and personal health information using these homegrown file-transfer scripts. Yuck.
TxMQ absolutely recommends a managed system for file transfer, because a managed system:

  • Takes security and password issues out of the hands of junior associates and elevates data security
  • Enables the highest level of data encryption for transmission, including FIPS
  • Facilitates knowledge transfer and smooth handoffs within the enterprise (homegrown scripts are notoriously wonky)
  • Offers native logging, scheduling, success/failure reporting, error checking, auditing and validation
  • Integrates with other business systems to help scale and grow your business

TxMQ typically recommends and deploys IBM’s Managed File Transfer (MFT) in two different iterations: One as part of the Sterling product stack, the other as an extension on top of MQ.
When you install MFT on top of MQ, you suddenly and seamlessly have a file-transfer infrastructure with built-in check-summing, failure reporting, audit control and everything else mentioned above. All with lock-tight security and anybody-can-learn ease of use.
MFT as part of the Sterling product stack delivers all those capabilities to an integrated B2B environment, with the flexibility to quickly test and scale new projects and integrations, and in turn attract more B2B partners.
TxMQ is currently deploying this solution and developing a standardization manual for IBM MFT. Are you worried about your file transfer process? Do you need help trading files with a new business partner? The answer IS NOT blowing in the wind. Contact us today for a free and confidential scoping.
Photo by Alberto Bondoni.

What The x86 Deal Delivers To Lenovo, IBM And Users

The Lenovo purchase of IBM’s low-end x86 server business closed about a month ago. Now that all the smoke has cleared, it’s time to examine a few of the angles about why the sale went down, what it delivers to both Lenovo and IBM, and how it affects current users of IBM-branded x86 equipment.
First, the easy question: Why the sale?
Think back to 2005 when Lenovo bought IBM’s PC business. Lenovo instantly became the third-largest PC supplier in the world and is now the largest (ahead of HP and Dell, based on unit sales). The ThinkPad that Lenovo bought from IBM is the most successful and most durable everyman’s laptop in the world, and it continues to endure with top and near-top worldwide marketshares.
Lenovo wants to replicate that success with its purchase of IBM’s everyman server technology. And when the deal closed, and Lenovo finally became the owner of IBM’s profitable x86 server business, Lenovo immediately went from 6th to 3rd in marketshare in the x86 market (behind, yep, HP and Dell).
Sure, the x86 stuff is pretty unsexy. It’s a commodity. Sort of like Lego blocks. But the historic low cost of the product means that x86 stuff is still a major core infrastructure component for red-hot market segments like big data and cloud deployments. And remember that Lenovo will also acquire Motorola Mobility – the smartphone business that Google bought from Motorola in 2011 – by the end of the year. Mobile data’s one of the main drivers of the growth in large-scale commodity-server deployment. So it’s a proper marriage for Lenovo.
For reference, here’s the formal list of the x86 product that Lenovo bought from IBM:

  • System x racks and towers
  • x86 BladeCenter
  • x86 Flex System blade servers and integrated systems
  • Associated software, switching and maintenance operations

What does the sale deliver to both companies? For IBM, it allows Big Blue to continue to divest itself of commodity-hardware manufacturing and to continue its trend of crafting strategic partnerships with hardware manufacturers. Lenovo’s a big partner, but don’t forget IBM’s historic alliance with Apple, announced in July. There’s a different type of hardware integration happening right now, where workplace functionality and process is no longer desktop-specific. IBM has a lot to gain by selling a solid hardware business like the x86 line to Lenovo, because Lenovo can deliver legendary efficiency and scalability to gain more share for the servers and thus benefit IBM process software and platforms far into the future.
Does anybody really think IBM should still be making and selling PCs? Ask that same question about low-grade servers 2 years from now.
But the question looms: Where does all this leave current IBM x86 customers? Not much should change, according to both Lenovo and IBM. Former IBM server chief Adalio Sanchez – who led the x86 server business at IBM – is now senior vice-president of enterprise systems, reporting to Gerry Smith, Lenovo’s president for the North America region.
There’s talk that the entire x86 business might suddenly be more approachable – both from an IBM and Lenovo standpoint. There’s also speculation, likely grounded in truths, that strong incentives will emerge to align Lenovo PC users with x86 servers. That’s a bit of good news for firms and customers who want incentives to scale and align at the same time.

IBM WebSphere Message Broker And Integration Bus Both Vulnerable To POODLE

Shortly after its announcement that WebSphere MQ could be exposed to the POODLE vulnerability, IBM issued a similar warning for its IBM WebSphere Message Broker and IBM Integration Bus (IIB) products. POODLE is short for Padding Oracle On Downgraded Legacy Encryption and it exploits an opening in SSLv3. Because SSLv3 is enabled by default in IBM WebSphere Message Broker and IBM Integration Bus, hardening against POODLE is critical. (See TxMQ’s coverage of the WebSphere MQ vulnerability here.)
OpenSSL could allow a remote attacker to bypass security restrictions. When configured with “no-ssl3” as a build option, servers could accept and complete an SSL 3.0 handshake, which could then be exploited to perform unauthorized actions.

Affected Products

The specific list of affected products includes:

  • IBM WebSphere Message Broker V7.0 and V8.0
  • IBM Integration Bus V9.0
  • IBM WebSphere Message Broker Hypervisor Edition V8.0
  • IBM Integration Bus Hypervisor Edition V9.0
  • IBM SOA Policy Pattern for Red Hat Enterprise Linux Server

Workarounds

The most important action is to disable SSLv3 and switch to TLS protocol on Message Broker and IIB servers and clients. Product-specific instructions, with direct links to the more detailed instructions in the IBM Knowledge Center, are listed below.

Inbound Connections

The attack vector is inbound connections. Outbound connections may stop working if the server disallows SSLv3.
Inbound HTTP connections using the Broker-wide listener: Instructions found here.
mqsichangeproperties broker_name -b httplistener -o HTTPSConnector -n sslProtocol -v TLS
Inbound HTTP connections using the integration server listener will by default use TLS (as the integration server listener defaults to TLS). If however it has been modified to match the broker-wide listener, use these instructions to make the necessary changes to use TLS.
mqsichangeproperties broker_name -e integration_server_name -o HTTPSConnector -n sslProtocol -v TLS
Inbound SOAP connections using the non-default broker-wide listener: Instructions found here.
mqsichangeproperties broker_name -b httplistener -o HTTPSConnector -n sslProtocol -v TLS
Inbound SOAP connections using the integration server listener (the default choice) will by default use TLS (as the integration server listener defaults to TLS). If however it has been modified to match the broker-wide listener, use these instructions to make the necessary changes to use TLS.
mqsichangeproperties broker_name -e integration_server_name -o HTTPSConnector -n sslProtocol -v TLS
TCPIP Server inbound: Instructions found here.
mqsichangeproperties MYBROKER -c TCPIPServer -o myTCPIPServerService -n SSLProtocol -v TLS
WebAdmin inbound: Instructions found here.
mqsichangeproperties brokerName -b webadmin -o HTTPSConnector -n sslProtocol -v TLS
ODBC (DataDirect) OpenSSL as configured in odbc.ini: The ODBC Oracle Wire Protocol driver allows the EncryptionMethod connect option to be set to a value of 5, which means only use TLS1 or higher. Setting EncryptionMethod=5 for the Oracle Wire Protocol driver will avoid POODLE. This functionality has been available since version 6.1 of the Oracle WP driver. The providers of DataDirect drivers are working on adding similar functionality to all other ODBC drivers that support SSL, and on upgrading the version of OpenSSL used within the drivers to pick up the enhancement to SSL negotiation.
The client-based ODBC drivers (DB2 Client and Informix Client) rely on the SSL implementation within the database’s client libraries. See client libraries to learn about possible exposure to POODLE.
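A way to confirm that the listener changes above took effect, as an added example (not part of IBM's instructions or TxMQ's tooling): it sends a ClientHello that offers only SSL 3.0 and reports whether the listener answers with an SSL 3.0 ServerHello or refuses. The function names, result labels and the host and port passed on the command line are assumptions for illustration.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"                 # protocol version 3.0 on the wire
HANDSHAKE, ALERT = 0x16, 0x15      # record content types
SSLV3_ACCEPTED = "SSLV3_ACCEPTED"  # listener still negotiates SSLv3
SSLV3_REFUSED = "SSLV3_REFUSED"    # alert, reset or close: SSLv3 is off
INCONCLUSIVE = "INCONCLUSIVE"      # not an SSL/TLS answer (wrong port?)


def build_sslv3_client_hello(random_bytes=None):
    """Return one record holding a ClientHello whose highest version is SSL 3.0."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    # Suites usable under SSLv3: AES128-SHA, 3DES-EDE-CBC-SHA, RC4-128-SHA.
    suites = b"\x00\x2f\x00\x0a\x00\x05"
    body = (SSL3 + random_bytes + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first bytes the listener sent back."""
    if len(data) < 5 or data[0] == ALERT:
        return SSLV3_REFUSED
    # Bytes 5 and 9..10 are the handshake type and the server_version field.
    if (data[0] == HANDSHAKE and len(data) >= 11
            and data[5] == 0x02 and data[9:11] == SSL3):
        return SSLV3_ACCEPTED
    return INCONCLUSIVE


def _read(sock, count):
    """Read up to count bytes, stopping early if the peer closes."""
    buf = b""
    while len(buf) < count:
        chunk = sock.recv(count - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port, timeout=5.0):
    """Connect to a listener you administer and classify its answer."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            data = _read(sock, 5)                  # record header
            if len(data) == 5 and data[0] == HANDSHAKE:
                data += _read(sock, 6)             # up to server_version
    except ConnectionResetError:
        pass                                       # reset after the hello = refusal
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python check_sslv3.py <listener-host> <https-port>
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it before and after the `mqsichangeproperties` change; a timeout or failed connection raises an exception rather than being reported as a refusal.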

Outbound Connections

Once the servers are changed to use TLS, it’s important to update the outbound settings with the following commands. Note that in all the following instructions, TLS can be substituted for SSL_TLS or SSL_TLSv2 if needed.
For HTTP connections: Instructions found here.
Then in the SSL tab of the Request node(s) select TLS for the Protocol.
For SOAP connections that have been modified to use the non-default SSLv3 protocol: Instructions found here.
Then in the SSL tab of the Request node(s) select TLS for the Protocol.
TCPIP Client: Instructions found here.
mqsichangeproperties MYBROKER -c TCPIPClient -o myTCPIPClientService -n SSLProtocol -v TLS
JMS Nodes: Some information found here. Follow instructions as provided by your JMS Provider.
CICS Nodes: Instructions found here.
The CICS nodes use TLS by default, so no change is needed.

Security Providers

WSTrust: Set the environment variable MQSI_STS_SSL_PROTOCOL to “TLS”
TFIM: Set the environment variable MQSI_TFIM_SSL_PROTOCOL to “TLS”
Click here for IBM’s full CVE-2014-3566 bulletin.
TxMQ is an IBM Premier Business Partner and “MQ” is part of our name. For additional information about this vulnerability and all WebSphere-related matters, contact president Chuck Fried: 716-636-0070 x222, chuck@TxMQ.com.
TxMQ recently introduced its MQ Capacity Planner – a new solution developed for performance-metrics analysis of enterprise-wide WebSphere MQ (now IBM MQ) infrastructure. TxMQ’s innovative technology enables MQ administrators to measure usage and capacity of an entire MQ infrastructure with one comprehensive tool.
(Photo by greg westfall under Creative Commons license.)

IBM WAS Enhancements Deliver Internet-Scale Clustering For Applications

IBM recently announced enhancements to its WebSphere Application Server (IBM WAS) version 8.5.5 that deliver more functionality and services to the Liberty and full profiles. The enhancements are geared toward both development and production environments and are said to provide “significant enhancements in terms of developer experience and high-end resiliency.”
The features can largely be installed optionally from the WebSphere Liberty Repository and used in conjunction with features previously available and active.
Developers now have new programming models and tools. The result: A better developer climate that should result in a more rapid pace of application deployments. Administrators and businesses can leverage new Intelligent Management and security features to lower the administrative overhead of managing, scaling, and securing servers.
WAS in general is gearing itself more and more toward cloud and mobile development and deployment, hence the rollout of these new features.
Specific enhancements to WebSphere Liberty include:

  • Java EE 7-compliant programming model support for WebSockets 1.0 (JSR 356) and Servlet 3.1 (JSR 340) to enrich applications with responsive dynamic content
  • Additional Java EE 7 components in support of APIs for processing JSON (JavaScript Object Notation) data (JSR 353) and Concurrency utilities (JSR 236)
  • Auto-scaling capabilities to dynamically adjust the number of Java virtual machines (JVMs) based on workload, and auto-routing to intelligently manage your workload
  • Improved operational efficiency of large-scale, clustered deployments of tens of thousands of Java virtual machines (JVMs) in a Liberty Collective
  • Configurable, global Web Service handlers for extending and customizing payloads to Web Service applications
  • REST connector for non-Java clients to extend client access to Java Management Extensions (JMX) administration infrastructure through a RESTful API.
  • Simplified configuration processing for feature developers to enable customization of WebSphere Application Server Liberty profile capabilities
  • Enhancement to the distributed security model using OpenID and OpenID Connect to simplify the task of authenticating users across multiple trust domains
  • Enhancement to WebSphere Liberty Administrative Center for usability and management of large collectives of application servers
  • Enhancement to WebSphere Application Server Migration Toolkit – Liberty Tech Preview includes new binary scanning capability to quickly evaluate applications for rapid deployment on WebSphere Liberty.

TxMQ is an IBM Premier Business Partner and we specialize in WebSphere. For additional information about IBM WAS and all WebSphere-related matters, contact president Chuck Fried: 716-636-0070 x222, chuck@TxMQ.com.

POODLE Vulnerability In SSLv3 Affects IBM WebSphere MQ

Secure Socket Layer version 3 (SSLv3) is largely obsolete, but some software does occasionally fall back to this version of SSL protocol. The bad news is that SSLv3 contains a vulnerability that exposes systems to a potential attack. The vulnerability is nicknamed POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption.

The vulnerability does affect IBM WebSphere MQ because SSLv3 is enabled by default in MQ.
IBM describes the vulnerability like this: “IBM WebSphere MQ could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.”

The vulnerability affects all versions and releases of IBM WebSphere MQ, IBM WebSphere MQ Internet Pass-Thru and IBM Mobile Messaging and M2M Client Pack.

To harden against the vulnerability, users should disable SSLv3 on all WebSphere MQ servers and clients and instead use the TLS protocol. More specifically, WebSphere MQ channels select either SSL or TLS protocol from the channel cipherspec. The following cipherspecs are associated with the SSLv3 protocol and channels that use these should be changed to use a TLS cipherspec:
AES_SHA_US
RC4_SHA_US
RC4_MD5_US
TRIPLE_DES_SHA_US
DES_SHA_EXPORT1024
RC4_56_SHA_EXPORT1024
RC4_MD5_EXPORT
RC2_MD5_EXPORT
DES_SHA_EXPORT
NULL_SHA
NULL_MD5
FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA
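
One way to find the channels that need changing, as an added example (not IBM's or TxMQ's tooling): it parses the output of the MQSC command `DISPLAY CHANNEL(*) SSLCIPH` and flags every channel whose cipherspec is on the list above. The sample output, channel names, function names and status labels are constructed for illustration.

```python
import re

# SSLv3 cipherspecs exactly as listed in the advisory text above.
SSLV3_CIPHERSPECS = frozenset({
    "AES_SHA_US", "RC4_SHA_US", "RC4_MD5_US", "TRIPLE_DES_SHA_US",
    "DES_SHA_EXPORT1024", "RC4_56_SHA_EXPORT1024", "RC4_MD5_EXPORT",
    "RC2_MD5_EXPORT", "DES_SHA_EXPORT", "NULL_SHA", "NULL_MD5",
    "FIPS_WITH_DES_CBC_SHA", "FIPS_WITH_3DES_EDE_CBC_SHA",
})

# Constructed sample of runmqsc output for: DISPLAY CHANNEL(*) SSLCIPH
SAMPLE_RUNMQSC_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   SSLCIPH(RC4_MD5_US)
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(QM2.TO.QM1)                     CHLTYPE(RCVR)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SSLCIPH( )
"""

# MQSC prints attributes as NAME(value), several per line.
ATTRIBUTE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text):
    """Return one {attribute: value} dict per channel stanza."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):       # header line opens a new stanza
            current = {}
            channels.append(current)
        elif current is not None:
            for name, value in ATTRIBUTE.findall(line):
                current[name] = value.strip()
    return [c for c in channels if "CHANNEL" in c]


def audit(text):
    """Return (channel, type, cipherspec, status) tuples in output order."""
    findings = []
    for channel in parse_channels(text):
        spec = channel.get("SSLCIPH", "")
        if spec in SSLV3_CIPHERSPECS:
            status = "SSLV3"                 # must move to a TLS cipherspec
        elif spec == "":
            status = "NO_SSLCIPH"            # blank: channel does not use SSL/TLS
        else:
            status = "NOT_LISTED"            # not one of the SSLv3 specs above
        findings.append((channel["CHANNEL"], channel.get("CHLTYPE", ""),
                         spec, status))
    return findings


if __name__ == "__main__":
    for name, chltype, spec, status in audit(SAMPLE_RUNMQSC_OUTPUT):
        print(f"{status:<11} {name:<22} {chltype:<8} {spec or '-'}")
```

Both ends of a channel must be changed to the same TLS cipherspec, so run the audit on each queue manager before altering anything.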

On UNIX, Linux, Windows and z/OS platforms, FIPS 140-2 compliance mode enforces the use of TLS protocol. A summary of MQ cipherspecs, protocols and FIPS compliance status can be found here.

On the IBM i platform, use of the SSLv3 protocol can be disabled at a system level by altering the QSSLPCL system value. Use Change System Value (CHGSYSVAL) to modify the QSSLPCL value, changing the default value of *OPSYS to a list that excludes *SSLV3. For example: *TLSV1.2, *TLSV1.1, *TLSV1.

TxMQ is an IBM Premier Business Partner and “MQ” is part of our name. For additional information about this vulnerability and all WebSphere-related matters, contact president Chuck Fried: 716-636-0070 x222, chuck@TxMQ.com.

(Photo from J Jongsma)

DataPower Security Bulletin from IBM

I received an email from IBM today and I’d like to pass along the security information. This came directly from IBM.

While this issue is not specifically with DataPower, DataPower can leverage SSLv3, so please ensure you’re assessing all of your security infrastructure leveraging SSLv3. Please take appropriate actions.

http://www-01.ibm.com/support/docview.wss?uid=swg21687189

Security Bulletin: Vulnerability in SSLv3 affects DataPower (CVE-2014-3566)

Security Bulletin Summary: SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in DataPower.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions: All DataPower products and versions that have configured a DataPower Crypto Profile object for SSL communication.
Remediation/Fixes: None
Workarounds and Mitigations: Disable SSL v3 in DataPower configuration.
First make sure to Quiesce all domains and services to stop traffic to the appliance. System quiesce and unquiesce commands can be invoked by navigating to Administration –> Main –> System Control.
Next, select Objects –> Crypto Configuration –> Crypto Profile in the left navigation pane. For all the crypto profile objects that are configured, in the “Configure Crypto Profile” page, “Options” parameter, select the checkbox “Disable SSL version 3”. Click Apply.
Note that SSL v3 must be disabled in all the Crypto Profile objects configured in all the domains. IBM recommends that you review your entire environment to identify other areas that enable the SSLv3 protocol and take appropriate mitigation such as disabling SSLv3 and remediation actions.

WebSphere DataPower not affected by "Shellshock" Virus

IBM released a notice this morning stating that the IBM DataPower appliance is not vulnerable to the Shellshock vulnerabilities (also referred to as the Bash Bug) or to the two memory corruption vulnerabilities.
DataPower doesn’t use Bash anywhere and therefore it is not impacted by any of the Bash vulnerabilities.
In particular, DataPower in all editions and all platforms is NOT vulnerable to the Bash vulnerabilities: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.
However, it is recommended that you review your entire environment to identify vulnerable releases of Bash and take appropriate action where needed.
Source: http://www-01.ibm.com/support/docview.wss?uid=swg21685435&myns=swgws&mynp=OCSS9H2Y&mync=E

How Big Data Crowdsource Strategies Aim To Improve Navigation Charts

Some might be quick to poo-poo the industry of fishing and outdoor recreation – especially when it comes to technology. Too bad, because this vertical’s a ripe testbed for technological innovation and application. I’ll repeat an axiom I put forth a few days ago: Major technological advances are driven by two factors – war and entertainment. It’s no surprise to me that cartography has undergone a recent revolution, led by the manufacturers of recreational fishing and boating electronics and their customers.
The new buzzword in this vertical is crowdsource charting. It’s a big-data project where the public supplies the sonar charting data, which is then uploaded and integrated into a master map, which is then served back to the public as a sum of the different community edits and adds.
It’s been done before in other forms – Yelp, Google, iTunes and so many other apps and platforms crowdsource reviews, tips, photos and public/government data. But crowdsource cartography is different because it deals with water depths and features – stuff that’s just as rare and valuable and malleable today as it was 300 years ago when Blackbeard had to pick his way through to Ocracoke Inlet.
The power of the crowdsource strategy lies in its promise to develop pinpoint depth accuracy fed by near-real-time updates to changing water depths, sandbars and hazards. Most navigation charts were sounded decades ago. In the case of reservoirs, the navigation charts may have simply been created using topographic maps that were surveyed years prior to fill.
The first marine electronics company to embrace crowdsource technology was Navionics, which manufactures third-party upgrades and add-ons for all popular electronics platforms. The Navionics app has been downloaded more than 1.5 million times. And now, the Navionics SonarCharts project allows boaters and anglers to record soundings throughout their day, then upload them to a central server for more accurate charts.
Lowrance, a division of Navico, recently launched its Insight Genesis project, which follows a similar strategy, with the difference that Insight Genesis is only compatible with Navico products (Lowrance, Simrad, B&G). Another interesting feature of the Insight Genesis project: Users can upload and use maps for free, but they need to pay a premium to keep them private. That’s a nice bonus option for secretive anglers.
Interestingly, the other major electronics player, Humminbird, hasn’t embraced crowdsource mapping. Its AutoChart program allows users to generate private charts only. But given the fact that Humminbird is geared nearly 100% toward the angling market, the privacy play makes sense.
I think the major takeaway at this point is that crowdsource marine charting is here to stay and the involved companies will soon possess hordes of valuable big data that will grow in worth and equity over the coming decade as new platforms and businesses find new ways to leverage and monetize such data.
Interested in big data? Want to know how to implement big-data architecture and strategy in your enterprise? TxMQ can help. Contact TxMQ president Chuck Fried for a free and confidential consultation: (716) 636-0070 x222, chuck@txmq.com.

New IBM Tivoli OMEGAMON Performance Suite Expands Mainframe Service Management Options

The new availability of a comprehensive Tivoli-based z/OS performance suite is big news for mainframe service management. The software, which was released on Sept. 5, is a single orderable product that helps manage IBM zEnterprise performance and availability. IBM has geared several of the suite’s features directly to SMEs, most notably the deep-dive analysis capabilities, which are enabled for the entire z/OS platform and middleware.
A good way to describe Tivoli OMEGAMON is to call it a highly integrated solution for sharing information between the different management groups within an organization to help increase effectiveness, better meet Service Level Agreements and reduce costs through efficiency.
The OMEGAMON Performance Management Suite contains the following component-products:

  • IBM Tivoli OMEGAMON Dashboard Edition on z/OS V5.3.0 (new)
  • IBM Tivoli OMEGAMON XE on z/OS V5.3.0 (new)
  • IBM Tivoli OMEGAMON XE for Mainframe Networks V5.1.1
  • IBM Tivoli OMEGAMON XE for Storage on z/OS V5.3.0 (new)
  • IBM Tivoli OMEGAMON XE for CICS on z/OS V5.3.0 (new)
  • IBM Tivoli OMEGAMON XE for DB2 Performance Expert on z/OS V5.2.0
  • IBM Tivoli OMEGAMON XE for IMS on z/OS V5.1.0
  • IBM Tivoli OMEGAMON XE for Messaging for z/OS V7.3.0
  • IBM Tivoli Composite Application Manager for Web Resources V7.1.0

If your enterprise already owns any of the above components, you can upgrade to the performance suite.
The suite also contains Tivoli Monitoring Agent, which provides visibility into the zEnterprise hybrid infrastructure including hardware resources, hypervisors, virtual servers, virtual networks, and workload resource groups that span heterogeneous platforms as defined by IBM zEnterprise Unified Resource Manager. The Agent offers proactive monitoring of zEnterprise workload resource groups to help them meet the service level objectives you’ve defined for the enterprise.
TxMQ is an IBM Premier Partner and can assist you with software purchases and deployments. Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, chuck@txmq.com.