WebSphere MQ v7.5 Security Concerns

Content contributed by Allan Bartleywood – Sr. MQ Subject Matter Expert
WebSphere MQ v7.5 security concerns seemed to be a resounding issue. We heard a lot of concerns regarding it while we were at the IBM Impact 2014 conference last week.

I do not believe it’s actually a concern for security when your organization is doing an upgrade to version 7.5, but more a concern as to whether your organization already has security enabled within your MQ environment.

At a lot of the organizations that I’ve consulted with, I’ve noticed that there is a lack of security actually implemented within the MQ environment.  WebSphere MQ has always had security implemented that was focused at the operating system level where it was running.

With this latest WebSphere MQ v7.5, security concerns, features have been added to meet today’s demands. This includes support for Advanced Message Security where the queue manager actually encrypts and decrypts Messages as they go through the environment on a put an get of an application.

You can actually configure the queue manager down to individual queues so that only certain queues will have messages encrypted.

This feature is providing the capability for messages to now meet compliance requirements like HIPAA and PCI Compliance. While data is in transit, it is in encrypted by the messaging transport without any special requirements being added to the applications.

This will, of course, mean that from the time a message put onto queue to the time a message just gotten off the queue, it has been included. Further security enhancements are provided to ensure that only certain applications will get the message decrypted from a given queue.

Now all of these features are out of the box with no added installs and compatibility issues being encountered.

Going back to whether organizations are actually implementing suitable levels of security within their messaging environment is another matter. What is quite often seen it is that administration and application usage of MQ is left open, that is it has not been unable at all.

This is normally due to a conscious decision or simply a lack of knowledge of the capabilities of the product; or a lack of understanding of the security policies and implications relating to the data that is being sent over the messaging environment.

It is not uncommon to see administrators using client connections to queue managers over the server connection channel with no authentication at all. It is also not uncommon to see the queue manager with channel authority disabled.

So are the security concerns about upgrading to version 7.5 related to a lack of understanding and knowledge of what the security capabilities are within 7.5 and pressure being put on IT for tighter security compliance, rather than whether 7.5 is capable of delivering services to these tighter security compliance requirements.

There are also situations where IT sees the requirement for better security compliance but the business doesn’t understand what is compliance are.

If you’re having WebSphere MQ v7.5 security concerns, please feel free to reach out to Wendy at TxMQ, wendy@txmq.com and let us answer your questions and guide your upgrade so all the proper security features are in place.

(Photo: Compliments of Still Burning)

IBM Bringing 500 Jobs to Buffalo

IBM is committing to bring 500 jobs to a new, 100,000-square-foot, state-owned computer information technology center in Buffalo to train future and current industry workers and to create cutting-edge software.
According to an article in the local news, IBM has also agreed to a separate endeavor to become the first corporate technology member of the recently announced New York Genomic Medicine Center, a $100 million new partnership between a genome research facility in Manhattan and the University at Buffalo’s center for computational research.
At a news conference Monday, it was announced that IBM will be the anchor tenant in a new partnership development with SUNY College of Nanoscale Engineering in Albany.
IBM’s new facility is expected to open in Buffalo by early 2015 and is the latest in a series of economic development plans in Western New York.
Buffalo has done a fair job of luring IBM to come here with some $55 million in state funding going toward the project. An additional $30 million will go for the purchase of various software, computers and servers.
The goal is to create around 500 jobs in three to five years time and IBM is reportedly putting an emphasis on recruiting software engineer and research graduates from Buffalo colleges.
Ginni Rometty, IBM chairman, president and chief executive officer, said the new facility will “create new opportunity for Buffalo developing the next generation of software in growth areas like mobile, cloud and analytics.”

IBM Plans to Acquire Lenovo Servers

Lenovo and IBM have entered into a definitive agreement in which Lenovo plans to acquire IBM’s x86 server business. This includes System x, BladeCenter and Flex System blade servers and switches, x86-based Flex integrated systems, NeXtScale and iDataPlex servers and associated software, blade networking and maintenance operations. The purchase price is approximately US$2.3 billion, approximately two billion of which will be paid in cash and the balance in Lenovo stock.
IBM will retain its System z mainframes, Power Systems, Storage Systems, Power-based Flex servers, and PureApplication and PureData appliances.
The agreement builds upon a longstanding collaboration that began in 2005 when Lenovo acquired IBM’s PC business, which included the ThinkPad line of PCs. In the period since the companies have continued to collaborate in many areas.
IBM will continue to develop and evolve its Windows and Linux software portfolio for the x86 platform.  IBM is a leading developer of software products for x86 servers with thousands of products and tens of thousands of software developer and services professionals who build software for x86 systems.
For more information on this acquisition, read the full announcement.

A Quadruple Play For IBM On-Premises Applications

As industry focuses more and more on a move toward cloud, IBM is certainly not neglecting the On-Premises needs. Way to go IBM!!! Gartner recently scored IBM as the “Quadrant Leader” in four significant areas: On-Premises Application Platforms, Mobile Application Development Platforms, On-Premises Application Integration Suites and Application Services Governance.
You will hear a lot of this buzz at the upcoming IBM Connect (January) and IBM Impact (April) conferences. Come to TxMQ to understand the full significance of this achievement.
To learn more, you can download each of the Gartner Magic Quadrant reports here:

Breach Etiquette: Target's Responsibility

Just as retailers were in the throes of the holiday madhouse, Target – the second largest retailer in the US – was breached. Forbes recently posted an article outlining seven lessons that could be learned from the way Target handled the situation.
The link to the Forbes article is here – Target’s Worst PR Nightmare: 7 Lessons From Target’s Well-Meant But Flawed Crisis Response – but what do you think?
What I always find surprising in these cases in which consumer portal sites are breached/hacked is that there’s always so much talk about how to handle the consequences. But what about an explanation of what will be done to prevent this from happening again? The same issue happened last year with the PlayStation Network, when millions of credit-card numbers and customer information was exposed. Another scenario was the ObamaCare website: The site went down because it wasn’t properly architected and stress tested. We heard a lot about “why” but not a lot about the “what” is being done to prevent it from happening all over again.
Obviously, when you open your business to the world, you’re now exposed to a world of attacks. You can only do your best to prevent a hacker’s attack. However, your best must include an ongoing and robust test plan, executed by an experienced team that keeps up with the latest technologies, methods of attacks, and the ever-changing demographics of user communities and methods of access.
TxMQ has expert infrastructure architects, portal architects and load-testing expertise to help companies address these issues through cost-effective, consulting engagements.
Find out more. Email our consulting leaders in confidence, consulting@txmq.com, for more information.

IBM Worklight V6.0, IBM Mobile Applications Platform Pattern V6.0, and IBM Mobile Foundation V6.0

IBM® Worklight® and IBM Mobile Foundation are open standards-based mobile application foundations, which enable accelerated delivery of innovative mobile solutions. As elements of IBM MobileFirst, they help you build rich, cross-platform applications using standard technology, and connect mobile applications to a variety of enterprise back-end systems and cloud systems.
IBM Worklight V6.0 delivers an open, comprehensive, and advanced mobile application platform for smartphones and tablets, offering:

  • Mobile application development and delivery
  • Complete end-to-end mobile device management
  • Advanced connectivity to back-end systems and cloud-based services that is optimized for mobile devices
  • Advanced application management for updates push and version control

IBM Mobile Foundation V6.0 is a member of the IBM MobileFirst family of products that include IBM Worklight V6.0, IBM Mobile Application Platform pattern V6.0, IBM EndPoint Manager for mobile device management, and IBM WebSphere® Cast Iron® for connectivity. Together, these products help organizations of all iszes extend their business by providing copabilities to efficiently implement, connect, secure, and mangage HTML5, hybrid and native mobile applications.
IBM Worklight helps you by:

  • Using standard technology, such as HTML5, the native client platform software development kits (SDKs), and integration with the growing ecosystem of third-party tools, libraries, and frameworks
  • Connecting mobile applications to back-end systems and cloud services through mobile-optimized middleware
  • Enabling you to manage a portfolio of applications and the lifecycle of their content from one centralized administration console
  • Helping you secure mobile applications through numerous protection mechanisms, such as encrypted storage, online and offline authentication

Enhancements in IBM Worklight V6.0 Include:

  • Automated functional testing for accelerated delivery cycles of native and hybrid, cross-platform mobile applications
  • New advanced IT analytics for application usage insight, triggering of actions based on analytics events, and location-based services such as geo-fencing
  • Improved application development and testing abilities to record and run tests of mobile applications on devices and emulators
  • Expanded mobile operating system support, including support for new levels of iOS, Android, BlackBerry, Windows 8 and RT, and Windows Phone 8 in addition to third-party software support updates for JQuery Mobile and Dojo Mobile
  • Easier, more guided, hybrid application development, with tools and building blocks such as improved Dojo Mobile setup and screen templates
  • Improved application startup performance

IBM Worklight V6.0
IBM Worklight is designed to provide an open mobile application platform for developing, deploying, and managing mobile applications on an open extensible platform. Enterprises can deliver mobile content that takes advantage of existing enterprise security, scalability, management solutions, and service-oriented architecture (SOA) service investments.
Worklight is based on open standards, which may help you protect your mobile investment, reduce development costs, and avoid technology lock-ins. Worklight delivers a range of application development and management capabilities to support a wide variety of mobile devices and mobile application types, while taking advantage of existing technologies, skills, and investments.
IBM Worklight V6.0 provides five main capabilities:
Screen Shot 2013-06-24 at 3.24.09 PM

  • A comprehensive, cross-platform, standards-based extensible environment that maximizes code reuse and per-device optimization.
  • Includes a rich, drag-and-drop, WYSIWYG development environment
  • Helps to simplify the development of mobile web, hybrid, and native applications across multiple mobile platforms, including iOS, Android, BlackBerry, Windows, Windows RT, and Windows Phone

 
Screen Shot 2013-06-24 at 3.24.31 PM

  • Mobile-optimized middleware that provides a services layer to support back-end integration, version management, security, and unified push notification mechanisms.
  • Supports Mobile Application Management (MAM) and mobile authenticity check, mobile usage statistics, and reports
  • Facilitates authentication framework integration for single sing-on (SSO)

 
 
Screen Shot 2013-06-24 at 3.24.52 PM

  • Extensible libraries and client API’s that expose and interface with native device capabilities, such as the camera, accelerometer, and contact lists, using standard web skills.
  • Provide on-device, synchronized, and encrypted storage facilities for storing sensitive data on the device

 
 
Screen Shot 2013-06-24 at 3.25.11 PM

  • Administrators can remotely disable applications based on predetermined rules of application version and mobile device
  • Directs users to a new version of the application, if necessary
  • Can deploy new versions of an application’s web code and automatically push the versions to users
  • Administrators can monitor the push notification framework and enable or disable notifications to specific applications
  • Administrators can access reports describing application adoption and usage, or integrate with the enterprise business intelligence (BI) system to perform custom analytics on mobile usage data

 
Screen Shot 2013-06-24 at 3.25.24 PM

  • Can function as an enterprise application store by providing a place to deploy mobile applications across platforms with appropriate access control and role based security
  • If you want to deploy mobile applications to the IBM Endpoint Manager for Mobile Devices, the process of moving mobile applications from development with IBM Worklight to production deployment with IBM Endpoint Manager for Mobile Devices is simplified

 
The following products integrate well with IBM Worklight and IBM Mobile Foundation solutions to deliver unified front-end and back-end mobile development:

  • Rational® IDE V8.5.1 products
    • Rational Application Developer for WebSphere Software
    • Rational Software Architect for WebSphere Software
    • Rational Developer for System z
    • Rational Developer for Power® System Software

The following products provide specific support for IBM Worklight and IBM Mobile Foundation, and provide a more robust solution:

  • IBM Mobile Development Lifecycle Solution
    • Rational Requirements Composer
    • Rational Team Concert
    • Rational Quality Manager
    • IBM Worklight
    • IBM WebSphere Portal

Prerequisites are mobile operating systems that include iOS, Android, Blackberry, Windows RT, and Windows Phone and IBM PureApplication™ System V1.0 for IBM Mobile Application Platform Pattern. In addition to this, the program will run on AIX®, Linux™, Mac OS, and Windows operating systems.
The planned available date for the media packs is July 19, 2013 and the electronic delivery packages have been available since June 14, 2013.
IBM Worklight V6.0, together with the additional products from IBM’s MobileFirst initiative, enables you to address the entire lifecycle of your mobile initiative.
For more information on Worklight V6.0 or TxMQ IT Solutions and Staffing please contact Miles Roty, Senior Account Manager? Miles@txmq.com 716-636-0070 ext 228
social-linked

IBM® MessageSight: The appliance for Mobile Messaging and M2M

On April 23, 2013 IBM® announced MessageSight that delivers massive scale communication within and beyond the enterprise.
As many people have come to realize, the Internet is no longer just for web browsing. Consumers and application owners expect near, real-time interactions between mobile phones, sensors, machines and applications.
IBM MessageSight is a messaging platform that delivers the performance, scalability, and value organizations required to meet the demands of the hyper-connected world. IBM MessageSight allows organizations to expand their applications beyond the data to provide a truly interactive experience.

IBM MessageSight delivers:

  • High-performance, reliable and scalable messaging
  • Security
  • Simple deployment
  • Extension of existing enterprise messaging
  • Developer friendly design

With IBM MessageSight you can sit at the edge of your enterprise and can extend your existing messaging infrastructure or use MessageSight as a standalone.

IBM MessageSight allows organizations to implement a variety of use cases:

  • Connected vehicles
  • Event-driven sensor networks
  • Interactive mobile applications including notifications
  • WebSocket HTML5-based web applications
  • Near, real-time date collection for Big Data analytics
  • Scalable alerting and notification systems
  • High-scale asynchronous publish and subscribe for service-oriented architectures

IBM MessageSight Features:

One appliance can handle:

    • 1M Concurrent Connection
              • One appliance can handle all the car circulating in Manhattan in a day
    • 13M non-persistent msg/sec
              • Allows massive fan-out streaming of data
    • 400K persistent msg/sec
              • When assured delivery matters
    • Predictable latency in the microseconds under load

 
MessageSight has efficient MQTT messaging protocol that is faster, requires less bandwidth and less battery than traditional https. In addition to this, it’s event oriented paradigm allows for better customer experience. It has support for JavaScript, C and Java APIs and apps can be HTML5 web apps, native or hybrid. MessageSight also integrates easily with IBM Worklight.
 
 

 
Hardened appliance form factor ensure that there is secure firmware (signed and encrypted by IBM) and no user-visible, general purpose OS. There are also fine-grained messaging policies with SSL/TLS (including FIPS 140-2), authentication and deny-based access control. MessageSight is highly available (without shared resources) and there are various options for Quality of Service including Assured delivery.
 
 

    • Simple yet powerful API’s consistent across multiple platforms
              • Simple paradigm: connect, subscribe, publish
              • Promotes loosely coupled and scalable applications
    • Protocols:
              • MQTT protocol – efficient pub/sub protocol designed for M2M
              • Java Messaging over high speed protocol
    • Active development community on developer Works
              • http:www.ibm.com/developerworks/connect/IBMmessaging
    • Could-based demo systems for rapid prototyping

 

 
MessageSight is compatible with a variety of environments such as; JMS support for Java Standard Edition (JSE) environments, WebSockets support for Rich Internet Applications and MQTT protocol with many open source clients. There is built-in connectivity with WebSphere MQ and one appliance can connect to multiple WebSphere MQ queue managers. Lastly there is IBM Integration Bus support through the JMS nodes.
 
 

 
 
MessageSight’s goal is to be up and running within 30 minutes. They use task oriented UI guides to administrate through the first steps and implement simple and scalable management through policies.
 
 
 

 
Implementing the IBM MessageSight allows your business to scale to the demands of the mobile and m2m use cases. It easily extends your existing messaging infrastructure across the Internet and it is easy to develop applications with simple programming interfaces.
IBM MessageSight is the best way to implement the event driven architecture at the edge of the network. It delivers unprecedented level of scale, it is secrue and reliable and yet remains simple to use.
 

High-level architecture of the demo:

 
The all-new IBM MessageSight appliance is a secure, easy-to-deploy messaging server that is optimized to address the massive scale requirements of the machine to machine and mobile use cases. It can handle a million connections, and millions of messages per second. MessageSight is designed to sit at the edge of the enterprise and can extend your existing messaging infrastructure or be used as a standalone. MessageSight extends and complements the existing IBM Connectivity and Integration portfolio.

 

Appliance Connectivity:

 
 

For more information on MessageSight or TxMQ IT Solutions and Staffing please contact Miles Roty, Senior Account Manager
Miles@txmq.com 716-636-0070 ext 228
social-linked

Why you should migrate to WAS v8.x

As of the end of September 2013 IBM® will no longer offer support on WebSphere® Application Server 6.1. This means that you have two options; lose extended support on your WebSphere Application Server or migrate to WAS v8.x.
With WAS v8.x you will experience a number of upgrades along with additions to the application. You won’t just get an updated version of the application, you will also keep your costs down by avoiding support extensions and running your applications on an unsupported environment.
Not only does WAS 8.x have significant performance, productivity and security features, but it also allows you to take advantage of the additional 7 years of development and resulting capabilities driven into WAS since v6.1 was released. In addition, WAS v8.x allows you to take advantage of virtualization, web, mobile and cloud capabilities.
WAS v8.x has the highest performing foundation (Application Server) for dynamic, interconnected business processes and Service Oriented Architecture (SOA). You will also have the ability to manage large topologies asynchronously to standalone app servers or entire cells (WAS ND Job Manager and new WAS ND Liberty Collective Cluster Controller in v8.5.5).
There is not defined path that fits all migrations. Your decision to migrate should be based on three factors. One being that the versions involved in the customer migration scenario, moving from v6.1 to v8.5 would be different than v6.1 to v7.0. Two, the amount of change introduced in and between these versions. Moving from WAS v6.1 to v8.5 involves changes introduced by v7.0, v8.0 and v.8.5. And lastly, dependencies on third-party frameworks and libraries. Some frameworks/libraries are JRE-specific or unsupported on newer JREs, some libraries are now IN the JRE and can cause class collisions (Axis2/JAX-WS).
The best part about all of this is that TxMQ can help with your migration. TxMQ has experience with migrations (AIX, Linux, Windows, zOS), with systems evaluations and HealthChecks available too.
If you aren’t ready to switch just yet TxMQ can help with that too. We offer a remote support solution with ticketed handling of out of support WAS v6.1 issues by certified WAS technical Experts. This includes issue analysis, diagnosis, resolutions communication, infrastructure support and supplements internal teams with proactive maintenance services, consulting, training and problem resolution.
For more information please contact Miles Roty miles@txmq.com.
social-linked

zEnterprise vs Intel Server Farms

I’m reposting an interesting blog that was shared with us from a Partner organization. Please read and enjoy!
How many Intel x86 servers do you need to match the performance of a zEnterprise and at what cost for a given workload? That is the central question every IT manager has to answer.
It is a question that deserves some thought and analysis. Yet often IT managers jump to their decision based on series of gut assumptions that on close analysis are wrong. And the resulting decision more often than not is for the Intel server although an honest assessment of the data in many instances should point the other way. DancingDinosaur has periodically looks at comparative assessments done by IBM. You can find a previous one, lessons from Eagle studies, here.
The first assumption is that the Intel server is cheaper. But is it? IBM benchmarked a database workload on SQL Server running on Intel x86 and compared it to DB2 on z/OS.  To support 23,000 users, the Intel system required 128 database cores on four HP servers.  The hardware cost $0.34 million and the software cost $1.64 million for a 3-year TCA of $1.98 million. The DB2 system required just 5 cores at a hardware/software combined 3-year TCA of $1.4 million
What should have killed the Intel deal was the software cost, which has to be licensed based on the number of cores. Sure, the commodity hardware was cheap, but the cost of the database licensing drove up the Intel cost. Do IT managers wonder why they need so many Intel cores to support the same number of users they can support with far fewer z cores? Obviously many don’t.
Another area many IT managers overlook is I/O performance and its associated costs. This becomes particularly important as an organization deploys virtual machines.  Increasing the I/O demand on an Intel system uses more of the x86 core for I/O processing, effectively reducing the number of virtual machines that can be deployed per server and raising hardware costs.
The zEnterprise handles I/O differently. It provides 4-16 dedicated system assist processors for the offloading of I/O requests and an I/O subsystem bus speed of 8 GBps.
The z also does well with z/VM for Linux guest workloads. In this case IBM tested three OLTP database production workloads (4 server nodes per cluster), each supporting 6,000 trans/sec, Oracle Enterprise Edition, and Oracle Real Application Cluster (RAC) running on 12 HP DL580 servers (192 cores). This was compared to three Oracle RAC clusters of 4 nodes per cluster with each node as a Linux guest under z/VM . The zEC12 had 27 IFLs. Here the Oracle HP system cost $13.2 million, about twice as much as on the zEC12, $5.7 million. Again, the biggest cost savings came from the need for fewer Oracle licenses due to fewer cores.
The z also does beats Intel servers when running mixed high- and low- priority workloads on the same box. In one example, IBM compared high priority online banking transaction workloads with low priority discretionary workloads.  The workloads running across 3 Intel servers with 40 cores each (120 cores total) cost $13.7 million compared to z/VM on an zEC12 running 32 IFLs, which cost $5.77 million (58% less).
Another comparison demonstrates that core proliferation between Intel and the z is the killer. One large workload test required sixteen 32-way HP Superdome App. Production/Dev/ Test servers and eight 48-way HP Superdome DB Production/Dev/Test for a total of 896 cores. The 5-year TCA came to $180 million. The comparable workload running on a zEC12 41-way production/dev/test system used 41 general purpose processors (38,270 MIPS) with a 5-year TCA of $111 million.
When you look at the things a z can do to keep concurrent operations running that Intel cannot you’d hope non-mainframe IT managers might start to worry. For example, the z handles core sparing transparently; Intel must bring the server down.  The z handles microcode updates while running; Intel can update OS-level drivers but not firmware drivers. Similarly, the z handles memory and bus adapter replacements while running; Intel servers must be brought down to replace either.
Not sure what it will take for the current generation of IT managers to look beyond Intel. Maybe a new business class version of the zEC12 at a stunningly low price. You tell me.
You can see the original posting here.
social-linked

IBM discusses DB2 for z/OS security best practices

Security is a main issue for companies and there’s no such thing as too much of it. DB2 for z/OS just released version 10 and it’s one of the most exciting releases in 20 years.
Roger Larson, DB2 for z/OS Technical Evangelist at IBM states that for some situations your basic security is adequate. However, in other instances, you’ll need the absolute best security practices offered.
The tools IBM offer range from very tight system controls to fairly basic techniques applicable even with public information on the web. There are choices when it comes to security and understanding your options is very important.
IBM proposes that enterprises that want to succeed in such a challenging business climate focus on four key areas to ensure that their information infrastructure can support the business goals.
Those key areas include:
– Information availability
– Information security
– Information retention
– Information compliance
IBM information infrastructure will help businesses get the right information to the right people when they need it in a safe and secure manner.
DB2 for z/OS has a very solid reputation for world class security and world class business resiliency, and they have been building stronger encryption solutions on an ongoing basis.
Read more about IBM’s security techniques here.