Roger's Blog on MQ, Java, C, etc… | A blog about IBM MQ, Java, C and other things developers or MQAdmins need to know.

IBM MQ 9.1 and IBM MQ Appliance M2002 are announced

July 3, 2018 Roger Lacroix

IBM has just announced IBM MQ 9.1 and IBM MQ Appliance M2002:
https://developer.ibm.com/messaging/2018/07/03/ibm-mq-9-1-ibm-mq-appliance-m2002-announced-plus-small-tweak-continuous-delivery-support/

IBM MQ 9.1 Long Term Support and IBM MQ Appliance M2002 have announced today. IBM MQ 9.1 consolidates product features delivered throughout the IBM MQ 9.0.x continuous delivery releases. IBM MQ 9.1 LTS will be the default firmware level on the new M2002 appliance model, and will also be available as a Long Term Support firmware to install on the M2000 and M2001 hardware models.

IBM MQ V9.1 for Multiplatforms:
https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/6/897/ENUS218-246/index.html

IBM MQ V9.1 for z/OS:
https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/2/897/ENUS218-252/index.html

IBM MQ V9.1 for MQ Appliance:
https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/9/897/ENUS218-249/index.html

Regards,
Roger Lacroix
Capitalware Inc.

IBM i (OS/400), IBM MQ, Linux, Unix, Windows, z/OS Comments Off

Eclipse 4.8 (Photon) Released

June 27, 2018 Roger Lacroix

On June 27th, 2018, Eclipse Foundation has released the annual Eclipse release train:
https://projects.eclipse.org/releases/photon

Eclipse is an open source community, whose projects are focused on building an open development platform comprised of extensible frameworks, tools and runtimes for building, deploying and managing software across the lifecycle. The Eclipse Foundation is a not-for-profit, member supported corporation that hosts the Eclipse projects and helps cultivate both an open source community and an ecosystem of complementary products and services.

Regards,
Roger Lacroix
Capitalware Inc.

C, C++, Java, JMS, Linux, macOS (Mac OS X), Open Source, Programming, Windows Comments Off

Two Free E-Books on Blockchain

June 27, 2018 Roger Lacroix

Blockchain for dummies!
The Founders Handbook

Regards,
Roger Lacroix
Capitalware Inc.

E-Book, Education Comments Off

New Category – Fix Packs for MQ

June 26, 2018 Roger Lacroix

I decided to create a new category on my blog called “Fix Packs for MQ”. This will allow people to find MQ Fix Packs quickly. A direct link to the new category is:
http://www.capitalware.com/rl_blog/?cat=65

Regards,
Roger Lacroix
Capitalware Inc.

Fix Packs for MQ, HPE NonStop, IBM i (OS/400), IBM MQ, Linux, Unix, Windows, z/OS 1 Comment

IBM MQ Fix Pack 8.0.0.10 Released

June 25, 2018 Roger Lacroix

IBM has just released Fix Pack 8.0.0.10 for IBM MQ
http://www.ibm.com/support/docview.wss?uid=swg22017459

Regards,
Roger Lacroix
Capitalware Inc.

Fix Packs for MQ, IBM MQ, Linux, Unix, Windows Comments Off

IBM MQ Fix Pack 9.0.0.4 Released

June 25, 2018 Roger Lacroix

IBM has just released Fix Pack 9.0.0.4 for IBM MQ V9.0 LTS
http://www.ibm.com/support/docview.wss?uid=swg24044869

Regards,
Roger Lacroix
Capitalware Inc.

Fix Packs for MQ, IBM i (OS/400), IBM MQ, Linux, Unix, Windows Comments Off

MQTC v2.0.1.8 Early-bird Price ends on Sunday June 24th

June 22, 2018 Roger Lacroix

The early-bird price for MQ Technical Conference v2.0.1.8 (MQTC) expires on Sunday, June 24th.

MQTC is the largest conference in the world solely dedicated to IBM MQ (aka WebSphere MQ & MQSeries).

For more information about MQTC, please go to:
https://www.mqtechconference.com

Regards,
Roger Lacroix
Capitalware Inc.

Education, IBM MQ, MQ Technical Conference Comments Off

Security Risk for MQ Model Queue

June 20, 2018 Roger Lacroix

Well, I learnt something new today: an MQ model queue is a security risk!

It is not that a model queue in of itself is a security risk but rather what you can do with a model queue to get a backdoor to a queue or maybe it is called a ‘side channel attack’ of a queue.

An application uses a model queue as a template when creating either Temporary Dynamic Queue (TDQ) or Permanent Dynamic Queue (PDQ).

MQOD od = {MQOD_DEFAULT};
strncpy( od.ObjectName,
         "SYSTEM.DEFAULT.MODEL.QUEUE",
         MQ_Q_NAME_LENGTH);
MQOPEN( Hcon,
        &od,
        MQOO_INPUT_EXCLUSIVE,
        &Hobj,
        &CompCode,
        &Reason );

(1) If the ‘Definition Type’ for the model queue ‘SYSTEM.DEFAULT.MODEL.QUEUE’ is ‘Temporary Dynamic’ (i.e. DEFTYPE(TEMPDYN) ) which is the default value then the above code will create a temporary dynamic queue that begins AMQ. i.e. AMQ.5B2A92F303EB5525

(2) If the ‘Definition Type’ for the model queue ‘SYSTEM.DEFAULT.MODEL.QUEUE’ is ‘Permanent Dynamic’ (i.e. DEFTYPE(PERMDYN) ) then the above code will create a permanent dynamic queue that begins AMQ. i.e. AMQ.5B2A92F303EB5635

When a TDQ or PDQ is created, the creator of the queue gets full access to the queue. And you would say yes, of course. Note: This is an important point to remember.

Now, if you don’t like AMQ as a prefix, you can use your own. Lets say you want a prefix of ‘GOAL’ then the code would look like:

MQOD od = {MQOD_DEFAULT};
strncpy( od.ObjectName,
         "SYSTEM.DEFAULT.MODEL.QUEUE",
         MQ_Q_NAME_LENGTH);
strncpy( od.DynamicQName,
         "GOAL.*",
         MQ_Q_NAME_LENGTH);
MQOPEN( Hcon,
        &od,
        MQOO_INPUT_EXCLUSIVE,
        &Hobj,
        &CompCode,
        &Reason );

For OAM permissions of a model queue, they are exactly the same as a local, alias, remote or cluster queue. If you don’t have access to ‘SYSTEM.DEFAULT.MODEL.QUEUE’ then you cannot create a TDQ or PDQ – WRONG.

Most MQAdmins will set the OAM permissions for application-related model queues to allow everyone (or pretty much everyone) access. What does that mean? If you don’t have access to ‘SYSTEM.DEFAULT.MODEL.QUEUE’ then you can use any other model queue that exists in the queue manager to create a TDQ or PDQ. i.e. ‘APPL.MODEL.QUEUE’

So, lets put our evil hats on!!! Off the top of my head, I can think of 2 situations where evil doers can do harm.

Hole #1: Let’s say you know that within the next few days or weeks, the MQAdmin will be creating new queues in a queue manager for a production application that will have confidential information in the messages. Let’s say the local queue will be called ‘RETAIL.CC.DATA.Q’. The MQAdmin has set the OAM permissions such that you do NOT have access to any queue that begins with ‘RETAIL.’. You are locked out, not if you think fast!!!

So, you create a program, doesn’t matter the language, that does:

MQOD od = {MQOD_DEFAULT};
strncpy( od.ObjectName,
         "ANY.MODEL.QUEUE",
         MQ_Q_NAME_LENGTH);
strncpy( od.DynamicQName,
         "RETAIL.CC.DATA.Q",
         MQ_Q_NAME_LENGTH);
MQOPEN( Hcon,
        &od,
        MQOO_INPUT_SHARED,
        &Hobj,
        &CompCode,
        &Reason );

The ‘ANY.MODEL.QUEUE’ model queue can be any model queue that has Definition Type of Permanent Dynamic. i.e. DEFTYPE(PERMDYN)

Note: I used the option of MQOO_INPUT_SHARED rather than MQOO_INPUT_EXCLUSIVE because I don’t want the real application noticing that I’m stealing the messages!!!!

Now the rogue user now has FULL access to queue ‘RETAIL.CC.DATA.Q’ (see point above about full access).

Why did MQ allow you to create the queue? The OAM checked the user’s permission of the queue name in the ObjectName field (i.e. model queue). One check and it is done. OAM does NOT check the value in the DynamicQName field or the ResolvedQName field if an asterick ‘*’ was used in the DynamicQName field.

When the MQAdmin runs their scripts to create the new queues (i.e. ‘RETAIL.CC.DATA.Q’), they may not even notice that the queue already existed and when they apply permissions via setmqaut commands, everything will work. But the rogue user has a nice backdoor to ‘RETAIL.CC.DATA.Q’.

Hole #2: Let’s say you have 4 queue managers (MQA1, MQA2, MQA3 & MQA4) participating in a cluster called ‘RETAIL_CLUS’ and a cluster queue called ‘RETAIL.CC.DATA.CLUSQ’. Let’s further say that the cluster queue ‘RETAIL.CC.DATA.CLUSQ’ is ONLY defined locally in queue manager ‘MQA4’ and not in the other 3 queue managers participating in the cluster.

This is a pretty typical setup. So, lets put our evil hats on again and create a program, doesn’t matter the language, which will connect to either MQA1, MQA2 or MQA3 and does:

MQOD od = {MQOD_DEFAULT};
strncpy( od.ObjectName,
         "ANOTHER.MODEL.QUEUE",
         MQ_Q_NAME_LENGTH);
strncpy( od.DynamicQName,
         "RETAIL.CC.DATA.CLUSQ",
         MQ_Q_NAME_LENGTH);
MQOPEN( Hcon,
        &od,
        MQOO_INPUT_SHARED,
        &Hobj,
        &CompCode,
        &Reason );

Now leaving behind a permanent dynamic queue in this situation may not be a good idea. I would go with a temporary dynamic queue. The evil program would get the messages, the application would be losing messages and when the program disconnects, there would be no trace and everybody would blame MQ for losing the messages!!!!

Hence, the ‘ANOTHER.MODEL.QUEUE’ model queue should be any model queue that has Definition Type of Temporary Dynamic. i.e. DEFTYPE(TEMPDYN)

Again, the OAM checks the user’s permission of the queue name in the ObjectName field (i.e. model queue). One check and it is done. OAM does NOT check the value in the DynamicQName field or the ResolvedQName field

I’ve worked with MQ for about 25 years and this is something I didn’t know you could do. Shocking. I always thought the OAM did a second check against either DynamicQName field or the ResolvedQName field. But no.

Bottom-line, make sure you put SUPER tight security on your model queues of a queue manager.

Regards,
Roger Lacroix
Capitalware Inc.