March 2020 – ColinPaice

You can provide an audit trail of the http requests coming into your server. This is described in the base liberty document, and works in mqweb.

Within the httpEndoint tag you can add

See here for information on the accessLogging, here for the syntax of the <accessLogging…> and here for the logFormat format options.

From the logFormat page

%a: Remote IP address
%A: Local IP address
%b: Response size in bytes excluding headers
%B: Response size in bytes excluding headers. 0 is printed instead of – if no value is found.
%{CookieName}C: The request cookie specified within the brackets, or if the brackets are not included, prints all of the request cookies.
%D: The elapsed time of the request – millisecond accuracy, microsecond precision
%h: Remote host
%{HeaderName}i: HeaderName header value from the request
%m: Request method
%{HeaderName}o: HeaderName header value from the response
%q: Output the query string with any password escaped
%r: First line of the request
%{R}W: Service time of the request from the moment the request is received until the first set of bytes of the response is sent – millisecond accuracy, microsecond precision
%s: Status code of the response
%t: NCSA format of the start time of the request
%(t)W: The current time when the message to the access log is queued to be logged in normal NCSA format
%u: Remote user according to the WebSphere Application Server specific $WSRU header
%U: URL Path, not including the query string
%{X}W: Cross Component Tracing (XCT) Context ID

logFormat=’a:%a A:%A D:%D h:%h HeaderHost:%{Host}i HeaderOrigin:%{Origin}i m:%m R:%{R}W t:%{t}W u:%u U:%U r:”%r” s:%s’

gave me

a:127.0.0.1 remote IP address
A:127.0.0.1 local host
D:225960 duration in millisecond
h:127.0.0.1 remote host
HeaderHost:127.0.0.1:9443 the Host header
HeaderOrigin:- the Origin header (missing in this case)
m:GET request method
R:186930 Service time of the request from the moment the request is received until the first set of bytes of the response is sent
t:[27/Feb/2020:17:04:27 +0000] NCSA format of the start time of the request
u:colinpaice remote user
U:/ibmmq/console url path
r:”GET /ibmmq/console HTTP/1.1″ First line of the request
s:302 Status code of the response

There are other log formatting options available, I picked those I thought were most useful.

Note when using the MQConsole from a browser, the interface is chatty. I had 20 request to refresh one window.

Other ways of formatting the data

I separated each field with a ‘,’ and could read it into a spread sheet.
You could configure your log format string to produce the output in JSON format, to make it easier to post process.

When doing research into the MQ Console and REST interface I was some times surprised at how “insecure” the mqweb was, but with a bit more thought it seemed more reasonable.

One of the questions I had was, is authentication with certificates better than using userid and password? See here.

What do I mean by secure?

You can buy a safe with a combination lock to secure your valuables. It will not be 100% secure. It will have a statement like “This safe will provide protection from fire for up to 1 hour”. The number of combinations is limited, and so it will take someone some hours to try them all. They may be lucky and guess it first go! An insecure safe would have one combination wheel. The more wheels, the longer it should take to find the combination.

Digital certificates are considered a good way of providing “secure” communication. However if you are careless with your private information, then other people have easy access to your secrets. The private information for some encryption types is based on multiplying two very large prime numbers together. The theory being it will take you a long time to factorize the product . If I was a government, I would take the “book of prime numbers” and go through each number, and multiply it be each other number in the book, and generate a reverse dictionary of factor1 * factor 2 -> public key. You need a lot of computing power as the numbers are very large, but computing power is cheap, and you only need to do it once. Take the public key, and look up the factors. Of course it is not that simple, you might need a dictionary for each encryption type, as well as a lot of CPU power. These certificates give some security, but are not totally secure.

You can have locks on your house, but if you leave the doors unlocked – it is easy to break in. People often lock the front door, but leave the back door or a window open.

Security is down to how long it will take someone to access the information. All components have to be secure; you cannot be “half secure”.

What do I want to secure?

This is where it starts to get murky. Some of the HTTP protocol protection depends on “state change”, so changing a field in a database is a state change, creating an object is a state change, but browsing a record is not a state change.

With the MQ REST API an HTTP GET maps to a browse; an HTTP POST is a change or put; and an HTTP DELETE is a destructive get. With the standard HTTP protection POST and DELETE have more protection than GET.

I consider being able to browse a queue which has financial transaction information, as insecure. You can obtain bank account details, which could be used in a different sort of attack. In mqweb, the protection for browse is weaker than for POST and DELETE.

Surprise number 1 – which certificate should the browser use?

My first surprise when using digital certificates for identification was how the browser decides which certificate to use.

I said here

If client authentication is used, the certificates are read from the server’s trust store. The DN of the self signed certificates and the DN of the CA certificates are extracted and sent down to the browser.

The browser takes this list and checks through the “user” certificates in its key store, for those self signed certificates with a matching DN, or those certificates which have been signed by the CA.

The list of matching certificates is displayed for the user to select from.

From then on, communication to that https://url:port will use that certificate. If you create a new tab within the browser instance, and work with the same site, the selected certificate will be used – without prompting.

You can only change the certificate by restarting the browser and selecting a different certificate. You cannot logoff.

Surprise number 2 – it is easy to browse the queue with no additional security.

In an HTML page, I used the html link <a href=”https://localhost:9445/ibmmq/rest/v1/messaging/qmgr/QMA/queue/DEEPQ/message “> direct link https ></a> .

If I had already accessed the server then this displayed the content of the next message on the queue, with no further security checks.

If I opened another tab within the browser, displayed the page and clicked on the link, I also got the next message content displayed.

I used a file on my laptop with the link in it – and it displayed the message content. It was easy to create a web page in an editor and so display the content of the queue.

The CSRF checks are not applicable – as these only occur when the request is a change of state, POST, DELETE etc.

Using Curl, and changing the GET request to a DELETE I received (as expected)

{“error”: [{
“action”: “Resubmit the request with the correct CSRF header.”,
“completionCode”: 0,
“explanation”: “The REST API request cannot be completed because the CSRF header was omitted.”,
“message”: “MQWB0100E: The CSRF header ‘ibm-mq-rest-csrf-token’ was omitted from the request.”,
“msgId”: “MQWB0100E”,
“reasonCode”: 0,
“type”: “rest”
}]}’

This is not a Cross Origin request – as it is in one page – so the CORS checks are not performed. Putting the backend request into a java script did cause the CORS checking as expected.

Turning off client Certificate Authentication helped

I changed the <ssl… clientAuthenticationSupported=”true”> to “false” to use userid and password.

With my <a href=”https://localhost:9445/ib… > ” > direct link https ></a> I got

{"error": [{
  "action": "Provide credentials using a client certificate, LTPA security token, or username 
   and password via HTTP basic authentication header. 
   On z/OS, if the mqweb server has been configured for SAF authentication, 
   check the messages.log file for messages indicating that SAF authentication is not available. 
   Start the Liberty angel process if it is not already running. 
   You might need to restart the mqweb server for any changes to take effect.",
  "completionCode": 0,
  "explanation": "The REST API request cannot be completed because credentials were omitted from the request. 
   On z/OS, if the mqweb server has been configured for SAF authentication, 
   this can be caused by the Liberty angel process not being active.",
  "message": "MQWB0104E: The REST API request to 
  'https://localhost:9445/ibmmq/rest/v1/messaging/qmgr/QMA/queue/DEEPQ/message' is not authenticated.",
  "msgId": "MQWB0104E",
  "reasonCode": 0,
  "type": "rest"
}]}

I tried putting my userid and password in the URL as in
<a href=”https://colinpaice:mypassword@localhost:9445/ib…> “> direct link https ></a> . This gave me the same message. In particular the message says Provide credentials using … or username and password via HTTP basic authentication header. So it needs credentials in a header not inline.

As raw html cannot insert HTTP headers, it means this is more secure. To insert headers you need a script, and then the CORS processing will capture it.

I used the logon url https://127.0.0.1:9445/ibmmq/console/login.html this prompted me for userid and password, then displayed the console.

So is using userid and password the right thing to use?

Yes and No.

Yes – you know when you are accessing the back end, but then it logs you off, and you have to logon again after ltpaExpiration minutes.
With long running displays, such as the monitors in the operations room – you do not want to be logging on every hour. In this case certificates are the right answer.

See is it better to use certificate authentication or userid and password? for information.

Making it more secure.

I have shown that if people are authorised to process messages on a queue as part of their normal job, they could easily write a web page to browse the queue.

If the queue was access as part of a client program accessing the queue over a channel, the end user could write or obtain a program to process the queue – but this would be harder than just writing a web page. This is like having a combination safe with one wheel, and having multiple wheels – you need a lot more effort.

You cannot secure mqweb for message access to a subset of queues – it is all or nothing.

I would disable the end users access to message data – and just use the rest API for administration.

This means in the mqwebuser.xml the <security-role name=”MQWebUser”> … </security-role> has no users who are allowed to process sensitive queues. You need to prevent them using curl and other tools, so

<enterpriseApplication id=”com.ibm.mq.rest”> … and <enterpriseApplication id=”com.ibm.mq.console”>…. should have no users in <security-role name=”MQWebUser”>… </security-role>

Ban the special subject.

I would also explicitly specify the groups of users – and not use the <special-subject type=”ALL_AUTHENTICATED_USERS”/>.

Best practice says not to specify user names in the security roles, but to put the user names in groups and specify the groups. It make it much easier to manage. For example the manager in charge of the Payroll team, can administer the PayrollGroup, and the MQ Admin team does not need to edit the mqwebuser.xml file.

Month: March 2020

mqweb – what’s the difference between MQWebAdmin* and MQWebUser roles?

mqweb – who did what to what, when, and how long did it take?