Jan 22

Half a year ago, I got a copy of a presentation from a former colleague. It was from the then recent Open Group conference and was presented by Bert Hooyman of MphasiS. It covers the risks involved in running your company through the now (too) common SOA initative. The presentation, to me, reflects well on some of the limits you will run into as you implement your SOA strategy. It also suggests that an event driven architecture would be a better fit for your enterprise wide integration needs. Again, something I would tend to agree with. As The Open Group doesn’t seem to publish the presentations (so much for Open I guess), I asked Bert if he could. And he very graciously did so. Go read it, it’s well worth the time.

(This post has been sitting as a draft for quite some time, sorry about the latency):

Update: looks like there is a problem with the MpasiS site, probably temporary

Oct 19

Sometimes, when you’re out of luck, you need to use the old Base Java API for WebSphere MQ. That is, not JMS. And you might need to create, or even worse, read a RFH2 header. If this is you, you probably loath the mess that is the RFH2 header structure. It’s a mix of a leading binary structure, followed by zero or more almost-XML structures. I have yet to see a complete specification.

So, what’s a poor hacker to do. I’ve written up a utility class for creating and parsing RFH2 headers as part of the wmq-util library that I’m doing at work. The aim is simple: make it easy to use RFH2 headers without any risk of screwing up. Enjoy and report back bugs and suggestions.

Technorati Tags: , , ,

Oct 14
WMB init script
icon1 Niklas | icon2 Tags: , , . | icon4 10 14th, 2007| icon34 Comments »

For a client, I recently had to install a WebSphere Message Broker on Suse Linux. This also means getting it to start at boot time. Now, as far as I’ve been able to locate, WMB does not come with a init script. For WebSphere MQ, IBM recently added a service pac, MSL1, that does exactly this, but so far no luck for WMB. SLES uses LSB compliant init scripts, and has a command called insserv which automatically sets up the soft links to make all components start it the right order based on the dependencies you define as metadata in your script. So, with no further ado, here’s my current stab at the script:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          wmb
# Required-Start:    $syslog $network $remote_fs ibm.com-WebSphere_MQ
# Should-Start:      db2
# Required-Stop:     $syslog $network
# Should-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: WebSphere Message Broker
# Description:       Starts WebSphere Message Broker
### END INIT INFO

# Source /etc/rc.status:
. /etc/rc.status

# Reset status of this service
rc_reset

case "$1" in
    start)
    	echo -n "Starting WMB "
    	su - mqm -c 'mqsistart BRK1D;mqsistart CFGMGRD'

    	# Remember status and be verbose
    	rc_status -v
	  ;;
    stop)
    	echo -n "Shutting down WMB "
    	su - mqm -c 'mqsistop BRK1D;mqsistop CFGMGRD'

    	# Remember status and be verbose
    	rc_status -v
	  ;;
    try-restart|condrestart)
	    ## Do a restart only if the service was active before.
	    $0 status
    	if test $? = 0; then
    		$0 restart
    	else
    		rc_reset	# Not running is not a failure.
    	fi
    	# Remember status and be quiet
    	rc_status
	  ;;
    restart)
    	## Stop the service and regardless of whether it was
    	## running or not, start it again.
    	$0 stop
    	$0 start

    	# Remember status and be quiet
    	rc_status
	  ;;
    force-reload)
    	$0 try-restart
    	rc_status
	  ;;
    reload)
	    rc_failed 3
	    rc_status -v
	  ;;
    status)
	   echo -n "Checking for service WMB "
	   /sbin/checkproc /opt/ibm/mqsi/6.0/bin/bipservice
	   rc_status -v
	  ;;
    *)
	    echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
	    exit 1
	  ;;
esac
rc_exit

Note that the script will start WMB as the mqm user. If this is not what you want, you will have to make your changes at the su commands.

To use, create a file called /etc/init.d/wmb and paste the above content into. Make sure it’s runnable with:

chmod +x /etc/init.d/wmb

The run:

insserv wmb

And it should set everything nicely for you.

Note that this script is dependent on the WebSphere MQ init script, as provided in the support pac mentioned above. It will also start DB2 beforehand, if available. In my case, we are using DB2, I’m just not happy with the current script I got so I will hold off publishing it until I’m done.

I will be happy to get feedback in the comments on my attempt and will update the code above with any changes.

Technorati Tags: , , , , , , ,

Sep 18
MQ broken on video
icon1 Niklas | icon2 Tags: , , . | icon4 09 18th, 2007| icon31 Comment »

The session at Defcon where Martyn Ruks describes his findings about WebSphere MQ security is now online at Google Video. I’ve previously covered the presentation, but it’s way more interesting to hear the presentation in addition to the published slides. Thanks to the anon commenter who pointed me to the video.

Technorati Tags: , , ,

Aug 17

This post is part of a series I’m doing on WebSphere MQ security.

Security in WebSphere MQ is heavily reliant on applications only being able to put messages where we want them to. Otherwise, an hacked application can be used to send messages where it is not supposed to, for example inserting spoofed messages destined for some other application. As messages commonly contain very important business data and have a high-priviliaged route into applications, spoofing messages can be a very efficient way of hacking.

Over at the WebSphere MQ mailing list, I described a simple but somewhat inefficient way of spoofing messages using the dead letter queue. T-Rob followed that by outlining an even simpler attack using confirm on arrival reports. In this first post, I’ll try to describe the first exploit and will then follow up with a post describing the exploit described by T-Rob. Please note that none of these two methods rely on any bug in WMQ, the product is working as designed.

This post is in the interest of full disclosure, what you don’t know is hard to protect yourself against.

Spoofing messages using the dead letter queue

Description

WMQ uses a shared queue called the dead letter queue as the ultimate destination for messages that can not be delivered. This might be due to many reasons, but the case of interest here is for applications that can not handle a message (due to for example resource problems or data corruption). In many cases, such an application will choose to store away this message on the dead letter queue to be able to continue processing further incoming messages.

A message stored on the dead letter queue will usually contain a header containing the orginal target queue and queue manager. The purpose of this is to automatically be able to retry the message when whatever the original problem was. The target queue can include the administration queues, or a queue on any other reachable queue manager.

On a typical system, this queue will be named SYSTEM.DEAD.LETTER.QUEUE. On a queue manager that is shared by multiple applications, a very common practice, this means that this queue might be used by several different applications.

WMQ also has what is called dead letter queue handlers, a process running that monitors the dead letter queue for messages and then, using a rules table, decide on what to do with the message. The options includes to retry for a number of times, store it somewhere else, delete it, leave it on the dead letter queue, and so on. A message that can not be successfully retried or deleted will finally be handled by an administrator, for example by fixing the troubling application and the retrying the message.

Now, if applications has put authority on the dead letter queue, it can simply fake the header containing the original target queue. The dead letter queue handler or a unobservant administrator might then try to retry the message by putting it on the faked target queue.

Protect yourself

There are a few, more or less, efficient ways of protecting against this exploit. The methods described below are not mutually exclusive, investigate what the most reasonable solution is in your case.

Don’t give applications put authority on the dead letter queue. For applications that support it, instead create a specific exception queue for only that specific application. For applications that still requires using the dead letter queue, investigate their behavior if they get an security exception when accessing it. If their failure behavior (probably rolling back the message to the original queue) is acceptable, go with that.

Let the source application digitally sign its messages and let the target application confirm the signature. This is a efficient method, albeit sometimes hard to implement due to, for example, the use off-the-shelf applications without such support.

If using a dead letter queue handler, make sure the rules table confirm that the message contain the expected USERID. It should contain the user with which the real source application accesses WMQ. It must not contain the value of any other, possibly hacked application.

Don’t retry messages targeted for the command server or any other administrative funtion.

Let the target application confirm the USERID, in the same fashion as the dead letter queue handler.

Jun 13
A RESTful queue
icon1 Niklas | icon2 Tags: . | icon4 06 13th, 2007| icon32 Comments »

As messaging and therefore queues is close to my heart, I’ve been following the discussions on rest-discuss on how to construct a RESTful queue with great interest. The discussion started (as did my thinking on the topic a year or so back) around how ActiveMQ has choosen to implement their REST support, a somewhat broken model as pointed out by Paul Winkler (e.g. non-safe GET, DELETE on queue deletes message rather than the queue).

My favorite model so far is the one suggested by Steve Bjorg, also quite similar to the one described in HTTPLR. In that case you would push messages onto a queue with POST and pop then with a combination of POST and DELETE. To quote from Steve’s email.

To add an item:
POST /queue
Content-Type: application/xml (or whatever a queue item is)
–>
201 Created
Location: http://server.com/queue/itemXYZ

To request to pop an item:
POST /queue
Content-Type: application/w-www-form-urlencoded
AckTTL=60 (where AckTTL is the time to acknowledge the queue item or
it becomes available again)
–>
200 Ok
http://server.com/queue/itemABC

To delete a popped item:
DELETE /queue/itemABC

Go read the discussion thread as it contains many interesting aspects on this pretty hard problem. Ideas on how to improve the current suggestions is very welcome.

Jan 12
SOAP JMS binding
icon1 Niklas | icon2 Tags: , , . | icon4 01 12th, 2007| icon3No Comments »

Looks like the big guys finally got their act together and wrote both a specification for JMS IRI format and a SOAP JMS binding (via Dan Diephouse). Now, I’m certainly not the right person to judge the quality of the SOAP binding, but I do like the fact that there might actually be one soonish.

On the IRI format, its currently only based on using JNDI for identifying the connection factory and destination. However, with JNDI falling out a fashon the last couple of years and JMS commonly running outside the container, I find this a bit lacking. However, the spec leaves some leeway with the following quote:

JMS relies heavily on JNDI for interoperable functionality (vendor extensions may provide alternate means of acquiring a javax.jms.Destination, but only JNDI is interoperably specified).

That only covers the destination, not the connection factory. I would prefer that the spec more clearly allowed for both JNDI based and a more “freeform” syntax that’s up to providers to define. How about:

jms:jndi://connectionFactoryName/destinationName?params

and (for MQ in this example):

jms:wmq://queueManagerName/queueOrTopicName?params

ActiveMQ and WebSphere MQ already has defined similar URL formats that could be adapted. JMS is inherently not interoperable between different providers anyway, so having these provider specific URLs wouldn’t hurt. And it would allow using them without having a JNDI implementation around.

Oct 24

Couldn’t find this on Google, so I thought I should post it here. It’s a JACL script for creating a WPM/SIB/JetStream JMS alias destination with the magic context property needed to generate a MQRFH2 header when sending messages to MQ.

set dest [ $AdminTask createSIBDestination "-bus MyBus -type Alias -name MyQueue -node $nodeName -server $serverName -targetBus MyMQBus -targetName MyMQQueue" ]

$AdminConfig create SIBContextInfo $dest {{name _MQRFH2Allowed} {type BOOLEAN} {value true}}

Jul 17

An AMQP implementation project has been proposed to Apache Incubator in the form of the Blaze project. As I belive that AMQP can become a very important piece for interoperability and commodization of messaging, I think this would be an excellent addition to Apache. I’m pretty confident that a strong community could form around it as many players should be interested. Even some of the major players (read IBM) might be encouraged by an Apache project being the foundation for AMQP.

If this stuff interests you, speak up on the Incubator mailing list

Jun 22
Reactions on AMQP
icon1 Niklas | icon2 Tags: . | icon4 06 22nd, 2006| icon3No Comments »

Quite an interesting discussion over at InfoQ. John O’Hara, the inventor of the protocol has pointed to an upcoming site for discussions around the spec as well as hinted to a future donation of the spec to a standards organization. There’s also some discussion on the merits of Stomp compared to AMQP and the value of messaging providers to support AMQP.

Sean McGrath, like me, think that an open standard for messaging is much needed and is amazed that it has taken so long.

Mike Herrick is excited as well, arguing that AMQP might be important for large scale EDA implementations.

Anne Thomas Manes thinks AMQP can be useful with WS-RX and seems generally happy about the proposal. She, like almost everyone, questions if IBM and Tibco will follow along.

William Vambenepe discusses the possible overlap between WS-* and AMQP, especially when it comes to WS-Eventing (WS-Topics).

« Previous Entries