
PathWAI Secure For WebSphere MQ Installation Guide, V300


Installation Guide
PathWAI Secure for WebSphere MQ
Version 300
GC32-9343-00
January 2003

Candle Corporation
100 North Sepulveda Blvd.
El Segundo, California 90245

Registered trademarks and service marks of Candle Corporation: AF/OPERATOR, AF/PERFORMER, AF/REMOTE, Availability Command Center, Candle, Candle Command Center, Candle Direct logo, Candle Electronic Customer Support, Candle logo, Candle Management Server, Candle Management Workstation, CandleNet Portal, Candle Technologies, CL/CONFERENCE, CL/SUPERSESSION, CommandWatch, CandleNet Command Center, CT, CT/Data Server, CT/DS, DELTAMON, eBA, eBA*ServiceMonitor, eBA*ServiceNetwork, eBusiness Assurance, eBusiness Institute, ETEWatch, IntelliWatch, IntelliWatch Pinnacle, MQSecure, MQView, OMEGACENTER, OMEGAMON, OMEGAMON/e, OMEGAMON II, OMEGAMON Monitoring Agent, OMEGAVIEW, OMEGAVIEW II, PQEdit, Solutions for Networked Applications, Solutions for Networked Businesses, and Transplex.

Trademarks and service marks of Candle Corporation: Alert Adapter, Alert Adapter Plus, Alert Emitter, AMS, Amsys, AutoBridge, AUTOMATED FACILITIES, Availability Management Systems, Candle Alert, Candle Business Partner Logo, Candle Command Center/SentinelManager, Candle CommandPro, Candle CIRCUIT, Candle eDelivery, CandleLight, CandleNet, CandleNet 2000, CandleNet eBP, CandleNet eBP Access, CandleNet eBP Administrator, CandleNet eBP Broker Access, CandleNet eBP Configuration, CandleNet eBP Connector, CandleNet eBP File Transfer, CandleNet eBP Host Connect, CandleNet eBP Object Access, CandleNet eBP Object Browser, CandleNet eBP Secure Access, CandleNet eBP Service Directory, CandleNet eBP Universal Connector, CandleNet eBP Workflow Access, CandleNet eBusiness Assurance, CandleNet eBusiness Exchange, CandleNet eBusiness Platform, CandleNet eBusiness Platform Administrator, CandleNet eBusiness Platform Connector, CandleNet eBusiness Platform Connectors, CandleNet eBusiness Platform Powered by Roma Technology, CandleNet eBusiness Platform Service Directory, CCC, CCP, CEBA, CECS, CICAT, CL/ENGINE, CL/GATEWAY, CL/TECHNOLOGY, CMS, CMW, Command & Control, Connect-Notes, Connect-Two, CSA ANALYZER, CT/ALS, CT/Application Logic Services, CT/DCS, CT/Distributed Computing Services, CT/Engine, CT/Implementation Services, CT/IX, CT/Workbench, CT/Workstation Server, CT/WS, !DB Logo, !DB/DASD, !DB/EXPLAIN, !DB/MIGRATOR, !DB/QUICKCHANGE, !DB/QUICKCOMPARE, !DB/SMU, !DB/Tools, !DB/WORKBENCH, Design Network, DEXAN, e2e, eBAA, eBAAuditor, eBAN, eBANetwork, eBAAPractice, eBP, eBusiness Assurance Network, eBusiness at the speed of light, eBusiness at the speed of light logo, eBusiness Exchange, eBusiness Institute, eBX, End-to-End, ENTERPRISE, Enterprise Candle Command Center, Enterprise Candle Management Workstation, Enterprise Reporter Plus, EPILOG, ER, ERPNet, ESRA, ETEWatch Customizer, HostBridge, InterFlow, Candle InterFlow, Lava Console, MessageMate, Messaging Mastered, Millennium Management Blueprint, MMNA, MQADMIN, MQEdit, MQEXPERT, MQMON, NBX, NetGlue, NetGlue Extra, NetMirror, NetScheduler, OMA, OMC Gateway, OMC Status Manager, OMEGACENTER Bridge, OMEGACENTER Gateway, OMEGACENTER Status Manager, OMEGAMON Management Center, OSM, PC COMPANION, Performance Pac, PowerQ, PQConfiguration, PQScope, Response Time Network, Roma, Roma Application Manager, Roma Broker, Roma BSP, Roma Connector, Roma Developer, Roma FS/A, Roma FS/Access, RomaNet, Roma Network, Roma Object Access, Roma Secure, Roma WF/Access, Roma Workflow Access, RTA, RTN, SentinelManager, Somerset, Somerset Systems, Status Monitor, The Millennium Alliance, The Millennium Alliance logo, The Millennium Management Network Alliance, TMA2000, Tracer, Unified Directory Services, Volcano and ZCopy.

Trademarks and registered trademarks of other companies: AIX, DB2, MQSeries and WebSphere are registered trademarks of International Business Machines Corporation. SAP is a registered trademark and R/3 is a trademark of SAP AG. UNIX is a registered trademark in the U.S. and other countries, licensed exclusively through X/Open Company Ltd. HP-UX is a trademark of Hewlett-Packard Company. SunOS is a trademark of Sun Microsystems, Inc. All other company and product names used herein are trademarks or registered trademarks of their respective companies.

CASmf is a copyright of S.W.I.F.T. 1996, all rights reserved.

Copyright January 2003, Candle Corporation, a California corporation. All rights reserved. International rights secured.

Threaded Environment for AS/400, Patent No. 5,504,898; Data Server with Data Probes Employing Predicate Tests in Rule Statements (Event Driven Sampling), Patent No. 5,615,359; MVS/ESA Message Transport System Using the XCF Coupling Facility, Patent No. 5,754,856; Intelligent Remote Agent for Computer Performance Monitoring, Patent No. 5,781,703; Data Server with Event Driven Sampling, Patent No. 5,809,238; Threaded Environment for Computer Systems Without Native Threading Support, Patent No. 5,835,763; Object Procedure Messaging Facility, Patent No. 5,848,234; End-to-End Response Time Measurement for Computer Programs, Patent No. 5,991,705; Communications on a Network, Patent Pending; Improved Message Queuing Based Network Computing Architecture, Patent Pending; User Interface for System Management Applications, Patent Pending.

NOTICE: This documentation is provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions set forth in the applicable license agreement and/or the applicable government rights clause.

This documentation contains confidential, proprietary information of Candle Corporation that is licensed for your internal use only. Any unauthorized use, duplication, or disclosure is unlawful.

2 PathWAI Secure for WebSphere MQ Installation Guide, Version 300

Contents

Preface  7
Restrictions  11
What’s New in this Release  13
    Introduction  13
    New Product Name  13
    Third-Party Certificate Support  13
    Global Administrator CDROM  14
    Certificate Revocation Lists  15
    Online Certificate Revocation Checking  15
    Certificates Embedded in PathWAI Secure Messages  15
Chapter 1. Installation Overview  17
    What is PathWAI Secure?  17
    How Do You Invoke PathWAI Secure?  18
    What Type of Encryption Does PathWAI Secure Use?  20
    PathWAI Secure Key Pairs  20
    The Registration Process  21
    Registering Administrators  24
Chapter 2. Prerequisites  27
    Introduction  27
    Chapter Contents  27
    OS/390 and z/OS Prerequisites  28
    UNIX Prerequisites  29
    Windows Prerequisites  30
    CASP Secure Connector Prerequisites  31
Chapter 3. Installation Preparation  33
    Introduction  33
    Key Database (LDAP)  33
    PKCS#7 and PKCS#12 Files
    Site-Specific Information
    Mainframe Defaults
    Prepare for Upgrade, If Necessary
    Enable 4758 Processing, If Necessary
Chapter 4. Installation Steps on OS/390 and z/OS  41
    Before You Begin
    Summary of Steps
    Step 1. Migrate Version 200 Databases, if Necessary
    Step 2. Transfer the PathWAI Secure Software - Windows Procedure
    Step 3. Transfer the PathWAI Secure Software - UNIX Procedure
    Step 4. APF-Authorize PathWAI Secure Datasets
    Step 5. Customize the PathWAI Secure Server PROC
    Step 6. Customize the Configuration File
    Step 7. Update Channel Initiator JCL
    Step 8. Update SYS1.PARMLIB to Start MFSSRVR
    Step 9. Enable S/390 Crypto Facility Processing
    Step 10. Create PathWAI Secure Queues
    Step 11. Start the KMFADM Utility
    Step 12. Create a New User Key Database
    Step 13. Register the Global Administrator
    Step 14. Register a Local Administrator
    Step 15. Export Local Administrator’s Public Key
    Step 16. Import Remote Administrators’ Public Keys
    Step 17. Re-Encrypt User Key Database(s), if Necessary
    Step 18. Export Administrators’ Public Keys to LDAP, if Necessary
    Step 19. Modify the MQSeries Channels
    Step 20. Verify MQSecure Installation
Chapter 5. Installation Steps on UNIX (GUI)  85
    Introduction  85
    Before You Begin  85
    Summary of Steps  86
    Step 1. Install PathWAI Secure Software  87
    Step 2. Configure the Local PathWAI Secure Node  91
    Step 3. Configure OCSP Revocation Checking  94
    Step 4. Identify the User Key Repository  96
    Step 5. Configure a Local LDAP Directory  97
    Step 6. Create PathWAI Secure Queues  100
    Step 7. Set Environment Variables  101
    Step 8. Add LDAP Tools to Path (LDAP Users Only)  103
    Step 9. Register the Global Administrator  104
    Step 10. Register the Local Administrator  105
    Step 11. Re-Encrypt User Key Database(s), if Necessary  107
    Step 12. Export Administrators’ Public Keys to File  108
    Step 13. Import the Keys File to User Key Databases  109
    Step 14. Export the Keys File to LDAP (LDAP Sites Only)  110
    Step 15. Modify the WebSphere MQ Channels  111
    Step 16. Verify MQSecure Installation  113
Chapter 6. Installation Steps on Windows  115
    Introduction
    Before You Begin
    Summary of Steps
    Step 1. Migrate Version 200 Databases, if Necessary
    Step 2. Verify User ID Authority
    Step 3. Download the Software
    Step 4. Configure the Local PathWAI Secure Node
    Step 5. Identify the User Key Repository
    Step 6. Configure a Local User Key Repository
    Step 7. Reboot
    Step 8. Migrate Version 210 Databases, if Necessary
    Step 9. Re-Encrypt Version 210 Databases, if Necessary
    Step 10. Register the Global Administrator
    Step 11. Register the Local Administrator
    Step 12. Export Public Keys to File
    Step 13. Import Public Keys to User Key Databases
    Step 14. Export Keys to LDAP (LDAP Sites Only)
    Step 15. Create PathWAI Secure Queues
    Step 16. Enable Channel Exit Security  141
    Step 17. Verify PathWAI Secure Installation  144
Appendix A. Guide to Candle Customer Support  145

Preface

Purpose of this Guide

This guide explains how to install and configure the PathWAI Secure for WebSphere MQ product (PathWAI Secure) on OS/390 and z/OS, Windows, and UNIX operating systems.

The term “installation” in this guide refers to the following tasks:
- Copying the PathWAI Secure software from CDROM to disk.
- Installing the PathWAI Secure software into the correct datasets or directories.

The term “configuration” in this guide refers to the following tasks:
- Editing various files to replace default or symbolic values with your site-specific values.
- Registering PathWAI Secure administrators and distributing administrators’ public keys.

Who Should Use this Guide

This guide was written for systems, maintenance, or installation programmers and for PathWAI Secure administrators. Although most operating system commands necessary to complete the tasks in this guide are provided, it is assumed that users of this guide are familiar with the operating systems that they will install on and have access to system manuals. They should also have a working knowledge of IBM’s WebSphere MQ product.

How to Use this Guide

If you are a new user of PathWAI Secure, before beginning the installation you should familiarize yourself with the following chapters in the PathWAI Secure for WebSphere MQ Administrator’s Guide:
- “Chapter 1. Introducing PathWAI Secure for WebSphere MQ”
- “Chapter 2. Configuring Key and Encryption Options”
- “Chapter 3. Managing Users and User Keys”

New users of PathWAI Secure should also read “Installation Overview” on page 17 for a brief overview of the installation. You should then proceed to “Installation Preparation” on page 33 and then to the appropriate installation chapter.

Existing customers should begin with “What’s New in this Release” on page 13 and then proceed to “Installation Preparation” on page 33 and then to the appropriate installation chapter.

Related Documentation

For information on administering PathWAI Secure, consult the PathWAI Secure for WebSphere MQ Administrator’s Guide. For information on programming with the PathWAI Secure APIs, consult the PathWAI Secure for WebSphere MQ Programmer’s Guide.

Adobe Portable Document Format

Printing this book

Candle supplies documentation in the Adobe Portable Document Format (PDF). The Adobe Acrobat Reader will print PDF documents with the fonts, formatting, and graphics in the original document. To print a Candle document, do the following:

1. Specify the print options for your system. From the Acrobat Reader Menu bar, select File > Page Setup and make your selections. A setting of 300 dpi is highly recommended, as is duplex printing if your printer supports this option.
2. To start printing, select File > Print on the Acrobat Reader Menu bar.
3. On the Print pop-up, select one of the Print Range options for
   - All
   - Current page
   - Pages from: [ ] to: [ ]
4. (Optional) Select the Shrink to Fit option if you need to fit oversize pages to the paper size currently loaded on your printer.

Printing problems?

The print quality of your output is ultimately determined by your printer. Sometimes printing problems can occur. If you experience printing problems, potential areas to check are:
- settings for your printer and printer driver. (The dpi settings for both your driver and printer should be the same. A setting of 300 dpi is recommended.)
- the printer driver you are using. (You may need a different printer driver or the Universal Printer driver from Adobe. This free printer driver is available at www.adobe.com.)
- the halftone/graphics color adjustment for printing color on black and white printers (check the printer properties under Start > Settings > Printer). For more information, see the online help for the Acrobat Reader.
- the amount of available memory in your printer. (Insufficient memory can cause a document or graphics to fail to print.)

For additional information on printing problems, refer to the documentation for your printer or contact your printer manufacturer.

Contacting Adobe

If additional information is needed about Adobe Acrobat Reader or printing problems, see the Readme.pdf file that ships with Adobe Acrobat Reader or contact Adobe at www.adobe.com.

Adding annotations to PDF files

If you have purchased the Adobe Acrobat application, you can add annotations to Candle documentation in .PDF format. See the Adobe product for instructions on using the Acrobat annotations tool and its features.

Restrictions

This product is subject to export and re-export restrictions and regulations imposed by the government of the United States and, if applicable, the country to which the product is shipped, and any related federal, state, or local laws.

As of October 19, 2000, the new export rules for PathWAI Secure for WebSphere MQ are as follows:

1. No shipments to or use by non-United States Government End Users outside the United States are allowed without a special license for the government end user, except for Members of the European Union (EU), Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland;
2. No shipments may be made to and the product may not be used or licensed for use by any person or entity that is a member of, or located in, any terrorist-supporting nations (currently, Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria); and
3. The product may not otherwise be used in violation of any applicable license agreement. Some countries’ import regulations prohibit importation or use of encryption software products, and it is the user's responsibility to comply with those regulations.

Note: A Government End User is any foreign central, regional, or local government department, agency, or other entity performing governmental functions, including governmental research institutions, governmental corporations or their separate business units (as defined in part 772 of the EAR) which are engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List, and international governmental organizations. The term does not include utilities (including telecommunications companies and Internet service providers), banks and financial institutions, transportation, broadcast or entertainment, educational organizations, civil health and medical organizations, retail or wholesale firms, and manufacturing or industrial entities not engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List.

PathWAI Secure for WebSphere MQ Version 300. Copyright 1997–2002, Candle Corporation, a California corporation. All rights reserved. International copyright secured.

This material is proprietary to Candle Corporation and is not to be reproduced, used, or disclosed except in accordance with program licenses or upon written authorization of Candle Corporation. This product contains BSAFE software, owned exclusively by RSA Data Security, Inc., and sublicensed by Candle Corporation.

What’s New in this Release

Introduction

This release of the PathWAI Secure for WebSphere MQ product (formerly called MQSecure) includes the following enhancements that affect its installation.

For additional information about enhancements in the current release, consult the PathWAI Secure for WebSphere MQ Administrator’s Guide and the PathWAI Secure for WebSphere MQ Programmer’s Guide.

New Product Name

This product, formerly called MQSecure, has been renamed PathWAI Secure for WebSphere MQ. In most places, this guide abbreviates the product name to PathWAI Secure.

Be aware that you may still see the term “MQSecure” in some places within installation/user interfaces, file names, and sample data.

Third-Party Certificate Support

This release of PathWAI Secure includes support for third-party generated public/private key pairs and supporting certificates. PathWAI Secure supports any third-party certificate that conforms to the X.509 Version 3 industry standard used by Verisign, Entrust, and most Certification Authorities in commercial use today. Your site may use certificates and key pairs created by any third-party Certification Authority that conforms to this standard.

Your site may import keys and certificates generated by a third-party Certification Authority using the PKCS#12 and PKCS#7 messaging formats used by all leading PKI vendors. PKCS#7 files are used for importing stand-alone verification certificates. PKCS#12 files are used to import public/private key pairs used to register authorized PathWAI Secure users and the certificates used to authenticate them.

The PathWAI Secure Administration utilities have been enhanced to provide import/export functions for PKCS#12 and PKCS#7 files, and the import/export functions are supported through API calls.

Note that PathWAI Secure-generated key pairs are still supported. Your site can continue to use PathWAI Secure-generated keys in the current release if your site prefers to avoid the overhead associated with certificate management.

Global Administrator CDROM

This release of PathWAI Secure includes an enhanced package of administrative functions called the Global Administrator. The Global Administrator is a special class of PathWAI Secure administrator with the authority to establish a trust model (trust points) within your site’s PathWAI Secure network. The Global Administrator assigns trust to imported certificates and exports trusted certificates for distribution throughout the PathWAI Secure network.

The Global Administrator is distributed on a separately licensed CDROM. The PathWAI Secure Administration utilities on this CDROM have been enhanced to provide the import and export functions for trusted certificates. If your site intends to use third-party keys, and wants to use certificates for verification, you must install the Global Administrator CDROM. Be aware that you must install the Global Administrator CDROM first and register the Global Administrator on one node, before installing additional PathWAI Secure nodes.

If your site does not intend to use third-party keys and you want to designate a special administrator only for purposes of centrally collecting and exporting administrators’ PathWAI Secure-generated public keys, you do not need to install the Global Administrator CDROM. This document refers to this type of administrator as the central administrator to distinguish it from the Global Administrator described above; however, be aware that in previous releases this type of administrator was called the “global administrator.”

Certificate Revocation Lists

This release of PathWAI Secure includes support for importing Certificate Revocation Lists (CRLs). CRLs are used to revoke invalid or expired certificates. PathWAI Secure imports CRLs from certificate and registration authorities just as it does third-party keys and certificates, using PKCS#7 format files. CRLs are stored in local certificate databases and exported to the PathWAI Secure LDAP repository for central distribution.

CRLs are issued periodically by Certification Authorities and they are typically updated on a 12-hour, daily, or weekly basis; however, if your site requires real-time certification checking, you may want to use online certificate revocation checking (described below) as an alternative to importing CRLs.

Online Certificate Revocation Checking

This release of PathWAI Secure includes support for certificate revocation checking in real time using a third-party, network-based Online Certificate Status Protocol (OCSP) responder. For critical applications requiring virtually real-time status information, or simply to offload the effort of CRL management, your site may want to take advantage of this feature.

The OCSP vendor supported in the current release is ValiCert. The PathWAI Secure installation/configuration utilities have been enhanced to allow you to specify information about ValiCert (typically the URL and listening port where the responder resides).

Certificates Embedded in PathWAI Secure Messages

This release of PathWAI Secure includes support for embedding digital certificates within PathWAI Secure messages. Your site may want to use embedded certificates in situations where an application cannot access the PathWAI Secure key repository or there is no convenient mechanism for distributing the public keys used for signature verification. The PathWAI Secure installation/configuration utilities have been enhanced to allow you to specify whether or not to embed certificates.

Be aware that public keys are embedded in certificates; if you configure the PathWAI Secure node to embed certificates, you are distributing public keys.


Chapter 1. Installation Overview

This chapter briefly introduces you to PathWAI Secure for WebSphere MQ (PathWAI Secure) and contains an overview of its features and components. Candle recommends that you familiarize yourself with the information in this chapter, even if you have installed a previous release of PathWAI Secure, because new PathWAI Secure features affect its installation and configuration.

What is PathWAI Secure?

PathWAI Secure provides authentication and encryption services for WebSphere MQ messages. PathWAI Secure supplements the user authorization capabilities of external security programs such as RACF, ACF2, and Top Secret on OS/390, and operating system security tools on UNIX and Windows systems.

PathWAI Secure provides the following security services:

Authentication
    Verifies the identity of the entity sending the message.
Nonrepudiation
    Assures that the sender of the message cannot deny having sent it.
Integrity
    Assures that the message arrived without alteration.
Privacy
    Assures that the message contents are confidential while traveling over the network.

How Do You Invoke PathWAI Secure?

PathWAI Secure’s security services can be invoked in two ways:
- APIs (application-to-application): Your site can use PathWAI Secure’s APIs to provide security services on an application-to-application basis.
- Channel exits (node-to-node): Your site can use WebSphere MQ’s channel exits to provide security services on a node-to-node or channel-specific basis.

The following sections contain more information about these methods of invoking PathWAI Secure and recommendations for the best method for conditions at your site.

PathWAI Secure APIs

Your site can use PathWAI Secure’s APIs to provide security services on an application-to-application basis. PathWAI Secure provides APIs for COBOL, C/C++, and Java applications.

Because security is handled by the sending and receiving applications, when you use PathWAI Secure APIs you do not need to know the route the messages travel or the identities of the machines that handle the messages en route. This method of securing messages is especially useful when messages must pass through channels which you do not control, for example, when messages travel over the Internet.

Additional Feature Using the APIs

If you use the PathWAI Secure APIs, the following additional feature is available:

Range encryption
    Encrypts selected portions of a message, leaving other portions unencrypted. Range encryption is useful when parts of a message (such as routing instructions) need to be in the clear, while other parts (such as account numbers) need to be encrypted.

Note: This feature is available only with the C/C++ and COBOL APIs.
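The following is an added example, not code from this guide or from Candle, of the range-encryption idea described above: the routing field of a fixed-layout message stays readable while the account field is encrypted, and one integrity check covers the whole message, cleartext ranges included, so a relay that can read the routing bytes still cannot alter them unnoticed. The cipher (a keystream from HMAC-SHA256 in counter mode, because the Python standard library has no AES), the envelope layout, the field offsets and the sample message are assumptions of this example, not PathWAI Secure’s own algorithm or wire format.

```python
"""Range encryption over a fixed-layout message: the routing header stays in
the clear, the account field is encrypted, and one MAC covers the whole
envelope so the cleartext ranges cannot be rewritten in transit either.
Added illustration, not PathWAI Secure code.  Assumed (not on the page): the
cipher is a keystream from HMAC-SHA256 in counter mode (no AES in the standard
library) and the envelope layout nonce || ranges || body || tag is ours."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC-SHA256(enc_key, nonce || i).
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _encode_ranges(ranges) -> bytes:
    # 2-byte count, then each (start, end) pair as 4-byte big-endian ints.
    return struct.pack(">H", len(ranges)) + b"".join(struct.pack(">II", s, e) for s, e in ranges)


def _decode_ranges(buf: bytes, off: int):
    (count,) = struct.unpack_from(">H", buf, off)
    ranges = [struct.unpack_from(">II", buf, off + 2 + 8 * i) for i in range(count)]
    return ranges, off + 2 + 8 * count


def _xor_ranges(body: bytearray, ks: bytes, ranges) -> None:
    last_end = 0
    for start, end in ranges:  # ranges must be sorted, non-overlapping, in bounds
        if not (last_end <= start < end <= len(body)):
            raise ValueError(f"bad range {start}:{end} for a {len(body)}-byte body")
        for i in range(start, end):
            body[i] ^= ks[i]  # keystream indexed by absolute offset
        last_end = end


def range_encrypt(enc_key: bytes, mac_key: bytes, message: bytes, ranges) -> bytes:
    """Encrypt only the given (start, end) byte ranges; authenticate everything."""
    nonce = os.urandom(NONCE_LEN)
    body = bytearray(message)
    _xor_ranges(body, _keystream(enc_key, nonce, len(body)), ranges)
    signed = nonce + _encode_ranges(ranges) + bytes(body)
    # Encrypt-then-MAC over the whole envelope, clear routing bytes included.
    return signed + hmac.new(mac_key, signed, hashlib.sha256).digest()


def range_decrypt(enc_key: bytes, mac_key: bytes, envelope: bytes) -> bytes:
    """Verify the MAC first, then undo the encryption on the recorded ranges."""
    if len(envelope) < NONCE_LEN + 2 + TAG_LEN:
        raise ValueError("envelope too short")
    signed, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, signed, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: envelope altered in transit")
    ranges, body_off = _decode_ranges(signed, NONCE_LEN)
    body = bytearray(signed[body_off:])
    _xor_ranges(body, _keystream(enc_key, signed[:NONCE_LEN], len(body)), ranges)
    return bytes(body)


# Constructed sample: a 32-byte routing field in the clear followed by a
# 16-byte account number that must be encrypted.  Keys are fixed test values.
ENC_KEY = hashlib.sha256(b"constructed-enc-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-mac-key").digest()
ROUTING = b"QM.PAYMENTS/PAY.IN.Q".ljust(32)
ACCOUNT = b"ACCT-0123456789".ljust(16)
MESSAGE = ROUTING + ACCOUNT
SECRET_RANGES = [(32, 48)]


def demo() -> dict:
    env = range_encrypt(ENC_KEY, MAC_KEY, MESSAGE, SECRET_RANGES)
    body_off = NONCE_LEN + 2 + 8 * len(SECRET_RANGES)
    body = env[body_off:-TAG_LEN]
    forged = bytearray(env)
    forged[body_off] ^= 0x01  # a relay rewriting the clear routing field
    try:
        range_decrypt(ENC_KEY, MAC_KEY, bytes(forged))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"routing_in_clear": body[:32] == ROUTING,
            "account_hidden": body[32:48] != ACCOUNT,
            "roundtrip_ok": range_decrypt(ENC_KEY, MAC_KEY, env) == MESSAGE,
            "tamper_detected": tamper_detected}
```

The last check in demo() is the one that matters operationally: leaving routing instructions readable does not leave them modifiable, because the MAC covers the cleartext ranges as well as the encrypted ones.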
