Auditing the WebSphere MQ environment

This article shows you how to configure the WebSphere MQ environment to generate audit events, including security access failures on the queue manager, changes to the configuration of the queue manager, and MQ Script (MQS) and Programmable Command Format (PCF) commands issued to the queue manager. System administrators can use WebSphere MQ auditing capabilities to improve their control and monitoring of the WebSphere MQ environment, while security specialists use it to generate audit trails and improve system governance. This article also shows you how to use IBM SupportPac MH05 and IBM Tivoli Composite Application Manager (ITCAM) for Applications to view and monitor audit events.


Rui Guo Lai (lairg@sg.ibm.com), Consultant, IBM Software Services for WebSphere, IBM

Lai Rui Guo is an Application Integration and Middleware (AIM) Solutions Specialist on the IBM Software Services for WebSphere team in Singapore. He specializes in WebSphere software consulting and is an IBM Certified WebSphere Instructor. You can contact Rui Guo at lairg@sg.ibm.com.



03 October 2012


Introduction

As IT security and accountability become increasingly important, and as tasks and scripts become increasingly automated, it is becoming more and more challenging for companies to keep track of changes made to their systems. Thus the ability to generate a meaningful audit trail is becoming more and more valuable. In IBM® WebSphere® MQ V7.0.1 and later, there are new events for configuration changes and administrative actions that were previously available only on z/OS®. These new events are captured as WebSphere MQ instrumentation event messages and put onto the defined event queue, leading to enhanced auditing and governance. Auditing can answer questions such as:

  • How can we keep track of who makes changes to various WebSphere MQ object attributes?
  • How do we know when and how the values of various object attributes changed?
  • How do we know what remote PCF commands were issued and who issued them?

Auditing concepts

WebSphere MQ instrumentation events are used to monitor the operation of the queue manager. WebSphere MQ V7.0.1 added two event types that are very useful for generating audit trails: Command events and Configuration events. The images below show the event settings on the queue manager before and after WebSphere MQ V7.0.1; in both, the Start and Stop events are enabled while all other events are disabled:

[Figure: Event setting on WebSphere MQ V7.0 or earlier]
[Figure: Event setting on WebSphere MQ V7.0.1 or later]

If you are using MQS commands, event parameters end with EV. For example, the configuration events attribute is CONFIGEV. The image below is from WebSphere MQ V7.0.1, with the events attributes highlighted in yellow:

[Figure: Events attribute in queue manager]

Event category: Queue Manager
  Event types: Authority events, Inhibit events, Local events, Remote events, Start and Stop events
  Event queue: SYSTEM.ADMIN.QMGR.EVENT
  Description: Queue manager events are related to the use of resources within queue managers, such as when an application tries to put a message on a queue that does not exist.

Event category: Channel and Bridge
  Event types: Channel events, Channel auto definition events, and SSL events
  Event queue: SYSTEM.ADMIN.CHANNEL.EVENT
  Description: Channels report these events as a result of conditions detected during their operation, such as when a channel instance is stopped.

Event category: Performance
  Event types: Performance events
  Event queue: SYSTEM.ADMIN.PERFM.EVENT
  Description: Performance events are notifications that a resource has reached a threshold condition, such as when a queue depth limit has been reached.

Event category: Configuration
  Event types: Configuration events
  Event queue: SYSTEM.ADMIN.CONFIG.EVENT
  Description: Configuration events are generated when a configuration event is requested explicitly, or automatically when an object is created, modified, or deleted.

Event category: Command
  Event types: Command events
  Event queue: SYSTEM.ADMIN.COMMAND.EVENT
  Description: Command events are generated when an MQS or PCF command runs successfully.

Event category: Logger
  Event types: Logger events
  Event queue: SYSTEM.ADMIN.LOGGER.EVENT
  Description: Logger events are reported when a queue manager that uses linear logging starts writing log records to a new log. (On i5/OS®, they are written to a new journal receiver. On WebSphere MQ for z/OS, logger events are not available.)

For a more detailed explanation of each of the events, see the Instrumentation events topic in the WebSphere MQ information center.

[Figure: Sequence of events when a configuration event is triggered]
  1. The Configuration events attribute is enabled for the queue manager. The condition for a Configuration event to be triggered in this example is when a queue object is deleted, a new MQ object is created, the attribute of an MQ object is changed, or a refresh is issued to an MQ object.
  2. A Configuration event message is generated and placed into the event queue, which in this example is the SYSTEM.ADMIN.CONFIG.EVENT queue. A Configuration event caused by a change in an MQ object attribute will actually generate two event messages: one shows the MQ object before the attribute values changed and the other shows the MQ object after the attribute values changed.
  3. Applications can then pick up the event messages from the queue and process them. You need to understand the format of the event message in order to display it in a human-readable format.

Monitoring and viewing events for auditing

SupportPacs

Several IBM SupportPacs facilitate the viewing and monitoring of MQ events:

  • MO01: Event and Dead Letter Queue Monitor
  • MH05: WebSphere MQ -- Events Display Tool
  • MS0K: WebSphere MQ -- Events Monitor Tool
  • MS0P: WebSphere MQ -- Explorer Configuration and Display Extension Plug-ins
  • MS12: WebSphere MQ for z/OS – Print Event Messages

The advantage of using SupportPacs is that they are free and can be used immediately without additional development work. The disadvantages are that most SupportPacs have no warranty or service arrangement, and the event viewing they provide can be limited. This article will use SupportPac MH05 to demonstrate the three scenarios below.

Monitoring software

Several third-party software products provide the ability to monitor WebSphere MQ. This article introduces an IBM monitoring product, IBM Tivoli Composite Application Manager for Applications (ITCAM), to show you the output from the three scenarios. To monitor WebSphere MQ, install the ITCAM agent for WebSphere MQ on the MQ server.

The advantages of using monitoring software are that little development work is needed and the product is covered by a warranty. The disadvantages are the cost of a license and the need for some configuration.

Custom application

Alternatively, you can build your own custom application to consume event messages. However, you need to understand the MQFMT_EVENT format for event messages. Sample application code to monitor these event messages is provided under the Event monitoring topic in the WebSphere MQ information center. The sample code serves as a reference to build your own custom application, and does not include all possible outcomes of specified actions.

The advantages and disadvantages of building your own custom application are obvious -- you can tailor it to the exact requirements of your enterprise, but you need to invest the time and expense to develop and test it.

Three scenarios

This article focuses on Configuration events and shows three scenarios in which they are triggered:

  • Creating a new MQ object
  • Changing an MQ object attribute
  • Deleting an MQ object

In an ideal WebSphere MQ environment, access control for MQ objects is enforced via the Object Authority Manager (OAM) or via a third-party component that conforms to the WebSphere MQ Authorization Service Interface. This enforcement plus the use of WebSphere MQ events can give you a better understanding of who accessed a particular object, since you will be able to determine the user who issued the change and the timestamp when it was issued. This article simulates the scenarios using an operator user called mqopr, which can create, change, or delete an MQ object. This article does not show you how to configure the MH05 SupportPac or the ITCAM monitoring software.

Enabling the Configuration events

In order for these events to be generated, you need to enable them by specifying the appropriate values in the queue manager attributes. You can configure via MQS commands or via MQ Explorer. The queue manager name is QM_ABC.

Via MQS commands

ALTER QMGR CONFIGEV(ENABLED)

[Figure: Enable Configuration events via MQS commands]

Via MQ Explorer

Right-click Queue Manager => Properties => Events => Enabled configuration events.

[Figure: Enable Configuration events via MQ Explorer]

Creating a new MQ object

Create a new MQ object (local queue) in queue manager QM_ABC and name this new local queue AUDIT.QL:

[Figure: Create new local queue]

You can see that a Configuration event message is dropped into the Configuration event queue:

[Figure: Queue depth of Configuration event queue]
[Figure: Browse event message via MQ Explorer]

As the figure above shows, MQ Explorer cannot present the event message in a readable format when you browse it, so you need another way to view event messages.

Output From SupportPac MH05

The following command manually writes the event messages from the queue to a file. You can also use triggering to automate the process. For more details about the command and its available parameters, see the SupportPac documentation.

Command to process event queue via MH05:

xmqdspev -m QM_ABC -q SYSTEM.ADMIN.CONFIG.EVENT -d -f create.txt

[Figure: MH05 in action]
[Figure: Output from MH05]
[Figure: Detailed output from MH05]

Output from ITCAM monitoring software

[Figure: Overview of ITCAM Portal Console]
[Figure: Event generated in ITCAM Portal Console]
[Figure: Details of event generated]

Changing an attribute of an MQ object

To change the MAXMSGL attribute of the local queue AUDIT.QL:

[Figure: Alter MAXMSGL attribute]

As mentioned previously, two event messages are generated, one before the change and one after it, so that you can see which attributes were altered.
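The custom-application route described earlier requires decoding the MQFMT_EVENT (PCF) layout, and a change event arrives as the before/after pair described here. The following added example (not from the article or the MQ information center samples) decodes that layout with Python's standard struct module and diffs the pair to list the altered attributes; the sample messages are constructed, the PCF constant values are taken from the MQ header files, and little-endian integer encoding is assumed.

```python
import struct

# PCF constants from the WebSphere MQ Programmable Command Formats reference
# (cmqc.h / cmqcfc.h); only the ones this example needs.
MQCFT_EVENT, MQCFT_INTEGER, MQCFT_STRING = 7, 3, 4
MQCMD_CONFIG_EVENT = 43
REASON_NAMES = {2367: "MQRC_CONFIG_CREATE_OBJECT", 2368: "MQRC_CONFIG_CHANGE_OBJECT",
                2369: "MQRC_CONFIG_DELETE_OBJECT", 2370: "MQRC_CONFIG_REFRESH_OBJECT"}
PARAM_NAMES = {2016: "MQCA_Q_NAME", 1016: "MQIACF_OBJECT_TYPE", 13: "MQIA_MAX_MSG_LENGTH", 15: "MQIA_MAX_Q_DEPTH"}

def parse_event(data, endian="<"):
    """Decode an MQFMT_EVENT body: MQCFH header (nine MQLONGs) followed by MQCFIN/MQCFST
    parameters. Returns (reason name, {param: value}); endian comes from the MQMD Encoding."""
    cf_type, _, _, command, _, _, _, reason, count = struct.unpack(endian + "9i", data[:36])
    if cf_type != MQCFT_EVENT or command != MQCMD_CONFIG_EVENT:
        raise ValueError("not a configuration event message")
    params, off = {}, 36
    for _ in range(count):
        p_type, p_len, p_id = struct.unpack(endian + "3i", data[off:off + 12])
        name = PARAM_NAMES.get(p_id, "param_%d" % p_id)
        if p_type == MQCFT_INTEGER:    # MQCFIN: Type, StrucLength, Parameter, Value
            params[name] = struct.unpack(endian + "i", data[off + 12:off + 16])[0]
        elif p_type == MQCFT_STRING:   # MQCFST: ..., CodedCharSetId, StringLength, String
            slen = struct.unpack(endian + "i", data[off + 16:off + 20])[0]
            params[name] = data[off + 20:off + 20 + slen].decode("ascii").rstrip()
        else:
            raise ValueError("unsupported PCF parameter type %d" % p_type)
        off += p_len                   # StrucLength already covers string padding
    return REASON_NAMES.get(reason, "reason_%d" % reason), params

def diff_change_event(before, after):
    """For the before/after pair a change event produces, return {name: (old, new)}
    for every attribute whose value differs between the two messages."""
    _, b = parse_event(before)
    _, a = parse_event(after)
    return {k: (b.get(k), a.get(k)) for k in set(b) | set(a) if b.get(k) != a.get(k)}

# Constructed sample (not captured from a real queue manager): the message pair an
# ALTER QLOCAL(AUDIT.QL) MAXMSGL(...) would produce, little-endian, seq 1 then seq 2 (last).
def _cfin(p_id, value):
    return struct.pack("<4i", MQCFT_INTEGER, 16, p_id, value)
def _cfst(p_id, text):
    raw, pad = text.encode("ascii"), -len(text) % 4
    return struct.pack("<5i", MQCFT_STRING, 20 + len(raw) + pad, p_id, 1208, len(raw)) + raw + b"\0" * pad
def _event(reason, seq, control, params):
    return struct.pack("<9i", MQCFT_EVENT, 36, 3, MQCMD_CONFIG_EVENT, seq, control, 1, reason, len(params)) + b"".join(params)

BEFORE = _event(2368, 1, 0, [_cfst(2016, "AUDIT.QL"), _cfin(1016, 1), _cfin(13, 4194304), _cfin(15, 5000)])
AFTER = _event(2368, 2, 1, [_cfst(2016, "AUDIT.QL"), _cfin(1016, 1), _cfin(13, 104857600), _cfin(15, 5000)])
```

A real consumer would get the two messages from SYSTEM.ADMIN.CONFIG.EVENT, check the MQMD Format is MQFMT_EVENT, and pass the message data to these functions with the endian taken from the MQMD Encoding field.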

[Figure: Queue depth of Configuration event queue]

Output from SupportPac MH05

[Figure: Output from MH05 -- Before change]
[Figure: Output from MH05 -- After change]

Output from ITCAM monitoring software

[Figure: Events generated in ITCAM Portal Console]
[Figure: Event generated -- Before change]
[Figure: Event generated -- After change]

Deleting the MQ object AUDIT.QL that you created earlier

[Figure: Delete MQ object]
[Figure: Output from SupportPac MH05]
[Figure: Event generated in ITCAM portal console]
[Figure: Details of event generated]

Conclusion

With these new instrumentation events, you can generate useful audit events from the WebSphere MQ environment that provide details about any changes made to the queue manager and about any commands issued to it.
