matthiasblomme/MyOpenTech-PGP-SupportPac

MyOpenTech (PGP SupportPac v1.0.0.1)

PGP SupportPac for IBM Integration Bus
======================================

Security facilities offered by IBM Integration Bus

Security facilities in IBM Integration Bus are typically based on:
  1. WebSphere MQ security.
  2. Transport layer security (e.g. SSL/TLS) provided by the underlying transport mechanism.
  3. Access control (authentication and authorization) mechanisms powered by the broker's internal security manager and by external security providers (e.g. WS-Trust v1.3 compliant security token servers, Tivoli Federated Identity Manager, Lightweight Directory Access Protocol servers).
  4. WS-Security for Web services using the SOAP nodes.

Limitations in the security features offered by IBM Integration Bus

  1. Web service technology is not the preferred solution in today's enterprise integration world for asynchronous, one-way data communication, especially when large volumes of data are transferred in batch mode. In this scenario the WS-Security standard cannot be applied.
  2. Using SSL at the transport layer slows down the overall transfer rate because it encrypts all traffic. When data is transferred over a trusted network (e.g. an intranet), SSL can be dispensed with by encrypting only the sensitive and confidential information at the application layer itself.
  3. External parties (e.g. third-party vendors, customers, government agencies) often require data to be encrypted before it is transferred to or from them, even when SSL is used at the transport layer.
  4. Apart from the WS-Security standard (which applies to Web services only), IBM Integration Bus does not provide any built-in solution for enforcing data confidentiality (encryption) and integrity (digital signature).
  5. Many organizations use various third-party software/tools to implement data security, but those tools are completely decoupled from IBM Integration Bus.
  6. Why use such third-party software/tools at the integration layer if IBM Integration Bus itself provides a solution?

Solution (PGP)

  1. Solving the problems stated above requires a strong, industry-standard cryptographic solution that enforces data confidentiality and integrity, with an optional data compression feature.
  2. PGP (Pretty Good Privacy) is a widely used cryptographic solution for data communication. It was created by Phil Zimmermann in 1991. PGP follows the OpenPGP standard (RFC 4880) for encrypting and decrypting data. Besides data confidentiality and integrity, PGP also supports data compression.
  3. PGP SupportPac (version 1.0.0.1) for IBM Integration Bus v9 implements the PGP cryptographic solution, providing encryption, decryption and signature functionality as an extended feature (SupportPac) of the IBM Integration Bus product.
  4. This SupportPac leverages the Bouncy Castle PGP Java libraries for the core PGP functionality. Bouncy Castle is a Java-based open-source PGP implementation (MIT License: https://www.bouncycastle.org/licence.html).

PGP SupportPac Features
=======================

Easily pluggable to IBM Integration Bus Toolkit

Once the PGP SupportPac plug-in is installed in the IBM Integration Bus Toolkit, the PGP Encrypter/Decrypter nodes become available in the PGP drawer of the message flow node palette.

Easy Runtime Installation

It follows the standard User-Defined Node installation process. The SupportPac ships with the following runtime libraries (.jar files), which need to be placed in the Broker's user LIL path:

bcpg-jdk15on-149.jar
bcprov-ext-jdk15on-149.jar
com.ibm.broker.supportpac.PGP.jar

PGP key pair generation and key/repository management

This SupportPac ships with a Java-based command-line tool (pgpkeytool) for PGP key generation and key/repository management, so no third-party open-source or commercial tool is needed for PGP key/repository management.

Centralized key repository and default parameter configuration through a User-Defined Configurable Service

  1. You do not need to specify the private/public key repository details, the default signing key and its passphrase, or the decryption key passphrase at each PGP Encrypter/Decrypter node used in the message flow.
  2. Just create a User-Defined Configurable Service for all message flows (or for a group of them) and specify the service name in the node properties.
  3. In general, a single Configurable Service is sufficient for all the message flows deployed in a Broker.

PGP Encrypter Node

  1. Provides PGP signature generation (optional) and encryption functionality.
  2. Supports both message and file encryption, regardless of transport protocol or message domain.
  3. The node can be configured to write the encrypted data into the output message tree or directly to the file system.
  4. In the case of file encryption, the input file can be deleted or archived (with or without a timestamp suffix) after successful encryption.
  5. Some node properties can be overridden at runtime through the node's input LocalEnvironment tree. Such overrides apply to the current invocation of the message flow only.
  6. The node reads the PGP private/public keys and the default signature key/passphrase information configured in the User-Defined Configurable Service.
  7. Key information can be provided either as a Key User Id (e.g. Sender [email protected]) or as a hexadecimal Key Id (e.g. 0x73E56D78).
  8. Supports a wide range of the required algorithms:
    Hash (Digest) Algorithms: MD5, SHA1, RIPEMD160, MD2, SHA256, SHA384, SHA512, SHA224
    Cipher Algorithms: IDEA, TRIPLE_DES, CAST5, BLOWFISH, DES, AES_128, AES_192, AES_256, TWOFISH
    Compression Algorithms: UNCOMPRESSED, ZIP, ZLIB, BZIP2
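As an added example (not part of the SupportPac or pgpkeytool source) of the two operations described above, generating a PGP key pair the way a key tool does and then resolving that key by hexadecimal Key Id or by User Id as a node property references it, written against a current Bouncy Castle bcpg/bcprov release (the shipped 1.49 jars differ in places); the class name, user id and passphrase are constructed for the demo.

```java
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Date;
import java.util.Iterator;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
import org.bouncycastle.openpgp.operator.jcajce.*;

public class PgpKeyLookupDemo {
    // Resolve a key reference as the node properties describe it: "0x" + hex Key Id, or a User Id.
    // A 16-digit id must match the whole 64-bit key id; an 8-digit (short) id such as 0x73E56D78 matches
    // only the low 32 bits and is not unique, so prefer the full id (or the fingerprint) in real configs.
    static PGPPublicKey findKey(PGPPublicKeyRingCollection rings, String ref) throws PGPException {
        if (ref.startsWith("0x")) {
            String hex = ref.substring(2);
            long wanted = Long.parseUnsignedLong(hex, 16);
            long mask = hex.length() <= 8 ? 0xFFFFFFFFL : -1L;
            for (PGPPublicKeyRing ring : rings)
                for (PGPPublicKey key : ring)
                    if ((key.getKeyID() & mask) == wanted) return key;
            return null;
        }
        // User Id lookup: partial and case-insensitive, so the e-mail part alone is enough
        Iterator<PGPPublicKeyRing> it = rings.getKeyRings(ref, true, true);
        return it.hasNext() ? it.next().getPublicKey() : null;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        String userId = "Sender <sender@example.invalid>"; // constructed sample User Id
        char[] passphrase = "changeit".toCharArray();      // constructed sample passphrase
        // 1. RSA key pair via JCA, wrapped as an OpenPGP key pair (what a key tool does internally)
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(3072);
        PGPKeyPair keyPair = new JcaPGPKeyPair(PGPPublicKey.RSA_GENERAL, kpg.generateKeyPair(), new Date());
        // 2. Self-certify the User Id with SHA-256 and protect the secret key with AES-256 (both in the node's algorithm list)
        PGPDigestCalculator sha1 = new JcaPGPDigestCalculatorProviderBuilder().build().get(HashAlgorithmTags.SHA1);
        PGPKeyRingGenerator gen = new PGPKeyRingGenerator(PGPSignature.POSITIVE_CERTIFICATION, keyPair, userId,
            sha1, null, null, new JcaPGPContentSignerBuilder(keyPair.getPublicKey().getAlgorithm(), HashAlgorithmTags.SHA256),
            new JcePBESecretKeyEncryptorBuilder(SymmetricKeyAlgorithmTags.AES_256, sha1).setProvider("BC").build(passphrase));
        // The encoded public keyring is what a key repository file holds; load it back as a collection
        PGPPublicKeyRingCollection pubRings = new PGPPublicKeyRingCollection(gen.generatePublicKeyRing().getEncoded(), new JcaKeyFingerprintCalculator());
        // 3. Look the key up both ways a node property may reference it
        String shortId = String.format("0x%08X", keyPair.getKeyID() & 0xFFFFFFFFL);
        PGPPublicKey byId = findKey(pubRings, shortId);
        PGPPublicKey byUser = findKey(pubRings, "sender@example.invalid");
        System.out.println(shortId + " -> " + byId.getUserIDs().next() + ", encryption key: " + byId.isEncryptionKey());
        System.out.println("user id -> 0x" + Long.toHexString(byUser.getKeyID()).toUpperCase() + " (full 64-bit Key Id)");
    }
}
```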

PGP Decrypter Node

  1. Provides PGP signature validation (optional) and decryption functionality.
  2. Supports both message and file decryption.
  3. The node can be configured to write the decrypted data into the output message tree or directly to the file system.
  4. In the case of file decryption, the input file can be deleted or archived (with or without a timestamp suffix) after successful decryption.
  5. Some node properties can be overridden at runtime through the node's input LocalEnvironment tree. Such overrides apply to the current invocation of the message flow only.
  6. The node reads the PGP private/public keys and the default decryption key passphrase information configured in the User-Defined Configurable Service.

Conclusion

  1. This SupportPac provides application-layer security, enforcing data confidentiality and integrity through the PGP cryptographic solution.
  2. The current version (v1.0.0.1) of this SupportPac supports signature generation/validation only as part of the encryption/decryption process.
  3. A future version will provide standalone signature generation/validation functionality.
  4. A future version will provide a better GUI in the node properties view.
  5. A future version of pgpkeytool will be powered by a user-friendly GUI similar to the IBM Key Management tool shipped with WebSphere MQ.

Resources

  1. The PGP SupportPac binary, source code, documents, samples and other artifacts are available on GitHub (https://github.com/dipakpal/MyOpenTech-PGP-SupportPac).

  2. Do you have any questions? Post them at the IBM developerWorks public community forum (https://www.ibm.com/developerworks/community/groups/community/pgpsupportpaciib) or the MQSeries.net public forum (http://www.mqseries.net/phpBB2/viewtopic.php?t=68728).

Feedback

You can send your feedback and suggestions to [email protected]
