I have a legacy app accessing MQ Server from an MQ Client using the C++ API. How is this API used to add encryption over the Server Connection Channel? I can't find a location where the certificate is provided to the imqChannel object.
You don't provide any code that is not working to help you with, so I can provide only some general direction.
You specify the cipher like this:
pchannel->setSslCipherSpecification("TLS_RSA_WITH_AES_256_CBC_SHA256");
You can specify the location of the kdb and sth file like this:
(note in this example it would expect to find two files, /tmp/key.kdb and /tmp/key.sth)
manager.setKeyRepository("/tmp/key");
You can also specify the location of the key repository non-programmatically using the mqclient.ini or by setting the MQSSLKEYR environment variable; if you are interested in these options, comment and I'll expand this answer.
Related
I am trying to implement secure communication between a server and client in C++. The limitation is that both the client and server must run on Windows and have to be in C++. This is for a research project I am working on at my university.
So far I have found that SChannel is the best option, but the documentation is extremely confusing and I cannot find any guides/tutorials on how to use it. I have already looked at this link https://learn.microsoft.com/en-us/windows/desktop/secauthn/creating-a-secure-connection-using-schannel but still do not understand how to get it working. Could someone guide me through this if this is the best way?
I also looked into using SSLStream via the CLR to have .NET run inside of a C++ application. However I cannot use this because the client application is threaded and threads can't be used with the CLR.
I already have a dummy client and server set up with communication between the two, I am just trying to secure and encrypt that communication.
Any help is greatly appreciated!
Whichever SSL library you choose to use there are a few things you need to know as a beginner in this field:
The server and client implementations will end up looking quite different in places.
Your server is absolutely going to need a certificate with a private key. During development you clearly don't want to get one from Verisign or something so you need to create a self-signed certificate. You can do this with openssl or other tools.
The certificate consists of a private part and a public part. The public part needs to go to the client, and will be used to validate the connection. When you are using something like SChannel the certificates (private and public) will need to be installed in the certificate stores of the server and client respectively.
SChannel does not send or receive data for you. So the core of your implementation is going to be: when the network has data: read ciphertext from socket and write to SChannel. Read clear text from SChannel (if any) and pass to application. When the application has data to send, get clear text from Application and pass to SChannel. Get the resulting ciphertext buffers from SChannel and write to the socket.
Buffers from the internet may be partial, and negotiations and re-negotiations mean there's no 1:1 mapping between passing data into SChannel and getting data out.
You therefore can't get away with a naive implementation that calls SChannel once to pass data in, and once again to get un/encrypted data. There will potentially be nothing available, or a whole lot of packets to send between the client and the server, before you'll get any application bytes. i.e. you will need some kind of state machine to keep track of this.
Obviously, don't write both the client and server at the same time: Start with your client against an https server.
That's the general outline of the process - the things that confused me when I first encountered SSL and why none of the samples were nearly as simple as I had hoped them to be.
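The data flow this answer describes, modelled with Python's ssl.MemoryBIO (which, like SChannel, does no socket I/O of its own), as an added example that is not part of the original answer. It assumes the openssl command-line tool is installed to mint a throw-away self-signed certificate, and uses a deliberately small chunk size to reproduce partial network reads, so every call has to be retried from a state machine rather than assumed to finish in one pass:

```python
import os, ssl, subprocess, tempfile
from types import SimpleNamespace

def endpoint(ctx, server_side, hostname=None):
    """TLS engine over memory buffers only (like SChannel's SecBuffers); `wire` = bytes arrived, not yet fed."""
    inbio, outbio = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(inbio, outbio, server_side=server_side, server_hostname=hostname)
    return SimpleNamespace(inbio=inbio, outbio=outbio, tls=tls, wire=b"", done=False)

def transfer(src, dst, chunk):
    """Network step: drain what src produced, hand dst at most `chunk` bytes (a partial socket read)."""
    dst.wire += src.outbio.read()
    dst.inbio.write(dst.wire[:chunk])
    dst.wire = dst.wire[chunk:]

def handshake(client, server, chunk):
    """Neither side completes do_handshake() in one call; alternate until both do."""
    while not (client.done and server.done):
        for me, peer in ((client, server), (server, client)):
            if not me.done:
                try:
                    me.tls.do_handshake()
                    me.done = True
                except ssl.SSLWantReadError:
                    pass  # engine needs more ciphertext before it can continue
            transfer(me, peer, chunk)

def send_recv(client, server, message, chunk):
    """One write() may span several records; many partial reads may pass before read() yields anything."""
    client.tls.write(message)
    received = b""
    while len(received) < len(message):
        transfer(client, server, chunk)
        try:
            received += server.tls.read(65536)
        except ssl.SSLWantReadError:
            pass
    return received

def run_session(message, chunk=100):
    """Self-signed cert via the openssl CLI (assumed installed): server holds the key, client trusts the cert."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = os.path.join(tmp, "key.pem"), os.path.join(tmp, "cert.pem")
        subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1", "-newkey", "ec",
                        "-pkeyopt", "ec_paramgen_curve:prime256v1", "-subj", "/CN=localhost",
                        "-addext", "subjectAltName=DNS:localhost", "-keyout", key, "-out", crt],
                       check=True, capture_output=True)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(crt, key)
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname by default
        cctx.load_verify_locations(crt)
        client, server = endpoint(cctx, False, "localhost"), endpoint(sctx, True)
        handshake(client, server, chunk)
        return send_recv(client, server, message, chunk)
```

The client is given only the public certificate as its trust anchor and still verifies the hostname, which is the same split the answer describes for the SChannel certificate stores.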
I am trying to publish/subscribe to AWS IoT MQTT broker from a client that does not support SigV4 or Client Certificates, it just has SSL with username and password. From what I can tell this won't be possible, so what is the best way to integrate this client?
Currently the client is publishing to a CloudMQTT broker which is working nicely, but I want to integrate Amazon Echo/Alexa into the solution to allow voice control so I need some way to connect it instead to the AWS IoT MQTT broker where I have Alexa publishing data (using Lambda and IoT Device Shadows).
What is the best approach, because as far as I can tell I can't connect the client to AWS MQTT using SSL; it insists on certificates. Should I try and bridge CloudMQTT to AWS MQTT? Or is there some way I could get the Echo to publish to a different MQTT broker than Amazon's?
Bridging the brokers is one possible solution as described at
https://aws.amazon.com/blogs/iot/how-to-bridge-mosquitto-mqtt-broker-to-aws-iot/
This did turn out to be quite a complicated process though. I bridged using a local mosquitto install, and it failed to connect with 'unknown error'. Having done some searching online it looks like this problem has just appeared in the latest release of mosquitto. Instead I tried bridging with a mosquitto broker running on an AWS Linux EC2 instance and I was successful in bridging using this.
The better solution I came up with is to modify my Lambda function to publish directly to the MQTT broker I was already using. To do this you need to include the node.js module 'mqtt.js' (or a similar library), which is not in the aws-sdk and so does require a bit of reading to figure out how to do it. I have just been using the AWS Lambda web interface inline editor to write code up till now, which unfortunately doesn't allow you to include external libraries. Instead you need to create your own deployment package.
Below are two useful links which help you get started with making your own deployment package, but they are missing a couple of crucial bits of info I have mentioned below:
https://aws.amazon.com/blogs/compute/nodejs-packages-in-lambda/
http://docs.aws.amazon.com/lambda/latest/dg/nodejs-create-deployment-pkg.html
You will need to write the code in a file on your hard drive, then use npm install from the command line to put the required dependencies into the folder your code is in. You then need to zip the whole lot so that there is no top-level folder containing it all. That is to say, your code needs to be in the root of the zip, not in a folder in the root of the zip (which is what you get if you right-click the folder containing your code and send it to zip).
What is also not mentioned is that if you are moving from working in the online editor you need to include a couple of lines at the top of your JavaScript so that paths resolve correctly. You need to add the following:
var child_process = require('child_process');
var path = require('path');
You can then upload this code in the lambda function web editor and build your function as normal. Unfortunately you can no longer use the inline web editor, so you need to re-zip and upload again to make changes.
We have a C++ application connecting as client to WebSphere MQ using configurable queue manager and queue name. We have been asked to migrate to SSL channels for security reasons. So far we have taken care of configuring Sender and Receiver channels to use SSL.
Do we need to move the SVRCONN channels as well to use SSL?
If yes, how do we provide key-store details in code to connect to channel?
I could not find any option in MQOPEN API to provide.
It's not in MQOPEN but rather the MQCONNX API call. It is far better to use a CCDT (Client Channel Definition Table) file because then your code just needs to issue an MQCONN API call.
I'm developing a way to connect to a Wifi using VS2010 and currently stuck on how to make it connect with a network security key. I am able to enumerate all the Wifi hotspot in my area and get their SSID, MAC addresses, etc using Windows Native Wifi Functions (WlanOpenHandle, WlanEnumInterfaces, WlanQueryInterface, WlanGetNetworkBssList). I've already read about WlanConnect() on MSDN but I'm still clueless. Can you give me some hints that would make the code connect to a Wifi that asks for a network security key?
Assuming you have at least one saved Wifi connection run the command
netsh wlan export profile
This will export all your Wifi profiles as XML files in the current directory.
When you call WlanConnect you can supply a literal XML profile string in the WLAN_CONNECTION_PARAMETERS structure if wlanConnectionMode is set to wlan_connection_mode_temporary_profile.
If you can use the XML from one of your exported profiles to connect successfully to a secured network, then presumably you should be able to alter the XML and use the same technique to connect to new networks.
I've never tried this, and I've no idea what encoding is used for the key stored in the XML, but it seems like a possible way of solving your problem.
You will need an example profile to start with, as arx had suggested.
When exporting a profile, add the key=clear argument. This will export the profile with the key in it. You can then see the setup that you would need to adjust.
Example: netsh wlan export profile name="<profileName>" folder="<SaveLocation>" key=clear
The resulting xml will contain a section with:
<MSM>
<security>
<authEncryption>
<authentication>WPA2PSK</authentication>
<encryption>AES</encryption>
<useOneX>false</useOneX>
</authEncryption>
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>YourPasswordTextHERE</keyMaterial>
</sharedKey>
</security>
</MSM>
So once you have your profile string, update the keyMaterial element with your programmatically obtained password. Once this is done you should be able to call WlanConnect.
This might be a dumb question...
I wrote a C++ client program that communicates with a web service over HTTPS with the help of the cURL library.
I am wondering if the person using the client can see clearly the traffic originating from his computer using some sniffing program?
Or would he see encrypted data?
Thanks!
Using a utility like netcat to sniff data on the wire, the user would only see encrypted data. The only way to see the raw data is to log it inside the app, before it's passed to cURL, OR to find it in the machine's active RAM (much more difficult since it's likely to be fragmented).
Not if your app checks for valid certificates.
If your users have the ability to use a proxy server with your app, they could use Fiddler's "decrypt HTTPS sessions" function to do this, but it results in an invalid certificate, which could be made to stop it from working when detected.
He would see the encrypted data. Sniffers only see the packets, so if HTTPS is working as it should, the packets should be encrypted, and that's all the program could see.
If you would like to try it yourself, learn about ettercap-ng.
I doubt that an average user would be able to do that...
BUT there are ways to do this like:
replacing the cURL library with a proxy (if you link dynamically)
running your program under a debugger and placing breakpoints on the cURL functions
replacing the cURL program with a proxy (if you use it as a commandline utility)
digging deep and dissecting the memory at runtime
From my POV it is improbable (since you need some skill + knowledge + some control over the client environment to pull that off) but possible...
The SSL/TLS protocol is typically implemented at the application layer, so the data is encrypted before it is sent.
If the user has access to the certificate key(s) used to encrypt/decrypt the data, then he/she can plug them into Wireshark and it can then decode sniffed HTTPS packets off the wire.