Security Vulnerability in IBM MQ Series impact on BizTalk

  • Question

  • Our security department in Germany has, in one of their security demand send-outs, required us to upgrade our IBM WebSphere MQ Series installation to at least version 7.1.0.1. We are using MQ together with Microsoft BizTalk Server 2010, and when I look at the compatibility list for the adapters in BizTalk 2010, only the version we are using today (7.0) is supported. http://www.microsoft.com/biztalk/en/us/adapters-included.aspx. I have now made a test installation of IBM MQ Series 7.5 and had some trouble getting it to work together with our test installation of BizTalk Server 2010. It looks like IBM had put a layer of security in the product, and for instance MQ now seems to use the MSDTC service to query the domain. I had to change the user for the service to a domain account to be allowed to do that. Now the communication between the products is working. One problem still persists though: when browsing the server from a port configuration for Queue Managers, an error occurs.

    My question is if an update for the MQ adapter will be available so we can upgrade our production environment to a safe level.

    • Changed type P_lund Tuesday, August 14, 2012 1:45 PM Still no answer
    Friday, August 10, 2012 12:14 PM

Answers

  • Here is the reply I got back from the BizTalk product group:

    In the past, IBM versions of MQ have always been backwards compatible with earlier versions. So the MQ adapters continue to work fine with newer versions of the MQ clients and servers. Though that may have changed with 7.5. Users usually open a case with IBM to see whether any configuration change is needed.

    We are already planning on going to the new MQ dependency libraries in the next version of BizTalk and HIS.

    So I think version 7.5 may or may not work properly. I do not think they have tested BizTalk 2010 on 7.5 so they are not sure it will work.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline



    • Edited by Ben Cline1 Moderator Friday, October 19, 2012 5:45 PM
    • Marked as answer by P_lund Wednesday, October 24, 2012 6:16 AM
    Friday, October 19, 2012 5:44 PM
    Moderator

All replies

  • Yes, we have been struggling with the same problem.  Testing shows the problem was introduced at 7.1 and still exists with 7.5 when using BizTalk 2010.   It would be nice if Microsoft would respond to this.   I see no clear upgrade to 7.1+ until Microsoft addresses this.  Have you tried opening a problem ticket with Microsoft support?   We may end up doing this.
    Tuesday, October 16, 2012 1:29 PM
  • Hey, I can send this directly to the Microsoft team and ask if there are any plans to upgrade the adapter support for new MQ Series versions.

    The most direct answer to the question can come through a support ticket. I will reply when I hear back; it usually takes a couple of days.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Wednesday, October 17, 2012 6:13 AM
    Moderator
  • Hi,

    That should be great, thanks!

    Peter


    Peter L

    Wednesday, October 17, 2012 6:18 AM
  • I've had no problem with version > 7.4. I did a small blog post about it, maybe it can help you during the installation and configuration?

    I just did a test with 7.5 and had some problems. I can look more into it; however, all versions before that work fine for me.

    Best regards

    Tord Glad Nordahl
    Bouvet ASA, Norway
    http://www.BizTalkAdmin.com | @tordeman

    Please indicate "Mark as Answer" if this post has answered the question.

    Wednesday, October 17, 2012 6:40 AM
  • Thank you for the answer though I think that waiting for the next version of BizTalk to be able to upgrade IBM MQ might not be the best solution.

    Peter Lundberg

    Volkswagen Group Sweden


    Peter L

    • Proposed as answer by balley8780 Wednesday, October 24, 2012 8:03 PM
    • Unproposed as answer by balley8780 Wednesday, October 24, 2012 8:04 PM
    Wednesday, October 24, 2012 6:19 AM
  • I have a solution that at least works for me.  I can now upgrade from WebSphere MQ 7.0.1.x to 7.5 if I am sure to follow the following notes.

    1. Make sure I do run the "upgrade" option and not the side-by-side.  You should have no choice here.

    2.  In Component Services > Computers > My Computer > Distributed Transaction Coordinator, right click Local DTC and select Properties.  Select the Security tab and enter a DTC Logon Account that is an actual Domain account that can be used to query the Domain Controller.  This replaces the default NT AUTHORITY\NetworkService account.  Save and allow DTC to restart.  This was at the heart of my problem. 

    Other things I needed to configure in this upgrade:

    3. Execute runmqsc and enter the command: "ALTER QMGR CHLAUTH(DISABLED)" .   This allows remote access to the queue manager from MQ Explorer.  This is an old issue.

    4. Execute the following command: "setmqinst -i -n Installation1"  but substitute your installation name that was specified in the MQ 7.5 install.  This is a new issue as well for an upgrade.  It is documented in the 7.5 migration documentation. Be sure to reboot after this.

    Once I followed these simple rules, upgrade was easy and BizTalk 2010 has no problem reading and writing the queue of a 7.5 queue manager.

    Hope this helps


    Barry



    • Proposed as answer by balley8780 Wednesday, October 24, 2012 8:21 PM
    • Edited by balley8780 Wednesday, October 24, 2012 8:25 PM
    Wednesday, October 24, 2012 8:21 PM
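
Step 3 in the post above switches channel authentication records off for the whole queue manager. The MQSC script below is an added example, not part of the original post or of IBM's or Microsoft's guidance for BizTalk. It keeps CHLAUTH enabled and opens only the admin channel to one MQ Explorer workstation. The address `192.0.2.10` and the user `mqadmin1` are placeholders, and it has not been tested against the BizTalk adapter.

```mqsc
* Added example (not from the original post).
* Run with:  runmqsc QMGR_NAME < chlauth.mqsc
* Placeholders: 192.0.2.10 = MQ Explorer workstation, mqadmin1 = admin user.

* Keep channel authentication records on. ENABLED is the default for
* queue managers created at 7.1 or later.
ALTER QMGR CHLAUTH(ENABLED)

* Back-stop rule: no remote access to any SYSTEM.* channel.
SET CHLAUTH('SYSTEM.*') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)

* Admin channel: deny by default, then allow the one workstation.
* The more specific address rule takes precedence over '*'.
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(ADDRESSMAP) +
    ADDRESS('192.0.2.10') USERSRC(CHANNEL) ACTION(REPLACE)

* The default BLOCKUSER rule on '*' rejects privileged users (*MQADMIN)
* on every channel. A channel-specific BLOCKUSER rule overrides it for
* this channel only; 'nobody' is a user name that is not expected to exist.
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(BLOCKUSER) +
    USERLIST('nobody') ACTION(REPLACE)

* Verify the state and the rules now in force.
DISPLAY QMGR CHLAUTH
DISPLAY CHLAUTH('SYSTEM.ADMIN.SVRCONN')

* Ask the queue manager which rule an inbound connection would match.
DISPLAY CHLAUTH('SYSTEM.ADMIN.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') CLNTUSER('mqadmin1')
```

The RUNCHECK output names the rule that would match, so a blocked connection can be traced to a specific record instead of disabling all of them.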
  • Barry,

      I will mention your workaround back to the BizTalk team. It would be great if you could create a TechNet Wiki article for this!

    Thanks!


    If this answers your question, please use the "Answer" button to say so | Ben Cline


    Wednesday, October 24, 2012 9:03 PM
    Moderator