WMB6 ConfigMgr on Unix - security question
sjensen
Posted: Tue Jan 31, 2006 9:33 am    Post subject: WMB6 ConfigMgr on Unix - security question

Centurion

Joined: 18 Dec 2003
Posts: 134
Location: London

Hi,

With WMB6 you can run the config manager on unix.

AFAIK this default ACL entry is created for the Unix account you install WMB6 with :

Code:
BIP1778I: mqsi                          -  USER  -  F  -  ConfigManagerProxy  -  ConfigManagerProxy


What is there to stop a Windows toolkit user creating a local Windows mqsi account and thereby gaining full access?

I feel pretty sure removing the ACL will cause the ConfigMgr to stop working.

I realise we can put the ConfigMgr on windows and make it domain aware but we would like to run it on Unix.

It should not matter for this but WMB6, Solaris 8 and Windows 2000 Server. WMQ 5.3 CSD 8

Many Thanks

Stefan
vennela
Posted: Tue Jan 31, 2006 10:10 am

Jedi Knight

Joined: 11 Aug 2002
Posts: 4055
Location: Hyderabad, India

I didn't quite understand the problem
mqmatt
Posted: Tue Jan 31, 2006 10:12 am

Grand Master

Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK

That default ACL doesn't need to be there; it's added when you create a Config Manager so that at least one user can do everything.
Feel free to remove it - although remember to add another all-permissions ACL entry in its place first.

-Matt
sjensen
Posted: Tue Jan 31, 2006 11:59 am

Centurion

Joined: 18 Dec 2003
Posts: 134
Location: London

Hi Matt,

Thanks a lot!

So any domain user will do? BTW is there a fix for the passing of domain instead of machine names yet?

Thanks again
Stefan
mqmatt
Posted: Wed Feb 01, 2006 7:34 am

Grand Master

Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK

Yes, any user should be fine. Note that the userid that starts the Config Manager (and the service userid, if it's different) are implicitly always given complete authority over objects in the domain.

I think the fix you're after regarding domain support is APAR IC47922; the problem was that the shared library that provides domain support (LogonInfo.dll / ToolingLogonInfo.dll) was not always available on toolkit installs.

Regards
-Matt
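
An added example, not part of the thread and not IBM tooling: a small Python check over an ACL listing in the BIP1778I format quoted in the first post. It lists the full-control entries and confirms that another all-permissions entry exists before the default one is removed, as Matt advises. The field names, the second sample line and the wmbview and wmbadmin principals are assumptions constructed for illustration.

```python
import re

# Field names are assumptions inferred from the one BIP1778I line in the thread:
# principal - principal type - access - object name - object type.
ENTRY = re.compile(
    r"^BIP1778I:\s*(?P<principal>\S+)\s+-\s+(?P<ptype>\S+)\s+-\s+"
    r"(?P<access>\S+)\s+-\s+(?P<obj>\S+)\s+-\s+(?P<otype>\S+)$"
)

# Constructed listing: line 1 is the entry quoted in the thread, line 2 is invented.
SAMPLE = """\
BIP1778I: mqsi                          -  USER  -  F  -  ConfigManagerProxy  -  ConfigManagerProxy
BIP1778I: wmbview                       -  GROUP  -  V  -  ConfigManagerProxy  -  ConfigManagerProxy
"""

def parse_acl(listing):
    """Return one dict per BIP1778I line; other lines are ignored."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def full_control(entries, otype="ConfigManagerProxy"):
    """Entries granting F (full) access on the Config Manager proxy object."""
    return [e for e in entries if e["access"] == "F" and e["otype"] == otype]

def safe_to_remove(entries, principal, ptype="USER"):
    """True only if some other full-control entry would remain afterwards."""
    return any(
        (e["principal"], e["ptype"]) != (principal, ptype)
        for e in full_control(entries)
    )

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for e in full_control(acl):
        print("full control:", e["ptype"], e["principal"])
    print("safe to remove mqsi:", safe_to_remove(acl, "mqsi"))
    # Constructed replacement entry, added before the default one is removed.
    acl += parse_acl("BIP1778I: wmbadmin - GROUP - F - ConfigManagerProxy - ConfigManagerProxy")
    print("after adding wmbadmin:", safe_to_remove(acl, "mqsi"))
```

The check only sees explicit ACL entries; the implicit authority of the userid that starts the Config Manager, mentioned in the last reply, does not appear in such a listing.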