marcin.kasinski
Posted: Tue May 22, 2007 10:53 am
Sentinel
Joined: 21 Dec 2004   Posts: 850   Location: Poland / Warsaw

Toronto_MQ wrote:
> I would be very careful with what you've just done. You've enabled a very big security loophole.
> Now anyone with knowledge of your IP address and channel name will be able to do anything with your queue manager.
> You may want to look into setting up a security exit.
> Steve

I would say "Don't do it!!"
Is it a PRD environment?
_________________
Marcin
Vitor
Posted: Wed May 23, 2007 4:05 am
Grand High Poobah
Joined: 11 Nov 2005   Posts: 26093   Location: Texas, USA

Toronto_MQ wrote:
> I would be very careful with what you've just done. You've enabled a very big security loophole.

If you set mcauser to anything, set it to a generic id and authorise that, with only the rights it needs.
Search the forum for a number of discussions on this.
_________________
Honesty is the best policy.
Insanity is the best defence.
Smarty05
Posted: Wed May 23, 2007 5:33 am
Apprentice
Joined: 02 May 2007   Posts: 26

Toronto_MQ wrote:
> I would be very careful with what you've just done. You've enabled a very big security loophole.
> Now anyone with knowledge of your IP address and channel name will be able to do anything with your queue manager.

You are right, I just tried a scenario and now any other user is able to connect to my QM with these details...
Smarty05
Posted: Wed May 23, 2007 5:41 am
Apprentice
Joined: 02 May 2007   Posts: 26

marcin.kasinski wrote:
> I would say "Don't do it!!"
> Is it a PRD environment?

No. Actually, at the moment I am trying to find out how MQ client-server security can be implemented in a DEV environment, and after thorough testing the same needs to be implemented in the PRD environment.
Smarty05
Posted: Wed May 23, 2007 6:11 am
Apprentice
Joined: 02 May 2007   Posts: 26

Thanks all for throwing light on this topic...
From this topic thread, I understood that:
Option 1: Setting MCAUSER (mqm) can be a big threat from unintended users and is not a safe solution.
Option 2: Creating application user ids on the MQ Server Solaris box and adding them to the 'mqm' group. It doesn't sound like a good solution in a large environment (more than 100 applications, and every application has a minimum of 8-10 users).
Option 3: Security exit. It means that the IBM MQ client-server interface doesn't have strong, built-in, easily configurable security features, and IBM expects customers to build their own security exit code... not sure about the complexity involved... exploring this option at the moment...
Apart from the above 3 options, is there any way to grant limited access to application users (without creating users (option 2) on the MQ Server OS box) and allow them to access only the intended QM resources?
Your suggestions are very much appreciated.
Thanks again..
bbburson
Posted: Wed May 23, 2007 6:34 am
Partisan
Joined: 06 Jan 2004   Posts: 378   Location: Nowhere near a queue manager

Smarty05 wrote:
> Option 2: Creating application user ids on the MQ Server Solaris box and adding them to the 'mqm' group. It doesn't sound like a good solution in a large environment (more than 100 applications, and every application has a minimum of 8-10 users).

This in effect is the same as option 1 and should be avoided. If you're going to use the MCAUSER attribute on the channel, then that userid should not be in the mqm group. Instead grant it access to the queues it needs via the setmqaut command. Better than that, though, would be to use SSL in combination with a channel security exit.
Vitor
Posted: Wed May 23, 2007 6:41 am
Grand High Poobah
Joined: 11 Nov 2005   Posts: 26093   Location: Texas, USA

bbburson wrote:
> Smarty05 wrote:
> > Option 2: Creating application user ids on the MQ Server Solaris box and adding them to the 'mqm' group. It doesn't sound like a good solution in a large environment (more than 100 applications, and every application has a minimum of 8-10 users).
> This in effect is the same as option 1 and should be avoided. If you're going to use the MCAUSER attribute on the channel, then that userid should not be in the mqm group. Instead grant it access to the queues it needs via the setmqaut command. Better than that, though, would be to use SSL in combination with a channel security exit.

This is kind of what I was attempting to articulate...
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
Posted: Wed May 23, 2007 12:46 pm
Grand High Poobah
Joined: 18 Nov 2003   Posts: 20756   Location: LI,NY

And remember, you should not set authorizations for users. Instead create groups and set the authorizations for the groups (a lot less work). Then you just add the users to the groups.
And remember, if using JMS, that you will have to add inq to the list of authorizations needed.
Enjoy
_________________
MQ & Broker admin
Toronto_MQ
Posted: Thu May 24, 2007 7:32 am
Master
Joined: 10 Jul 2002   Posts: 263   Location: read my name

fjb_saper wrote:
> And remember, you should not set authorizations for users. Instead create groups and set the authorizations for the groups (a lot less work). Then you just add the users to the groups.
> And remember, if using JMS, that you will have to add inq to the list of authorizations needed.
> Enjoy

Not to mention that because the server is Solaris in this case, it must be done by group.
Cheers
Steve
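An added example, not part of the thread and not IBM's code, pulling together what bbburson and fjb_saper recommend above: a POSIX sh script that generates the MQSC and setmqaut commands for a least-privilege SVRCONN channel (MCAUSER pinned to a non-mqm id, authorizations granted to a group rather than a user, +inq added when the client is JMS) and flags the loophole the thread opened with (a SVRCONN with MCAUSER blank or set to mqm). All names are assumptions: queue manager QM1, channel APP.SVRCONN, OS user mqapp, OS group appgrp, queues APP.REQ and APP.REPLY. The script only prints commands for review; it does not run runmqsc or setmqaut.

```shell
#!/bin/sh
# Constructed example for the thread above; not from the original posts.
# Assumed names: QM1, APP.SVRCONN, user mqapp (NOT in group mqm), group appgrp.
# Nothing here talks to a queue manager: output is reviewed, then fed to
# "runmqsc QM1" (the ALTER line) or executed by an MQ administrator (setmqaut).

# Emit the MQSC that pins the channel to a low-privilege identity so that
# whatever id a client asserts, the MCA runs as this user instead.
# usage: mcauser_mqsc CHANNEL USER
mcauser_mqsc() {
    printf "ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('%s')\n" "$1" "$2"
}

# Emit setmqaut commands granting a GROUP (not a user; on Solaris/UNIX
# authorizations resolve to the group anyway) only what the app needs:
# connect + inquire on the queue manager, put/get/browse on named queues.
# usage: app_auths QMGR GROUP JMS(yes|no) QUEUE...
app_auths() {
    qm=$1; grp=$2; jms=$3; shift 3
    qauth="+put +get +browse"
    # JMS opens queues with MQOO_INQUIRE, so queue-level +inq is required too.
    [ "$jms" = yes ] && qauth="$qauth +inq"
    printf 'setmqaut -m %s -t qmgr -g %s +connect +inq\n' "$qm" "$grp"
    for q in "$@"; do
        printf 'setmqaut -m %s -n %s -t queue -g %s %s\n' "$qm" "$q" "$grp" "$qauth"
    done
}

# Flag the loophole discussed in the thread on a SVRCONN definition line
# (DEFINE/ALTER/DISPLAY output): MCAUSER('mqm') hands full admin rights to
# anyone who can reach the listener; a blank MCAUSER trusts whatever id the
# client asserts. Prints a verdict; returns 1 for a bad setting.
# usage: check_mcauser "DEFINE CHANNEL('X') CHLTYPE(SVRCONN) MCAUSER('y')"
check_mcauser() {
    case "$1" in
        *"MCAUSER('mqm')"*|*"MCAUSER(mqm)"*)
            echo "BAD: MCAUSER is mqm (full admin for any client that connects)"
            return 1 ;;
        *"MCAUSER('')"*|*"MCAUSER(' ')"*|*"MCAUSER( )"*)
            echo "BAD: blank MCAUSER (client-asserted identity is trusted)"
            return 1 ;;
        *"MCAUSER("*)
            echo "OK: MCAUSER set to a non-mqm id"
            return 0 ;;
        *)
            echo "BAD: no MCAUSER on SVRCONN definition"
            return 1 ;;
    esac
}

# Stand-alone run: print the hardened configuration for the assumed names.
mcauser_mqsc APP.SVRCONN mqapp
app_auths QM1 appgrp yes APP.REQ APP.REPLY
check_mcauser "DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('mqm')" || true
```

The user named in MCAUSER (mqapp here) still has to exist on the queue manager's OS, as the thread says, but it is the only OS account the applications share; individual application users never get server accounts, and the rights come from the group the generated setmqaut lines name. Add queues (or a further group) per application rather than widening the grants on appgrp.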