rkford11 (Partisan) | Posted: Thu Nov 01, 2007 8:53 am | Post subject: MCA user

I have set the MCA USERID to be blank on the server connection channel. A Java application with a defined userid and password works fine, as defined with setmqaut commands, but the same Java application with a blank userid and password is able to connect to the queue manager and put & get messages from the queue, going against the defined policy. We are running MQ v6 fix pack 2 in a Unix environment. Please guide me through this.
jefflowrey (Grand Poobah) | Posted: Thu Nov 01, 2007 9:16 am

Don't set the MCAUSER to be blank.
This is a known security issue.
_________________
I am *not* the model of the modern major general.
JosephGramig (Grand Master) | Posted: Thu Nov 01, 2007 11:52 am

If you want to control this, you need both SSL and a security exit. There is a SupportPac for the exit that can do many things. You should purchase your security exit if you want support...
_________________
Joseph
Administrator - IBM WebSphere MQ (WMQ) V6.0, IBM WebSphere Message Broker (WMB) V6.1 & V6.0
Solution Designer - WMQ V6.0
Solution Developer - WMB V6.1 & V6.0, WMQ V5.3
rkford11 (Partisan) | Posted: Thu Nov 01, 2007 12:07 pm

Thanks for your replies.
But if a user is defined in the MCA attribute, an application with any user id will acquire the rights of the user defined in the MCA attribute once it hits the server connection channel. But I want only the application running with a specific USER ID to interact with the QMgr and perform operations.
Thanks
PeterPotkay (Poobah) | Posted: Thu Nov 01, 2007 12:17 pm

And if you leave it blank, anyone can connect as mqm and do whatever they want to your QM.
If you leave it blank, make sure you control who can connect in using SSL -OR- a security exit (like MQAUSX). If at that point you trust those people 100% not to do anything bad, fine. I would code the MCAUSER even then to something like USER1, and then grant that user only the access they need. Yes, that means anyone that comes over that channel is seen as USER1. If you need more granularity, give USER2 its own channel (SSL or exit protected as well) and set USER2's rights appropriately.
_________________
Peter Potkay
Keep Calm and MQ On
JosephGramig (Grand Master) | Posted: Thu Nov 01, 2007 12:19 pm

Yes, so if the MCAUSER is blank, you need SSL to ensure it is from who you expect it from. The exit is to be sure they don't present a different ID.
Even with SSL, they can still present a different ID as the user.
_________________
Joseph
Administrator - IBM WebSphere MQ (WMQ) V6.0, IBM WebSphere Message Broker (WMB) V6.1 & V6.0
Solution Designer - WMQ V6.0
Solution Developer - WMB V6.1 & V6.0, WMQ V5.3
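The replies above (Peter's "leave it blank and anyone connects as mqm; fix the MCAUSER per channel and grant that ID only what it needs", and Joseph's "even with SSL they can still present a different ID") amount to an audit rule for SVRCONN channels. The following is an added example, not code from this thread or from IBM: it parses the text runmqsc prints for a DISPLAY CHANNEL command, grades each SVRCONN channel by those rules, and emits the ALTER CHANNEL / setmqaut lines for the "one fixed MCAUSER per channel" fix. The sample output is constructed to resemble runmqsc output (the channel names, exit name and cipher are made up), and the assumption that mqm is the administrative ID is marked in the code.

```python
"""Audit SVRCONN channels for the blank-MCAUSER hole discussed in the thread.

Added example; not from the thread or from IBM. Rules applied per channel:
blank MCAUSER and no SCYEXIT lets the client assert any ID (mqm included),
and SSL alone does not change that; MCAUSER set to the admin ID hands admin
rights to every client; a fixed MCAUSER limits clients to that ID's grants.
"""
import re

# Constructed sample, roughly what
#   echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SCYEXIT SSLCIPH" | runmqsc QM1
# prints. Not a capture from a real queue manager.
SAMPLE_OUTPUT = """\
Starting MQSC for queue manager QM1.


     1 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SCYEXIT SSLCIPH
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(user1)                          SCYEXIT( )
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SCYEXIT( )
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(PARTNER.SVRCONN)                CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT(mqausx(ServerExit))
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
"""

ADMIN_IDS = {"mqm"}  # assumption: mqm is the administrative ID on this Unix server

_ATTR_START = re.compile(r"[A-Z][A-Z0-9]*\(")


def _attrs(line):
    """Yield (NAME, value) pairs from one indented runmqsc attribute line.

    Counts parentheses so a value that contains its own, as an exit spec such
    as SCYEXIT(mqausx(ServerExit)) does, is kept whole; a regex that stops at
    the first ')' would truncate it.
    """
    i = 0
    while True:
        m = _ATTR_START.search(line, i)
        if not m:
            return
        depth, j = 1, m.end()
        while j < len(line) and depth:
            depth += {"(": 1, ")": -1}.get(line[j], 0)
            j += 1
        end = j - 1 if depth == 0 else len(line)  # drop the closing ')' if present
        yield m.group(0)[:-1], line[m.end():end].strip()
        i = j


def parse_display_channel(text):
    """Return a list of {ATTR: value} dicts, one per AMQ8414 record."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414:"):
            current = {}
            records.append(current)
        elif current is not None and line.startswith("   "):
            current.update(_attrs(line))
        else:
            current = None  # any non-indented line ends the record
    return records


def assess(chan):
    """Grade one SVRCONN channel; returns (severity, reason)."""
    mcauser, scyexit, sslciph = (chan.get(k, "") for k in ("MCAUSER", "SCYEXIT", "SSLCIPH"))
    if mcauser in ADMIN_IDS:
        return "CRITICAL", "MCAUSER is %s: every client on this channel is an administrator" % mcauser
    if not mcauser and not scyexit:
        # SSL limits who can reach the channel; it does not stop a connected
        # client from asserting whatever user ID it likes when MCAUSER is blank.
        return "CRITICAL", "blank MCAUSER and no security exit: the client picks its own user ID%s" % (
            " (SSL does not change that)" if sslciph else "")
    if not mcauser:
        return "WARN", "blank MCAUSER; safety depends on %s authenticating and setting the ID" % scyexit
    if not sslciph and not scyexit:
        return "WARN", "MCAUSER fixed to %s but the channel is open: anyone reaching the listener runs as %s" % (mcauser, mcauser)
    return "OK", "MCAUSER fixed to %s; clients are limited to that ID's setmqaut grants" % mcauser


def audit(text):
    """Map channel name -> (severity, reason) for every SVRCONN in the output."""
    return {c["CHANNEL"]: assess(c)
            for c in parse_display_channel(text) if c.get("CHLTYPE") == "SVRCONN"}


def hardening_commands(qmgr, channel, mcauser, queues):
    """MQSC and setmqaut lines for one fixed MCAUSER per channel with least
    privilege per ID. The OS user must exist on the server; on Unix the OAM
    resolves a -p principal to its primary group, so many sites grant to a
    dedicated group with -g instead."""
    cmds = ["ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('%s')" % (channel, mcauser),
            "setmqaut -m %s -t qmgr -p %s +connect +inq" % (qmgr, mcauser)]
    cmds += ["setmqaut -m %s -t queue -n %s -p %s +put +get +inq" % (qmgr, q, mcauser)
             for q in queues]
    return cmds


if __name__ == "__main__":
    for name, (sev, why) in sorted(audit(SAMPLE_OUTPUT).items()):
        print("%-8s %-22s %s" % (sev, name, why))
    print("\n".join(hardening_commands("QM1", "SYSTEM.DEF.SVRCONN", "user1", ["APP.REQUEST"])))
```

Feed it the real output of `runmqsc QMGR` with the DISPLAY command above; the PARTNER.SVRCONN case shows why an exit-protected channel is graded WARN rather than OK: the script cannot see what the exit does with the asserted ID, which is exactly the gap the replies above point at.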
PeterPotkay (Poobah) | Posted: Thu Nov 01, 2007 12:24 pm

Is SSL needed if there is a proper exit in place? I don't know. I think maybe not. The exit will verify / authenticate the user. What else does SSL buy above that?
_________________
Peter Potkay
Keep Calm and MQ On
JosephGramig (Grand Master) | Posted: Thu Nov 01, 2007 12:35 pm

Well, if the exit is passing the user ID and password in encrypted form, then you are correct.
You can peek at MS0R and see if it does this (yet). It might...
It can take a user ID and password and authenticate it at the server. That means the ID must exist on the server (which is true also for the OAM to work).
Most of my text assumes you are using UNIX. (As the use of Windows would indicate security is not a concern for you.)
_________________
Joseph
Administrator - IBM WebSphere MQ (WMQ) V6.0, IBM WebSphere Message Broker (WMB) V6.1 & V6.0
Solution Designer - WMQ V6.0
Solution Developer - WMB V6.1 & V6.0, WMQ V5.3
RogerLacroix (Jedi Knight) | Posted: Thu Nov 01, 2007 1:07 pm

Hello,
Just to add my 2 cents.
SSL is good node-to-node security, but that implies a 'secure' server (limited / no access for non-essential people) and that you have a method to verify the incoming UserId.
Now, MS0R does not send anything. It is a server-side ONLY component that accepts UserId and Password in plain text from a client application that sends the info in the MQCSP structure (both client & server MQ must be at v6). MS0R can disable authentication and function just like BlockIP. Neither SupportPac / component is supported; they are issued 'AS IS'.
As Peter pointed out, if you use a true authenticating product then you do not need SSL.
If you want proper end-to-end security for MQ then you have 3 choices:
1. Capitalware's MQ Authenticate User Security Exit (MQAUSX)
2. IBM's WebSphere MQ Extended Security Edition V6
3. Primeur's Data Secure for WebSphere MQ
Note: MQAUSX works with MQ v5.2, v5.3 and v6.0 (distributed) and MQ v5.3.1 and v6.0 for z/OS. It uses 128-bit encryption to encrypt the password. MQAUSX has many, many other features (LDAP support), so please see its overview page.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.