dude1
Posted: Mon Jun 09, 2008 9:06 am Post subject: Anonymous User authentication for MQ servers...
Novice
Joined: 20 Feb 2007 Posts: 10
Hello there...
I am not a great MQ person... But I need some information...
I searched this forum... but I want to make sure if my understanding is correct... if not, hoping one of you experts can throw some knowledge on me about this.
We have an IBM MQ server... Windows box, V6.0
We have a different company (client) who wants to connect to our server... and get the message...
They have a UNIX box... everything went fine... until the authentication issue popped up...
They have a system which cannot enter user name and password... so they need to access our MQ server anonymously...
My Q manager settings...
Q manager is set with just one server connection channel...
Two local Qs... and the client accesses us over the Internet
My MCA user is blank in the Server-Connection channel property page...
This means the channel does not have any authentication...
As far as my knowledge goes... for MQ server... it authenticates with the system logged in username and password... (Windows log in info)
but they diff need anonymous authentication...
I read that if we buy and install Security exit for the MQ server... it gives the capability to allow anonymous authentication... but is there any way we can do so... without buying this Capitalware product...??
Any help is appreciated...
fjb_saper
Posted: Mon Jun 09, 2008 1:49 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Use SSL and set an MCAUser on the channel.
This will restrict what they can do to the MCAUser on the channel. All svrconn channels on that box need to be secured...
You can also choose to use MQIPT. Same deal about SSL and an MCAUser on the channel.
Enjoy
_________________
MQ & Broker admin
RogerLacroix
Posted: Wed Jun 11, 2008 8:31 pm Post subject: Re: Anonymous User authentication for MQ servers...
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
dude1 wrote:
> As far as my knowledge goes... for MQ server... it authenticates with the system logged in username and password... (Windows log in info)
This is not correct. The default setup of MQ does NOT authenticate a connection.
dude1 wrote:
> I read that if we buy and install Security exit for the MQ server... it gives the capability to allow anonymous authentication... but is there any way we can do so... without buying this Capitalware product...??
You could buy Primeur's product or IBM ESE product or use SSL.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
vinbud117
Posted: Thu Jun 12, 2008 4:36 am
Acolyte
Joined: 22 Jul 2005 Posts: 61
Until you set up the MQIPT or SSL, I would suggest you set the MCAUSER and use setmqaut to provide necessary access to the MCAUSER id.
RogerLacroix
Posted: Thu Jun 12, 2008 9:07 am
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
vinbud117 wrote:
> set the MCAUSER and use setmqaut to provide necessary access to the MCAUSER id.
People suggest this all the time but it is NOT security.
I.e. Default MQ security is like having all the doors and windows in your house wide open. Now you decide to close all the windows / doors that face North.
Anyone, anytime, can access those queues and do whatever they want and nobody will know.
Regards,
Roger Lacroix
Capitalware Inc.
HubertKleinmanns
Posted: Thu Jun 12, 2008 11:19 pm
Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
RogerLacroix wrote:
> Hi,
> vinbud117 wrote:
>> set the MCAUSER and use setmqaut to provide necessary access to the MCAUSER id.
> People suggest this all the time but it is NOT security.
> I.e. Default MQ security is like having all the doors and windows in your house wide open. Now you decide to close all the windows / doors that face North.
> Anyone, anytime, can access those queues and do whatever they want and nobody will know.
> Regards,
> Roger Lacroix
> Capitalware Inc.
Roger,
very nice explanation.
Dude1,
securing a door without buying a lock is very difficult.
_________________
Regards
Hubert
frodon
Posted: Fri Jun 20, 2008 1:06 pm
Newbie
Joined: 06 Jun 2008 Posts: 4 Location: Luxemburg
Setting MCAUSER to a dedicated user and giving appropriate authorities via setmqaut to restrict access to only the queues needed is the right approach! ... but only if you are using
1) SSL, which permits to certify and authenticate the connecting partner
2) Using SSLPEER to restrict the use of only one certificate being able to be used to access this channel.
Then you are guaranteed that the user/application using the channel is the authorised one and no other one can access the same channel.
Regards.
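A check for the conditions frodon lists, as an added example that is not part of the thread: it parses runmqsc `DISPLAY CHANNEL` output and flags SVRCONN channels that have a blank MCAUSER, no SSLCIPH, or no SSLPEER. The sample output, channel names, user id, CipherSpec choice and DN are constructed, and the SSLCAUTH(REQUIRED) check is an addition the thread does not mention.

```python
import re

# Constructed runmqsc output (invented channel names, user id and DN) for:
#   DISPLAY CHANNEL(*) TYPE(SVRCONN) MCAUSER SSLCIPH SSLCAUTH SSLPEER
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(REQUIRED)
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(PARTNER.SVRCONN)                CHLTYPE(SVRCONN)
   MCAUSER(partnerid)                      SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)   SSLPEER(CN=partner-app,O=Example Client)
AMQ8414: Display Channel details.
   CHANNEL(HALF.DONE.SVRCONN)              CHLTYPE(SVRCONN)
   MCAUSER(partnerid)                      SSLCAUTH(OPTIONAL)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)   SSLPEER( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # NAME(value) pairs as runmqsc prints them

def parse_channels(text):
    """Split runmqsc output into one {attribute: value} dict per SVRCONN channel."""
    blocks = ({k: v.strip() for k, v in ATTR.findall(b)} for b in text.split("AMQ8414:")[1:])
    return [a for a in blocks if a.get("CHLTYPE") == "SVRCONN"]

def audit(text):
    """Return {channel: [findings]} for channels missing one of the conditions."""
    report = {}
    for ch in parse_channels(text):
        findings = []
        if not ch.get("MCAUSER"):
            findings.append("MCAUSER blank: channel runs under the id the client sends")
        if not ch.get("SSLCIPH"):
            findings.append("SSLCIPH blank: no SSL, partner is not authenticated")
        elif ch.get("SSLCAUTH") != "REQUIRED":
            findings.append("SSLCAUTH not REQUIRED: client certificate is not demanded")
        if not ch.get("SSLPEER"):
            findings.append("SSLPEER blank: any accepted certificate can use the channel")
        if findings:
            report[ch["CHANNEL"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, *findings, sep="\n  ")
```
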
PeterPotkay
Posted: Fri Jun 20, 2008 1:15 pm
Poobah
Joined: 15 May 2001 Posts: 7722
frodon wrote:
> Setting MCAUSER to a dedicated user and giving appropriate authorities via setmqaut to restrict access to only the queues needed is the right approach! ... but only if you are using
> 1) SSL, which permits to certify and authenticate the connecting partner
> 2) Using SSLPEER to restrict the use of only one certificate being able to be used to access this channel.
3) or you use a Security Exit instead of SSL.
_________________
Peter Potkay
Keep Calm and MQ On