Authenticating the sending party
mqjeff
Posted: Thu Oct 16, 2008 6:27 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
For the thousandth time.
MCAUSER replaces whatever user is passed in.
EVERYONE who connects to that channel BECOMES the MCAUSER user.

exerk
Posted: Thu Oct 16, 2008 6:29 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Scenario:
You have a RECEIVER channel with an MCAUSER of letmein, which only has authority to PUT to a QLOCAL called NO.AUTHENTICATION.NECESSARY and the Dead-letter queue.
The original poster, sapna, creates a SENDER channel to your RCVR channel, and connects to it; the userid flowed in the channel to you is mqm (we'll assume he's on UNIX).
I create a SENDER channel to your RCVR channel, and connect to it; the userid flowed is MUSR_MQADMIN (we'll assume I'm on Windows).
What (if anything) has authenticated either of the two connections? Discuss...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Last edited by exerk on Fri Oct 17, 2008 3:05 am; edited 1 time in total

ranganathan
Posted: Thu Oct 16, 2008 6:39 am
Centurion
Joined: 03 Jul 2008 Posts: 104
I was wrong...
From info centre....
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzaf.doc/cs11910_.htm
Quote:
Access control in WebSphere MQ is based upon the user identifier associated with the process making MQI calls. For WebSphere MQ clients, the process that issues the MQI calls is the server-connection MCA. The user identifiers used by the server-connection MCA are that contained in the MCAUserIdentifier and LongMCAUserIdentifier fields of the MQCD. The contents of these fields are determined by:
Any values set by security exits
The user ID from the client
MCAUSER (in the server-connection channel definition)
Depending upon the combination of settings of the above, the user-identifier fields are set to appropriate values. If a server-connection security exit is provided, the user-identifier fields can be set by the exit. Otherwise they are determined as follows:
If the server-connection channel MCAUSER attribute is nonblank, this value is used.
If the server-connection channel MCAUSER attribute is blank, the user ID received from the client is used.
I was thinking that if we use a non blank user id as MCAUSER and if the client/app connects using different user id it will not connect...
Thanks exerk ...
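
The rule quoted from the Info Center above, applied to exerk's scenario, as an added example that is not part of the original thread and is not IBM code. It is a toy Python model: the function names, the authority table, the queue names `DLQ` and `OTHER.QUEUE`, and the exit result `verified.partner` are assumptions made for illustration, and the blank-MCAUSER branch follows the quoted server-connection rule.

```python
"""Toy model of the MCAUSER rule quoted in the thread (illustration only)."""

# Constructed authority table for exerk's scenario: 'letmein' may PUT only to
# one local queue and to the dead-letter queue ('DLQ' is a stand-in name).
AUTHORITIES = {"letmein": {"NO.AUTHENTICATION.NECESSARY", "DLQ"}}
ADMIN_IDS = {"mqm"}  # assumption: mqm is fully authorised on this queue manager


def effective_user(channel_mcauser, flowed_user, exit_user=None):
    """Return the identity that authority checks will be made against."""
    if exit_user:                    # a security exit may set the user fields
        return exit_user
    if channel_mcauser.strip():      # nonblank MCAUSER replaces the flowed ID
        return channel_mcauser
    return flowed_user               # blank MCAUSER: flowed ID is used as-is


def may_put(user, queue):
    """Authority check against the constructed table above."""
    return user in ADMIN_IDS or queue in AUTHORITIES.get(user, set())


def run_scenario(channel_mcauser, flowed_users, queues):
    """Map (flowed ID, queue) -> (effective ID, PUT allowed)."""
    result = {}
    for flowed in flowed_users:
        user = effective_user(channel_mcauser, flowed)
        for queue in queues:
            result[(flowed, queue)] = (user, may_put(user, queue))
    return result


if __name__ == "__main__":
    flowed = ["mqm", "MUSR_MQADMIN"]   # the two IDs flowed in exerk's scenario
    queues = ["NO.AUTHENTICATION.NECESSARY", "OTHER.QUEUE"]
    for mcauser in ("letmein", ""):
        print(f"MCAUSER={mcauser!r}")
        for (f, q), (u, ok) in run_scenario(mcauser, flowed, queues).items():
            print(f"  flowed={f:<13} effective={u:<13} PUT {q}: {ok}")
```

In neither setting is the flowed user ID verified: MCAUSER only decides which identity the authority check uses, so it limits what a connection can do without establishing who connected.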

sapna
Posted: Fri Oct 17, 2008 3:00 am
Novice
Joined: 14 Oct 2008 Posts: 10
Thanks for the replies. The discussion has solved my doubts on MCAUSER and SSL as well.
The reasons I was apprehensive about SSL were
1. I was under the impression it authenticates each and every message
2. We already have encryption and signing being done separately.
3. Both encryption and digital signing on our end happen using hardware. So it is unlikely that the client would agree to replace that with Software option provided by MQ.
4. I also was apprehensive about the overhead using SSL would introduce into the system.
But we still needed to authenticate the sending user because
1. To avoid a scenario like the one mentioned by exerk.
2. The Encryption happens on our end at the Router level and not at the application level.
3. The client wants some MQ level authentication apart from the application level authentication (h/w digital signing).
I will surely try out the NULL_MD5 or NULL_SHA and get back to the forum for posting the results.
Thanks and Regards,
Sapna

David.Partridge
Posted: Fri Oct 17, 2008 4:03 am
Master
Joined: 28 Jun 2001 Posts: 249
> 1. I was under the impression it authenticates each and every message
It does, but not using digital signature. If you use either the NULL_SHA, or NULL_MD5 cipherspec, then a SHA-1 or MD5 cryptographic check-sum is appended. So there is some overhead.
_________________
Cheers,
David C. Partridge

PeterPotkay
Posted: Fri Oct 17, 2008 4:06 am
Poobah
Joined: 15 May 2001 Posts: 7722
Don't forget a Security Exit can solve your problem as well.
_________________
Peter Potkay
Keep Calm and MQ On