Is an ANONYMOUS connection possible in MQ?
exerk
Posted: Sun Aug 16, 2009 11:10 am
Jedi Council. Joined: 02 Nov 2006. Posts: 6339
Bruce,
I'm having problems reconciling one of your statements, which you keep repeating.
bruce2359 wrote:
    mqm group members have explicit access to everything.
That one, no problem, and always worth stressing.
bruce2359 wrote:
    With NO setmqauts, non-mqm users have application-level (MQI or equivalent) access to all qmgrs and all objects.
But this one I do have trouble with. In my experience, by default, unless authorities are explicitly set, non-mqm users have NO access to any queue managers or objects.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
jeevan
Posted: Sun Aug 16, 2009 11:20 am
Grand Master. Joined: 12 Nov 2005. Posts: 1432
exerk wrote:
    Bruce,
    I'm having problems reconciling one of your statements, which you keep repeating.
    bruce2359 wrote:
        mqm group members have explicit access to everything.
    That one, no problem, and always worth stressing.
    bruce2359 wrote:
        With NO setmqauts, non-mqm users have application-level (MQI or equivalent) access to all qmgrs and all objects.
    But this one I do have trouble with. In my experience, by default, unless authorities are explicitly set, non-mqm users have NO access to any queue managers or objects.
exerk,
Thank you for bringing up the point I have been asking bruce about repeatedly. I do not think that this is true.
However, the following is true.
WebSphere MQ authorizes based on the user ID associated with the process that connects to it but does not authenticate that ID in any way.
• In bindings mode, that ID is an application service account (usually) which has been authenticated by the operating system.
• For any remote connection, the ID is that of the message channel agent.
– The MCA will attempt to assert an ID associated with the message or connection.
– If no such ID is available, the MCA will PUT messages with full administrative authority.
If an app comes to connect to MQ without an id, in this case the MCA connects to the qmgr and puts the message with full permission, that of mqm.
Let us discuss a scenario.
The MCAUSER is blank.
An application comes with a user id (xxx). MQ has not granted a connection and put/get message to and from a queue to any id. Let's say to any id. The qmgr has just been created and a queue has just been added. setmqaut has not been run at all.
According to you, this user can connect to the qmgr and put/get messages?
Are you sure?
Don't you agree that the MCA inserts the id which comes with the app and connects to the qmgr and puts the message with that id?
Your statement is in contradiction with the above point, and if you do not agree with this, any id can connect to MQ and put/get messages.
To me, it is not possible. It only happens when the MCAUSER is blank and the app comes to connect to MQ without any id. And if an id is not set explicitly in an app, the app comes with a blank id (this is still disputable. I am not an app expert and do not know, but one of the contributors in this discussion says that and I have to agree until I know otherwise).
In this case, this app can put/get messages. I think this is what is happening in our case. But if the app comes with an id, it can not connect without granting it permission to connect and put/get messages.
Last edited by jeevan on Thu Oct 01, 2009 9:35 pm; edited 1 time in total
bruce2359
Posted: Sun Aug 16, 2009 12:45 pm
Poobah. Joined: 05 Jan 2008. Posts: 9472. Location: US: west coast, almost. Otherwise, enroute.
Quote:
    But this one I do have trouble with. In my experience, by default, unless authorities are explicitly set, non-mqm users have NO access to any queue managers or objects.
I am corrected here. I did a quick test on Windows, MQv7, new qmgr, new queue, new non-admin user, 2035. What was I thinking? What was I smoking?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
Posted: Sun Aug 16, 2009 1:24 pm
Jedi Council. Joined: 02 Nov 2006. Posts: 6339
bruce2359 wrote:
    Quote:
        But this one I do have trouble with. In my experience, by default, unless authorities are explicitly set, non-mqm users have NO access to any queue managers or objects.
    I am corrected here. I did a quick test on Windows, MQv7, new qmgr, new queue, new non-admin user, 2035. What was I thinking? What was I smoking?
Don't know, but may I have some please?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
jeevan
Posted: Mon Aug 24, 2009 8:18 am
Grand Master. Joined: 12 Nov 2005. Posts: 1432
exerk wrote:
    bruce2359 wrote:
        Quote:
            But this one I do have trouble with. In my experience, by default, unless authorities are explicitly set, non-mqm users have NO access to any queue managers or objects.
        I am corrected here. I did a quick test on Windows, MQv7, new qmgr, new queue, new non-admin user, 2035. What was I thinking? What was I smoking?
    Don't know, but may I have some please?
I understand this. If there is no MCAUSER set on the channel, and if the application is not sending any user id, MQ (the MCA in fact) can/will make an anonymous connection and put/get messages with the full authority of the id the MCA is running under.
Once we have MCAUSER set up, any userid or blank userid, the MCA will replace that with the MCAUSER. Isn't that again dangerous? Although the MCAUSER is restricted to only accessing the queues: putting/getting/browsing queue messages?
Is there any way to tell MQ (the MCA) to allow if the incoming user is such and such and not allow if the user is blank or not in the list?
Last edited by jeevan on Thu Oct 01, 2009 9:25 pm; edited 1 time in total
exerk
Posted: Mon Aug 24, 2009 8:40 am
Jedi Council. Joined: 02 Nov 2006. Posts: 6339
jeevan wrote:
    ...Is there any way to tell MQ (the MCA) to allow if the incoming user is such and such and not allow if the user is blank or not in the list?
If the MCAUSER attribute is populated, it doesn't matter what user is passed, or whether it is blank; the 'value' will be overridden by the MCAUSER set. If you want to do different things for different users use an exit, BlockIP2 for example, or a commercial offering from the likes of CapitalWare.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
bruce2359
Posted: Mon Aug 24, 2009 10:08 am
Poobah. Joined: 05 Jan 2008. Posts: 9472. Location: US: west coast, almost. Otherwise, enroute.
If MCAUSER() is non-blank, the MCAUSER(name) is used as a surrogate for authorization to open and put the message into the destination queue (or DLQ).
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
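The two posts above (MCAUSER overriding whatever ID the client presents, and a blank MCAUSER letting the MCA's own ID stand in) suggest an admin check that the thread never spells out. The script below is an added example, not code from the thread or from IBM: it scans constructed `DISPLAY CHANNEL` output for SVRCONN/RCVR channels whose MCAUSER is blank or is mqm, and prints the MQSC and setmqaut commands that pin one channel to a dedicated non-mqm ID with only the authorities an application needs. Queue manager, channel, queue and user names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit channel MCAUSER settings and emit
# least-privilege hardening commands. All object and user names are made up.

# Constructed runmqsc output, as DISPLAY CHANNEL(*) CHLTYPE MCAUSER would print it.
SAMPLE_DISPLAY='AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(LOCKED.SVRCONN)                 CHLTYPE(SVRCONN)
   MCAUSER(appsvc)
AMQ8414: Display Channel details.
   CHANNEL(FROM.OTHER.QMGR)                CHLTYPE(RCVR)
   MCAUSER( )'

# Read DISPLAY CHANNEL output on stdin; print "name type reason" for each
# SVRCONN/RCVR channel whose MCAUSER is blank (the inbound or MCA ID is used
# as-is) or is mqm (every connection on it is fully privileged).
find_risky_channels() {
    awk '
    /CHANNEL\(/ { match($0, /CHANNEL\([^)]*\)/); name = substr($0, RSTART + 8, RLENGTH - 9) }
    /CHLTYPE\(/ { match($0, /CHLTYPE\([^)]*\)/); type = substr($0, RSTART + 8, RLENGTH - 9) }
    /MCAUSER\(/ {
        match($0, /MCAUSER\([^)]*\)/); u = substr($0, RSTART + 8, RLENGTH - 9)
        gsub(/ /, "", u)
        if (type == "SVRCONN" || type == "RCVR") {
            if (u == "")         print name, type, "BLANK_MCAUSER"
            else if (u == "mqm") print name, type, "ADMIN_MCAUSER"
        }
    }'
}

audit_sample() { printf '%s\n' "$SAMPLE_DISPLAY" | find_risky_channels; }

# Commands that fix one SVRCONN: force every connection on it to run as a
# dedicated non-mqm ID, then grant that ID only connect/inquire on the queue
# manager and put/get/inquire on a single application queue.
hardening_commands() {  # args: qmgr channel queue user
    printf "echo \"ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('%s')\" | runmqsc %s\n" "$2" "$4" "$1"
    printf "setmqaut -m %s -t qmgr -p %s +connect +inq\n" "$1" "$4"
    printf "setmqaut -m %s -n %s -t queue -p %s +put +get +inq\n" "$1" "$3" "$4"
}

audit_sample
hardening_commands QM1 APP.SVRCONN APP.REQUEST appsvc
```

On a live system replace the constructed sample with `echo "DISPLAY CHANNEL(*) CHLTYPE MCAUSER" | runmqsc QMGR | find_risky_channels`; the audit only reads, the hardening lines are printed for review rather than executed.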
jeevan
Posted: Tue Sep 22, 2009 8:39 pm
Grand Master. Joined: 12 Nov 2005. Posts: 1432
bruce2359 wrote:
    Quote:
        But this one I do have trouble with. In my experience, by default, unless authorities are explicitly set, non-mqm users have NO access to any queue managers or objects.
    I am corrected here. I did a quick test on Windows, MQv7, new qmgr, new queue, new non-admin user, 2035. What was I thinking? What was I smoking?
Recently, I had a situation such that a Tibco client (JMS compliant) could not connect to the queue manager. We tried with and without passing a user id (passing the user while creating the connection factory) but it failed in both situations. When I asked the Tibco folks what the Tibco process was running under, and authorised that id to the qmgr, it worked.
I am not an application expert. When it is an MQ client using the same MQ library (jar files), whether it is Tibco or Java/JMS, shouldn't it be the same and consistent that when a user is not passed, it would be able to connect to the qmgr?
http://www.mqseries.net/phpBB2/viewtopic.php?t=50812
Is there any difference when the app is written in the base Java API or JMS? Or any JMS compliant client such as Tibco?
If not, when the app was written in Java and no id was set, it connected to the qmgr and put/get messages without any problem, which we already discussed, but when the client was written in Tibco, it needed the id which the Tibco process was running under to be authorised.
Note: In both cases, we do not have MCAUSER set on the channel.
Last edited by jeevan on Wed Sep 23, 2009 8:06 am; edited 2 times in total
fjb_saper
Posted: Tue Sep 22, 2009 10:00 pm
Grand High Poobah. Joined: 18 Nov 2003. Posts: 20756. Location: LI,NY
No, but it makes a huge difference whether the application is connecting in server mode (bindings) or in client mode.
It also makes a difference whether the application is using a container authorization (JAAS).
Have fun
_________________
MQ & Broker admin
jeevan
Posted: Tue Sep 22, 2009 10:08 pm
Grand Master. Joined: 12 Nov 2005. Posts: 1432
fjb_saper wrote:
    No, but it makes a huge difference whether the application is connecting in server mode (bindings) or in client mode.
    It also makes a difference whether the application is using a container authorization (JAAS).
    Have fun
First, my understanding was that bindings mode can be used only when the client resides on the same server as the MQ queue manager. That means the client is local to the queue manager.
Second, isn't JAAS only used with WAS, or at least with a Java compliant app server? In our cases, the first when I had the problem of the application connecting without an id, and the second when the application could not connect without an id, the applications are connecting to MQ directly, not through WAS or any container.
jazzu
Posted: Mon Oct 12, 2009 4:38 am
Newbie. Joined: 12 Oct 2009. Posts: 5
So as I understood, you need to be in the MQ users group, so you still need to be authenticated. Is that correct?
fjb_saper
Posted: Mon Oct 12, 2009 4:44 am
Grand High Poobah. Joined: 18 Nov 2003. Posts: 20756. Location: LI,NY
jazzu wrote:
    So as I understood, you need to be in the MQ users group, so you still need to be authenticated. Is that correct?
Not quite. Authentication and authorization are 2 different concepts.
Being in the mqm group gives you all authorizations.
MQ does not care about authentication. That is a function of your OS/SSL.
MQ will work with SSL and may require you to provide some authentication in SSL.
Enjoy
_________________
MQ & Broker admin
PeterPotkay
Posted: Mon Oct 12, 2009 5:29 am
Poobah. Joined: 15 May 2001. Posts: 7722
Security Exits can also provide authentication functionality for MQ.
_________________
Peter Potkay
Keep Calm and MQ On