scravr
Posted: Fri Mar 26, 2010 5:18 am Post subject: Access from MQExplorer to UNIX QM
I have MQ/MB, both V7, installed on Solaris with a configuration of 3 QMs (DEV, UAT, PROD).
For UAT and PROD I revoke access from all users by creating a new UNIX group named dvlpr and associating all users with that group.
Then I issued this for both QMs:
setmqaut -m uatqm -t qmgr -g dvlpr +none
setmqaut -m prdqm -t qmgr -g dvlpr +none
That way I am hoping to prevent any kind of access/connection to both QMs from anyone who is not in the mqm/mqbrkrs UNIX groups.
For DEV (in addition to the default SYSTEM.ADMIN.SVRCONN, SYSTEM.BKR.CONFIG, and SYSTEM.DEF.SVRCONN that do not have an MCA user ID attached to them)
I created a new SVRCONN channel named SYSTEM.DVLPR.SVRCONN and put the UNIX dvlpr group on the MCA user ID.
I also gave the following access to the dvlpr group on the QM:
setmqaut -m DEVQM -t qmgr -g dvlpr +none
setmqaut -m DEVQM -t qmgr -g dvlpr +connect +inq
setmqaut -m DEVQM -n SYSTEM.DVLPR.SVRCONN -t channel -g dvlpr +dsp +ctrl
setmqaut -m DEVQM -n DLQ.DEVQM -t queue -g dvlpr +get +put
setmqaut -m DEVQM -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g dvlpr +browse +get +inq +dsp
In addition, I gave dvlpr access to application queues, and a variety of SYSTEM.BROKER... queues.
All 3 QMs have SSL requirements. Users do not have SSL on their Windows box.
1. I am not sure what is missing, but users in the dvlpr group get an access permission error while connecting from MQExplorer. Any ideas what is missing?
2. Do I need to give dvlpr access to the DEVQM listener, and/or other QM objects?
3. Am I 100% safe that no one can access the UAT and PROD QMs?
Please advise,
Thanks - Moshe
lancelotlinc
Posted: Fri Mar 26, 2010 5:26 am Post subject:
A configuration many of my clients use is putting each of your three QM instances on separate hardware on separate network segments and requiring authentication to a firewall to access each. Just don't give developers the ability to authenticate to the QA or PROD firewalls.
Placing the 3 QMs on the same server is not 100% guaranteed to deny access to those you don't want to access PROD, nor would it pass HIPAA or PCI compliance audits.
scravr
Posted: Fri Mar 26, 2010 5:57 am Post subject: Access from MQExplorer to UNIX QM
Does anyone have any real ideas?

lancelotlinc
Posted: Fri Mar 26, 2010 6:13 am Post subject:
Hi Moshe,
Based on your second question, what is the point of the exercise then if you are not choosing to secure your installation? Why do this, or what is the desired benefit? Putting all three QMs on the same system does nothing to secure the interaction between them?
Sirlancelotlinc
Rorqual qualified.

scravr
Posted: Fri Mar 26, 2010 6:23 am Post subject: Access from MQExplorer to UNIX QM
Current hardware limitations have the 3 QMs on a single UNIX box. This may change in the future.
No one can access QA and PROD since they are not in the mqm group. This is why I posted question #3.

Vitor
Posted: Fri Mar 26, 2010 6:28 am Post subject: Re: Access from MQExplorer to UNIX QM
scravr wrote:
> 1. I am not sure what is missing, but users in the dvlpr group get an access permission error while connecting from MQExplorer. Any ideas what is missing?
It's a question of at what point the access error is coming out; which call and which object.
scravr wrote:
> 2. Do I need to give dvlpr access to the DEVQM listener, and/or other QM objects?
Clearly. I think you're at least one queue short. Is it your intention to give the developers full access or read-only access to the queue manager?
scravr wrote:
> 3. Am I 100% safe that no one can access the UAT and PROD QMs?
They're only as secure as any 2 queue managers. Your phrase:
scravr wrote:
> I revoke access from all users
is a little misleading; you're removing all queue manager access from the dvlpr group. That's not all users nor all access.
_________________
Honesty is the best policy.
Insanity is the best defence.
scravr
Posted: Fri Mar 26, 2010 8:07 am Post subject:
How can I find where it goes wrong on the Windows side and/or the UNIX side?
Developers should have +connect +inq on the QM, and put/get on a few specific application queues + the required Broker queues. No access to the COMMAND queue.
Vitor wrote:
> ...is a little misleading; you're removing all queue manager access from the dvlpr group. That's not all users nor all access.
What other access should be revoked?
In addition to setmqaut -m PRODQM -t qmgr -g dvlpr +none
should I revoke access to channels, listener, ... ?
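An added example, not code from the thread: a small audit helper that parses dmpmqaut-style output for a queue manager and flags authority records for the developer group that exceed the policy described above (on DEV: +connect +inq on the qmgr, put/get on application queues, nothing on the command queue; on UAT/PROD: nothing at all). The record layout ("profile:/object type:/entity:/entity type:/authority:" blocks, with "self" as the qmgr profile) and the sample records are assumed and constructed, not taken from the poster's system.

```python
import re

# Constructed sample in dmpmqaut's layout (assumed: one blank-line-separated record each).
SAMPLE_DEVQM = """\
profile:     self
object type: qmgr
entity:      dvlpr
entity type: group
authority:   connect inq

profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      dvlpr
entity type: group
authority:   put
"""
QMGR_ALLOWED = {"connect", "inq"}                     # what the thread allows developers on the qmgr
QUEUE_ALLOWED = {"put", "get", "browse", "inq", "dsp"}  # application/reply queue authorities

def parse_dmpmqaut(text):
    """Split dmpmqaut output into one dict per authority record; '+none' becomes an empty set."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.strip():
            continue
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        rec["authority"] = set(rec.get("authority", "").split()) - {"none"}
        records.append(rec)
    return records

def audit(text, group, production=False):
    """Return findings for records of `group` that exceed the developer policy; [] means clean."""
    findings = []
    for rec in parse_dmpmqaut(text):
        if rec.get("entity") != group or rec.get("entity type") != "group":
            continue
        obj, prof, auth = rec.get("object type"), rec.get("profile", ""), rec["authority"]
        if production and auth:                          # UAT/PROD: the group should hold nothing
            findings.append(f"{prof} ({obj}): {sorted(auth)} granted on a non-DEV QM")
        elif obj == "qmgr" and auth - QMGR_ALLOWED:
            findings.append(f"qmgr: extra authorities {sorted(auth - QMGR_ALLOWED)}")
        elif obj == "queue" and prof.startswith("SYSTEM.ADMIN.COMMAND"):
            findings.append(f"{prof}: command queue must not be granted to {group}")
        elif obj == "queue" and auth - QUEUE_ALLOWED:
            findings.append(f"{prof}: extra authorities {sorted(auth - QUEUE_ALLOWED)}")
    return findings
```

Feed it the real output of dmpmqaut -m DEVQM (or the UAT/PROD queue managers with production=True) to confirm the setmqaut commands produced exactly the intended records and nothing more.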
Vitor
Posted: Fri Mar 26, 2010 8:50 am Post subject:
scravr wrote:
> How can I find where it goes wrong on the Windows side and/or the UNIX side?
Enable security events. Don't forget to switch them off again once you've found the problem.
scravr wrote:
> What other access should be revoked?
> In addition to setmqaut -m PRODQM -t qmgr -g dvlpr +none
> should I revoke access to channels, listener, ... ?
Well, how many other groups are there on the Unix machine?
Securing a queue manager involves a few steps, documented & discussed at some length in here. A lot will depend on how far you want to go, and how good external security controls (e.g. box logons, group membership, etc.) are.
_________________
Honesty is the best policy.
Insanity is the best defence.
scravr
Posted: Tue Mar 30, 2010 6:05 am Post subject: Access from MQExplorer to UNIX QM
Is there any easy way to delete/remove a specific message from SYSTEM.AUTH.DATA.QUEUE on a QM V7?
It looks like -remove does not work on -t qmgr.
What tool can be used?