Effects of Enabling broker administration security in V8
skrv
Posted: Fri Sep 20, 2013 5:07 pm

Hi,

We have message broker at Version 8.0.0.2 and we have 30 odd applications (30 Execution groups). When we created the broker we didn't enable the broker admin security.

Systems people have notified us that during the security auditing it was found that - "Unauthorised people were able to connect to broker and were able to perform admin functions on broker" and they have asked us to address this issue.

We think that - since broker admin security is not enabled, they were able to connect to broker and we want to enable the security now.

Considering we already have 30 odd applications using broker, HOW THIS ENABLING BROKER ADMIN SECURITY NOW WILL AFFECT US and HOW THIS AFFECTS THESE APPLICATIONS?


[mqadmin@xxxxxx]/home/mqadmin>mqsireportbroker ABCD_BRK
BIP8927I: Broker Name 'ABCD_BRK'
Last mqsistart path = '/opt/IBM/mqsi/8.0'
mqsiprofile install path = '/opt/IBM/mqsi/8.0'
Work path = '/var/mqsi'
Broker UUID = 'xxxxxxxxxxxxxxxxxxxxxxxxxx'
Process id = '12345'
Queue Manager = 'ABCD'
User lil path = ''
User exit path = ''
Active user exits = ''
LDAP principal = ''
LDAP credentials = ''
ICU converter path = ''
Trusted (fastpath) Queue Manager application = 'false'
Configuration change timeout = '300' seconds
Internal configuration timeout = '60' seconds
Statistics major interval = '60' minutes
Operation mode = 'advanced'
Fixpack capability level = '' (effective level '8.0.0.1')
Broker registry format = 'v8.0'
Administration security = 'inactive'

Simbu
Posted: Fri Sep 20, 2013 8:27 pm

Please refer to the infocenter topic on Broker administration security. Also note that the effective level of your broker is still 8.0.0.1. You need to change it to the latest fixpack to avail the new features of 8.0.0.2.

Vitor
Posted: Mon Sep 23, 2013 3:25 am

skrv wrote:
HOW THIS ENABLING BROKER ADMIN SECURITY NOW WILL AFFECT US


Well for a start you'll need to ensure all the administrators now have the correct permissions to be administrators. You'll also need to develop procedures for new administrators to be added and people who are no longer administrators to be removed. IMHO now the auditors have found a security breach not only will they be checking for remediation but they'll be all over you for a while.

This is a self inflicted wound - there's no excuse for not enabling this at broker create except laziness. If the broker doesn't need to be secured (i.e. it's a development sandbox) then get an exemption from the audit function when it's built. As they've insisted security be switched on I'm assuming that it's the kind of environment that does need to be secured and shame on you (collectively) for not doing it at creation time.

(You might be looking at a broker built 6 months before you even started at the site, hence collective not personal shame)

skrv wrote:
HOW THIS AFFECTS THESE APPLICATIONS?


In theory it doesn't, but if administrative security wasn't in place and unauthorized people know this to a point where audit found out then there's a significant risk that one or more of these applications are connecting to the broker using one of the unsecured admin mechanisms because it saves them having to request proper application access via the proper procedures. So you can't assume any one of these applications will continue to function without a regression test with security in place.
_________________
Honesty is the best policy.
Insanity is the best defence.
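
Added example (not part of the thread and not IBM's code): the two findings raised in the replies, administration security left 'inactive' and an effective level that does not match the installed fix pack, checked mechanically from mqsireportbroker output. The sample report is constructed from lines quoted in the first post; the function names, and the assumption that a secured broker reports 'active', belong to this example.

```shell
#!/bin/sh
# Added example: audit the text printed by "mqsireportbroker <broker>".
# SAMPLE_REPORT is constructed, abridged from the report quoted in the thread.
SAMPLE_REPORT="BIP8927I: Broker Name 'ABCD_BRK'
Queue Manager = 'ABCD'
Operation mode = 'advanced'
Fixpack capability level = '' (effective level '8.0.0.1')
Administration security = 'inactive'"

# report_field NAME: read a report on stdin, print the value of "NAME = '...'".
report_field() {
  sed -n "s/^$1 = '\([^']*\)'.*/\1/p" | head -n 1
}

# audit_report INSTALLED_LEVEL: read one report on stdin, print one line per
# finding; the exit status is the number of findings (0 = clean).
# The body is a subshell, so its variables do not leak into the caller.
audit_report() (
  installed="$1"
  report="$(cat)"
  findings=0
  broker="$(printf '%s\n' "$report" |
    sed -n "s/^BIP8927I: Broker Name '\([^']*\)'.*/\1/p" | head -n 1)"
  sec="$(printf '%s\n' "$report" | report_field 'Administration security')"
  eff="$(printf '%s\n' "$report" |
    sed -n "s/.*(effective level '\([^']*\)').*/\1/p" | head -n 1)"

  # Assumption: a broker with admin security enabled reports 'active'.
  # Anything else, including a missing line, is treated as a finding.
  if [ "$sec" != "active" ]; then
    echo "FAIL ${broker:-?}: administration security is '${sec:-unknown}'"
    findings=$((findings + 1))
  fi
  # The effective level should match the fix pack that is installed.
  if [ -n "$installed" ] && [ "$eff" != "$installed" ]; then
    echo "WARN ${broker:-?}: effective level '${eff:-unknown}', installed '${installed}'"
    findings=$((findings + 1))
  fi
  exit "$findings"
)

# Demo on the constructed sample; on a broker host, pipe the real command in:
#   mqsireportbroker ABCD_BRK | audit_report 8.0.0.2
printf '%s\n' "$SAMPLE_REPORT" | audit_report 8.0.0.2 || true
```

Run it before and after enabling administration security so the regression test of the applications starts from a recorded baseline.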