MQAMS CN and user ID
KIT_INC
Posted: Mon Mar 31, 2014 5:09 am Post subject: MQAMS CN and user ID
Knight
Joined: 25 Aug 2006 Posts: 589
We are using MQAMS V7 on Linux.
I am trying to understand which user is allowed to get messages off a queue that has an AMS policy on it.
I have a policy:
DRQDT3070I Policy details:
Policy name: MY.IN.QL
Quality of protection: PRIVACY
Signature algorithm: MD5
Encryption algorithm: AES128
Signer DNs:
CN=isp,OU=store_systems,O=ABC,L=Toronto,ST=Ontario,C=CA
Recipient DNs:
CN=abc_central,OU=RX_SCN,O=ABC,L=Toronto,ST=Ontario,C=CA
Toleration : 0
Is the CN name the user ID?
Does it mean that I must have a user with ID = isp to PUT the message to the queue MY.IN.QL?
What happens if another user, say mqm, tries to put the message to MY.IN.QL?
Does it mean that I must have a user with ID = abc_central to GET the message from the queue MY.IN.QL?
What happens if another user, say mqm, tries to GET the message from MY.IN.QL?
Can the CN name be a group name? This way I do not have to create a policy for each user in the group.
fjb_saper
Posted: Mon Mar 31, 2014 6:19 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
By default the user name should match the CN. However, this is also used to impersonate a user. So if you have access to the certificate with the corresponding CN=abc labelled ibmwebspheremqabc, you might be able to impersonate user abc... this being strictly for WMQ.
Now I imagine the labelling restrictions to be somewhat different with AMS... however the baseline "your system is only as secure as its certificates are secure" still applies. If you have access to the keystore/truststore which has the relevant certificates, you should be able to read the message.
Have fun
_________________
MQ & Broker admin
KIT_INC
Posted: Mon Mar 31, 2014 9:33 am Post subject:
Knight
Joined: 25 Aug 2006 Posts: 589
I did not create the AMS policy. We just imported it. That's why I want to know if I have to create users according to what is in the CN of the DNs.
This particular implementation is using the Java interceptor. It is a JKS keystore and does not contain certificates with label ibmwebspheremqxxx. If my understanding is correct, AMS uses its own keystores specified in keystore.conf.
RogerLacroix
Posted: Mon Mar 31, 2014 1:25 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
Not to add to the complexity of your WMQ AMS setup, but you could add MQAUSX to the mix and it will handle several items:
- Keep users from impersonating another user
- Perform authentication (UserID & Password) against a target system (i.e. LDAP)
- Map an SSL UserID to a real UserID
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
fjb_saper
Posted: Mon Mar 31, 2014 7:58 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
KIT_INC wrote:
I did not create the AMS policy. We just imported it. That's why I want to know if I have to create users according to what is in the CN of the DNs.
This particular implementation is using the Java interceptor. It is a JKS keystore and does not contain certificates with label ibmwebspheremqxxx. If my understanding is correct, AMS uses its own keystores specified in keystore.conf.
You're right there. However, you need to check that the keystore / truststore contains the right certificates and that the users who are supposed to decrypt and encrypt the messages have the right keystore / truststore and have the correct access rights...
_________________
MQ & Broker admin
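Added example, not from the thread or from IBM: a Python check that parses the policy block quoted above and reports which certificate subject DNs it lets PUT (sign) and GET (decrypt). It assumes AMS matches the whole DN rather than the CN alone, and the case/whitespace normalization is this script's own choice; whether a user can really decrypt still depends on holding the private key in the keystore that keystore.conf points to.

```python
import re
# Constructed sample: the policy details block quoted in the thread.
POLICY_TEXT = """DRQDT3070I Policy details:
Policy name: MY.IN.QL
Quality of protection: PRIVACY
Signature algorithm: MD5
Encryption algorithm: AES128
Signer DNs:
CN=isp,OU=store_systems,O=ABC,L=Toronto,ST=Ontario,C=CA
Recipient DNs:
CN=abc_central,OU=RX_SCN,O=ABC,L=Toronto,ST=Ontario,C=CA
Toleration : 0
"""
DN_LINE = re.compile(r"^[A-Za-z]+=")   # a line that is an RDN sequence, not a header
DN_SECTIONS = {"signer dns": "signers", "recipient dns": "recipients"}

def normalize_dn(dn):
    """(TYPE, value) tuple, types upper-cased and whitespace stripped (assumed canonical form)."""
    parts = []
    for rdn in dn.split(","):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        parts.append((attr_type.strip().upper(), value.strip()))
    return tuple(parts)

def parse_policy(text):
    """Parse dspmqspl output: scalar headers become lower-cased keys, DN lists become normalized DNs."""
    policy, section = {"signers": [], "recipients": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DRQDT"):   # skip blanks and the message-id banner
            continue
        if DN_LINE.match(line):
            if section is None:
                raise ValueError("DN outside a DN list: " + line)
            policy[section].append(normalize_dn(line))
            continue
        key, _, value = line.partition(":")
        section = DN_SECTIONS.get(key.strip().lower())  # None for scalar headers
        if section is None:
            policy[key.strip().lower()] = value.strip()
    return policy

def roles_for(policy, subject_dn):
    """Operations the policy allows for a certificate with this subject DN.
    The whole DN must match: the same CN under a different OU gets nothing."""
    dn = normalize_dn(subject_dn)
    return {op for op, key in (("PUT", "signers"), ("GET", "recipients"))
            if dn in policy[key]}
```

Run `roles_for(parse_policy(POLICY_TEXT), "<subject DN from your JKS entry>")` for each certificate in the keystore; an OS user such as mqm is not consulted at all, which is the point of fjb_saper's answer.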