offshore
Posted: Wed Feb 11, 2004 9:52 am Post subject: MQ Security (MMC - MQ Explorer)
Master
Joined: 20 Jun 2002 Posts: 222
All,
I downloaded a Support Pac from IBM (MS0E) that can prevent users from executing runmqsc commands. <Not installed yet>
The documentation states that it has no effect on PCF format commands.
So my question is... Does the MMC - MQ Explorer use runmqsc commands under the covers??
We have people who can modify MQ objects<because they're NT local admins> from the MMC MQ Explorer. They're not MQ Admins, so they don't need to be in there messing around with MQ settings.
I'm trying to find a practical way to try and prevent this from occurring. So if anyone else has any different approaches they're welcome to have input too. Let's just call it a brain-storming session.
Thanks,
offshore
Posted: Wed Feb 11, 2004 11:21 am Post subject:
Master
Joined: 20 Jun 2002 Posts: 222
Well,
Looks like it doesn't stop access to the MMC - MQ Explorer.
It does work well for stopping access to the runmqsc cmd line though.
The bad thing about it is you have to issue a command to start the "wrapper". That leaves the runmqsc command wide open if you have root/administrator access.
On a side note <just in case anyone is interested> it does look as though you can define user programs somehow.
I'll continue looking for another solution....
Michael Dag
Posted: Wed Feb 11, 2004 11:54 am Post subject:
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
offshore,
it is a very interesting topic!
security is one thing, auditability another.
config audit trails should be one of the improvements for the next release as it is also in the z/OS version...
unfortunately I don't know what is in the next release and our friends from IBM on this board are not allowed to discuss it.
Michael
offshore
Posted: Thu Feb 12, 2004 4:12 am Post subject:
Master
Joined: 20 Jun 2002 Posts: 222
Michael,
Yes audit trails would be great and part of MQSeries, especially on the distributed side. <NT mostly as I haven't much experience w/ the UNIX version.>
The z/OS side had good security features via RACF, ACF2 or whatever security you may have running. Currently only 2 of us can access MQ via commands or a custom menu based on CSQOREXX.
In the past we had issues with local administrators going into MQSeries via MMC and trying to troubleshoot a problem. Then after screwing everything up even more they call people who can actually fix the problem.
To me it's more of a problem that they didn't own up to "trying to fix" the problem than it is that they got into MMC - MQ Explorer. In Windows there is basically no "audit" type info like there is in z/OS with SMF data.
I noticed in the new version of WebSphere Application Server you can configure a password and assign roles to who can get into the console. <I don't care for WAS, but we have it and it absorbed the full version of MQ when Embedded Messaging is installed>, so I started reading the manuals for WAS.
WAS doesn't use MMC, but it sure would be nice to have something like that for MQ Explorer, even though I personally don't use it much anymore.
Just my $0.0000002
ediazinfante
Posted: Sat Jul 24, 2004 8:51 pm Post subject: RE: MQ Security (MMC - MQ Explorer)
Newbie
Joined: 24 Jul 2004 Posts: 6 Location: Mexico
You can restrict access to those users by configuring a user or group in the QManager with specific permissions on MQ objects, for example, inq and disp only.
Then install a security exit on the SYSTEM.ADMIN.SVRCONN that modifies the MCA_USER according to a validated user.
Check Neil Kolban's page: http://www.kolban.com/mq/Security/security.htm
This solution might help, however, it won't keep an audit trail of what everyone used. I am actually looking for any solution that does that, any suggestion is welcome.
Regards,
Enrique
fjb_saper
Posted: Sun Jul 25, 2004 7:00 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Offshore:
The easiest answer of all. Make sure that your NT Admins stick to their ethics and have them remove themselves from the mqm group.
Only MQ administrators should be in the mqm group!
just my 2 cts.
PeterPotkay
Posted: Mon Jul 26, 2004 5:09 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
Quote:
> NT Admin stick to their ethics and have them remove themselves from the mqm group.
That alone will not prevent the NT Admins from using MQExplorer, since MQ will allow any member of the Administrators group access via MQExplorer, even if they are not in the mqm group.
You have to use SSL and/or a Security Exit to prevent Windows Administrators' MQExplorer access to a QM that you want other legitimate MQ Admins to still be able to access via MQExplorer.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Mon Jul 26, 2004 10:03 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Peter is right.
We are running in a unique situation: administration is done from windows (first MMC now QPasa) but all our qmgrs run on UNIX.
If the user on Windows does not have correct authorization on UNIX (part of the mqm group or specific authorization on the qmgr), MMC displays the following message:
Access not authorized. You are not authorized to perform this operation. (AMQ4036)
(in this case the user running on Windows did not exist in Unix).
However if access is granted to the command queue and the queue manager for the group (unix security is at group level) the qmgr is wide open...
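The read-only grants ediazinfante describes above (inq and dsp only) and fjb_saper's warning that a group with access to both the command queue and the queue manager leaves the qmgr wide open both come down to which authorities each group actually holds. The following Python script is an added example, not code from this thread or from IBM: it parses records laid out like `dmpmqaut` output (the layout is assumed from the command's documented format and the sample records are constructed, not dumped from a real queue manager) and flags any group outside the expected admin groups that holds more than read-only authority on the queue manager object or on SYSTEM.ADMIN.COMMAND.QUEUE. The group names mqreaders and ntadmins are hypothetical, and the expansion of the generic names allmqi/alladm/all into individual authorities is an assumption taken from the setmqaut documentation.

```python
"""Audit MQ authority records for groups that can do more than look.

Input is text in the layout of `dmpmqaut` output (assumed format).  Anything
beyond read-only authority on the queue manager or on the command queue is
reported, because put on SYSTEM.ADMIN.COMMAND.QUEUE plus connect on the qmgr
is enough to send PCF commands, which is exactly what MQ Explorer does.
"""
import re

# What a "display only" role should hold on each object type.
READ_ONLY = {
    "qmgr": {"connect", "inq", "dsp"},
    "queue": {"browse", "get", "inq", "dsp"},
}

# Generic names accepted by setmqaut, expanded into individual authorities
# (assumption based on the setmqaut documentation).
GENERIC = {
    "allmqi": {"altusr", "browse", "connect", "get", "inq", "put", "set", "pub", "sub", "resume"},
    "alladm": {"chg", "clr", "dlt", "dsp", "ctrl", "ctrlx"},
}
GENERIC["all"] = GENERIC["allmqi"] | GENERIC["alladm"]

# Constructed sample in dmpmqaut layout; group names are hypothetical.
SAMPLE = """\
profile:     self
object type: qmgr
entity:      mqm
entity type: group
authority:   all

profile:     self
object type: qmgr
entity:      mqreaders
entity type: group
authority:   connect inq dsp

profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      ntadmins
entity type: group
authority:   allmqi dsp

profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      mqreaders
entity type: group
authority:   inq dsp
"""

FIELD = re.compile(r"^(profile|object type|entity|entity type|authority):\s*(.*)$")


def parse_records(text):
    """Split dmpmqaut-style text into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def expand(authority_words):
    """Turn 'allmqi dsp' into the full set of individual authorities."""
    out = set()
    for word in authority_words.split():
        out |= GENERIC.get(word, {word})
    return out


def audit(text, expected_admin_groups=("mqm",)):
    """Return (entity, profile, excess authorities) for every over-privileged record."""
    findings = []
    for rec in parse_records(text):
        kind = rec.get("object type")
        if kind not in READ_ONLY:
            continue
        # Only the command queue matters for this check; other queues are application data.
        if kind == "queue" and rec.get("profile") != "SYSTEM.ADMIN.COMMAND.QUEUE":
            continue
        excess = expand(rec["authority"]) - READ_ONLY[kind]
        if excess and rec["entity"] not in expected_admin_groups:
            findings.append((rec["entity"], rec["profile"], sorted(excess)))
    return findings


if __name__ == "__main__":
    for entity, profile, excess in audit(SAMPLE):
        print(f"{entity} on {profile}: remove {' '.join(excess)}")
```

Run it against real output by piping `dmpmqaut -m <QMGR>` into a file and passing that text to `audit()`; every finding is a candidate for a `setmqaut ... -remove` of the listed authorities, leaving the group with the inq/dsp profile ediazinfante describes.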
jefflowrey
Posted: Mon Jul 26, 2004 10:20 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
If you're using QPasa, you should set up and configure the QPasa security components, and shut down your queue managers for access from MQExplorer.
_________________
I am *not* the model of the modern major general.
fjb_saper
Posted: Mon Jul 26, 2004 10:55 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
We did. But we do have some old leftovers that are not at a compliant QPasa OS level (not MQ but OS level).
Still got to deal with those...
Thanks