Java Clients and Security Hole??? |
Author |
Message
|
techno |
Posted: Tue Aug 10, 2004 10:54 am Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003 Posts: 429
|
It is fine now. I restarted qmgr. It works fine now. I am sorry for the trouble.
My concern is:
If I put the userid and password of mqm (or any other user), that would be a big problem. First of all, you are disclosing the password to the client (where the code is deployed). Also, there may be a change in the password in the future. So, I need to update the password at the client side.
What should be done?
Thanks. |
|
oz1ccg |
Posted: Fri Aug 13, 2004 5:20 am Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
You don't need to give the password. It's not verified (unless you have written your own security exit).
So don't expose it!
Just my $0.02
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
|
techno |
Posted: Fri Aug 13, 2004 7:58 am Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003 Posts: 429
|
In the case of the BlockIP2 exit, it is not necessary.
In the case where I create a connection giving userid and password, the password gets exposed (qcf.createQueueConnection("mcauser", "pwd")).
Coming back to BlockIP2, I guess SSL is still needed to encrypt and decrypt the message. BlockIP2 is used to authenticate that the connection is from a known/listed IP. Am I correct here?
Thanks |
|
fjb_saper |
Posted: Fri Aug 13, 2004 11:59 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Techno, I checked
Quote: |
createQueueConnection("mcauser", "pwd")
|
The passwd could be anything and is not checked. |
|
techno |
Posted: Fri Aug 13, 2004 12:36 pm Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003 Posts: 429
|
I too checked. Password is getting verified.
$ mqver
Name: WebSphere MQ
Version: 530.5 CSD05
CMVC level: p530-05-L030926
BuildType: IKAP - (Production)
$
$ uname -a
HP-UX rdasr1 B.11.11 U 9000/800 |
|
fjb_saper |
Posted: Sat Aug 14, 2004 6:09 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Connecting in Client Mode from a 5.3 base windows (JMS) to a qmgr on unix at 5.3 CSD07 with a blank MCAUSER in the svrconn chl:
An imaginary password did not bring up any exception.
A wrong userid does. A blank userid does not.
If you connect in bindings mode, any attempt to use a userid different from the one that is running the process will get you in trouble. I have no doubt that the password gets checked in bindings mode.
Enjoy |
|