ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » Windows Client to z Host security

Post new topic  Reply to topic
 Windows Client to z Host security « View previous topic :: View next topic » 
Author Message
SB
PostPosted: Tue Aug 31, 2004 12:44 pm    Post subject: Windows Client to z Host security Reply with quote

Newbie

Joined: 30 Aug 2004
Posts: 2
We are investigating the implementation of security to control appropriate access from Windows Clients to queues on a z host QMGR. It looks like the solution involves a combination of queue level security, including specific MCAUSERs in the Server Connection channel, plus SSL. If you stick with this client/host MQ configuration, are there any other better options?

The Windows Clients use JAVA programs.

Thanks

Last edited by SB on Wed Sep 01, 2004 5:04 am; edited 1 time in total
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Aug 31, 2004 2:11 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
You do not specify whether your windows clients will use Java or C to connect. With the C model all you should really need is to setup your authorization on MQ.
Remember anybody accessing queues will also need access to the qmgr.

Don't know enough about the RACF and security on the MF to be of more help. You'll need to talk to a mainframe expert there.

Enjoy
Back to top
View user's profile Send private message Send e-mail
EddieA
PostPosted: Tue Aug 31, 2004 3:47 pm    Post subject: Reply with quote

Jedi

Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles
If you have a value for MCAUSER in the SVRCONN channel, then every connection through that channel will use that userID, unless you write a security exit.

Cheers,
_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Tue Aug 31, 2004 4:26 pm    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7722
Quote:

You do not specify whether your windows clients will use Java or C to connect. With the C model all you should really need is to setup your authorization on MQ.


Yes, Java apps make it very easy to send any ID, or no ID at all, which then defaults to the ID that started the channel on the QM side. And yes, C apps, or any apps beside Java, do force the the actual logged ID over.

But since anyone can create a use called mqm on their Windows machine and run their app as mqm, it is not wise to rely on the logged on IDs of Windows machines for Authentication purposes. Never leave your MCAUSER blank on a SVRCONN channel unless you also have SSL and or a security exit.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » Windows Client to z Host security
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
  
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.