TonyK |
Posted: Fri May 20, 2005 5:02 am Post subject: newbie security question |
|
|
Newbie
Joined: 20 May 2005 Posts: 2
|
Hello,
We have a quite simple MQ infrastructure that consists of one qmgr, several channels and queues, and we would like to separate the JMS clients to give different applications different access rights. Some of the clients are running on the same box under the same user account.
So as far as I understand, there are just two standard ways to protect queues:
SSL certificates and a security exit. Is that correct?
Thank you
Tony. |
|
jefflowrey |
Posted: Fri May 20, 2005 5:18 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Neither of those protect queues.
Those are both methods of authenticating users. Queue protection is a problem of authorization.
Authorization in MQ is handled using the OAM (unless you're on z/OS).
If you have two clients running as the same user and both making BINDINGS/SERVER connections - you cannot treat them differently from an authorization point of view.
If they are using CLIENT connections, then you can treat them differently by changing what Channel they connect to.
But since both of the methods you mention only apply for client connections (since they only work on channels!), I'll assume your apps are not using Bindings.
So create a different SVRCONN channel for each distinct set of privileges you want. Assign a unique username to the MCAUSER property of the channel. Use setmqaut to assign the privileges to queue resources for that MCA user. Change the application configuration to use that server connection channel.
And use a security exit or SSL to authenticate the application to the SVRCONN channel it needs.
_________________
I am *not* the model of the modern major general. |
|
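The steps described in the reply above, as an added example that is not part of the original thread: a POSIX shell script that checks a per-application plan (each privilege set gets its own SVRCONN channel and a unique, non-administrative MCAUSER) and prints the `runmqsc`, `setmqaut` and `dspmqaut` commands for review. The queue manager, channel, user and queue names and the plan format are constructed for illustration.

```shell
#!/bin/sh
# Added example: one SVRCONN channel and one MCAUSER per privilege set.
# Queue manager, channel, user and queue names are constructed.

# Constructed plan, one application per line: channel mcauser queue authorities
PLAN='APP1.SVRCONN app1usr APP1.REQUEST +put,+inq
APP2.SVRCONN app2usr APP2.REPLY +get,+browse,+inq'

# check_plan PLAN: reject a plan that would not separate the applications.
check_plan() {
    printf '%s\n' "$1" | awk '
        NF != 4      { print "malformed (blank MCAUSER?): " $0; bad = 1; next }
        $2 == "mqm"  { print $1 ": MCAUSER is the mqm administrative ID"; bad = 1 }
        seen[$2]++   { print $1 ": MCAUSER " $2 " is shared with another channel"; bad = 1 }
        END          { exit bad + 0 }'
}

# emit_plan QMGR PLAN: print the commands for review; nothing is executed.
emit_plan() {
    qmgr=$1
    check_plan "$2" >&2 || return 1
    printf '%s\n' "$2" | while read -r chl user queue auths; do
        # Channel whose connections run under the fixed MCAUSER.
        printf '%s\n' "echo \"DEFINE CHANNEL($chl) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('$user') REPLACE\" | runmqsc $qmgr"
        # The MCAUSER needs to connect to the queue manager ...
        printf '%s\n' "setmqaut -m $qmgr -t qmgr -p $user +connect +inq"
        # ... and gets only the listed authorities on its own queue.
        printf '%s\n' "setmqaut -m $qmgr -n $queue -t queue -p $user $(printf '%s' "$auths" | tr ',' ' ')"
        # Display the resulting authorities to verify the grant.
        printf '%s\n' "dspmqaut -m $qmgr -n $queue -t queue -p $user"
    done
}

emit_plan QM1 "$PLAN"
```

On UNIX systems the OAM by default records authorities granted with `-p` against the user's primary group, so give each MCAUSER its own primary group.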
TonyK |
Posted: Mon May 23, 2005 12:18 am Post subject: |
|
|
Newbie
Joined: 20 May 2005 Posts: 2
|
Jeff,
Thank you for the reply,
That is exactly what we are going to do. I just wonder if there are other ways to authenticate the user.
Are there some standard IBM implementations of security exits for simple authentication? |
|
jefflowrey |
Posted: Mon May 23, 2005 3:00 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
TonyK wrote: |
Are there some standard IBM implementations of security exits for simple authentication? |
Not that I know of.
But a lot of people seem to like BlockIP.
And Capitalware has what seems to be a nice product.
_________________
I am *not* the model of the modern major general. |
|
PeterPotkay |
Posted: Mon May 23, 2005 12:37 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
I don't think BlockIP authenticates, other than you could set it up to only allow connections from a particular IP address. That's kinda authentication I guess, if you assume to know "who" if you know the source IP.
MQAUSX from Capitalware can be configured to prompt for an ID and password.
_________________
Peter Potkay
Keep Calm and MQ On |
|