A security exposure..... ideas?!
GEMO!
Posted: Fri Mar 10, 2006 5:27 am    Post subject: A security exposure..... ideas?!

Apprentice

Joined: 08 Oct 2004
Posts: 33
Location: This World

I want to ask what suggestions there are about the following security issue.

I think I have an exposure in my systems, because we are using the SYSTEM.DEF.SVRCONN and SYSTEM.ADMIN.SVRCONN, because anyone can connect to a QMgr just by trying to guess the hostname and listener port. It may take them a few tries, but it's not hard. Moreover, we have assigned the MCA UserId of mqm to the channel, so it has full privileges. So anyone can inject a command and have it honored.

What do you think about the steps that I'm thinking of taking:

Create a CLNT.<QMgr>, CLNT1.<QMgr> and CLNT2.<QMgr> on each of the QMgrs. On UNIX assign the UserId of staff and on Intel create a local group of mqusers and UserId mcauser. Then grant STAFF and MQUsers access rights to all non-system queues.

Once all the accesses have been converted over to the new channels, we can disable (not delete) the SYSTEM.XXXXX.SVRCONN. In this way we secure the systems.
Comments, thoughts....

Cheers!
_________________
GEMO!
sandiksk
Posted: Fri Mar 10, 2006 5:50 am

Centurion

Joined: 08 Jun 2005
Posts: 133

I found this link yesterday, just some info about security

http://www.sjg-enterpriseintegration.com/closingmqholes.asp
jefflowrey
Posted: Fri Mar 10, 2006 5:58 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

I would, instead, set the MCAUser on the SYSTEM.DEF.SVRCONN channel to a user that doesn't exist, and then enable SSL on SYSTEM.ADMIN.SVRCONN, assuming your administration tools can support SSL on that channel.

Better still is to put the servers behind a firewall, and only allow access to the listener port from specific machines.
_________________
I am *not* the model of the modern major general.
RogerLacroix
Posted: Fri Mar 10, 2006 9:14 am

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,

Here's a post I wrote a while ago that explains the security hole and how it works:
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842

And to expose the security hole with non-Java programs, here's another explanation by me:
http://www.mqseries.net/phpBB2/viewtopic.php?t=21782


Now, if you would like a vendor product to close the security holes, Capitalware offers 2 solutions:
- MQ Authenticate User Security Exit
- MQ Standard Security Exit

If you have any questions or comments, you can email me or post them in the Capitalware forum here at MQSeries.net

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
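
A defensive check for the channel settings discussed in this thread, as an added example that is not part of any post here: it parses `DISPLAY CHANNEL` output from runmqsc and flags SVRCONN channels whose MCAUSER is blank or mqm, or that have no SSL CipherSpec. The sample output is constructed, its layout is an assumption, and the names CLNT.QM1 and mcauser are hypothetical.

```python
import re

# Constructed sample of `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH`
# output from runmqsc (layout assumed; CLNT.QM1 and mcauser are hypothetical).
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(CLNT.QM1)                       CHLTYPE(SVRCONN)
   MCAUSER(mcauser)                        SSLCIPH(TRIPLE_DES_SHA_US)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # KEY(VALUE) pairs, two per line
ADMIN_IDS = {"mqm"}  # user ID the thread describes as having full privileges

def parse_channels(text):
    """Split runmqsc output into one attribute dict per SVRCONN channel."""
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # start of a new channel record
            channels.append({})
        elif channels:
            for key, value in ATTR.findall(line):
                channels[-1][key] = value.strip()
    return [c for c in channels if c.get("CHLTYPE") == "SVRCONN"]

def audit(text):
    """Return {channel: [findings]} for channels with weak settings."""
    report = {}
    for chl in parse_channels(text):
        findings = []
        user = chl.get("MCAUSER", "")
        if not user:
            findings.append("blank MCAUSER: client-supplied user ID is trusted")
        elif user.lower() in ADMIN_IDS:
            findings.append("MCAUSER is an MQ administrator")
        if not chl.get("SSLCIPH", ""):
            findings.append("no SSLCIPH: channel does not use SSL")
        if findings:
            report[chl["CHANNEL"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```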