User/password authentication when using JMS/XMS
ophir azulai
Posted: Wed Jul 02, 2008 12:35 pm Post subject: User/password authentication when using JMS/XMS
Novice
Joined: 29 May 2008 Posts: 13
Hi,
I have a MQ installed in Windows or Linux which has to be accessed from Windows (JMS and XMS) and from Linux (JMS) in a secure way.
When using JMS, it is either from WAS or a J2SE application.
The installation is on a private network and sniffing is not possible.
The following is example code for how the connection should be created.
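```java
import javax.jms.QueueConnection;
import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQQueueConnectionFactory;

// Client-mode connection factory: queue manager host, listener port and SVRCONN channel
MQQueueConnectionFactory connectionFactory = new MQQueueConnectionFactory();
connectionFactory.setHostName(params[index].ip);
connectionFactory.setPort(params[index].port);
connectionFactory.setChannel(params[index].channelName);
connectionFactory.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
// User ID and password are supplied on the connect call
QueueConnection connection = connectionFactory.createQueueConnection(params[index].user, params[index].password);
connection.start();
```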
I read the MQ documentation (which is not very clear) and did a search and it seems that the authentication is done just from the user ID/name and not by the password.
It looks like you just have to connect to MQ when you are logged in as the same user defined in the MQ server (you don't have to create the connection with user/password). Can the same user with a different password on the MQ client machine connect to the MQ server?
My question is how to configure the MQ server so I could connect only if I supply the user/password when creating the connection.
Thanks in advance,
Ophir
fjb_saper
Posted: Wed Jul 02, 2008 1:36 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
A little more precision on user authorization:
You have basically 3 cases:
- java client: The user is either being set by the container J2EE JNDI JAAS setup of the qcf or by the qcf.createConnection(user,passwd) method.
- .NET managed client: see java client. However, read up on the manual; you could be in the average case.
- average case: The C code acquires the user from the OS. (Java code would need a JNI call to do that, so it is not supported from Java, hence the differences.) If you need a different user/group you should have a different channel with an mcauser set on the channel.
My guess is that with your XMS installation you are using the underlying C code and as such supply the username from the OS. Verify the XMS documentation for that.
Enjoy
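
The channel-level restriction described in the post above (a separate channel per application with MCAUSER set), as an added MQSC example that is not part of the original thread. The channel name APP1.SVRCONN and the user IDs app1usr and nobody are assumptions; setting MCAUSER fixes the identity the channel runs under, but it does not check a password.

```mqsc
* Added example. APP1.SVRCONN, app1usr and nobody are assumed names.
* Run inside runmqsc on the queue manager.

* Weak: MCAUSER is blank, so the channel runs under whatever user ID the
* client presents (the OS user, or the one given to createQueueConnection).
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER(' ') REPLACE

* Corrected: the channel always runs as app1usr, regardless of the
* user ID the client presents. One such channel per application/group.
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('app1usr') REPLACE

* Default SVRCONN channels: pin them to an ID that holds no MQ authority
* (nobody is an assumed ID), so they cannot be used with an asserted identity.
ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('nobody')
ALTER CHANNEL(SYSTEM.AUTO.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('nobody')

* Check: list every SVRCONN channel with its MCAUSER; a blank value means
* the channel still trusts the client-supplied user ID.
DISPLAY CHANNEL(*) TYPE(SVRCONN) MCAUSER
```

The ID named in MCAUSER then needs only the authorities the application requires, granted with setmqaut. Anyone who can reach the channel still gets that identity, so this limits what a connection can do rather than proving who connected.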
RogerLacroix
Posted: Wed Jul 02, 2008 7:42 pm
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
ophir azulai wrote: |
I read the MQ documentation (which is not very clear) and did a search and it seems that the authentication is done just from the user ID/name and not by the password.
...
My question is how to configure the MQ server so I could connect only if I supply the user/password when creating the connection. |
There are only 3 supported MQ security products in the market place that do full UserId and Password authentication:
- Capitalware's MQ Authenticate User Security Exit
- IBM's WebSphere MQ Extended Security Edition V6
- Primeur's Data Secure for WebSphere MQ
I'll gladly answer any questions you have related to MQAUSX and UserId & Password authentication.
Regards,
Roger Lacroix
Capitalware Inc.
ophir azulai
Posted: Wed Jul 02, 2008 9:09 pm
Novice
Joined: 29 May 2008 Posts: 13
Hi,
The XMS I used is the .NET version.
Can you please further explain what is the supported authentication in WebSphere MQ?
In particular I would like to understand if the password is also transferred to the MQ server and if the server authenticates with it?
I think that in the default installation in Windows you can connect from another computer with a different user and it will work.
Also what is the difference between the IBM's WebSphere MQ Extended Security Edition V6 and the basic version?
If there is no choice and this is needed, is there also an installation on the client side or just in the MQ server? Is XMS (.NET) supported? And does it require a change in the application?
I found the following in WebSphere QM documentation:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzaf.doc/intexttrancl.htm
"
Identification and authentication
When an application puts a message on a queue, the UserIdentifier field in the message descriptor contains a user ID associated with the application. However, there is no data present that can be used to authenticate the user ID. This data can be added by a message exit at the sending end of a channel and checked by a message exit at the receiving end of the channel. The authenticating data can be an encrypted password or a digital signature, for example.
This service might be more effective if it is implemented at the application level. The basic requirement is for the user of the application that receives the message to be able to identify and authenticate the user of the application that sent the message. It is therefore natural to consider implementing this service at the application level. For more discussion about this, see Identification and "
Thanks,
Ophir
RogerLacroix
Posted: Thu Jul 03, 2008 9:07 am
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
ophir azulai wrote: |
Can you please further explain what is the supported authentication in WebSphere MQ ? |
For a default install of WMQ, nothing.
ophir azulai wrote: |
I would like to understand if the password is also transferred to the MQ server and if the server authenticate with it ? |
For a default install of WMQ, the queue manager does not do authentication of any sort.
ophir azulai wrote: |
I think that in the default installation in Windows you can connect from other computer with a different user and it will works. |
Sure. You could be using one of the many security holes in the default install of WMQ.
ophir azulai wrote: |
Also what is the difference between the IBM's WebSphere MQ Extended Security Edition V6 and the basic version. |
It adds the missing security pieces!! Of course for a 6 figure dollar amount.
The URL is bad but the text is talking about adding message/security exits to secure your WMQ environment. Hence, that is why I originally posted the following:
RogerLacroix wrote: |
There are only 3 supported MQ security products in the market place that do full UserId and Password authentication:
- Capitalware's MQ Authenticate User Security Exit
- IBM's WebSphere MQ Extended Security Edition V6
- Primeur's Data Secure for WebSphere MQ |
Regards,
Roger Lacroix
Capitalware Inc.