gmabrito |
Posted: Mon Sep 30, 2002 12:00 pm Post subject: MCAUSER |
|
|
 Apprentice
Joined: 19 Mar 2002 Posts: 35
|
If the MCAUSER is set to a blank ' ', can an application use a single blank to get access to the queue manager via the svrconn channels? |
|
|
 |
dgolding |
Posted: Tue Oct 01, 2002 1:53 am Post subject: |
|
|
 Yatiri
Joined: 16 May 2001 Posts: 668 Location: Switzerland
|
If the MCAUSER is not set, then the login ID of the client side will be used. This is what authority will be checked against on the server end. Use SETMQAUT (Unix/NT/W2K) to enable MQ authority on the server end.
HTH |
|
|
 |
gmabrito |
Posted: Tue Oct 01, 2002 4:12 am Post subject: |
|
|
 Apprentice
Joined: 19 Mar 2002 Posts: 35
|
What if the login ID is a blank on the client side? |
|
|
 |
dgolding |
Posted: Tue Oct 01, 2002 5:15 am Post subject: |
|
|
 Yatiri
Joined: 16 May 2001 Posts: 668 Location: Switzerland
|
"If it is blank, the message channel agent uses its default user identifier"
in other words, what your current login ID is (on an NT client, your domain userID or your local one). |
|
|
 |
RogerLacroix |
Posted: Tue Oct 01, 2002 7:29 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
This is true for 'C', COBOL, VB, etc. MQ clients. But for Java it is different.
If the Java developer does not set the MQEnvironment.userID to a value (e.g. remains null) and if the MCA is set to blank then all MQ API calls done by the app. will be done under the MCA's UserId (e.g. mqm).
And yes, this is a great big security hole!!
later
Roger...
_________________
Capitalware: Transforming tomorrow into today.
|
|
|
 |
gmabrito |
Posted: Mon Nov 04, 2002 7:12 am Post subject: |
|
|
 Apprentice
Joined: 19 Mar 2002 Posts: 35
|
Thank you, that is what I was curious about. |
|
|
 |
fasselin |
Posted: Fri Nov 08, 2002 6:13 am Post subject: |
|
|
Newbie
Joined: 08 Nov 2002 Posts: 3
|
We're having problems plugging this big security hole. What can we do to secure the client channel?
We've tried to set the MCAUSER to blank and remove the authority of the mqm user, but what it does is that whatever the user the client application (written in JMS) uses to connect, there's an authority exception.
If we set the MCAUSER to something different than blank and that user does have access to the queue, everyone has access. If that user doesn't have access, nobody has access because the userid used to access the queue seems to always be the MCAUSER specified (independent of the user I pass when connecting in the client app).
For info, the MQSeries server is version 5.2 running on z/OS v1.2 |
|
|
 |
|