Different users execute fteCreateTransfer with TLS?
toshi78
Posted: Wed Dec 13, 2017 2:13 am | Post subject: Different users execute fteCreateTransfer with TLS?
Newbie | Joined: 04 May 2012 | Posts: 9 | Location: Germany
Hi all,
I have a question regarding MFT and security. Yes, of course I checked the internet to find a solution but wasn't successful. That's why I decided to ask you.
First I would like to describe our setup. We have a hub-and-spoke topology. At the hub the coordination qmgr is running, and at several node qmgrs we are running command and agent qmgrs.
Agents are running under user "mqm" in Linux environments. They connect to the agent and command qmgrs via SVRCONN channels secured with TLS. We have also defined CHLAUTH records to map SSLPEERNAME "CN=mqm,..." to local user "mft" at the agent qmgr and set limited OAM rights for this user, respectively its primary group.
We only use MFT for message-to-file and file-to-message transfers. Usually we use resource monitors to trigger the transfers and we never had any problems.
Now we have a new requirement that an application wants to execute fteCreateTransfer commands by itself. The application is running under user "admrun". How does this work?
My thoughts:
I don't think that it's possible to execute fteCreateTransfer as "admrun", as the SVRCONN channels are secured with TLS and we only have a Java keystore for user "mqm". Is it possible to use its own JKS for "admrun" and add the credentials to the property files and MQMFTCredentials.xml?
In other words... is it possible to run an MFT agent as user "mqm" but submit transfers as another user while using client connections with TLS?
Cheers,
Toshi
fjb_saper
Posted: Wed Dec 13, 2017 5:06 am
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
Have you tried having the application use a different channel for its file transfers? i.e. different channel authentication records...
zpat
Posted: Wed Dec 13, 2017 6:08 am
Jedi Council | Joined: 19 May 2001 | Posts: 5866 | Location: UK
Easy enough to copy the JKS and rename the certificate label.
toshi78
Posted: Thu Dec 14, 2017 4:01 am
Newbie | Joined: 04 May 2012 | Posts: 9 | Location: Germany
Thanks for the responses but with both I don't know what to do. I think I need to be more precise.
This is our setup. I've obfuscated the internal qmgr names, agent names and IP addresses.
Definitions at Agent Qmgr / Command Qmgr:
-----------------------------------------
DEF CHL(MFT.QMGR) CHLTYPE(SVRCONN) MCAUSER('%%%') SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA)
SET CHLAUTH(MFT.QMGR) TYPE(BLOCKUSER) DESCR('enable MQ Admin') USERLIST('nobody') WARN(NO)
SET CHLAUTH(MFT.QMGR) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)
SET CHLAUTH(MFT.QMGR) TYPE(SSLPEERMAP) ADDRESS(187.187.187.187) SSLPEER('CN=mqm,...') MCAUSER('mft')
SET AUTHREC OBJTYPE(QMGR) GROUP('gmft') AUTHADD(CONNECT, INQ, SETID)
SET AUTHREC PROFILE('SYSTEM.ADMIN.TRACE.ACTIVITY.QUEUE') OBJTYPE(QUEUE) GROUP('gmft') AUTHADD(PUT, SETALL)
SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(QUEUE) GROUP('gmft') AUTHADD(PUT, GET, DSP, BROWSE)
SET AUTHREC PROFILE('COORD') OBJTYPE(QUEUE) GROUP('gmft') AUTHADD(PUT) ### XMITQ to Coordination Qmgr ###
The agent's SYSTEM.FTE* queues and their OAM rights are defined as well.
User "mft" is the one and only user in its primary group "gmft". User and group are defined locally at the Agent Qmgr / Command Qmgr.
Definitions at AGENT
--------------------
command.properties:
#
#Tue Mar 15 16:40:24 CET 2016
connectionQMgrChannel=MFT.QMGR
connectionQMgrPort=1414
connectionQMgrHost=agentqmgr
connectionQMgr=QMGR
connectionSslCipherSpec=TLS_RSA_WITH_AES_256_CBC_SHA
connectionSslPeerName=CN=QMGR,...
connectionSslTrustStore=/var/mqm/config/ssl/mqm_mft/key.jks
connectionSslTrustStoreType=jks
connectionSslTrustStoreCredentialsFile=/var/mqm/mqft/config/COORD/agents/AGENT/MQMFTCredentials.xml
connectionSslKeyStore=/var/mqm/config/ssl/mqm_mft/key.jks
connectionSslKeyStoreType=jks
connectionSslKeyStoreCredentialsFile=/var/mqm/mqft/config/COORD/agents/AGENT/MQMFTCredentials.xml
agent.properties:
#
#Tue Mar 15 16:40:36 CET 2016
agentQMgr=QMGR
agentQMgrPort=1414
agentDesc=
agentQMgrHost=agentqmgr
agentQMgrChannel=MFT.QMGR
agentName=AGENT
agentSslCipherSpec=TLS_RSA_WITH_AES_256_CBC_SHA
agentSslPeerName=CN=QMGR,...
agentSslTrustStore=/var/mqm/config/ssl/mqm_mft/key.jks
agentSslTrustStoreType=jks
agentSslTrustStoreCredentialsFile=/var/mqm/mqft/config/COORD/agents/AGENT/MQMFTCredentials.xml
agentSslKeyStore=/var/mqm/config/ssl/mqm_mft/key.jks
agentSslKeyStoreType=jks
agentSslKeyStoreCredentialsFile=/var/mqm/mqft/config/COORD/agents/AGENT/MQMFTCredentials.xml
enableQueueInputOutput=true
MQMFTCredentials.xml (obfuscated and file permissions set to 600):
<?xml version="1.0" encoding="UTF-8"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MQMFTCredentials" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://wmqfte.ibm.com/MQMFTCredentials MQMFTCredentials.xsd">
<tns:file passwordCipher="08154711" path="/var/mqm/config/ssl/mqm_mft/key.jks"/>
</tns:mqmftCredentials>
@fjb_saper: How do you envisage using a different channel for the application? Channels are defined in command.properties and agent.properties, and you can only configure one channel.
When the application submits the fteCreateTransfer, how should it use a different channel? The only connection parameters of fteCreateTransfer are source and destination agent, which are both the same
as we are doing message-to-file and file-to-message.
The only thing I've read about using different channels is "Configuring an MFT agent for multiple channels: non-clustered", but this is just for channels between two agent qmgrs.
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.wmqfte.doc/configuring_channels_noncluster.htm
@zpat: What is the benefit of copying the JKS and renaming the certificate label? It's just a hack. I can also get my own certificate, respectively a JKS, for user "admrun". It's also not a problem to add a second CHLAUTH record of type SSLPEERMAP to map CN=admrun,... to user "mft" as well. But is it possible to add a second TrustStore/KeyStore & CredentialsFile in command.properties and agent.properties?
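The two posts above describe the CHLAUTH records (BLOCKUSER, ADDRESSMAP with USERSRC(NOACCESS), SSLPEERMAP to MCAUSER 'mft') and the idea of adding a second SSLPEERMAP for a CN=admrun certificate. The script below is an added example, not from the thread or from IBM: a simplified model of how MQ evaluates those record types, used to show which MCAUSER a client presenting a given certificate DN from a given address would end up with, before and after the proposed second record. It models only the record types on the page, in the documented order (mapping records matched with SSLPEERMAP taking precedence over ADDRESSMAP, then BLOCKUSER checked against the resulting MCAUSER); BLOCKADDR, USERMAP and QMGRMAP are left out, and DN matching is reduced to exact attribute values with '*' as a wildcard. The DN suffix O=EXAMPLE, the CN=admrun certificate and the channel MCAUSER value are assumptions; the address and the CN=mqm to mft mapping are the poster's obfuscated values.

```python
"""Simplified model of CHLAUTH evaluation for the record types in the post.

Added example (not IBM code). Only SSLPEERMAP, ADDRESSMAP and BLOCKUSER are
modelled; DN and ADDRESS matching are simplified (no ranges, no escaping).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_dn(dn: str) -> dict:
    """'CN=mqm,O=EXAMPLE' -> {'CN': 'mqm', 'O': 'EXAMPLE'} (no escaping handled)."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        out[key.strip().upper()] = value.strip()
    return out


def dn_matches(filter_dn: str, peer_dn: str) -> bool:
    """Every attribute of the SSLPEER filter must be present in the peer's DN
    with the same value; '*' accepts any value. Extra peer attributes are ignored."""
    want, have = parse_dn(filter_dn), parse_dn(peer_dn)
    return all(k in have and (v == "*" or have[k] == v) for k, v in want.items())


def addr_matches(pattern: str, addr: str) -> bool:
    """ADDRESS filter: '*' or one exact IP (real MQ also allows ranges and wildcards)."""
    return pattern == "*" or pattern == addr


@dataclass
class Rule:
    type: str                          # "SSLPEERMAP", "ADDRESSMAP" or "BLOCKUSER"
    address: str = "*"                 # ADDRESS(...) filter
    sslpeer: Optional[str] = None      # SSLPEER(...) filter, SSLPEERMAP only
    mcauser: Optional[str] = None      # MCAUSER(...); None keeps the channel's MCAUSER
    noaccess: bool = False             # USERSRC(NOACCESS)
    userlist: Tuple[str, ...] = ()     # USERLIST(...), BLOCKUSER only


def evaluate(rules, channel_mcauser: str, peer_dn: str, addr: str) -> Tuple[str, str]:
    """Return ("ALLOW", effective_mcauser) or ("REJECT", description_of_rule)."""
    chosen = None
    for rtype in ("SSLPEERMAP", "ADDRESSMAP"):          # precedence order
        matches = [
            r for r in rules
            if r.type == rtype
            and addr_matches(r.address, addr)
            and (rtype != "SSLPEERMAP" or dn_matches(r.sslpeer, peer_dn))
        ]
        if matches:
            # a record with a specific ADDRESS beats one with ADDRESS('*')
            chosen = sorted(matches, key=lambda r: r.address == "*")[0]
            break
    if chosen is not None and chosen.noaccess:
        return ("REJECT", f"{chosen.type} ADDRESS('{chosen.address}') USERSRC(NOACCESS)")
    mcauser = channel_mcauser if chosen is None or chosen.mcauser is None else chosen.mcauser
    for r in rules:                                      # BLOCKUSER sees the mapped user
        if r.type == "BLOCKUSER" and mcauser in r.userlist:
            return ("REJECT", f"BLOCKUSER USERLIST('{mcauser}')")
    return ("ALLOW", mcauser)


# The records from the post (DN suffix O=EXAMPLE is constructed):
PAGE_RULES = [
    Rule("BLOCKUSER", userlist=("nobody",)),
    Rule("ADDRESSMAP", address="*", noaccess=True),
    Rule("SSLPEERMAP", address="187.187.187.187", sslpeer="CN=mqm,O=EXAMPLE", mcauser="mft"),
]
# ...plus the second SSLPEERMAP the poster proposed, for a hypothetical admrun certificate:
PROPOSED_RULES = PAGE_RULES + [
    Rule("SSLPEERMAP", address="187.187.187.187", sslpeer="CN=admrun,O=EXAMPLE", mcauser="mft"),
]

if __name__ == "__main__":
    for label, rules in (("as posted", PAGE_RULES), ("with admrun map", PROPOSED_RULES)):
        for dn in ("CN=mqm,O=EXAMPLE", "CN=admrun,O=EXAMPLE"):
            print(label, dn, evaluate(rules, "%%%", dn, "187.187.187.187"))
```

Running it shows the effect the poster expects: with the records as posted, a CN=admrun certificate falls through to the ADDRESSMAP('*') NOACCESS record and is rejected, and after the second SSLPEERMAP it is mapped to 'mft' like the agent's own certificate. The model also makes visible that BLOCKUSER USERLIST('nobody') only rejects a connection whose mapped MCAUSER is literally 'nobody'; any other mapping result, administrative or not, passes that check.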
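The post above lists the agentSsl*/connectionSsl* store settings and an MQMFTCredentials.xml kept at mode 600. The script below is an added example, not from the post or from IBM: a small consistency check that reads those property keys together with the `<tns:file>` entries of the credentials file and reports a store path that has no credentials entry and a credentials file that is not restricted to mode 600, which are the two things that go wrong first when a second keystore is added for another user. It does not open the JKS files themselves. The demo builds a throwaway directory that mirrors the poster's mqm_mft layout and adds a hypothetical second keystore and trust store for admrun; all file contents are constructed, and the sample reuses the passwordCipher value and key names from the post.

```python
"""Consistency check of MFT TLS store settings against MQMFTCredentials.xml.

Added example (not IBM code). Parses the properties keys and credentials
file format shown in the post; the demo directory and its contents are
constructed for illustration.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

NS = {"tns": "http://wmqfte.ibm.com/MQMFTCredentials"}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def credential_paths(xml_text: str) -> set:
    """Store paths that have a <tns:file path="..."/> entry in the credentials file."""
    root = ET.fromstring(xml_text)
    return {f.get("path") for f in root.findall("tns:file", NS)}


def audit(props: dict, prefix: str) -> list:
    """Check <prefix>SslKeyStore / <prefix>SslTrustStore (prefix 'agent' or
    'connection'). Returns human-readable findings; empty means consistent."""
    findings, mode_checked = [], set()
    for kind in ("KeyStore", "TrustStore"):
        store = props.get(f"{prefix}Ssl{kind}")
        cred = props.get(f"{prefix}Ssl{kind}CredentialsFile")
        if not store:
            continue                       # this side does not use that store
        if not cred:
            findings.append(f"{prefix}Ssl{kind}: no CredentialsFile configured")
            continue
        try:
            mode = stat.S_IMODE(os.stat(cred).st_mode)
            with open(cred, encoding="utf-8") as fh:
                known = credential_paths(fh.read())
        except (OSError, ET.ParseError) as exc:
            findings.append(f"{prefix}Ssl{kind}: cannot use {cred}: {exc}")
            continue
        if cred not in mode_checked:       # report a shared file only once
            mode_checked.add(cred)
            if mode & 0o077:
                findings.append(f"{cred}: mode {oct(mode)} is not 0600")
        if store not in known:
            findings.append(f"{prefix}Ssl{kind}: {store} has no entry in {cred}")
    return findings


CREDENTIALS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MQMFTCredentials"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://wmqfte.ibm.com/MQMFTCredentials MQMFTCredentials.xsd">
  <tns:file passwordCipher="08154711" path="{store}"/>
</tns:mqmftCredentials>
"""


def write_credentials(path: str, store: str, mode: int) -> None:
    """Write a constructed credentials file naming one store and set its mode."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(CREDENTIALS_XML.format(store=store))
    os.chmod(path, mode)


def demo():
    """Constructed scenario: the agent side mirrors the post (one JKS, one
    credentials file at 0600); the hypothetical admrun side has a group/other
    readable credentials file and a trust store that was never added to it."""
    with tempfile.TemporaryDirectory() as tmp:
        mqm_store = os.path.join(tmp, "mqm_mft", "key.jks")
        mqm_cred = os.path.join(tmp, "agent", "MQMFTCredentials.xml")
        adm_store = os.path.join(tmp, "admrun", "key.jks")
        adm_trust = os.path.join(tmp, "admrun", "trust.jks")
        adm_cred = os.path.join(tmp, "admrun", "MQMFTCredentials.xml")
        os.makedirs(os.path.dirname(mqm_cred))
        os.makedirs(os.path.dirname(adm_cred))
        write_credentials(mqm_cred, mqm_store, 0o600)
        write_credentials(adm_cred, adm_store, 0o644)
        agent = parse_properties(f"""
#Tue Mar 15 16:40:36 CET 2016
agentQMgr=QMGR
agentSslKeyStore={mqm_store}
agentSslKeyStoreType=jks
agentSslKeyStoreCredentialsFile={mqm_cred}
agentSslTrustStore={mqm_store}
agentSslTrustStoreType=jks
agentSslTrustStoreCredentialsFile={mqm_cred}
""")
        admrun = parse_properties(f"""
connectionQMgr=QMGR
connectionSslKeyStore={adm_store}
connectionSslKeyStoreCredentialsFile={adm_cred}
connectionSslTrustStore={adm_trust}
connectionSslTrustStoreCredentialsFile={adm_cred}
""")
        return audit(agent, "agent"), audit(admrun, "connection")


if __name__ == "__main__":
    for side, findings in zip(("agent", "admrun"), demo()):
        print(side, findings or "OK")
```

The agent side comes back clean; the admrun side yields two findings, one for the 0644 credentials file and one for the trust store path missing from it. Pointing `audit()` at a real agent directory only needs the properties text and the credentials path read from disk instead of the constructed ones.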
fjb_saper
Posted: Fri Dec 15, 2017 7:26 am
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
toshi78 wrote:
    @fjb_saper: How do you think to use a different channel for the application? Channels are defined in command.properties and agent properties and you only can configure one channel.
    When the application submits the fteCreateTransfer how they should use a different channel? The only connection parameters at fteCreateTransfer are source and destination agent which are both the same
    as we are doing message-to-file and file-to-message.
    The only thing I've read about using different channels is "Configuring an MFT agent for multiple channels: non-clustered" but this is just for channels between two agents qmgrs.
    https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.wmqfte.doc/configuring_channels_noncluster.htm
Forget entirely about the FTE Agent.
For the app, creating a File transfer is nothing different than putting the corresponding xml message onto the agent's command queue....
For a WAS app to have 2 different profiles on the qmgr, all it takes is to have 2 different queue connection factories, each with their own channel, own mca and different authorizations....
Have fun