MQSeries authorise
gye
Posted: Mon Apr 08, 2002 7:17 pm
Novice
Joined: 07 Apr 2002 Posts: 13
I know there is "setmqaut"/"dspmqaut" to set up/display the MQ authorisation to access the objects. I would appreciate it if someone could tell me how it works!
I tried to run the command and I can see the authorisation rules have been added to the configuration of the specified QUEUE. But there is still no restriction for the client to connect to the QUEUE.
For example, I set browse-only permission for group usr to access QUEUE LOCAL1, but a user of that user group can still get the messages from that queue by running "amqsgetc". What's wrong with my configuration, or design?
Thanks a million.
New guy to MQ
RogerLacroix
Posted: Mon Apr 08, 2002 8:13 pm
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
If you are using MQ v5.2, did you issue the "REFRESH SECURITY" command? If you are on an older version of MQ (non-MVS), you need to recycle the queue manager (stop then start - no joke).
Also, you mentioned / listed a client MQ program. Is there a UserId associated with the client channel (e.g. is the MCAUSER set to a UserId?)?
later
Roger...
gye
Posted: Tue Apr 09, 2002 1:01 am
Novice
Joined: 07 Apr 2002 Posts: 13
Hi Roger,
Thanks for your reply.
I just found that the MCAUSER of the channel definition could be another small thing. For my previous question, it was set as ' '. But after I set it as 'usr' or 'guest', I got the error code 2035.
In general, I want to know how to set up a SERVER CHANNEL and authorise a QUEUE to ensure one user, and only this user, could access a specified queue.
I guess the solution is to set the MCAUSER to something, while using "setmqaut" to grant the privilege to that something. Could you let me know what the exact value is that I should set?
Thanks
mqonnet
Posted: Tue Apr 09, 2002 5:18 am
Grand Master
Joined: 18 Feb 2002 Posts: 1114 Location: Boston, Ma, Usa.
> I just found that the MCAUSER of the channel definition could be another small thing. For my previous question, it was set as ' '. But after I set it as 'usr' or 'guest', I got the error code 2035.

--- The reason you got 2035 is because you need to add this user 'usr' or 'guest' to the mqm group to be able to perform admin operations on the QM.

> In general, I want to know how to set up a SERVER CHANNEL and authorise a QUEUE to ensure one user, and only this user, could access a specified queue.

--- You could always leave it BLANK. This way, whatever userid comes in along with a request, say an MQCONN, would be restricted to only those for whom there is already a user defined within the mqm group on this system. The other way of doing this is discussed below.

> I guess the solution is to set the MCAUSER to something, while using "setmqaut" to grant the privilege to that something. Could you let me know what the exact value is that I should set?

--- You are right. When you add "ANYTHING" to the MCAUSER attribute, by default you allow ANYONE permission to access the objects of this QM. But this access is granted only and only if the userid coming in has a respective userid mapping on this system (where you define the svrconn channel). Otherwise no one is allowed. And if this userid is mapped to a non-mqm userid, you could use setmqaut to allow specific permissions to this mapped userid, for specific access.
Hope this helps.
Cheers.
Kumar
_________________ IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
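The sequence the replies above describe (Roger's REFRESH SECURITY step and Kumar's MCAUSER plus setmqaut approach), written out as one script. This is an added example, not code from the thread or from IBM; the queue manager QM1, queue LOCAL1, channel APP.SVRCONN, OS group "usr" and the functions lock_down_queue and browse_only are all my assumptions, and the dspmqaut listing at the bottom is constructed in the format the command prints. Two points the thread touches on are made explicit: with MCAUSER blank the queue manager acts on whatever user id the client asserts, which is why a browse-only rule on the group did nothing for amqsgetc in the first post; and 2035 is MQRC_NOT_AUTHORIZED, which is cleared by granting the MCAUSER identity connect authority on the queue manager object, so there is no need to put it in mqm.

```shell
#!/bin/sh
# Added example (not from the thread): lets clients on one SVRCONN channel
# browse a queue but not get from it. Names are assumptions: queue manager QM1,
# queue LOCAL1, channel APP.SVRCONN, OS group "usr" whose member "usr" is the
# channel's MCAUSER. MQ_DRY_RUN=1 (the default) prints the commands instead of
# running them; set MQ_DRY_RUN=0 on a host where MQ is installed.
QMGR="${QMGR:-QM1}"
QUEUE="${QUEUE:-LOCAL1}"
CHANNEL="${CHANNEL:-APP.SVRCONN}"
GROUP="${GROUP:-usr}"
MCAUSER="${MCAUSER:-usr}"
MQ_DRY_RUN="${MQ_DRY_RUN:-1}"

# Run a command, or print it when dry-running.
run() {
    if [ "$MQ_DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Feed one MQSC command to runmqsc (runmqsc reads MQSC from stdin).
mqsc() {
    if [ "$MQ_DRY_RUN" = "1" ]; then
        printf 'echo "%s" | runmqsc %s\n' "$1" "$QMGR"
    else
        printf '%s\n' "$1" | runmqsc "$QMGR"
    fi
}

lock_down_queue() {
    # 1. Pin the channel to one identity. With MCAUSER blank the queue manager
    #    uses whatever user id the client asserts; with it set, every connection
    #    over this channel runs as $MCAUSER regardless of the client-side user.
    mqsc "ALTER CHANNEL($CHANNEL) CHLTYPE(SVRCONN) MCAUSER('$MCAUSER')"

    # 2. The identity needs connect authority on the queue manager object,
    #    otherwise MQCONN fails with 2035 (MQRC_NOT_AUTHORIZED). Granting this
    #    is the least-privilege alternative to adding the user to mqm.
    run setmqaut -m "$QMGR" -t qmgr -g "$GROUP" +connect +inq

    # 3. Browse-only on the queue: allow browse and inquire, explicitly remove
    #    get and put. On Unix the OAM evaluates group membership, hence -g.
    run setmqaut -m "$QMGR" -n "$QUEUE" -t queue -g "$GROUP" +browse +inq -get -put

    # 4. Authority changes are picked up after REFRESH SECURITY (MQ 5.2 and
    #    later); older releases need a queue manager restart, as Roger notes.
    mqsc "REFRESH SECURITY"

    # 5. Display the resulting authority record for the group.
    run dspmqaut -m "$QMGR" -n "$QUEUE" -t queue -g "$GROUP"
}

# Returns 0 when a dspmqaut listing grants browse but neither get nor put,
# i.e. the record really is browse-only.
browse_only() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*browse[[:space:]]*$' || return 1
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*(get|put)[[:space:]]*$' && return 1
    return 0
}

# Constructed dspmqaut output (assumed format) so browse_only can be tried
# without a running queue manager.
SAMPLE_DSPMQAUT='Entity usr has the following authorizations for object LOCAL1:
        browse
        inq'

lock_down_queue
```

Run it with MQ_DRY_RUN=0 as a member of mqm on the queue manager host; afterwards `browse_only "$(dspmqaut -m QM1 -n LOCAL1 -t queue -g usr)"` confirms the record, and amqsgetc over APP.SVRCONN should fail with 2035 on the MQGET while a browsing application still works.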
gye
Posted: Wed Apr 10, 2002 12:17 am
Novice
Joined: 07 Apr 2002 Posts: 13
Thanks Kumar!
Now I know that MCAUSER stands for the userid to the MQ Server. For example, when MCAUSER is set as 'USER1', no matter what user you are using to send messages through this channel, at the MQ Server the message will be mapped as from the user 'USER1'. Of course there are the restrictions for 'USER1' on the Server.
One more question is, how to prevent a user from using an unauthorised channel to connect to the server. Is there any protection for the channel itself?
I deeply appreciate your kind response.
George
mqonnet
Posted: Wed Apr 10, 2002 4:40 am
Grand Master
Joined: 18 Feb 2002 Posts: 1114 Location: Boston, Ma, Usa.
> Now I know that MCAUSER stands for the userid to the MQ Server. For example, when MCAUSER is set as 'USER1', no matter what user you are using to send messages through this channel, at the MQ Server the message will be mapped as from the user 'USER1'. Of course there are the restrictions for 'USER1' on the Server.

--- You got it there.

> One more question is, how to prevent a user from using an unauthorised channel to connect to the server. Is there any protection for the channel itself?

--- Starting and stopping of channels is an Admin operation specific to the QM. And this is only permissible if the user belongs to the "mqm" group. And hence, your channels are always secure from any user outside of the "mqm" group. The only way you can authorize a non-mqm user to access admin objects and functions on the QM is to make him part of the mqm group.
Hope this helps.
Cheers.
Kumar
_________________ IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
gye
Posted: Thu May 02, 2002 9:21 pm
Novice
Joined: 07 Apr 2002 Posts: 13
Hi Kumar:
> One more question is, how to prevent a user from using an unauthorised channel to connect to the server. Is there any protection for the channel itself?
>>> Starting and stopping of channels is an Admin operation specific to the QM. And this is only permissible if the user belongs to the "mqm" group. And hence, your channels are always secure from any user outside of the "mqm" group. The only way you can authorize a non-mqm user to access admin objects and functions on the QM is to make him part of the mqm group.
>>>>>> My question is not who can start/stop the channel, but who can use it. As we know, the MCAUSER definition of the channel could restrict the actions through this channel to only the objects (queues) belonging to this MCAUSER.
But if I know another person's channel name, I could steal his queue messages. How to prevent that?
oz1ccg
Posted: Tue May 07, 2002 12:46 am
Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
Hi Kumar:
With the current version of MQSeries, up to 5.2, you will have to write a security exit.
IBM released a SupportPac (MS05) some time ago and withdrew it again. This SupportPac might inspire you on how to create the verification you need. (If you want MS05, send me a mail, I've got a copy.)
The next version, 5.3, has some improvements in channel security, but I've not seen the specs yet; I think they will do the trick. The release date is the end of June 2002.
[ This Message was edited by: oz1ccg on 2002-05-07 01:50 ]
mqonnet
Posted: Fri May 10, 2002 4:04 am
Grand Master
Joined: 18 Feb 2002 Posts: 1114 Location: Boston, Ma, Usa.
> One more question is, how to prevent a user from using an unauthorised channel to connect to the server. Is there any protection for the channel itself?

--- Channels don't have any protection by themselves. It is the OAM which does this job for you. As per my earlier reply, any user can have access to any channels if and only if he/she is in the mqm group.

>>>>>> My question is not who can start/stop the channel, but who can use it. As we know, the MCAUSER definition of the channel could restrict the actions through this channel to only the objects (queues) belonging to this MCAUSER.

--- Only users belonging to the "mqm" group can have access to admin commands such as start/stop channels.

> But if I know another person's channel name, I could steal his queue messages. How to prevent that?

--- Just having access to start/stop channels does not guarantee that you have access to specific queues as well. You could always restrict the number of users for a particular queue. Exits are one of the best alternatives in all the above scenarios.
Cheers.
Kumar
_________________ IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator