shsiow | Posted: Thu Sep 01, 2005 7:13 pm | Post subject: MQ Security
Newbie | Joined: 01 Sep 2005 | Posts: 7
I am facing this "abnormal" security behavior that I hope someone will be able to help with.
My MQ is V6 and running on Windows Server 2003 Enterprise Edition.
I found that whenever I create a Windows Service and install it on any machine in my network, as long as it is running under the LocalSystem account, I would be able to have full access to my MQ server/Queue Manager without any other authentication.
I am not sure if this is normal or not; someone please enlighten me.
Thanks
fjb_saper | Posted: Thu Sep 01, 2005 7:19 pm
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
Is the LocalSystem account part of the mqm group?
shsiow | Posted: Thu Sep 01, 2005 7:27 pm
Newbie | Joined: 01 Sep 2005 | Posts: 7
Nope, LocalSystem is actually the local user on the client machine, not the MQ server.
I am aware that every machine will have this generic "LocalSystem" account; anyway, LocalSystem is not in the administrators group or the mqm group on the MQ server.
Any ideas?
Thanks
fjb_saper | Posted: Thu Sep 01, 2005 7:38 pm
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
Has authentication been turned off?
QMGR definition wise? Environment variable wise?
Is there an MCAUSER in the channel definition?
shsiow | Posted: Thu Sep 01, 2005 7:42 pm
Newbie | Joined: 01 Sep 2005 | Posts: 7
I am not sure if authentication has been turned off or not. How do I check?
QMGR definition? Not sure either.
Environment variable? Not sure either, sorry, I am a newbie.
As for MCAUSER, this I am sure of: there isn't one. BTW, the channel that I am talking about here is the default Server Connection, which is "SYSTEM.DEF.SVRCONN".
Thanks Again
fjb_saper | Posted: Thu Sep 01, 2005 7:57 pm
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
shsiow wrote:
I am not sure if authentication has been turned off or not. How do I check?
QMGR definition? Not sure either.
Environment variable? Not sure either, sorry, I am a newbie.
As for MCAUSER, this I am sure of: there isn't one. BTW, the channel that I am talking about here is the default Server Connection, which is "SYSTEM.DEF.SVRCONN".
Thanks Again
Read the security and admin manuals!
This will give you an indication as to where to start looking.
shsiow | Posted: Thu Sep 01, 2005 9:36 pm
Newbie | Joined: 01 Sep 2005 | Posts: 7
I read. But I can't get any clue, especially regarding Windows. The info there is way too high level for me.
I just want to know how to secure it properly so that all connections to the MQ server will need some kind of authentication. Please help.
Thanks
jefflowrey | Posted: Fri Sep 02, 2005 3:46 am
Grand Poobah | Joined: 16 Oct 2002 | Posts: 19981
I think you will find that if someone logs on as a local administrator, the same thing will be true.
You should secure your SVRCONN (well, all) channels with SSL, and be very careful where you put your certificates.
_________________
I am *not* the model of the modern major general.
hopsala | Posted: Fri Sep 02, 2005 4:52 am
Guardian | Joined: 24 Sep 2004 | Posts: 960
shsiow wrote:
I read. But I can't get any clue, especially regarding Windows. The info there is way too high level for me.
I just want to know how to secure it properly so that all connections to the MQ server will need some kind of authentication. Please help.
Listen, we would love to help you if this was a matter of "yea, just type CREATE SECURITY CHL(MQ1, MQ2) and you're good to go!" (FYI, this is not a real MQ command!). Thing is, making two channels work together with SSL is not trivial - it's not difficult, but it isn't trivial either; embrace the fact that this will take you at least one week to figure out top-to-bottom.
(Furthermore, this has been discussed here many a time; searching takes half the time of posting questions.)
However, since I have a reputation of being a nice guy - I will aid you in your hour of need; this is the gist of what you should do, but it's all very platform-specific so I can't give you the details. You still HAVE to read the manuals, and search the forum:
1. Create certificates: a public CA cert, a private cert for the client, a private cert for the QM.
2. Put certs into cert stores: on the client machine put the public CA cert and the private client cert; on the server machine put the public CA cert and the private QM cert.
3. Set the SVRCONN to work with SSL.
4. Set the client to work with SSL.
You should also take into consideration using the SSLPEER parm.
Enjoy!
shsiow | Posted: Mon Sep 05, 2005 2:42 am
Newbie | Joined: 01 Sep 2005 | Posts: 7
Ok. I think we got diverted too far from it. Let me clarify it once more.
Like I said, I am facing this "abnormal" security behavior.
My MQ is V6 and running on Windows Server 2003 Enterprise Edition. IT JOINS MY COMPANY DOMAIN. MY IBM MQ SERVICE was started with the LOCALSYSTEM account.
I found that whenever I create a Windows Service and install it on ANY machine in my network that JOINS THE SAME DOMAIN AS THE MQ SERVER, as long as it is running under the LocalSystem account, I would be able to have full access to my MQ server/Queue Manager without any other authentication.
LOCALSYSTEM IS NOT in the mqm group.
I NEED TO KNOW IF THIS IS NORMAL OR NOT.
Thanks
hopsala | Posted: Mon Sep 05, 2005 3:51 am
Guardian | Joined: 24 Sep 2004 | Posts: 960
Well, that's why
fjb_saper wrote:
Read the security and admin manuals!
Look, it's all very simple - once you connect via a channel connection, the default behavior is that the user is passed from the client machine to the QM. In your case, it means that the QM receives "LocalSystem" of that domain as the user from the channel, and it is thus authorized to do anything it likes.
Naturally, this is a security breach, since there's no authentication here that the user sent from the client is indeed the same as the local one - it's simply passed as text. (This is OS dependent, but the general picture remains throughout.)
Anyway, your only option for securing channels is using SSL; look at my post and many other posts on this forum on how to do this - this has been discussed here a thousand times and more. You should also read the Clients manual for further details.
(P.S. There's also the option of writing/buying a security exit, up to you.)
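The two hopsala posts above (the four SSL steps and the explanation that the client-asserted user id arrives as plain text and is used as-is) and fjb_saper's question about MCAUSER describe one check an administrator can run: look at each SVRCONN channel's MCAUSER, SSLCIPH, SSLCAUTH and SSLPEER and fix the ones that still trust whatever the client sends. The script below is an added example written for this thread, not code from the posters or from IBM. It parses the output of `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) ALL` as printed by `runmqsc` (the `AMQ8414` message and the `ATTR(value)` layout are the real format; the sample output embedded here is constructed), reports the weaknesses the thread names, and builds the MQSC `ALTER CHANNEL` / `DEFINE CHANNEL` commands for steps 3 and 4. The server-side id `mqclient`, the CipherSpec `TLS_RSA_WITH_AES_128_CBC_SHA`, the peer DN and the host name are placeholders, not values from the thread.

```python
"""Audit SVRCONN channels from runmqsc output and build the MQSC that hardens them.

Added example for this thread, not IBM code. Feed it real output with:
    echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) ALL" | runmqsc QM1 > chl.txt
and call audit_channels(open("chl.txt").read()).
"""
import re

# Constructed excerpt of runmqsc output (not captured from a real queue manager).
# Channel 1 is the V6 default SYSTEM.DEF.SVRCONN; channel 2 is already hardened.
# A real DISPLAY ... ALL prints many more attributes; the parser ignores extras.
SAMPLE_DISPLAY = """\
     1 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) ALL
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   DESCR( )                                MCAUSER( )
   SSLCAUTH(REQUIRED)                      SSLCIPH( )
   SSLPEER( )                              TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   DESCR(Hardened channel for app1)        MCAUSER(app1svc)
   SSLCAUTH(REQUIRED)                      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
   SSLPEER(CN=app1,O=Example Corp)         TRPTYPE(TCP)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
"""

# ATTR(value); the value may hold one nested level of parentheses, e.g. CONNAME(host(1414)).
_ATTR_RE = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

# Placeholders for the hardening commands (assumptions, not values from the thread):
# a low-privilege server-side id, a CipherSpec and the DN expected in the client cert.
DEFAULT_MCAUSER = "mqclient"
DEFAULT_CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA"
DEFAULT_PEER = "CN=app1,O=Example Corp"


def parse_display_channel(text):
    """Return one {ATTRIBUTE: value} dict per channel; blank values become ''."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):        # every channel starts with this message id
            current = {}
            channels.append(current)
        elif current is not None and line.startswith("   "):
            for name, value in _ATTR_RE.findall(line):
                current[name] = value.strip()
        # the echoed command and the trailing status lines are skipped
    return channels


def audit_channel(chl):
    """List the weaknesses of one SVRCONN channel, in the terms the thread uses."""
    findings = []
    if chl.get("CHLTYPE") != "SVRCONN":
        return findings
    if not chl.get("MCAUSER"):
        findings.append("MCAUSER blank: the user id asserted by the client "
                        "(e.g. LocalSystem) is used for authorization")
    if not chl.get("SSLCIPH"):
        findings.append("SSLCIPH blank: no SSL, the asserted id is unverified text")
    else:
        if chl.get("SSLCAUTH") != "REQUIRED":
            findings.append("SSLCAUTH not REQUIRED: the client need not present a certificate")
        if not chl.get("SSLPEER"):
            findings.append("SSLPEER blank: any certificate from a trusted CA is accepted")
    return findings


def audit_channels(text):
    """Map channel name -> findings for every SVRCONN channel in the output."""
    return {c["CHANNEL"]: audit_channel(c) for c in parse_display_channel(text)}


def hardening_mqsc(chl, mcauser=DEFAULT_MCAUSER, cipher=DEFAULT_CIPHER, peer=DEFAULT_PEER):
    """MQSC for step 3: stop trusting the asserted id and require a named SSL peer."""
    return (f"ALTER CHANNEL({chl['CHANNEL']}) CHLTYPE(SVRCONN) MCAUSER('{mcauser}') "
            f"SSLCIPH({cipher}) SSLCAUTH(REQUIRED) SSLPEER('{peer}')")


def client_channel_mqsc(name, qmgr, conname, cipher=DEFAULT_CIPHER):
    """MQSC for step 4: the CLNTCONN entry for the client channel table (same CipherSpec)."""
    return (f"DEFINE CHANNEL({name}) CHLTYPE(CLNTCONN) TRPTYPE(TCP) "
            f"CONNAME('{conname}') QMNAME({qmgr}) SSLCIPH({cipher})")


if __name__ == "__main__":
    for chl in parse_display_channel(SAMPLE_DISPLAY):
        problems = audit_channel(chl)
        print(chl["CHANNEL"], "OK" if not problems else "")
        for p in problems:
            print("  -", p)
        if problems:
            print("  fix:", hardening_mqsc(chl))
    print("client:", client_channel_mqsc("APP1.SVRCONN", "QM1", "mqhost.example(1414)"))
```

Setting MCAUSER on its own only stops the queue manager from using the id the client sends; it does not authenticate anyone. The binding between the connection and a known party comes from SSLCIPH plus SSLCAUTH(REQUIRED) plus SSLPEER, which is why the audit treats a blank SSLPEER as a finding even when SSL is on. Steps 1 and 2 (certificates and key repositories, i.e. the queue manager's SSLKEYR and the client's MQSSLKEYR, and pointing the client at its channel table with MQCHLLIB/MQCHLTAB) are outside what this script generates.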
shsiow | Posted: Mon Sep 05, 2005 7:02 am
Newbie | Joined: 01 Sep 2005 | Posts: 7
Quote:
Look, it's all very simple - once you connect via a channel connection, the default behavior is that the user is passed from the client machine to the QM. In your case, it means that the QM receives "LocalSystem" of that domain as the user from the channel, and it is thus authorized to do anything it likes.
Naturally, this is a security breach, since there's no authentication here that the user sent from the client is indeed the same as the local one - it's simply passed as text. (This is OS dependent, but the general picture remains throughout.)
Hmmm... Now it gives me a slightly better idea of how this "abnormality" is happening. Thanks for that.
Sounds like my only choice in this case will be SSL. I did check the manual; it describes how we can test by using some test cert/self-signed cert. Will try that soon. However, just for my understanding, once I need to put it into production use, does it mean I need to get some authority (e.g. VeriSign, Entrust.net) to sign a cert for me, right? Is that going to cost me BIG $$$? Sorry, but I am working in a small-time company that can't really afford that.
hopsala | Posted: Mon Sep 05, 2005 4:05 pm
Guardian | Joined: 24 Sep 2004 | Posts: 960
shsiow wrote:
does it mean I need to get some authority (e.g. VeriSign, Entrust.net) to sign a cert for me, right? Is that going to cost me BIG $$$?
You probably already have a CA somewhere on site and don't even know it - I think MSCS, for example, can issue production certificates, and I know there are many other products that can; sniff around your company and see if you can find one.
Otherwise, although I've never tried this, it doesn't seem expensive - I just googled "buy CA certificates" and prices range from $30-200, no higher.
Maybe others who have experience with purchasing certs can help you; I've always had an MSCS or RACF hanging around.
RogerLacroix | Posted: Mon Sep 05, 2005 7:21 pm
Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada