MQ v6 security question
vatsanc
Posted: Tue Jun 27, 2006 2:32 pm Post subject: MQ v6 security question
Newbie
Joined: 27 Jun 2006 Posts: 6
We are using MQ v6 for a notification service over the internet. For this we have deployed MQ on our internet DMZ and configured the SSL channels to do user authentication based on x509 client certificates. Clients are expected to connect to this MQ server over the internet with a client certificate that we provide. We also employ a security exit (BlockIP2) to block out certain IDs like mqm, root, op, op2 etc. Given this, is it necessary to have OAM? The problem we are facing is that because OAM does authorization based on Operating System userid, the C/C++ (possibly C#) clients are required to run as some known id, which is not desirable. We do not want to impose this requirement of user id creation on the client side. So, we are left with 3 options:
1) Disable OAM - don't know if this is safe to do
2) Configure OAM to pass all userids except mqm - don't know if this is possible
3) In the C/C++ client apps, override the userid with a known user id known to the server - don't know if this is possible.
Please advise on the best way (both pragmatic and safe) of doing this. JMS client apps work by passing the userid/passwd.
wschutz
Posted: Tue Jun 27, 2006 2:48 pm Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Why not just set a MCAUserid on the secured channel?
-wayne
vatsanc
Posted: Wed Jun 28, 2006 7:13 am Post subject:
Newbie
Joined: 27 Jun 2006 Posts: 6
Thanks for your response. Can you please elaborate a bit more, as I am not an MQ admin. What is the purpose of the MCAUserid option? Does this require any client side security exit code (which is not desirable)?
Vitor
Posted: Wed Jun 28, 2006 7:28 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Check out the System Administration manual for a detailed description of MCA UserId. Put simply, it's used to authorise every connection via that channel. I think what wschutz is getting at is that if the clients are connected to the queue manager in your DMZ via SSL, why use varied user ids in the channel?
(Though if that's not what you're getting at, honoured sir, I apologise and await correction!)
Honesty is the best policy.
Insanity is the best defence.
oz1ccg
Posted: Wed Jun 28, 2006 8:01 am Post subject:
Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
You can let BlockIP2 act on the information in the SSL certificate and set the MCAUSER according to that. This removes the need to know anything about the "local" users at the other end.
See the SSL= control statement.
-- Lock it or Lose it --
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
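The MCAUSER approach suggested by wschutz, combined with filtering on the client certificate as oz1ccg describes, can be done with the queue manager's own channel attributes. The following MQSC is an added example for this thread; it is not from the original posts, from IBM, or from BlockIP2, and all names in it are assumptions: queue manager NOTIFY.QM, channel NOTIFY.SVRCONN, a low-privilege OS user notifyapp that exists only on the server, and a placeholder certificate subject. The point it shows: once MCAUSER is set on the SVRCONN channel, the userid flowed by the C/C++ client is ignored for authorization on that channel, so the clients need no particular OS identity and OAM can stay enabled. SSLCAUTH(REQUIRED) makes the client certificate mandatory and SSLPEER restricts which certificate subjects are accepted, so the identity used for OAM checks is tied to a certificate you issued rather than to whatever the client asserts (on MQ v6 the flowed userid is not authenticated by the queue manager). BlockIP2's per-certificate mapping to different MCAUSER values goes beyond this; its SSL= syntax is not shown here.

```mqsc
* Added example (not from the thread or BlockIP2). All names are assumptions.
* Run with: runmqsc NOTIFY.QM < this_file
DEFINE CHANNEL('NOTIFY.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       DESCR('Internet notification clients, cert-authenticated') +
       SSLCIPH(TRIPLE_DES_SHA_US) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('O=ExampleCorp, OU=NotificationClients') +
       MCAUSER('notifyapp') +
       REPLACE

* Confirm the settings took effect before opening the DMZ listener.
DISPLAY CHANNEL('NOTIFY.SVRCONN') CHLTYPE(SVRCONN) MCAUSER SSLCAUTH SSLPEER SSLCIPH
```

After this, grant notifyapp only what the service needs with setmqaut rather than disabling OAM, for example `setmqaut -m NOTIFY.QM -t qmgr -p notifyapp +connect` and `setmqaut -m NOTIFY.QM -t queue -n NOTIFY.REQUEST -p notifyapp +put` (queue name assumed). The placeholder SSLPEER value must be replaced with the distinguished name pattern of the certificates you actually issue; a DN filter that is too broad accepts any certificate from the same issuer, which is why the matching clients in BlockIP2 or SSLPEER should be as specific as the issued certificates allow. Keep a separate administrative SVRCONN with its own MCAUSER and a tighter SSLPEER so that the internet-facing channel never carries mqm privileges.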