Author |
Message
|
fatboyjim |
Posted: Tue Jul 25, 2006 11:23 am Post subject: Security issues |
|
|
Novice
Joined: 25 Jul 2006 Posts: 12
|
Hi all,
First post so please be gentle
Just been playing around with C# and WMQ today, and hitting a few teething problems.
I have a server on my Windows 2000 box, this runs fine, and my little C# app can put and get to any of the queues in my queue manager. However, when I run the app on another box I get an error regarding security (sorry I don't have it to hand at the moment, but will post when I have it)
I have tried configuring the server, but I do not know which account to give the rights to, as the client is running as Administrator on a box on a different domain. This also means I cannot add the remote user to the mq admin's group on the server.
So I would like to know:
- How do I allow "SomeAccount" on "SomeMachine" access to my queue manager and queues?
- If that is not possible, can I just turn off the security? (I can see it under installable services for my queue manager in the WebSphere Explorer, but can't see how to remove it!)
Sorry if this isn't explained very well, it's been a long day
Thanks for any help
Jim |
|
wschutz |
Posted: Tue Jul 25, 2006 11:35 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
We wouldn't suggest turning security off
"Administrator" is a problem for MQ as MQ can only handle userids up to 12 characters
Can you run the client app under a userid that you can then give authority to on your server?
Also, see the "MCAUSER" attribute of svrconn channels in the info center; that will allow you to set the userid at the channel level (good for testing, but presents obvious security exposures in a production env).  _________________ -wayne |
|
fatboyjim |
Posted: Tue Jul 25, 2006 12:45 pm Post subject: |
|
|
Novice
Joined: 25 Jul 2006 Posts: 12
|
Thanks for the reply
Quote: |
Can you run the client app under a userid that you can then give authority to on your server? |
Is that going to work? The client app is running on a box which has a different domain controller. That's not how I see the client app working at the moment, as "Administrator" has full rights to the queue manager yet I am still getting the security error. Or is it the case that as MQ cannot handle userids > 12 chars, that the rights for Administrator don't do anything anyway?
MCAUSER attribute, not quite sure what you mean, the only attributes I have set are the environment variables in the C# class itself, which it seems to ignore anyway (I have had to set an MQSERVER environment variable on the client system itself to get it to connect to the remote server).
As for turning security off, obviously it's frowned upon in a production environment, but it's running on a secure LAN at the moment, so no major problem. It would be handy to turn it off just to show that it is connecting and messages can be put and got.
Cheers
Jim |
|
fjb_saper |
Posted: Tue Jul 25, 2006 1:07 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Quote: |
MCAUSER attribute, not quite sure what you mean, the only attributes I have set are the environment variables in the C# class itself, which it seems to ignore anyway (I have had to set an MQSERVER environment variable on the client system itself to get it to connect to the remote server). |
MCAUSER attribute is an attribute of the qmgr channel. You can set it to a user on the qmgr's machine and it will make all messages going through that channel look like they were sent by the user set up in the MCAUSER attribute of the channel.
Enjoy  _________________ MQ & Broker admin |
|
fatboyjim |
Posted: Wed Jul 26, 2006 2:12 am Post subject: |
|
|
Novice
Joined: 25 Jul 2006 Posts: 12
|
Thanks for all of your help, fixed the problem by setting MCAUSER to the local administrator.
Just for future reference, is there a way to turn off security completely, although it is not advised?
Thanks
Jim |
|
wschutz |
Posted: Wed Jul 26, 2006 2:24 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
|
fatboyjim |
Posted: Wed Jul 26, 2006 3:02 am Post subject: |
|
|
Novice
Joined: 25 Jul 2006 Posts: 12
|
Superb, thanks for that
Another quickie. As I understand it, the client sends to the server the name of the logged-on user.
Surely then, for example, if an unscrupulous user discovered that username "John" had full rights to the system, could he not just create a user John on his system and connect with full rights?
Ta
Jim |
|
wschutz |
Posted: Wed Jul 26, 2006 3:16 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
That's why SSL secured channels are important....  _________________ -wayne |
|
RogerLacroix |
Posted: Wed Jul 26, 2006 8:40 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
fatboyjim wrote: |
Surely then, for example, if an unscrupulous user discovered that username "John" had full rights to the system, could he not just create a user John on his system and connect with full rights? |
You don't even need to create a User account if you are using a Java application!!! Simply have the Java application set the UserId to whatever value you want!
wschutz wrote: |
That's why SSL secured channels are important....  |
Or use a security solution like MQ Authenticate User Security Exit
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
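The MCAUSER and SSL advice in this thread, shown as an added MQSC example (not posted by anyone in the thread): the test-only channel that maps every client to an administrative account, beside a channel that maps clients to a least-privileged account and requires a client certificate. The channel names, the accounts `localadm` and `mqapp1`, the queue `APP1.REQUEST`, the certificate DN and the CipherSpec choice are assumptions; `SET AUTHREC` needs MQ 7.1 or later, and on the 2006-era release discussed here the same grants are made with the `setmqaut` command.

```mqsc
* Added example. All object names, accounts and the DN are hypothetical.

* Test-only setting, as used to get past the error in the thread:
* 'localadm' stands for an account in the MQ administrators group.
* Every client that reaches this channel gets that account's authority,
* regardless of the userid the client itself asserts.
DEFINE CHANNEL('TEST.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('localadm') REPLACE

* Corrected setting: a dedicated channel per application.
* MCAUSER overrides the client-asserted userid with a local account
* that is NOT an MQ administrator. SSLCAUTH(REQUIRED) makes the client
* present a certificate, and SSLPEER only accepts the expected DN, so
* creating a local user called "John" on another box gains nothing.
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mqapp1') +
       SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256') +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app1-client,O=Example') REPLACE

* Grant 'mqapp1' only what the application needs:
* connect to the queue manager, then put/get on its own queue.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqapp1') +
    AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('APP1.REQUEST') OBJTYPE(QUEUE) +
    PRINCIPAL('mqapp1') AUTHADD(PUT, GET, INQ, BROWSE)

* Check the result before handing the channel to the application team.
DISPLAY CHANNEL('APP1.SVRCONN') MCAUSER SSLCIPH SSLCAUTH SSLPEER
DISPLAY AUTHREC PROFILE('APP1.REQUEST') OBJTYPE(QUEUE) +
        PRINCIPAL('mqapp1')

* Once the application has moved over, remove the test channel.
DELETE CHANNEL('TEST.SVRCONN')
```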