yeahyeah |
Posted: Sun Aug 06, 2006 7:22 pm Post subject: PCF command authority |
|
|
Novice
Joined: 06 Aug 2006 Posts: 18 Location: HK
|
Does the PCF command have any access control?
Like, I wrote a simple Java PCF that clears a queue, and I found that everyone who owns this pgm could clear the queue.....
wschutz |
Posted: Mon Aug 07, 2006 8:51 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
jefflowrey |
Posted: Mon Aug 07, 2006 9:56 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Users also need PUT permission to SYSTEM.ADMIN.COMMAND.QUEUE.
_________________
I am *not* the model of the modern major general.
yeahyeah |
Posted: Mon Aug 07, 2006 6:01 pm Post subject: |
|
|
Novice
Joined: 06 Aug 2006 Posts: 18 Location: HK
|
Thanks for the reply.
I am sure he's not in my mqm group; his account is not defined on the OS of the MQ server, not in any group.
Indeed, how does mqm know which user profile the issuer is using? I have read the JavaDoc of PCF and I can find no method to define a user profile (like JMS, ConnectionFactory.createConnection(UserID, PW)).
Forgot to mention, I am using MQ6.0 + win2000 + java1.4.2. The product will be implemented on AIX.
RogerLacroix |
Posted: Mon Aug 07, 2006 9:07 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
yeahyeah wrote: |
Thanks for the reply.
I am sure he's not in my mqm group; his account is not defined on the OS of the MQ server, not in any group.
Indeed, how does mqm know which user profile the issuer is using? I have read the JavaDoc of PCF and I can find no method to define a user profile (like JMS, ConnectionFactory.createConnection(UserID, PW)).
Forgot to mention, I am using MQ6.0 + win2000 + java1.4.2. The product will be implemented on AIX. |
Simple.
It is a Java application where you did not explicitly set a UserId. Therefore, you are exploiting a security hole - hence, you are actually using the 'mqm' UserId.
For more information, read my posting about MQ Visual Edit which is a Java program:
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
yeahyeah |
Posted: Mon Aug 07, 2006 10:29 pm Post subject: |
|
|
Novice
Joined: 06 Aug 2006 Posts: 18 Location: HK
|
Thank you, RogerLacroix.
I have read the post you provided. Yet aren't channels exposed to the public (I think I need to define MCAUSER, since attackers can simply blank the MQEnvironment.userID)? Does the channel have any authentication method (other than Certificate Auth; CA is cumbersome for me....)?
Another question: how do I define USERID in PCFMessageAgent? Do I need to do it by first creating an MQQueueManager object?
yeahyeah |
Posted: Mon Aug 07, 2006 11:25 pm Post subject: |
|
|
Novice
Joined: 06 Aug 2006 Posts: 18 Location: HK
|
When I use a non-mqm group userid for MCAUSER, the following error appears:
com.ibm.mq.MQException: MQJE001:completion code 2、reason 2035
at com.ibm.mq.MQQueueManager.accessQueue(MQQueueManager.java:2841)
at com.ibm.mq.pcf.PCFAgent.open(PCFAgent.java:406)
at com.ibm.mq.pcf.PCFAgent.open(PCFAgent.java:383)
at com.ibm.mq.pcf.PCFAgent.connect(PCFAgent.java:317)
at com.ibm.mq.pcf.PCFAgent.<init>(PCFAgent.java:211)
at com.ibm.mq.pcf.PCFMessageAgent.<init>(PCFMessageAgent.java:150)
at ClearQueue.<init>(ClearQueue.java:1
at ClearQueue.main(ClearQueue.java:10)
I wonder what queue it is going to access? It is just a connect call:
pcfa = new PCFMessageAgent("*.*.*.*", 1414, "SYSTEM.DEF.SVRCONN");
wschutz |
Posted: Tue Aug 08, 2006 1:49 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Quote: |
I wonder what queue it is going to access? |
jefflowrey wrote: |
Users also need PUT permission to SYSTEM.ADMIN.COMMAND.QUEUE. |
_________________ -wayne |
jefflowrey |
Posted: Tue Aug 08, 2006 1:49 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
jefflowrey wrote: |
Users also need PUT permission to SYSTEM.ADMIN.COMMAND.QUEUE. |
_________________ I am *not* the model of the modern major general. |
yeahyeah |
Posted: Tue Aug 08, 2006 5:44 pm Post subject: |
|
|
Novice
Joined: 06 Aug 2006 Posts: 18 Location: HK
|
wschutz wrote: |
Quote: |
I wonder what queue it is going to access? |
jefflowrey wrote: |
Users also need PUT permission to SYSTEM.ADMIN.COMMAND.QUEUE. |
|
I had. I even gave +all authorities. It still comes out with the same error message.... |
yeahyeah |
Posted: Tue Aug 08, 2006 11:38 pm Post subject: |
|
|
Novice
Joined: 06 Aug 2006 Posts: 18 Location: HK
|
An update: I tried to use MQQueueManager to connect to my mqm and it succeeded, even with no authorities given to SYSTEM.ADMIN.COMMAND.QUEUE. Yet when I use this MQQueueManager obj as a parm to initialize the PCFMessageAgent obj, it gives the same error....
What's the difference? I am totally confused.....
fjb_saper |
Posted: Wed Aug 09, 2006 1:23 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
What authorizations do you have on the Model queue to build your response queue?
_________________
MQ & Broker admin
yeahyeah |
Posted: Wed Aug 09, 2006 5:53 pm Post subject: |
|
|
Novice
Joined: 06 Aug 2006 Posts: 18 Location: HK
|
fjb_saper wrote: |
what authorizations do you have on the Model queue to build your response queue ? |
Thanks....I didn't give any....I gave it get, crt and dsp. Why is dsp needed?....
Does it say anywhere that I have to do this?...I am too stupid....
And, can I specify which queue is to be used as a response queue?
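
The pattern asked about earlier in the thread (creating the MQQueueManager first so a user ID can be set, then handing it to PCFMessageAgent), as an added example that is not code from any poster in this thread. The host, queue manager, user and target queue names are placeholders, and the classes are the MQ 6 `com.ibm.mq.pcf` ones that appear in the stack trace above.

```java
import java.io.IOException;
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.pcf.CMQC;
import com.ibm.mq.pcf.CMQCFC;
import com.ibm.mq.pcf.PCFMessage;
import com.ibm.mq.pcf.PCFMessageAgent;

public class ClearQueueAsUser {
    public static void main(String[] args) throws IOException {
        // Placeholder connection values (assumptions, not from the thread).
        MQEnvironment.hostname = "mqhost.example";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "SYSTEM.DEF.SVRCONN";
        // Supplied by the client and not authenticated by itself; an MCAUSER
        // set on the SVRCONN channel replaces it for authority checks.
        MQEnvironment.userID = "pcfuser";

        MQQueueManager qmgr = null;
        PCFMessageAgent agent = null;
        try {
            qmgr = new MQQueueManager("QM1");   // needs connect authority
            // Opens the command queue and builds a reply queue from a model queue.
            agent = new PCFMessageAgent(qmgr);
            PCFMessage request = new PCFMessage(CMQCFC.MQCMD_CLEAR_Q);
            request.addParameter(CMQC.MQCA_Q_NAME, "APP.TEST.QUEUE");
            agent.send(request);
            System.out.println("Queue cleared");
        } catch (MQException e) {
            if (e.reasonCode == MQException.MQRC_NOT_AUTHORIZED) {   // 2035
                System.err.println("2035: check this user's authority on "
                    + "SYSTEM.ADMIN.COMMAND.QUEUE (put) and on the model queue "
                    + "used to build the reply queue.");
            } else {
                System.err.println("MQ error, completion code " + e.completionCode
                    + ", reason " + e.reasonCode);
            }
        } finally {
            try {
                if (agent != null) agent.disconnect();
                if (qmgr != null) qmgr.disconnect();
            } catch (MQException e) {
                System.err.println("Disconnect failed, reason " + e.reasonCode);
            }
        }
    }
}
```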