specsri
Posted: Tue Aug 22, 2006 4:56 am Post subject: Server Connection Channel Security
Novice, Joined: 12 Aug 2006, Posts: 16

Dear All,
I am a newbie to MQ Server. I have been facing a problem in setting up security for my MQ test (Linux) environment. Our MQ client (Java) program is running on a remote machine. It requires a server connection channel to connect to the queue manager. I need to prevent client users from using this server connection channel to connect to my queue manager with MQ Explorer and for other administrative activities.
Thanks & Regards,
Sridhar H
Vitor
Posted: Tue Aug 22, 2006 5:01 am Post subject:
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA

I commend to your attention chapter 7 of the Clients manual, "Setting up WebSphere MQ client security" (or its online equivalent).
In here you will find detailed a number of possible solutions to your problem, from which you can pick the one best suited to your needs.
Happy Reading!
_________________
Honesty is the best policy.
Insanity is the best defence.
specsri
Posted: Tue Aug 22, 2006 6:01 am Post subject:
Novice, Joined: 12 Aug 2006, Posts: 16

Thanks for your reply, Vitor.
I just want to put it another way. I may have 3 ways of doing this connection from the MQ client:
1. Create a userid (not in the mqm group) and make this user the MCAUSER for the server-connection channel.
2. Create a userid and connect it to the mqm group.
3. Create a userid (not in the mqm group) and use the setmqaut command to specify authorization information for the server connection channel and queues.
Which is the right way?
Regards,
Sridhar H
HubertKleinmanns
Posted: Tue Aug 22, 2006 6:15 am Post subject:
Shaman, Joined: 24 Feb 2004, Posts: 732, Location: Germany

Sridhar H,
I think there is no "right way". It depends on what you need:
specsri wrote:
> 1. Create a userid (not in the mqm group) and make this user the MCAUSER for the server-connection channel.
This user must also be permitted via setmqaut. Otherwise you cannot connect to the QMgr or open a queue.
specsri wrote:
> 2. Create a userid and connect it to the mqm group.
Does "connect" mean as a member of? Then the user is permitted to all objects!
specsri wrote:
> 3. Create a userid (not in the mqm group) and use the setmqaut command to specify authorization information for the server connection channel and queues.
You still have to enter this user into the MCAUSER field or run your client app under this user.
_________________
Regards
Hubert
Vitor
Posted: Tue Aug 22, 2006 6:21 am Post subject: Re: Server Connection Channel Security
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA

specsri wrote:
> I need to prevent client users from using this server connection channel to connect to my queue manager with MQ Explorer and for other administrative activities.
There is no right way, but method 2 will allow precisely the scenario you seek to avoid. This sounds like the wrong way.....
I don't see a difference between methods 1 and 3.
_________________
Honesty is the best policy.
Insanity is the best defence.
specsri
Posted: Tue Aug 22, 2006 6:34 am Post subject:
Novice, Joined: 12 Aug 2006, Posts: 16

Thanks for your reply.
I am really confused about the user specified as MCAUSER versus the user allowed to access the server connection channel by the setmqaut command. From one technote, I could understand that:
If an MQ client uses a server connection channel, the MCAUSER specified in the channel will be considered for authentication.
setmqaut specifies the authentication for each MQ object in the server.
Please correct me if I am wrong.
Thanks & Regards,
Sridhar H
jefflowrey
Posted: Tue Aug 22, 2006 6:40 am Post subject:
Grand Poobah, Joined: 16 Oct 2002, Posts: 19981

The MCAUSER overrides whatever user is or is not specified by the client application.
So whoever connects to the channel will only be authorized as the MCAUSER, no matter what they specify - including null.
If the user in MCAUSER doesn't exist or has no MQ authorities, nobody can do anything with the channel.
_________________
I am *not* the model of the modern major general.
Vitor
Posted: Tue Aug 22, 2006 6:42 am Post subject:
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA

specsri wrote:
> If an MQ client uses a server connection channel, the MCAUSER specified in the channel will be considered for authentication.
If the channel has an MCAUSER specified, then all activity over that channel is performed as that user rather than the client's user. If you define a new user, then you must use setmqaut in the usual way to set the new user's permissions.
If you specify mqm as the MCAUSER you don't need to use setmqaut, because mqm automatically has permission over everything. For this reason it's seldom used in the MCAUSER.
Hope this makes it clearer.
_________________
Honesty is the best policy.
Insanity is the best defence.
specsri
Posted: Tue Aug 22, 2006 6:50 am Post subject:
Novice, Joined: 12 Aug 2006, Posts: 16

Thanks All,
Now I am clear and am preparing one test run for each case.
Regards,
Sridhar H
HubertKleinmanns
Posted: Tue Aug 22, 2006 6:56 am Post subject:
Shaman, Joined: 24 Feb 2004, Posts: 732, Location: Germany

The attribute MCAUSER defines a user name which is used by MQ for authorization checking. A good method to secure default channels (like SYSTEM.DEF.SVRCONN) is to alter this channel and set the MCAUSER to nobody (assuming nobody is a non-existing or unprivileged user).
You have to distinguish between authentication and authorization:
authentication means checking the user's identity (e. g. username / password or credit card / PIN code).
authorization means setting privileges to objects for a specific user.
Sample: When you want to read a file on a server, you first log in (authentication) and then the operating system checks if you are allowed to read the file (authorization).
MQ: When you set the MCAUSER in the channel, you override authentication. MQ does not ask for a password or so. But you still have to authorize this user to have access to the queues.
When you set the MCAUSER to mqm, any user who addresses this channel will have all permissions (because mqm has all permissions).
When you leave the MCAUSER blank, MQ will take the user name which comes with the channel (so this user must exist and be authorized).
BUT when you leave the MCAUSER blank, and the channel request also comes with a blank user id, MQ uses the user which started the listener - mostly this will be mqm itself (a security hole).
Hope this helps
_________________
Regards
Hubert
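The MCAUSER resolution and authorization rules Hubert describes above, applied to the three setups specsri listed earlier, as an added Python model (not code from this thread or from IBM MQ): the queue manager QM1, channel user appuser, queue APP.IN and the authority table are constructed, and the listener is assumed to have been started by mqm.

```python
# Added model of the MCAUSER / setmqaut behaviour described in this thread.
# Not IBM MQ code: object names and the authority table are constructed.
LISTENER_USER = "mqm"   # assumed: the listener was started by mqm itself
MQM_GROUP = "mqm"       # members of this group pass every authority check

# Constructed setmqaut-style table: (user, object) -> granted authorities.
# The equivalent real commands would be
#   setmqaut -m QM1 -t qmgr -p appuser +connect +inq
#   setmqaut -m QM1 -t queue -n APP.IN -p appuser +put +get
AUTH = {
    ("appuser", "QM1"): {"connect", "inq"},
    ("appuser", "APP.IN"): {"put", "get"},
}
GROUPS = {"mqm": {"mqm"}, "appuser": {"appuser"}}   # user -> OS groups


def effective_user(mcauser, client_user):
    """Identity MQ authorizes against, per the thread: a set MCAUSER
    overrides the client's id; a blank MCAUSER takes the client's id;
    blank MCAUSER plus blank client id falls back to the listener's user."""
    if mcauser:
        return mcauser
    if client_user:
        return client_user
    return LISTENER_USER


def is_authorized(user, obj, authority, auth=AUTH):
    """True if `user` holds `authority` on `obj` (mqm members always do)."""
    if MQM_GROUP in GROUPS.get(user, set()):
        return True
    return authority in auth.get((user, obj), set())


def check(mcauser, client_user, obj, authority, auth=AUTH):
    """Resolve the identity for one channel setup, then check one authority."""
    return is_authorized(effective_user(mcauser, client_user), obj, authority, auth)


if __name__ == "__main__":
    # Option 1: MCAUSER appuser plus setmqaut: app work allowed, admin (chg) not
    print(check("appuser", "sridhar", "APP.IN", "get"))   # True
    print(check("appuser", "sridhar", "QM1", "chg"))      # False
    # Option 2 / MCAUSER mqm: every client id becomes fully privileged
    print(check("mqm", "anyone", "QM1", "chg"))           # True
    # Blank MCAUSER and blank client id: runs as the listener's user (mqm)
    print(check("", "", "QM1", "chg"))                    # True
    # Option 1 without any setmqaut: nobody can do anything over the channel
    print(check("appuser", "sridhar", "QM1", "connect", auth={}))  # False
```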
jeevan
Posted: Tue Aug 22, 2006 9:21 am Post subject:
Grand Master, Joined: 12 Nov 2005, Posts: 1432

Quote:
> Hubert wrote
> When you set the MCAUSER to mqm, any user who addresses this channel will have all permissions (because mqm has all permissions).
Does that mean anyone can connect to the queue manager when mqm is set as the MCAUSER? Generally, we put a group name in MCAUSER and all the users in that group can do what is authorised. Does not the same principle apply in this case too? I mean only the users in the mqm group are allowed? Or any user that comes in on the channel, or a blank user, can connect to the queue manager and can do anything?
jefflowrey
Posted: Tue Aug 22, 2006 9:25 am Post subject:
Grand Poobah, Joined: 16 Oct 2002, Posts: 19981

jeevan wrote:
> Or any user that comes in on the channel, or a blank user, can connect to the queue manager and can do anything?
Yes.
The MCAUSER replaces whatever ID is passed in or not passed in.
_________________
I am *not* the model of the modern major general.
HubertKleinmanns
Posted: Tue Aug 22, 2006 10:27 am Post subject:
Shaman, Joined: 24 Feb 2004, Posts: 732, Location: Germany

jefflowrey wrote:
> jeevan wrote:
> > Or any user that comes in on the channel, or a blank user, can connect to the queue manager and can do anything?
> Yes.
> The MCAUSER replaces whatever ID is passed in or not passed in.
Except when you use SSL - then you may authenticate users via SSL certs!
_________________
Regards
Hubert
jefflowrey
Posted: Tue Aug 22, 2006 10:45 am Post subject:
Grand Poobah, Joined: 16 Oct 2002, Posts: 19981

HubertKleinmanns wrote:
> jefflowrey wrote:
> > The MCAUSER replaces whatever ID is passed in or not passed in.
> Except when you use SSL - then you may authenticate users via SSL certs!
I think MCAUSER will still override that userid.
But, yes, using SSL is a good way to authenticate users on a particular channel.
_________________
I am *not* the model of the modern major general.
HubertKleinmanns
Posted: Tue Aug 22, 2006 11:03 am Post subject:
Shaman, Joined: 24 Feb 2004, Posts: 732, Location: Germany

jefflowrey wrote:
> HubertKleinmanns wrote:
> > jefflowrey wrote:
> > > The MCAUSER replaces whatever ID is passed in or not passed in.
> > Except when you use SSL - then you may authenticate users via SSL certs!
> I think MCAUSER will still override that userid.
> But, yes, using SSL is a good way to authenticate users on a particular channel.
Jeff,
I agree, but the channel will not start when the certs are not accepted by the QMgr.
So you may connect (and be authenticated) as the user which you are logged in as on your client machine. But afterwards you will be authorized using the MCA user.
E. g. you may define a channel with MCA user mqm - so everybody who is able to start this channel is connected with mqm privileges - but only those users who have a valid cert are able to start the channel (and so connect to the QMgr).
_________________
Regards
Hubert