madiba |
Posted: Thu Nov 09, 2006 12:12 pm Post subject: Tying A Queue To A Channel |
|
|
Novice
Joined: 14 Oct 2005 Posts: 23
|
Is it possible to tie a channel to a queue so that one can only get and put messages from the queue attached to this channel?
Thanks in advance
Last edited by madiba on Thu Nov 09, 2006 12:28 pm; edited 1 time in total |
kevinf2349 |
Posted: Thu Nov 09, 2006 12:25 pm Post subject: |
|
|
 Grand Master
Joined: 28 Feb 2003 Posts: 1311 Location: USA
|
Quote: |
Is it possible to tie a channel to a queue |
I assume you are not referring to a transmission queue but rather to who (or what) can use the transmission queue?
I believe there is such a thing, I think it is called a security system |
madiba |
Posted: Thu Nov 09, 2006 12:32 pm Post subject: |
|
|
Novice
Joined: 14 Oct 2005 Posts: 23
|
This is a client connection to an MQ server. I can specify user ids, etc. but that would allow me to access perhaps other queues on the system as well. I need to restrict messages coming in from a client on the channel to a specific queue. |
jefflowrey |
Posted: Thu Nov 09, 2006 12:49 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
You want to say that anyone connecting to Channel A can only access Queue 1 - regardless of who they are?
Then set an MCAUser on the channel.
But that means that anyone connecting to that channel will be able to access Queue 1 - regardless of who they are.
If you want to make sure that only certain people who connect to Channel A can access Queue 1 - then you need to authenticate them. _________________ I am *not* the model of the modern major general. |
madiba |
Posted: Thu Nov 09, 2006 1:09 pm Post subject: |
|
|
Novice
Joined: 14 Oct 2005 Posts: 23
|
For now I just want to restrict to a queue. Will setting the MCAUSER allow me to only work on a specific queue? What if there are other queues on the Q Manager that don't have any user authorizations on them? I am trying to connect to another organization's QM and they have a bunch of queues set up for different clients. Problem is there are no user authorizations on them, i.e. anyone who has a channel connection to them can put messages in their queues. Their security consists of the fact that you can only put messages in their queues, but none of the queues has get authorization. We would like to get messages from our queue now and they can set it up like this if we can figure out a way that the channel configured for us can only get messages from our queue and not other queues on their Q manager. |
bruce2359 |
Posted: Thu Nov 09, 2006 1:48 pm Post subject: |
|
|
Guest
|
To summarize your issue: you run a client application (no qmgr on your platform) that connects to a queue manager.
No, a channel cannot be restricted to a queue. SVRCONN channels service multiple client connection channels.
The folks that administer the queue manager could alter the SVRCONN channel definition to include a PUTAUT (CTX). This tells the mca to use the context field of the message descriptor (the logged on user on the client platform) for authorization checking. This requires that the admins/security folks at the queue manager create the appropriate auth rules that allow the mca to open the destination queue and put your messages in it. |
jefflowrey |
Posted: Thu Nov 09, 2006 1:51 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
You can't explicitly restrict connections coming over a channel to a queue or set of queues based on the channel itself.
You can, as I've said, set the MCAUser on the channel. This will force everyone who connects to the channel to be that user.
Then you can restrict that user to a particular queue or set of queues.
Then you can use SSL to authenticate people connecting TO the channel. _________________ I am *not* the model of the modern major general. |
hopsala |
Posted: Fri Nov 10, 2006 6:26 am Post subject: |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
bruce2359 wrote: |
The folks that administer the queue manager could alter the SVRCONN channel definition to include a PUTAUT (CTX). This tells the mca to use the context field of the message descriptor (the logged on user on the client platform) for authorization checking. This requires that the admins/security folks at the queue manager create the appropriate auth rules that allow the mca to open the destination queue and put your messages in it. |
Problem is - context fields are under the complete control of the sender, so they are easily forged; this is not a very good solution.
Better go with what jeff said, which is the standard better-all-around configuration used. And just to clarify: authorizations are given to users (using setmqaut on open platforms, look it up) and you can set a certain channel to work with the authorizations of that user using the MCAUSER parameter.
Oh, and read the manuals! - there is no way that you can understand MQ security properly without investing some learning time; it's a complex topic. |
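
Added example, not part of any post in this thread: the MCAUSER-plus-authorization setup that jefflowrey and hopsala describe, written as a dry-run shell script. The queue manager, channel, user, group and queue names are constructed for illustration, and the SSL step is not shown.

```shell
#!/bin/sh
# Constructed names for illustration; none of them come from the thread.
QMGR=QM1                 # queue manager (assumed)
CHANNEL=PARTNER.SVRCONN  # SVRCONN channel handed to one client (assumed)
MCAUSER=partnera         # low-privilege OS user, not a member of mqm (assumed)
GROUP=partnera_grp       # group containing only that user (assumed)
QUEUE=PARTNER.A.OUT      # the only queue the client may read (assumed)

# MQSC: every connection arriving on the channel runs as $MCAUSER,
# whatever user id the client itself presents.
channel_mqsc() {
  printf "ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('%s')\n" "$CHANNEL" "$MCAUSER"
}

# setmqaut: grant connect on the queue manager and get/browse/inq on one
# queue, nothing else. Granting to a dedicated group (-g) keeps the
# authority from reaching any other user.
grant_cmds() {
  echo "setmqaut -m $QMGR -t qmgr -g $GROUP +connect +inq"
  echo "setmqaut -m $QMGR -n $QUEUE -t queue -g $GROUP +get +browse +inq"
}

# dspmqaut: show what the group holds on a given queue. Run it against
# other clients' queues too; they should list no authority for this group.
check_cmd() {
  echo "dspmqaut -m $QMGR -n $1 -t queue -g $GROUP"
}

# Dry run by default: print the plan. APPLY=1 executes it on the MQ server.
if [ "${APPLY:-0}" = 1 ]; then
  channel_mqsc | runmqsc "$QMGR"
  grant_cmds | sh -e
  check_cmd "$QUEUE" | sh
else
  echo "* MQSC to feed to: runmqsc $QMGR"
  channel_mqsc
  echo "* Authority commands:"
  grant_cmds
  check_cmd "$QUEUE"
fi
```

With this in place, a client on the channel can open only the one queue because the group behind the MCAUSER holds no authority on any other object; the channel itself still does not filter by queue.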