irony
Apprentice
Joined: 18 Nov 2005  Posts: 35  Location: US
Posted: Thu Dec 28, 2006 1:26 pm    Post subject: MCA User

Hello,

If I use the MCAUSER parameter for a 'cluster' receiver channel (and retain putaut at DEF), what queues (other than the application-specific queues) should the MCAUSER have authorities to?

(Like in case I use CTX for putaut on a cluster receiver channel, I will be giving rights to the userid for SYSTEM.CLUSTER.TRANSMIT.QUEUE.)

Thanks,

irony

JosephGramig
Grand Master
Joined: 09 Feb 2006  Posts: 1244  Location: Gold Coast of Florida, USA
Posted: Thu Dec 28, 2006 1:57 pm    Post subject:

Hmmm, this is a bad idea.

You should not grant any ID privileges to the SYSTEM.CLUSTER.TRANSMIT.QUEUE. If you do, you have given that ID rights to put to any queue on a remote QMGR unless you also specify CTX on the receiver or requester channel at the other end.

Use an alias queue at the originating point QMGR that has the target Q as the cluster queue hosted on a remote QMGR. Now you can grant permissions to the alias Q.

I would never grant anything to anybody for any queue that starts SYSTEM.*
_________________
Joseph

Administrator - IBM WebSphere MQ (WMQ) V6.0, IBM WebSphere Message Broker (WMB) V6.1 & V6.0

Solution Designer - WMQ V6.0

Solution Developer - WMB V6.1 & V6.0, WMQ V5.3

irony
Apprentice
Joined: 18 Nov 2005  Posts: 35  Location: US
Posted: Thu Dec 28, 2006 2:19 pm    Post subject: qalias

Hello,

Here is my scenario; I have a remote external server (A) connecting to internal server (B), which is clustered with C.

Server A puts a request to cluster queue(s) on B & C. In case I use ctx (putaut), there is an exposure, in that Server A can issue runmqsc commands to any server in the cluster. Hence, use of the mcauser field will be more secure. So, if I give a value for mcauser for the cluster receiver, should I give permissions to the mcauser to any queues other than the cluster request queues?

Thanks in advance,

irony

jsware
Chevalier
Joined: 17 May 2001  Posts: 455
Posted: Fri Dec 29, 2006 12:10 am    Post subject:

When we've had external qmgrs connecting to our internal network, I've set the mcauser on the receiver channel to a specific user ID and only given authority to the application queues and the dlq. Then if they send a runmqsc command it will go on the dlq.

You could choose to have no dlq. I believe the channel will fail, refusing the unauthorised msg. This might be a bad idea depending upon your requirements.

My understanding is that if you use PUTAUT(CTX), then the user ID embedded in the message is used for authorisation. Thus if I were at qmgr A sending to your PUTAUT(CTX) channel, I could put a message as mqm and it would be allowed to go anywhere. If qmgr A is external, you probably don't have control over who has access to mqm, root user IDs.
_________________
Regards

John

The pain of low quality far outlasts the joy of low price.
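The locked-down setup that JosephGramig and jsware describe above, written out as an added dry-run script (not code from this thread, from IBM, or from any poster): it emits the MQSC and setmqaut commands instead of running them, and refuses to generate a grant on any SYSTEM.* queue other than the dead-letter queue. The queue manager names QMA and QMB, the channel TO.QMB, the user ids mqextapp and appuser, and the queues APP.REQUEST.Q and APP.REPLY.Q are assumptions. TARGQ is the MQ V6 keyword for an alias target (later releases also accept TARGET), and +setall is granted alongside +put because a receiving MCA puts inbound messages with set-all context.

```shell
#!/bin/sh
# Added example, not code from the thread: a dry-run generator for the
# MCAUSER approach. All queue manager, channel, queue and user names below
# are assumptions chosen for illustration.

QMGR="QMB"                      # assumed internal cluster member hosting the request queues
CHANNEL="TO.QMB"                # assumed cluster receiver channel the external qmgr connects to
MCA_ID="mqextapp"               # assumed low-privilege OS user id to set as MCAUSER
DLQ="SYSTEM.DEAD.LETTER.QUEUE"  # the one SYSTEM.* queue the MCA is allowed to put to

# Guard: never grant anything on SYSTEM.* queues, the DLQ excepted.
# Returns 1 and names the offender on stderr; returns 0 when the list is clean.
check_no_system_grants() {
    for q in "$@"; do
        case "$q" in
            "$DLQ") ;;
            SYSTEM.*) echo "refusing to grant authority on $q" >&2; return 1 ;;
        esac
    done
    return 0
}

# MQSC for the receiving side: pin the channel to MCA_ID and keep PUTAUT(DEF),
# so the user id carried in the inbound message context is never used.
mqsc_receiver_commands() {
    printf "ALTER CHANNEL('%s') CHLTYPE(CLUSRCVR) MCAUSER('%s') PUTAUT(DEF)\n" "$CHANNEL" "$MCA_ID"
}

# setmqaut for the receiving side: connect to the queue manager, then put
# (with set-all context, which the MCA needs) on each application queue and
# on the DLQ only, so a misrouted runmqsc command lands on the DLQ.
setmqaut_receiver_commands() {
    check_no_system_grants "$@" || return 1
    printf "setmqaut -m %s -t qmgr -p %s +connect +inq\n" "$QMGR" "$MCA_ID"
    for q in "$@" "$DLQ"; do
        printf "setmqaut -m %s -t queue -n %s -p %s +put +setall\n" "$QMGR" "$q" "$MCA_ID"
    done
}

# Originating side (JosephGramig's alias): a local alias that resolves to the
# cluster queue, with the application user authorised on the alias only, so
# nothing is ever granted on SYSTEM.CLUSTER.TRANSMIT.QUEUE.
alias_commands() {
    from_qmgr="$1"; app_user="$2"; cluster_queue="$3"
    printf "DEFINE QALIAS('%s.ALIAS') TARGQ('%s') REPLACE\n" "$cluster_queue" "$cluster_queue"
    printf "setmqaut -m %s -t queue -n %s.ALIAS -p %s +put\n" "$from_qmgr" "$cluster_queue" "$app_user"
}

# Dry run for the assumed queues: prints the commands for review.
mqsc_receiver_commands
setmqaut_receiver_commands APP.REQUEST.Q APP.REPLY.Q
alias_commands QMA appuser APP.REQUEST.Q
```

Review the printed lines, then feed the ALTER and DEFINE lines to runmqsc on the named queue manager and run the setmqaut lines as an MQ administrator; the guard that rejects SYSTEM.* grants is the part worth keeping in any such script.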
		
		
exerk
Jedi Council
Joined: 02 Nov 2006  Posts: 6339
Posted: Fri Dec 29, 2006 12:46 am    Post subject:

Or consider a 'Gateway' queue manager that uses a point-to-point connection from the external but distributes the messages to your cluster via a qmgr alias.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

irony
Apprentice
Joined: 18 Nov 2005  Posts: 35  Location: US
Posted: Fri Dec 29, 2006 4:29 pm    Post subject: mca user

Hello,

Thanks for the inputs. I will have to stick to mcauser in my case then; right now we do not have the privilege of a 'gateway' queue manager.

So I just need to authorise the mcauser for application queues only; what about the SYSTEM.CLUSTER.COMMAND.QUEUE? Should the external user have authority for this queue?

Thanks again,

irony

jefflowrey
Grand Poobah
Joined: 16 Oct 2002  Posts: 19981
Posted: Fri Dec 29, 2006 5:31 pm    Post subject:

JosephGramig wrote:
    I would never grant anything to anybody for any queue that starts SYSTEM.*

_________________
I am *not* the model of the modern major general.

irony
Apprentice
Joined: 18 Nov 2005  Posts: 35  Location: US
Posted: Fri Dec 29, 2006 5:46 pm    Post subject: never grant permissions for SYSTEM.* queues

Yes; I agree.

But in my situation, wherein I do not have a gateway, but still need to cluster the external server, is there a work-around?

Thanks,

irony

jefflowrey
Grand Poobah
Joined: 16 Oct 2002  Posts: 19981
Posted: Fri Dec 29, 2006 6:28 pm    Post subject:

JosephGramig wrote:
    Use an alias queue at the originating point QMGR

_________________
I am *not* the model of the modern major general.