InHouse Client Security
PeterPotkay
Posted: Tue Oct 09, 2001 1:24 pm
If one is within the firewall, and happens to know the HostName of a machine and the SVRCONN channel responsible for accepting Client Connects, you have the info needed to connect to a Queue Manager and, say, browse messages. If this is a production box, this person has access to possibly sensitive data. I was able to connect to a production box today and were I so inclined, could've cleared some queues.
How do we secure access to these boxes against rogue MQ clients (while allowing the good guys in)? It's not too difficult to get the HostName in-house, and our Client Channels follow a specific naming convention, so that can be easily figured out.
I assume this has something to do with the MCAUSERIDENTIFIER field? Maybe not, as I can go to 3 different Queue Managers and connect to all of them, even though they all have a different value in this field. What about the SYSTEM.DEF.SVRCONN channel? Should that also have some special security setting set?
Is a firewall adequate to stop outside Clients from connecting if they know the hostname?
Peter Potkay
Peter.Potkay@TheHartford.com
EddieA
Posted: Tue Oct 09, 2001 4:19 pm
Peter,
You say that these 3 channels have values in MCAUSERIDENTIFIER. Do you mean MCAUSER? If so, then this is your security hole.
When this field is set, every incoming connection is authenticated using that value, not the user who originated the request.
So, if that MCAUSER ID is part of group mqm, they have free rein over everything.
Change that field to a blank, and then every connection is validated based on the user who makes the connection.
Cheers.
Eddie Atherton
NickB
Posted: Wed Oct 10, 2001 12:08 am
However, don't forget that because there is no explicit password checking with client connections, if you know the id of a valid mqm-type user, you can log on to your own machine as that user and then bingo - you're in.
There are 2 ways of solving this problem:
1) Don't define any SVRCONNs to your qmgr!
2) Write a security exit such that on the client side you are challenged for an id and pwd and on the server side this information is then used to check against some security database. For servers such as OS/390 you can make SAF calls to either ACF/2 or RACF, on other platforms there is no real "standard" security product so this becomes more tricky.
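An added example, not from any poster in this thread: a small Python audit that parses `runmqsc` DISPLAY CHANNEL output and flags the two SVRCONN settings discussed above (a blank MCAUSER, which trusts whatever user ID the client asserts with no password check, and an MCAUSER that is an mqm administrator, which gives every client full access), plus the well-known SYSTEM.DEF.SVRCONN name. The sample output and channel names are constructed; only `mqm` is treated as an admin ID, which is an assumption to extend for your own systems.

```python
import re

# Constructed sample of runmqsc output for DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) ALL.
# Attribute names follow MQSC; channel names and values are invented for this example.
SAMPLE_MQSC_OUTPUT = """\
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              MAXMSGL(4194304)
AMQ8414I: Display Channel details.
   CHANNEL(PROD.CLIENT.SVRCONN)            CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            MAXMSGL(4194304)
AMQ8414I: Display Channel details.
   CHANNEL(APP.CLIENT.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER(appuser)                        MAXMSGL(4194304)
"""

ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")  # NAME(value) pairs as runmqsc prints them
ADMIN_IDS = {"mqm"}  # assumption: add any other member of the local mqm group here

def parse_channels(mqsc_output):
    """Split runmqsc output into one {ATTRIBUTE: value} dict per displayed channel."""
    channels = []
    for line in mqsc_output.splitlines():
        if line.startswith("AMQ8414I"):  # each channel's block opens with this message
            channels.append({})
        elif channels:
            for name, value in ATTR_RE.findall(line):
                channels[-1][name] = value.strip()  # "MCAUSER( )" becomes ""
    return channels

def audit_svrconn(channels):
    """Return {channel: [reasons]} for SVRCONN channels that trust clients too far."""
    findings = {}
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        name, mcauser = ch.get("CHANNEL", "?"), ch.get("MCAUSER", "")
        reasons = []
        if mcauser == "":
            reasons.append("blank MCAUSER: the connection runs as whatever user ID the "
                           "client asserts, and client connections carry no password check")
        elif mcauser in ADMIN_IDS:
            reasons.append(f"MCAUSER({mcauser}) is an MQ administrator: every client "
                           "that reaches this channel gets full access")
        if name == "SYSTEM.DEF.SVRCONN":
            reasons.append("default channel name, known to anyone who can reach the listener")
        if reasons:
            findings[name] = reasons
    return findings
```

Feed it the real output of `runmqsc QMGR < display.mqsc` instead of the sample to review a live queue manager; APP.CLIENT.SVRCONN in the sample passes because its MCAUSER is a fixed, non-administrative ID.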