HenriqueS
Posted: Thu Jan 18, 2007 12:58 pm Post subject: Secure SYSTEM.ADMIN.SVRCONN, accessing a remote QM
Master
Joined: 22 Sep 2006 Posts: 235

Hello,
It's common knowledge that I can enable remote administration of some QMs by creating an admin channel on these remote QMs:
def chl(SYSTEM.ADMIN.SVRCONN) chltype(SVRCONN) mcauser('mqm')
But as far as I've read, this enables anyone in my LAN running MQ Explorer or other admin tools to connect to those QMs!
How can I make this safer? Should I just create some user on my machine, run MQ Explorer under this user's rights ("Run as...") and set the mcauser on the admin channel to this username?
What are the solutions? We want no more than 3 people in my organization to be able to remotely administer these QMs.
Many thanks!

jefflowrey
Posted: Thu Jan 18, 2007 1:08 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

SSL.
_________________
I am *not* the model of the modern major general.

pathipati
Posted: Thu Jan 18, 2007 1:19 pm Post subject:
Master
Joined: 03 Mar 2006 Posts: 296

Yes, MCA user also works..

jefflowrey
Posted: Thu Jan 18, 2007 1:22 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

pathipati wrote:
> Yes, MCA user also works..

No, MCAUser ensures that anyone who can connect is authorized as a particular person. It does nothing to prevent the wrong people from connecting.
SSL does.
_________________
I am *not* the model of the modern major general.

HenriqueS
Posted: Thu Jan 18, 2007 1:52 pm Post subject:
Master
Joined: 22 Sep 2006 Posts: 235

You are saying that I can set the MCAUSER to xxx and run MQ Explorer under this xxx name, but that anyone who guesses who xxx is can use it to connect, right?
jefflowrey wrote:
> pathipati wrote:
> > Yes, MCA user also works..
> No, MCAUser ensures that anyone who can connect is authorized as a particular person. It does nothing to prevent the wrong people from connecting.
> SSL does.

pathipati
Posted: Thu Jan 18, 2007 1:55 pm Post subject:
Master
Joined: 03 Mar 2006 Posts: 296

Quote:
> You are saying that I can set the MCAUSER to xxx and run MQ Explorer under this xxx name, but that anyone who guesses who xxx is can use it to connect, right?
Right, but if you think you can keep xxx harder to guess then it works.

jefflowrey
Posted: Thu Jan 18, 2007 3:21 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

NO.
Anyone who connects to the channel will become XXXX, with all authorities granted to that user.
Setting an MCAUser actually decreases security in most cases where the channel connection is not otherwise secured. The only time it increases security is when it is set to a non-existent user.
If I know that there is a queue manager at SYSTEM.DEF.SVRCONN/TCP/hostname(port), and I connect to that with MQ Explorer, then the OS level user ID I'm running MQ Explorer as is what is used to authorize me.
If SYSTEM.DEF.SVRCONN has an MCAUSER, then it doesn't matter what OS level user ID I'm running MQ Explorer on - I have all rights and privileges that the MCA User has.
_________________
I am *not* the model of the modern major general.

exerk
Posted: Fri Jan 19, 2007 3:44 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

If SSL is not an option then you can use 'poor man's SSL', the BlockIP2 channel exit.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

bbburson
Posted: Fri Jan 19, 2007 6:59 am Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager

exerk wrote:
> If SSL is not an option then you can use 'poor man's SSL', the BlockIP2 channel exit.
Internally managed, self-signed certificates are about as 'poor man's' as you can get.

exerk
Posted: Fri Jan 19, 2007 7:05 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

bbburson wrote:
> exerk wrote:
> > If SSL is not an option then you can use 'poor man's SSL', the BlockIP2 channel exit.
> Internally managed, self-signed certificates are about as 'poor man's' as you can get.
Couldn't agree more...please tell my management lot here, as perhaps they'll listen to you.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

jefflowrey
Posted: Fri Jan 19, 2007 7:21 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Tell your management you're implementing provisions to secure your queue managers.
Don't bother them with the details - if they ask, tell them you're using an IBM supplied and supported channel exit that happens to be bundled with the product.
_________________
I am *not* the model of the modern major general.

exerk
Posted: Fri Jan 19, 2007 7:28 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

jefflowrey wrote:
> Tell your management you're implementing provisions to secure your queue managers.
> Don't bother them with the details - if they ask, tell them you're using an IBM supplied and supported channel exit that happens to be bundled with the product.
Not too worried anymore, out of here in 5 weeks.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

KevinF23492
Posted: Fri Jan 19, 2007 11:17 am Post subject:
Novice
Joined: 26 Dec 2006 Posts: 22

bbburson wrote:
> exerk wrote:
> > If SSL is not an option then you can use 'poor man's SSL', the BlockIP2 channel exit.
> Internally managed, self-signed certificates are about as 'poor man's' as you can get.
I would almost agree with you, but you have been 'trumped' by.....
Quote:
> Quote:
> > You are saying that I can set the MCAUSER to xxx and run MQ Explorer under this xxx name, but that anyone who guesses who xxx is can use it to connect, right?
> Right, but if you think you can keep xxx harder to guess then it works.

bbburson
Posted: Fri Jan 19, 2007 11:33 am Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager

KevinF23492 wrote:
> bbburson wrote:
> > exerk wrote:
> > > If SSL is not an option then you can use 'poor man's SSL', the BlockIP2 channel exit.
> > Internally managed, self-signed certificates are about as 'poor man's' as you can get.
> I would almost agree with you, but you have been 'trumped' by.....
> Quote:
> > Quote:
> > > You are saying that I can set the MCAUSER to xxx and run MQ Explorer under this xxx name, but that anyone who guesses who xxx is can use it to connect, right?
> > Right, but if you think you can keep xxx harder to guess then it works.
Which was over-trumped by:
jefflowrey wrote:
> NO.
> Anyone who connects to the channel will become XXXX, with all authorities granted to that user.
> Setting an MCAUser actually decreases security in most cases where the channel connection is not otherwise secured. The only time it increases security is when it is set to a non-existent user.

HenriqueS
Posted: Fri Jan 26, 2007 8:38 am Post subject:
Master
Joined: 22 Sep 2006 Posts: 235

Continuing this thread: so a better approach would be setting specific authorizations for the MQ objects. Such authorizations can be seen/set using the tools dspmqaut/setmqaut. Right? And an even better approach would be to provide secure channels.
Does anyone know about any GUI tools that I may rely on for doing this (setmqaut/dspmqaut)? MQ Explorer does not seem to provide that and leaves only the command line utils.
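The following is an added worked example, not code from this thread and not IBM MQ's own authorization logic. It turns the points made above into a small executable model: jefflowrey's explanation that a blank MCAUSER authorizes whatever user ID the client asserts, that a set MCAUSER makes every caller that user, that only a non-existent MCAUSER refuses people, and that SSL client authentication (with an SSLPEER filter) is what decides who may connect at all; plus the last post's point that object authorizations, as set with setmqaut and displayed with dspmqaut, decide what the resolved identity may then do. Every user name, DN, channel attribute and authority set is constructed for the example, the SSLPEER filter is modelled as a plain substring match (real MQ matches DN attributes), and `QueueManager`, `SvrConn` and `Client` are hypothetical classes that exist only here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SvrConn:
    """SVRCONN attributes that matter for this thread (constructed model)."""
    name: str
    mcauser: str = ""            # blank: the client's asserted user ID is used
    ssl_required: bool = False   # stands in for SSLCIPH set plus SSLCAUTH(REQUIRED)
    ssl_peer: str = ""           # stands in for an SSLPEER filter (substring match here)


@dataclass
class Client:
    """What a connecting admin tool presents; chosen entirely by the client side."""
    asserted_user: str             # OS user the tool (e.g. MQ Explorer) runs as
    cert_dn: Optional[str] = None  # subject DN of the client certificate, if any


@dataclass
class QueueManager:
    channel: SvrConn
    local_users: Set[str]
    # (principal, object) -> authorities: the table setmqaut fills and dspmqaut shows
    grants: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def setmqaut(self, principal: str, obj: str, *auths: str) -> None:
        """Model of 'setmqaut -m <qm> -t <type> -n <obj> -p <principal> +auth ...'."""
        self.grants.setdefault((principal, obj), set()).update(auths)

    def dspmqaut(self, principal: str, obj: str) -> Set[str]:
        """Model of 'dspmqaut -m <qm> -t <type> -n <obj> -p <principal>'."""
        return set(self.grants.get((principal, obj), set()))

    def connect(self, client: Client) -> Tuple[bool, str]:
        """Return (True, effective_user) or (False, reason) for one connection."""
        ch = self.channel
        # 1. Admission: only SSL client authentication can turn a caller away
        #    before any identity has been assigned.
        if ch.ssl_required:
            if client.cert_dn is None:
                return False, "refused: SSLCAUTH(REQUIRED) but no client certificate"
            if ch.ssl_peer and ch.ssl_peer not in client.cert_dn:
                return False, "refused: certificate DN does not match SSLPEER"
        # 2. Identity: a set MCAUSER overrides whatever the client asserted.
        user = ch.mcauser or client.asserted_user
        # 3. An identity the server does not know cannot be authorized at all.
        if user not in self.local_users:
            return False, "refused: user '%s' unknown to the queue manager" % user
        return True, user

    def may(self, client: Client, obj: str, auth: str) -> bool:
        """Would this caller hold 'auth' on 'obj' once connected?"""
        accepted, who = self.connect(client)
        return accepted and auth in self.dspmqaut(who, obj)


def original_post_channel() -> Tuple[bool, str]:
    """mcauser('mqm') and no SSL: a caller nobody has heard of becomes mqm."""
    qm = QueueManager(SvrConn("SYSTEM.ADMIN.SVRCONN", mcauser="mqm"), {"mqm", "alice"})
    qm.setmqaut("mqm", "qmgr", "connect", "inq", "set", "alladm")
    return qm.connect(Client(asserted_user="eve"))


def stranger_gets_admin_rights() -> bool:
    """Same channel: the stranger also inherits every authority granted to mqm."""
    qm = QueueManager(SvrConn("SYSTEM.ADMIN.SVRCONN", mcauser="mqm"), {"mqm", "alice"})
    qm.setmqaut("mqm", "qmgr", "connect", "inq", "set", "alladm")
    return qm.may(Client(asserted_user="eve"), "qmgr", "alladm")


def blank_mcauser_trusts_the_client() -> Tuple[bool, str]:
    """MCAUSER blank: the asserted OS user is believed, so a client run as mqm is mqm."""
    qm = QueueManager(SvrConn("SYSTEM.ADMIN.SVRCONN"), {"mqm", "alice"})
    return qm.connect(Client(asserted_user="mqm"))


def nonexistent_mcauser() -> Tuple[bool, str]:
    """The one case where MCAUSER alone adds security: it names nobody."""
    qm = QueueManager(SvrConn("SYSTEM.ADMIN.SVRCONN", mcauser="nosuchuser"), {"mqm"})
    return qm.connect(Client(asserted_user="alice"))


def ssl_with_peer_filter() -> List[Tuple[bool, str]]:
    """SSL client auth plus SSLPEER decides who connects; MCAUSER then maps the
    admitted certificate holders to one account whose rights come from setmqaut."""
    qm = QueueManager(
        SvrConn("SYSTEM.ADMIN.SVRCONN", mcauser="mqadmin",
                ssl_required=True, ssl_peer="OU=MQ Admins"),
        {"mqm", "mqadmin"},
    )
    qm.setmqaut("mqadmin", "qmgr", "connect", "inq", "dsp")
    return [
        qm.connect(Client("eve")),                                            # no certificate
        qm.connect(Client("eve", cert_dn="CN=eve,OU=Developers,O=Example")),  # wrong OU
        qm.connect(Client("alice", cert_dn="CN=alice,OU=MQ Admins,O=Example")),
    ]
```

Running the scenario functions reproduces the thread's argument in order: `original_post_channel()` and `stranger_gets_admin_rights()` show why mcauser('mqm') on an unprotected channel hands full rights to anyone on the LAN, `blank_mcauser_trusts_the_client()` shows that leaving MCAUSER blank only moves the trust to a client-chosen value, `nonexistent_mcauser()` is jefflowrey's single exception, and `ssl_with_peer_filter()` is the combination the thread converges on: admission by certificate, a fixed MCAUSER so the channel never runs as mqm, and an explicit setmqaut grant list that is what dspmqaut would later show an auditor.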