MQ Visual Edit
vjsony
Posted: Tue Jul 30, 2002 12:52 am    Post subject: MQ Visual Edit

Apprentice

Joined: 01 Aug 2001
Posts: 45

Hi all,

I've downloaded the beta version MQ Visual Edit.

I've tried putting a message on a queue belonging to a queue manager on a remote machine. I'm not a user on that machine but the MQPut still went through. No authorisation errors ..

Any idea how this was done?

Regards
VJ
cmdmqm
Posted: Tue Jul 30, 2002 1:10 am

Novice

Joined: 04 Feb 2002
Posts: 24
Location: Berlin

If no user id is supplied via the application (which is obviously the case here, as it is with MQJExplorer), the user id is taken from the user who started the server connection channel - if it's an AIX machine, this is normally mqm, on a Win2k machine this is MUSR_MQADMIN. No need to say that this is a way to open up a machine quite widely.
mrlinux
Posted: Tue Jul 30, 2002 6:32 am

Grand Master

Joined: 14 Feb 2002
Posts: 1261
Location: Detroit,MI USA

What srvconn channel did you configure MQ Visual Edit to use ???
I would check that definition on the remote box and see if there is an MCAUSER set up.
_________________
Jeff

IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
clindsey
Posted: Tue Jul 30, 2002 9:31 am    Post subject: MQ Visual Edit

Knight

Joined: 12 Jul 2002
Posts: 586
Location: Dallas, Tx

Another suggestion is to set the putaut field on the receiver
side of the channel to CTX. Then the useridentifier field is
copied to the alternateuserid field and authentication is
done against this id rather than the process owner.
RogerLacroix
Posted: Tue Jul 30, 2002 8:28 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hi,

clindsey, what you described does not apply to SVRCONN channels (PUTAUTH is not a valid option).

What most people forget or don't realize is that there is NO default security with client channels (SVRCONN). You can drive a truck through this security hole.

I have been to many banks in the last few years who told me that they had tight security on their production queue managers. All I do is plug my laptop into their network, start-up one of my various Java programs, point it to the hostname, use SYSTEM.DEF.SVRCONN, and guess at the port # (usually 1414) and bingo - I'm in.

If you want security then you need exits at both ends.

If you are running MQ Visual Edit in a non-binding mode then the UserId used to put the message on the queue will be the UserId of the MCA (MUSR_ADMIN for Windows, mqm for Unix, ****CHIN for MVS, QMQM for OS/400, etc...).

If you set the MCA UserId field of the SVRCONN channel to another UserId then that particular UserId will be used for the put of the message.

later
Roger Lacroix
Enterprise Architect
Capitalware Inc.
http://www.capitalware.biz
----------------------------------------
IBM Certified Specialist - MQSeries
IBM Certified Developer - MQSeries
IBM Certified Solutions Expert - MQSeries
----------------------------------------
vjsony
Posted: Tue Jul 30, 2002 10:10 pm

Apprentice

Joined: 01 Aug 2001
Posts: 45

Hi ,

How do you get the user id of the MCA?

While opening a queue, it's possible to specify the user id.
But how are connection errors handled? During a MQConn call, it's possible to get MQRC_NOT_AUTHORIZED errors. Is there any way of avoiding these?

Regards,
VJ
RogerLacroix
Posted: Wed Jul 31, 2002 7:45 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hi,

I (MQ Visual Edit) don't get the MCA's UserId. Since I did not specify one then the MCA uses its own (nice security hole).

For Java programs, a UserId can be set using the MQEnvironment.userID variable. But then the UserId must exist plus have the appropriate security level on the target platform or you will receive the not authorized reason code.

So, I thought it was better not to specify a UserId, hence the user will get free rein of the queue manager.

later
Roger...
vjsony
Posted: Thu Aug 01, 2002 7:23 pm

Apprentice

Joined: 01 Aug 2001
Posts: 45

Hi Roger,

I've written a C program on UNIX which connects to an MQServer on NT. But I've encountered MQRC_NOT_AUTHORIZED during the MQCONN operation (since the current user on UNIX is not an authorized user on NT)

I'm wondering will the same happen if MQ Visual Edit was installed on UNIX connecting to a queue manager on NT? Or since MQ Visual Edit is Java-based, this error won't occur?

Awaiting your reply.

Regards,
VJ.
RogerLacroix
Posted: Thu Aug 01, 2002 7:50 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

IBM implemented client connectivity differently for Java vs C/C++/COBOL/VB.

For C/C++/COBOL/VB client programs, the UserId associated with the MQ application will be checked on the remote queue manager to verify if the action can be done.

But for Java, if the MQ Java application does NOT fill-in the MQEnvironment.userID and MCA UserId is blank then security checking on the remote queue manager is skipped.

Like I said, a great big security hole.

later
Roger...
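An added example (not from any poster or from IBM): a Python check over the output of the MQSC command `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SCYEXIT`, flagging the SVRCONN channels that behave as described in the posts above (blank MCA UserId, or an MCA UserId that is an MQ administrative id). The runmqsc output is constructed; every channel name except SYSTEM.DEF.SVRCONN, the `app1svc` id and the exit path are hypothetical.

```python
import re

# Constructed sample of runmqsc output for the MQSC command
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SCYEXIT
# Only SYSTEM.DEF.SVRCONN comes from the thread; the rest is hypothetical.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1svc)                        SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SCYEXIT( )
AMQ8414: Display Channel details.
   CHANNEL(EXIT.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )                              SCYEXIT(/var/mqm/exits/chk(ChlExit))
"""

# NAME(value); the value may hold one nested pair, as in library(function).
ATTR = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")
ADMIN_IDS = {"mqm", "musr_mqadmin"}  # MCA ids named in the thread

def parse_channels(text):
    """Return one attribute dict per SVRCONN channel in runmqsc output."""
    records = text.split("AMQ8414:")[1:]
    parsed = [{k: v.strip() for k, v in ATTR.findall(r)} for r in records]
    return [c for c in parsed if c.get("CHLTYPE") == "SVRCONN"]

def audit(text):
    """Flag channels whose client work would run under the MCA's or an admin id."""
    findings = []
    for ch in parse_channels(text):
        user, has_exit = ch.get("MCAUSER", ""), bool(ch.get("SCYEXIT"))
        if user.lower() in ADMIN_IDS:
            findings.append((ch["CHANNEL"], "high", "MCAUSER is an MQ admin id"))
        elif not user and not has_exit:
            findings.append((ch["CHANNEL"], "high", "blank MCAUSER, no security exit"))
        elif not user:
            findings.append((ch["CHANNEL"], "review", "blank MCAUSER, exit must set the id"))
    return findings

if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE):
        print(f"{severity:6} {name}: {reason}")
```

A channel with a dedicated low-privilege MCAUSER, such as the hypothetical APP1.SVRCONN here, is not reported.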
vjsony
Posted: Thu Aug 01, 2002 10:20 pm

Apprentice

Joined: 01 Aug 2001
Posts: 45

Thanks Roger.

Regards,
VJ.