InHouse Client Security
PeterPotkay
Posted: Tue Oct 09, 2001 1:24 pm

Poobah

Joined: 15 May 2001
Posts: 7717

If one is within the firewall, and happens to know the HostName of a machine and the SVRCONN channel responsible for accepting Client Connects, you have the info needed to connect to a Queue Manager and, say, browse messages. If this is a production box, this person has access to possibly sensitive data. I was able to connect to a production box today and were I so inclined, could've cleared some queues.

How do we secure access to these boxes via rogue MQClients (while allowing the good guys in)? It's not too difficult to get the HostName in-house and our Client Channels follow a specific naming convention, so that can be easily figured out.

I assume this has something to do with the MCAUSERIDENTIFIER field? Maybe not, as I can go to 3 different Queue Managers and connect to all of them, even though they all have a different value in this field. What about the SYSTEM.DEF.SVRCONN channel. Should that also have some special security setting set?

Is a firewall adequate to stop outside Clients from connecting if they know the hostname?

Peter Potkay
Peter.Potkay@TheHartford.com


_________________
Peter Potkay
Keep Calm and MQ On
EddieA
Posted: Tue Oct 09, 2001 4:19 pm

Jedi

Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles

Peter,

You say that these 3 channels have values in MCAUSERIDENTIFIER. Do you mean MCAUSER? If so, then this is your security hole.

When this field is set, every incoming connection is authenticated using that value. Not the user who originated the request.


So, if that MCAUSER ID is part of group mqm, they have free rein over everything.

Change that field to a blank, and then every connection is validated based on the user who makes the connection.

Cheers.

_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0
NickB
Posted: Wed Oct 10, 2001 12:08 am

Centurion

Joined: 20 May 2001
Posts: 107
Location: Zurich Financial Services

However, don't forget that because there is no explicit password checking with client connections, if you know the id of a valid mqm-type user, you can log on to your own machine as that user and then bingo - you're in.

There are 2 ways of solving this problem:
1) Don't define any SVRCONNs to your qmgr!
2) Write a security exit such that on the client side you are challenged for an id and pwd and on the server side this information is then used to check against some security database. For servers such as OS/390 you can make SAF calls to either ACF/2 or RACF, on other platforms there is no real "standard" security product so this becomes more tricky.
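As an added defender's check (not code from this thread, nor from IBM MQ), the script below parses the output of `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` from runmqsc and flags the two conditions the replies above describe: an MCAUSER that is a member of group mqm (every client inherits full rights), and a blank MCAUSER, where the channel simply trusts whatever user ID the client asserts without a password. The runmqsc sample and the mqm membership set are constructed for the example.

```python
import re
import sys

# Constructed sample of what `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc QM1` prints.
SAMPLE_RUNMQSC_OUTPUT = """\
     1 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(appuser)
"""
# Assumed membership of group mqm on the queue manager host (constructed; read /etc/group for real).
MQM_MEMBERS = {"mqm", "mqadmin"}
ATTR_RE = re.compile(r"(\w+)\(([^)]*)\)")

def parse_channels(text):
    """Collect the ATTR(value) pairs that follow each AMQ8414 line into one dict per channel."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):
            current = {}
            channels.append(current)
        elif current is not None and line.startswith(" "):
            for key, value in ATTR_RE.findall(line):
                current[key] = value.strip()  # "MCAUSER( )" yields ""
    return channels

def audit_svrconn(text, mqm_members):
    """Return (channel, reason) pairs for every SVRCONN whose MCAUSER setting is risky."""
    findings = []
    for ch in parse_channels(text):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        name, mcauser = ch["CHANNEL"], ch.get("MCAUSER", "")
        if mcauser == "":
            findings.append((name, "blank MCAUSER: channel runs as whatever user ID the client asserts, no password check"))
        elif mcauser in mqm_members:
            findings.append((name, "MCAUSER %r is in group mqm: every client connection gets full admin rights" % mcauser))
    return findings

if __name__ == "__main__":
    # Pipe real runmqsc output in; with no pipe, audit the constructed sample.
    source = SAMPLE_RUNMQSC_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for channel, reason in audit_svrconn(source, MQM_MEMBERS):
        print(channel + ": " + reason)
```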