reldb |
Posted: Wed Mar 07, 2007 11:12 am Post subject: MQ Security - Everyone is able to access |
Apprentice
Joined: 06 Sep 2006 Posts: 34
|
Hi,
In my test environment, we have a queue manager and queues on SUN OS.
All our team members are using Windows MQ Explorer to connect to these QMs. Everyone on that network can connect to the QMs without any problem.
People are creating or deleting queues, which I want to avoid.
Is there any way I can stop a few people from accessing them while a few others are still able to access the QMs? Is there any password kind of concept, or any other concept, to restrict some people from accessing the QMs?
Thanks
Rel
Michael Dag |
Posted: Wed Mar 07, 2007 11:58 am Post subject: |
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
Many topics on this subject; use the search button and search for explorer and security...
_________________
Michael
zpat |
Posted: Wed Mar 07, 2007 12:24 pm Post subject: |
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
But to give you a clue - look at the MCAUSER on the SVRCONN channels.
reldb |
Posted: Wed Mar 07, 2007 2:29 pm Post subject: |
Apprentice
Joined: 06 Sep 2006 Posts: 34
|
I did
setmqaut -m TEST1 -t qmgr -p mqm +connect +inq +dsp
but still it happens like
dspmqaut -m TEST1 -t qmgr -p mqm
inq
set
connect
altusr
crt
dlt
chg
dsp
setid
setall
I am not sure why it is not changing the permission
mvic |
Posted: Wed Mar 07, 2007 4:52 pm Post subject: |
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
mqm group is the MQ admins group. Users in that group can do anything to MQ. Hint: only have MQ administrators in the mqm group.
As has been said before: look closely at MCAUSER and what it does to your channels security model.
reldb |
Posted: Wed Mar 07, 2007 5:25 pm Post subject: |
Apprentice
Joined: 06 Sep 2006 Posts: 34
|
Great.
I did
setmqaut -m TEST -t qmgr -p readaccount +connect +inq +dsp
and then
dspmqaut -m TEST1 -t qmgr -p readaccount
following authorizations for object TEST1:
inq
connect
dsp
It's fine now,
but
1 : display channel(SYSTEM.ADMIN.SVRCONN)
AMQ8414: Display Channel details.
CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN)
TRPTYPE(TCP) DESCR( )
MCAUSER(mqm)
Here on the channel, MCAUSER is mqm.
Even though I am logged in to the Windows machine using my userid as reldb,
I am able to access all the queues and the QM.
I tried a search and reading stuff, but it's going over my head. Can someone please give me some initial detail so that I can read more?
How does MQ Explorer make a connection to MQ, and using which user? MCAUSER is mqm on the channel, but I am logged in to Windows as reldb, so where is the connection, etc.?
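An added example, not part of any poster's message: when a SVRCONN channel has a non-blank MCAUSER, every client connection on it is authorized as that ID regardless of the Windows logon, so MCAUSER(mqm) gives each MQ Explorer user full administrative authority. The script parses `DISPLAY CHANNEL` output and flags such channels; `ADMIN_IDS`, `audit_svrconn`, `sample_output` and the `APP1.SVRCONN` channel are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it the output of, e.g.:
#   echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc TEST1
# ADMIN_IDS is an assumption: IDs known to be in the mqm group on the server.
ADMIN_IDS="mqm"

audit_svrconn() {
    awk -v admins="$ADMIN_IDS" '
    BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) is_admin[a[i]] = 1 }
    # Print a verdict for the channel collected so far, then reset.
    function report() {
        if (chl == "") return
        if (!seen)                 printf "%s UNKNOWN MCAUSER not in output\n", chl
        else if (user == "")       printf "%s RISK blank MCAUSER: client-supplied user ID is used\n", chl
        else if (user in is_admin) printf "%s RISK MCAUSER(%s) is an MQ administrator\n", chl, user
        else                       printf "%s OK MCAUSER(%s)\n", chl, user
        chl = ""; user = ""; seen = 0
    }
    /AMQ8414/ { report(); inrec = 1; next }   # each record starts with AMQ8414
    !inrec    { next }                        # skip the echoed command line
    {
        if (match($0, /CHANNEL\([^)]*\)/))
            chl = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /MCAUSER\([^)]*\)/)) {
            user = substr($0, RSTART + 8, RLENGTH - 9)
            gsub(/ /, "", user); seen = 1
        }
    }
    END { report() }
    '
}

# Constructed sample: the first record is the one posted above; the other two are made up.
sample_output() {
    cat <<'EOF'
     1 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(readaccount)
EOF
}

sample_output | audit_svrconn
```

Until a channel reported as RISK is given a low-privilege MCAUSER (or protected with a security exit or SSL, as suggested later in the thread), setmqaut grants such as the one for readaccount do not restrict the clients using it.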
mvic |
Posted: Wed Mar 07, 2007 6:47 pm Post subject: |
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
reldb wrote:
Even though I am logged in to the Windows machine using my userid as reldb
Read this site and the MQ docs, about MCAUSER. Take some time, understand it all. If you have specific questions, please ask - but there's enough info out there already to get started.
marcin.kasinski |
Posted: Tue Mar 13, 2007 5:38 am Post subject: |
Sentinel
Joined: 21 Dec 2004 Posts: 850 Location: Poland / Warsaw
|
You can also use a security exit to secure your QM.
Marcin
Toronto_MQ |
Posted: Tue Mar 13, 2007 6:36 am Post subject: |
 Master
Joined: 10 Jul 2002 Posts: 263 Location: read my name
|
tillywern |
Posted: Tue Mar 13, 2007 8:41 am Post subject: Group permissions on *nix systems. |
 Centurion
Joined: 28 Jan 2003 Posts: 109 Location: Colorado
|
Remember to grant/revoke at the group level on *nix systems. Grants/revocation on a user go to the primary group of that user. Plus it just makes sense to use groups to ease your administration.
DTran |
Posted: Wed Mar 14, 2007 9:18 am Post subject: |
 Acolyte
Joined: 11 May 2006 Posts: 62 Location: Amsterdam
|
What we are using is SSL to secure the ADMIN channel. Every one of us has his own certs to connect to the qmgr. Perhaps that's worth considering.
MB |
Posted: Tue Jun 05, 2007 3:44 am Post subject: |
Acolyte
Joined: 25 Jun 2004 Posts: 52
|
Hi DTran,
I would like to know what exactly you did in the MQ Explorer to use the ssl enabled ADMIN channel.
Our Project Setup:
(1) IBM WMQ v6 Server on HP-UX Server (QMs are created on this box)
(2) IBM WMQ v6 client for Windows on Windows XP PCs
(3) Java Based Application (developed by us to connect to MQ), IBM WMQ Explorer v6 on the above mentioned PCs.
We have our company signed ssl certificates, we defined the key stores appropriately for the Queue Manager and the Java based client application. This Java based application connects to the Queue Manager using an SSL enabled SVRCONN channel (not the default SYSTEM.ADMIN.SVRCONN channel) and this channel details are specified only in a Channel Definition Table (AMQCLCHL.TAB file). This Java application connection is successful and we are able to put and get messages successfully.
Now, we intend to use this ssl enabled SVRCONN channel from MQ Explorer so that only a particular group of people can see and administer the Queue Manager using MQ Explorer.
I followed some set of steps (that I found in the MQ Explorer Help; if you have MQ Explorer v6 installed, search in your installation folder for a file named e_qmanager_showremote.htm and open the English version of it; in that html page, look for the section with heading: 'Creating a new SSL-enabled connection'). But after following these steps, I am getting an error saying 'Queue Manager not available for connection. (AMQ4043)'.
The Queue Manager and Listener are running fine.
Please let me know if I am missing something.
The Java based client application is using the jks Key Store. Is it fine to use the same key store for the MQ Explorer?
Please let me know your comments/ suggestions if any.
Thanks and Regards,
MB