kami
Posted: Wed May 16, 2007 8:31 am Post subject: Tivoli Monitoring and MQ Command Server - Security Concerns
Newbie
Joined: 16 May 2007 Posts: 2
I am deploying a Tivoli Monitoring for MQ (Omegamon XE for Messaging) infrastructure in my organization. Currently, as part of the security policy, the Command Servers on the Queue Managers have been turned off. The problem is that the Tivoli MQ monitoring agents require the Command Server to be running on the queue managers in order to report their statistics.
Is there a secure way or best practice to ensure that security is not compromised when we activate command servers for monitoring purposes? I need this info to put on the table to go ahead with the project; I will appreciate input.
Sartin
Posted: Mon May 21, 2007 5:10 am Post subject:
 Newbie
Joined: 15 May 2006 Posts: 9 Location: Poland
Which user owns the agent process? You can try to set permissions for the user with setmqaut. If that's not enough, you can always try to secure the agent with passphrases, but I've never tested them.
UPDATE:
Well, passphrases for agent-TEMS communication don't work, at least in a Unix environment (both agent and TEMS); even if you specify to use your own passphrase, the agent still connects to TEMS with the default one.
kami
Posted: Tue May 22, 2007 6:57 am Post subject:
Newbie
Joined: 16 May 2007 Posts: 2
The concern is not how the agent authorizations are set. The question raised is: when we activate the command server in MQ, a malicious user or app posing as mqm can get access via the command queue.
I am not concerned about how the Tivoli agent and MQ communicate; the real concern is bringing up the MQ command server to enable monitoring, at what cost to security, and how the risk could be minimized.
In fact the question should be: How to secure the Command Server in MQ?
By the way, thanks for your reply; I will appreciate further comments.
Sartin
Posted: Thu May 24, 2007 5:02 am Post subject:
 Newbie
Joined: 15 May 2006 Posts: 9 Location: Poland
But when the command server receives an MQSC message, it will check whether the user from "UserIdentifier" in the message descriptor has the required authorities. If you are afraid that some "unfriendly" user will try to do something through the command server, then just set a strict security policy. During the configuration of the MQ agent it creates some queues, but AFAIK after that it doesn't need to create more MQ objects, so after configuration you can set browse-only permission for the candle user.
RogerLacroix
Posted: Thu May 24, 2007 8:22 pm Post subject: Re: Tivoli Monitoring and MQ Command Server - Security Conce
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
kami wrote:
> Currently as part of the security policy the Command Servers on the Queue Managers have been turned off.

I don't know who told you that this was security but it is not.
This is fool's gold. If the user knows the name of the queue then they can open any queue and insert / update any message in the queue.

kami wrote:
> Is there a secure way or best practice to ensure that security is not compromised when we activate command servers for monitoring purposes.

Yes. It is called securing all channels, especially SVRCONN channels.
Regards,
Roger Lacroix
Capitalware Inc.
wmqadm
Posted: Fri Jul 27, 2007 6:44 am Post subject:
Newbie
Joined: 01 Feb 2006 Posts: 7
You can secure the channels by altering the system default channels (MCA user). That will secure against external users.
Local users on the box can pose a problem if they have permissions on the queue. Set authorities on the queue for the users.
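One way to carry out the two steps the replies above recommend (pin the SVRCONN channels to an unprivileged MCAUSER, then grant the monitoring agent id only inquiry authorities with setmqaut), written as an added example that is not code from the thread or from IBM. The queue manager name QM1, the agent id candle and the unprivileged id nobody are assumed placeholders; SYSTEM.ADMIN.COMMAND.QUEUE, SYSTEM.DEF.SVRCONN and SYSTEM.AUTO.SVRCONN are the real MQ object names.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and, on an MQ host,
# apply) the two hardening steps the replies above describe. Assumed
# placeholders: queue manager QM1, agent id "candle", unprivileged id "nobody".
QMGR="${QMGR:-QM1}"
AGENT_USER="${AGENT_USER:-candle}"
NOBODY="${NOBODY:-nobody}"

# Step 1: pin the default SVRCONN channels to an unprivileged MCAUSER so a
# remote client can no longer present itself as mqm. Channels that were
# cloned from these defaults earlier need the same ALTER.
svrconn_mqsc() {
    cat <<EOF
ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('$NOBODY')
ALTER CHANNEL(SYSTEM.AUTO.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('$NOBODY')
EOF
}

# Step 2: give the agent id only inquiry authorities. The command server
# checks them against the MQMD UserIdentifier of each request, so the agent
# can read status but not alter objects. The agent's own reply queues
# (created at agent configuration, names not in the thread) are not shown.
agent_auth_cmds() {
    cat <<EOF
setmqaut -m $QMGR -t qmgr -p $AGENT_USER +connect +inq +dsp
setmqaut -m $QMGR -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -p $AGENT_USER +put +inq
setmqaut -m $QMGR -t queue -n '**' -p $AGENT_USER +inq +dsp
setmqaut -m $QMGR -t channel -n '**' -p $AGENT_USER +dsp
EOF
}

# Check: dspmqaut prints the effective authorities for review.
verify_cmds() {
    cat <<EOF
dspmqaut -m $QMGR -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -p $AGENT_USER
dspmqaut -m $QMGR -t qmgr -p $AGENT_USER
EOF
}

# Apply when the MQ tools exist; otherwise just print the plan for review.
apply_hardening() {
    if ! command -v runmqsc >/dev/null 2>&1; then
        svrconn_mqsc; agent_auth_cmds; verify_cmds; return 0
    fi
    svrconn_mqsc | runmqsc "$QMGR" && agent_auth_cmds | sh -e && verify_cmds | sh
}

if [ "${1:-}" = "--apply" ]; then apply_hardening; fi
```

Members of the mqm group bypass OAM checks entirely, so the agent id must not be in mqm for the setmqaut grants to mean anything.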
LouML
Posted: Mon Oct 15, 2007 10:15 am Post subject: Re: Tivoli Monitoring and MQ Command Server - Security Conce
 Partisan
Joined: 10 Nov 2005 Posts: 305 Location: Jersey City, NJ / Bethpage, NY
RogerLacroix wrote:
> kami wrote:
> > Currently as part of the security policy the Command Servers on the Queue Managers have been turned off.
>
> I don't know who told you that this was security but it is not.
> This is fool's gold. If the user knows the name of the queue then they can open any queue and insert / update any message in the queue.
>
> kami wrote:
> > Is there a secure way or best practice to ensure that security is not compromised when we activate command servers for monitoring purposes.
>
> Yes. It is called securing all channels, especially SVRCONN channels.
> Regards,
> Roger Lacroix
> Capitalware Inc.

So, is there any reason why the command server should not be started?
We have multiple queue managers, most of which have the command server running. But we have a few (also monitored by Omegamon) that do not. I would prefer to start the command server on all, so that Omegamon can monitor things properly.
jefflowrey
Posted: Mon Oct 15, 2007 10:29 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
If you're otherwise confident that nobody who is not authorized to do so can put messages on the command server input queue, then there's no reason not to run it.