oomran
Posted: Wed May 30, 2007 8:15 am Post subject: Securing Queue Managers
Novice
Joined: 19 Feb 2007 Posts: 16

Hello All
I have a queue manager and receiver channel; through it, a sender channel from another MQ can send messages to me.
The problem is that any user name can send messages to me, even users outside the domain.
I want to make it so that only specific users can send messages to me.
Thanks in advance
jefflowrey
Posted: Wed May 30, 2007 8:27 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Then you need to implement security.
There's an entire manual devoted to the subject. Have you read it?
_________________
I am *not* the model of the modern major general.
oomran
Posted: Wed May 30, 2007 11:50 pm Post subject:
Novice
Joined: 19 Feb 2007 Posts: 16

I tried the commands in the administration manual but it did not work (no effect).
I tried these commands:
setmqaut for a specific username, but it had no effect,
and the command:
dspmqaut to ensure that the previous user has no connect authority to the queue manager.
I don't know if there is something missing.
marcin.kasinski
Posted: Wed May 30, 2007 11:59 pm Post subject:
Sentinel
Joined: 21 Dec 2004 Posts: 850 Location: Poland / Warsaw

Can you explain "it was not effect"?
Please give us some context, any example of what exactly you wanted to do.
_________________
Marcin
Vitor
Posted: Thu May 31, 2007 12:20 am Post subject: Re: Securing Queue Managers
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

oomran wrote:
    I have a queue manager and receiver channel; through it, a sender channel from another MQ can send messages to me.
    The problem is that any user name can send messages to me, even users outside the domain.
    I want to make it so that only specific users can send messages to me.

Is the "other" MQ under your control, i.e. is this where you're running the commands? If not, then anyone who can connect to the other queue manager can send to yours. Setting connect authority on your queue manager if this is the case will not be effective.
Give more details of your setup, the command you tried and the output you received.
_________________
Honesty is the best policy.
Insanity is the best defence.
oomran
Posted: Thu May 31, 2007 1:30 am Post subject:
Novice
Joined: 19 Feb 2007 Posts: 16

Thank you all for your participation.
The case is as follows:
I set up MQ 6 on two machines with their queue managers, let's say Machine 1 and Machine 2.
On Machine 1:
I created a receiver channel on Machine 1
and ran the following command:
C:\Program Files\IBM\MQSI\6.0>setmqaut -t qmgr -connect -p mabed
The setmqaut command completed successfully.
On Machine 2:
I created a sender channel and configured it to connect to the Machine 1 queue manager.
I logged on as "mabed", started the sender channel and sent a message through a remote queue, and everything worked without any problems.
Is there any way to prevent other MQ (such as Machine 2) from connecting to the queue manager on Machine 1?
Vitor
Posted: Thu May 31, 2007 1:36 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

oomran wrote:
    Is there any way to prevent other MQ (such as Machine 2) from connecting to the queue manager on Machine 1?

This is what I was trying to get at in my previous post. Your setmqaut command is controlling who can connect to the queue manager on Machine1. Anyone can connect to Machine2 and use the remote queue because you've not secured it.
And you don't actually want to prevent Machine2 connecting to Machine1 - this eliminates the point of having MQ. If you do want to prevent that, delete the receiver channel.
What I suspect you want to do is control who can log onto Machine2 and send messages to Machine1. For this you need setmqaut on Machine2.
Check the security manual for full details.
_________________
Honesty is the best policy.
Insanity is the best defence.
jefflowrey
Posted: Thu May 31, 2007 3:32 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Or you want to ensure that only the actual qmgr on Machine 2 can actually connect to the qm on Machine 1, and then ensure that everything coming in from Machine2 is authenticated as a specific user local to machine 1, and that user has only the authorizations it requires.
The two words I have left out of the above explanation are MCAUSER and SSL.
_________________
I am *not* the model of the modern major general.
oomran
Posted: Thu May 31, 2007 4:17 am Post subject:
Novice
Joined: 19 Feb 2007 Posts: 16

Then, if I want to prevent anyone except user 'x' from sending to the queue on any machine (such as Machine 2), I have to use the command setmqaut on the queue (which is local on Machine 1 and remote on Machine 2).
But the problem is that by default anyone can send to that remote queue; how can I prevent everyone from sending to a specific queue?
jefflowrey
Posted: Thu May 31, 2007 4:31 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Is Machine 2 under your control?
If so, use setmqaut to control who can write to the qremote. And then secure that qmgr so that only the proper people can access it.
If not, then see my previous message.
_________________
I am *not* the model of the modern major general.
Vitor
Posted: Thu May 31, 2007 4:33 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

oomran wrote:
    But the problem is that by default anyone can send to that remote queue

That's what you need to stop, by using setmqaut or other means.
Note that there's no connection, in terms of authority or ownership, between the local q on machine 1 and the remote q on machine 2. Changes you make to the local queue will not affect the remote q, which is a different, separate and unconnected object on a different queue manager.
Also, communication between the 2 queue managers is done by the MCA, which runs as an administrator. Once the message is in flight, nothing out of the box will prevent a message from a user you don't want arriving on your local queue.
_________________
Honesty is the best policy.
Insanity is the best defence.
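The receiver-side hardening jefflowrey outlined (MCAUSER plus SSL), motivated by Vitor's point that the MCA otherwise runs as an administrator, worked through as an added example that is not from the thread. The queue manager, channel, queue, user, peer DN and cipher names are assumptions; the script only prints the commands unless MQ_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): harden the receiving queue manager on
# Machine 1 as the replies suggest. The receiver channel runs incoming puts as a
# dedicated low-privilege MCAUSER (not the MCA's admin identity), accepts only
# a TLS peer whose certificate DN matches, and that user gets nothing beyond
# what the channel needs. QM1, M2.TO.M1, APP.IN, mqrcv, the DN and the cipher
# are assumed names. Dry run by default; set MQ_APPLY=1 to really execute.
QMGR="${QMGR:-QM1}"
CHANNEL="${CHANNEL:-M2.TO.M1}"
TARGET_QUEUE="${TARGET_QUEUE:-APP.IN}"
MCA_USER="${MCA_USER:-mqrcv}"
PEER_DN="${PEER_DN:-CN=QM2,O=Example}"
CIPHER="${CIPHER:-TLS_RSA_WITH_AES_128_CBC_SHA}"

# MQSC: pin the receiver channel to one identity and one TLS peer.
receiver_channel_mqsc() {
  printf "ALTER CHANNEL('%s') CHLTYPE(RCVR) MCAUSER('%s') SSLCIPH(%s) SSLPEER('%s') SSLCAUTH(REQUIRED)\n" \
    "$CHANNEL" "$MCA_USER" "$CIPHER" "$PEER_DN"
}

# Least privilege for the MCAUSER: connect to the qmgr, put (with context) on
# the target queue, and put on the dead-letter queue for undeliverable messages.
mca_user_auth_cmds() {
  printf '%s\n' \
    "setmqaut -m $QMGR -t qmgr -p $MCA_USER +connect +inq" \
    "setmqaut -m $QMGR -t queue -n $TARGET_QUEUE -p $MCA_USER +put +setall" \
    "setmqaut -m $QMGR -t queue -n SYSTEM.DEAD.LETTER.QUEUE -p $MCA_USER +put +setall"
}

# Check the effective authority afterwards rather than assuming the grant took.
verify_cmds() {
  printf '%s\n' \
    "dspmqaut -m $QMGR -t qmgr -p $MCA_USER" \
    "dspmqaut -m $QMGR -t queue -n $TARGET_QUEUE -p $MCA_USER"
}

# Execute each command line only when MQ_APPLY=1; otherwise print the plan.
apply_or_print() {
  while IFS= read -r line; do
    if [ "${MQ_APPLY:-0}" = "1" ]; then eval "$line"; else printf '%s\n' "$line"; fi
  done
}

main() {
  if [ "${MQ_APPLY:-0}" = "1" ]; then receiver_channel_mqsc | runmqsc "$QMGR"
  else receiver_channel_mqsc; fi
  mca_user_auth_cmds | apply_or_print
  verify_cmds | apply_or_print
}
main
```

The sending side still needs its own setmqaut on the qremote, as Vitor and jefflowrey say; this script only covers what Machine 1 can enforce on its own.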
jefflowrey
Posted: Thu May 31, 2007 4:39 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Vitor wrote:
    Once the message is in flight, nothing out of the box will prevent a message from a user you don't want arriving on your local queue.

I think that the local authorities on the queue do have an effect when the MCA goes to do the final put...
_________________
I am *not* the model of the modern major general.
Vitor
Posted: Thu May 31, 2007 4:42 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

jefflowrey wrote:
    Vitor wrote:
        Once the message is in flight, nothing out of the box will prevent a message from a user you don't want arriving on your local queue.
    I think that the local authorities on the queue do have an effect when the MCA goes to do the final put...

Really? On a standard MQ setup with no exits or other interference?
_________________
Honesty is the best policy.
Insanity is the best defence.
oomran
Posted: Thu May 31, 2007 5:08 am Post subject:
Novice
Joined: 19 Feb 2007 Posts: 16

OK, then if other machines are out of my control, I have to use the MCA to ensure that the message arriving on my local queue is from a specific queue manager on a specific machine.
jefflowrey
Posted: Thu May 31, 2007 5:09 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981