| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Working of Commandserver |
« View previous topic :: View next topic » |
| Author |
Message
|
| muthum_2000 |
 Posted: Fri Jul 27, 2007 3:58 am Post subject: Working of Commandserver |
 |
|
Voyager
Joined: 10 Jul 2006
Posts: 85
|
Guys
Need your suggestion here.
Whenever I start a queuemanager,I do not use any scripts,instead I start it manually and then will start the command server and listener.
But I read a document from IBM which says the following
_________________________________________________________
Command server
The command server is very powerful and can render weak security even weaker. For instance, on a system running MQSeries version 2 in which users do not have the authority to use the client channel, they could still connect using a sender channel called SYSTEM.DEF.RECEIVER. This could put messages on the command server’s input queue requesting it to create a channel and transmission queue back out. This could then be used for further breaches of security. If you’re not confident of your system’s security, it’s advisable to start the command server only when it is needed and to grant users only the minimum required levels of authority to it.
____________________________________________________________
But as per my knowledge,command server is a must to carry out any mq admin command to work.So,after starting a qmgr,it is mandatory to start command server right?
Please correct me with your suggestions.Iam confused. |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Fri Jul 27, 2007 4:02 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
It's not mandatory to start a command server.
It's very very useful to run it.
But you don't need it - runmqsc doesn't use it. I think none of the mq commands use it.
However, it's true that it's something to keep in mind when considering security - particularly in v6 when one can use it to define and start services and authorizations.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Jul 27, 2007 4:08 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
Where did you read it? The only place Mr Google could find it for me was
http://www.sjg-enterpriseintegration.com/closingmqholes.asp
and that's copywrited at 1999. And not an IBM document!
If there is an IBM document that still refers to MQ version 2, you should bring it to the attention of the IBM authors.
Back on topic, it's something to consider as part of an overall security strategy.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| muthum_2000 |
| Posted: Fri Jul 27, 2007 4:20 am Post subject: |
|
|
Voyager
Joined: 10 Jul 2006
Posts: 85
|
| jefflowrey wrote: |
It's not mandatory to start a command server.
It's very very useful to run it.
But you don't need it - runmqsc doesn't use it. I think none of the mq commands use it.
However, it's true that it's something to keep in mind when considering security - particularly in v6 when one can use it to define and start services and authorizations. |
Thankyou very much jeff for your help. |
|
| Back to top |
|
|
| wmqadm |
| Posted: Fri Jul 27, 2007 6:45 am Post subject: |
|
|
Newbie
Joined: 01 Feb 2006
Posts: 7
|
You can secure the channels by altering the system default channels (mca user). That will secure from external users.
Local users on the box can pose a problem if they have permissions on the queue. Set authorities on the queue for the users. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
