WebSphere Queue Security Question |
paul52 |
Posted: Sun Sep 08, 2002 7:04 am Post subject: WebSphere Queue Security Question |
|
|
Novice
Joined: 01 Jul 2002 Posts: 22
|
Hello Everyone
1. What kind of access do developers need to PUT/GET/BROWSE messages to the Queue Manager using the JMS client interface?
1.1 I have a local queue (e.g. QL1), I want some developers only to browse the messages but not GET the messages.
1.2 I need to let some developers only GET but not PUT on the particular queue. How could I accomplish this?
2. Let's say Queue Manager (QM1) has the following local queues (QL1, QL2, QL3, QL4 etc.....). Can you restrict the queues per developer? E.g. only Developer A is authorized to use QL2. Is it possible to do this in MQ?
Thanks very much for your help.
.....Paul
oz1ccg |
Posted: Sun Sep 08, 2002 10:35 am Post subject: |
|
|
 Yatiri
Joined: 10 Feb 2002 Posts: 628 Location: Denmark
|
Security,
the never ending story, well I'm not too strong in the distributed security, but it's easy to distinguish between get/put and browse:
Seen from OS/390 perspective:
you have to create one alias queue for PUT and one for GET and here INHIBIT the unwanted, and then give the developers ACCESS(UPDATE) to the GET and/or PUT queue. Browse is quite simple, just ACCESS(READ) to the QLOCAL.
Anyway I guess it's the same approach on the distributed platform.
There is a new manual only covering Security. It comes together with version 5.3. It seems to me it's not released yet on the web on:
http://www-3.ibm.com/software/ts/mqseries/library/manualsa/index.htm
This is "almost" taken from the manual...:
Allow userid1 to put but not get:
Code:
setmqaut -m [qmgr] -t Q -n [queuename] -p [userid1] +put -get -browse
Allow userid2 to browse only:
Code:
setmqaut -m [qmgr] -t Q -n [queuename] -p [userid2] -put -get +browse
Allow userid3 to get only:
Code:
setmqaut -m [qmgr] -t Q -n [queuename] -p [userid3] -put +get -browse
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT.
jhalstead |
Posted: Sun Sep 08, 2002 11:58 pm Post subject: |
|
|
 Master
Joined: 16 Aug 2001 Posts: 258 Location: London
|
One small add, probably a good idea to use groups rather than naming users explicitly...
e.g.
setmqaut -m [qmgr] -t Q -n [queuename] -g [group1] -put -get +browse
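Added example, not part of the original thread: a dry-run shell helper that applies the group-based advice above to the per-queue question, turning a small policy table into the setmqaut commands shown in the thread. The role names, group names, QM1 and the name-validation rule are assumptions made for the example.

```shell
#!/bin/sh
# Added example: turn a reviewed policy table into setmqaut commands (dry run).

# The three authority sets shown in the thread, keyed by a hypothetical role name.
role_to_auth() {
    case "$1" in
        put-only)    echo "+put -get -browse" ;;
        browse-only) echo "-put -get +browse" ;;
        get-only)    echo "-put +get -browse" ;;
        *) return 1 ;;
    esac
}

# gen_setmqaut QMGR  (policy on stdin, one "<queue> <group> <role>" per line)
# Prints the commands only if every line is valid; never runs setmqaut itself.
gen_setmqaut() {
    qmgr=$1 seen=" " cmds="" n=0
    while read -r queue group role extra; do
        n=$((n + 1))
        case "$queue" in ''|'#'*) continue ;; esac
        if [ -z "$role" ] || [ -n "$extra" ]; then
            echo "line $n: expected <queue> <group> <role>" >&2; return 1
        fi
        # Assumed naming rule: plain names only, so a policy line cannot
        # smuggle shell syntax or extra options into the generated command.
        case "$qmgr$queue$group" in *[!A-Za-z0-9._]*)
            echo "line $n: unexpected character in a name" >&2; return 1 ;;
        esac
        auth=$(role_to_auth "$role") || {
            echo "line $n: unknown role '$role'" >&2; return 1; }
        # Each command sets all three authorities, so a second line for the
        # same queue and group would silently undo the first.
        case "$seen" in *" $queue/$group "*)
            echo "line $n: duplicate entry for $group on $queue" >&2; return 1 ;;
        esac
        seen="$seen$queue/$group "
        cmds="${cmds}setmqaut -m $qmgr -t Q -n $queue -g $group $auth
"
    done
    printf '%s' "$cmds"
}

# Constructed sample policy: QL1 is split between a browse-only and a get-only
# group, and QL2 is granted to a single team's group.
sample_policy() {
    printf '%s\n' '# queue group role' \
        'QL1 mqbrowse browse-only' 'QL1 mqget get-only' 'QL2 teama get-only'
}

sample_policy | gen_setmqaut QM1
```

The helper only prints commands for review. After they have been run, `dspmqaut -m [qmgr] -t Q -n [queuename] -g [group1]` displays the authorities a group actually holds on a queue.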
Reconda |
Posted: Wed Sep 11, 2002 4:10 am Post subject: |
|
|
Apprentice
Joined: 20 Jun 2002 Posts: 40
|
Paul,
If you are open to looking at 3rd party solutions to solve your issue I would encourage you to look at our solution QN-AppWatch for WebSphere MQ. QN-AppWatch was specifically designed to provide developers with secure access to only their queue and channel information without jeopardizing the integrity of the queue managers. QN-AppWatch provides 5 detailed levels of security all the way down to the message level. Our solution is web-based so no software is required on the servers running MQ or on the developers' desktops.
You can check us out at www.reconda.com