Author |
Message
|
HenriqueS |
Posted: Wed Oct 24, 2007 11:32 am Post subject: Making MQ secure on z/OS |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
Hello folks,
I'd like to know a list of procedures to secure MQ on z/OS. Any pointer to IBM documentation is helpful. I expect to find measures specific to z/OS or non-specific ones.
Also, I need to be able to make exceptions since some midrange servers of ours also have MQ installed and they do communicate with the mainframe.
I've got into a new job and was surprised that several flaws do exist, where I can even connect from my workstation using those administration tools (RFHUTIL and MQMONNTP) and perform anything I want remotely...
Thanks, _________________ HenriqueS
Certified Websphere MQ 6.0 System Administrator |
|
|
 |
jefflowrey |
Posted: Wed Oct 24, 2007 12:34 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
It's useless to secure MQ if you don't have a firewall separating your production network from your desktops and the outside world.
Start there. _________________ I am *not* the model of the modern major general. |
|
|
 |
HenriqueS |
Posted: Wed Oct 24, 2007 2:08 pm Post subject: |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
That's the first thing I asked the networking team for...only the servers that do communicate with the MQ on the mainframe will be able to reach the tcp port...
Is only the default 1414 port used, or is anything else negotiated? _________________ HenriqueS
Certified Websphere MQ 6.0 System Administrator |
|
|
 |
jefflowrey |
Posted: Wed Oct 24, 2007 3:23 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
MQ only needs one port open on the qmgr side.
There's no particular reason it has to be 1414. _________________ I am *not* the model of the modern major general. |
|
|
 |
HenriqueS |
Posted: Wed Oct 24, 2007 4:40 pm Post subject: |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
But it is the default port for sure...
jefflowrey wrote: |
MQ only needs one port open on the qmgr side.
There's no particular reason it has to be 1414. |
_________________ HenriqueS
Certified Websphere MQ 6.0 System Administrator |
|
|
 |
jefflowrey |
Posted: Thu Oct 25, 2007 4:40 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Yes. But if your listener isn't using it, then it doesn't matter whether it's open or closed. _________________ I am *not* the model of the modern major general. |
|
|
 |
PeterPotkay |
Posted: Thu Oct 25, 2007 10:49 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
|
|
 |
bruce2359 |
Posted: Sat Oct 27, 2007 9:44 am Post subject: |
|
|
Guest
|
Quote: |
It's useless to secure MQ if you don't have a firewall separating your production network from your desktops and the outside world. |
This is true of all platforms; but less so the mainframe. z/OS is the most secure platform. RACF (or equivalent) offers the most security for MQ and other applications.
As suggested, refer to the System Setup Guide chapter on securing MQ.
If you are new to the mainframe, take an introductory class from IBM. Or download the ABC of System Programming (Redbooks). One of 'em covers RACF.
IBM's MQ201 WebSphere MQ z/OS System Administration 4-day course covers mainframe MQ security, too.
Mainframes don't get hacked; mainframes don't get viruses. |
|
|
 |
jefflowrey |
Posted: Sat Oct 27, 2007 10:03 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
bruce2359 wrote: |
Mainframes don't get hacked; mainframes don't get viruses. |
True - but an open client channel on a MF is still a security risk. _________________ I am *not* the model of the modern major general. |
|
|
 |
bruce2359 |
Posted: Sat Oct 27, 2007 11:37 am Post subject: |
|
|
Guest
|
Quote: |
True - but an open client channel on a MF is still a security risk. |
An open (unsecured) client channel on any MQ is a security risk - not limited to mainframes. |
|
|
 |
jefflowrey |
Posted: Sat Oct 27, 2007 11:49 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
bruce2359 wrote: |
Quote: |
True - but an open client channel on a MF is still a security risk. |
An open (unsecured) client channel on any MQ is a security risk - not limited to mainframes. |
You aren't disagreeing with me. _________________ I am *not* the model of the modern major general. |
|
|
 |
bruce2359 |
Posted: Sat Oct 27, 2007 11:53 am Post subject: |
|
|
Guest
|
Quote: |
You aren't disagreeing with me. |
No. Sorry. Maybe I'll disagree with you next time. :D |
|
|
 |
JonB |
Posted: Tue Oct 30, 2007 4:21 am Post subject: |
|
|
 Apprentice
Joined: 14 Nov 2002 Posts: 27 Location: Dublin, Ireland
|
Also have a look at the following redbook:
WebSphere MQ Security in an Enterprise Environment
http://www.redbooks.ibm.com/abstracts/SG246814.html?Open
It's a bit out of date now, but the concepts are fine. _________________ Jon Barry
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3 |
|
|
 |
|