klamerus |
Posted: Tue Nov 13, 2007 9:02 am Post subject: Enqueuing across domains |
|
|
 Disciple
Joined: 05 Jul 2004 Posts: 199 Location: Detroit, MI
|
We have the following security related question.
Our environment is WebSphere MQ 5.x on Windows 2003. We'll get to WebSphere v6 eventually.
In the meantime, we want to send messages from one Windows domain (the client application) to a queue hosted on a server in another domain.
There is no trust between these domains.
So far as we know, there is no way to do this. It is not possible to pass domain/username/password data as parameters in a connection to the server from the sending application.
In the Windows world, the account that is running the sending application must be given permission to the queue on the server and since the server is in a different domain, we're out of luck.
Can anyone confirm or provide information on how to do this? We have the ability to change the code to provide a domain/username/password if that's something we've just overlooked, but we asked this question before and the answer we got was that this wasn't available.
Thanks,
_________________
Careful with that VAX Eugene
jefflowrey |
Posted: Tue Nov 13, 2007 9:54 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
MCAUser on the client channel.
_________________
I am *not* the model of the modern major general.
klamerus |
Posted: Tue Nov 13, 2007 7:08 pm Post subject: Is that a sentence? |
|
|
 Disciple
Joined: 05 Jul 2004 Posts: 199 Location: Detroit, MI
|
Sorry, but that's pretty terse. A few more words might help
_________________
Careful with that VAX Eugene
RogerLacroix |
Posted: Tue Nov 13, 2007 8:18 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
Terse - short in both words and any security for that channel. Setting a UserId in the MCAUSER field means any and all connections would be running under that UserId. Hence, a free for all.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Vitor |
Posted: Wed Nov 14, 2007 1:39 am Post subject: Re: Is that a sentence? |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
klamerus wrote: |
Sorry, but that's pretty terse. A few more words might help |
Use the MCAUser parameter to supply the credentials to the target domain.
Which, as Roger correctly points out, allows anyone to access the target domain queue manager with the authorities given to the id in MCAUser. So make sure it's locked down.
Or do a search in the forum for the many discussions on client security, and security in general, for further information.
_________________
Honesty is the best policy.
Insanity is the best defence.
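
The lock-down discussed in the posts above, as an added example that is not from any poster in this thread: a dedicated SVRCONN channel whose MCAUSER is a low-privilege local account with authority to put to one queue only. The names QM1, APP1.SVRCONN, APP1.INBOUND, mqapp1 and the certificate DN are hypothetical, and the SSL attributes assume a WebSphere MQ level that supports SSL channels (5.3 or later) with certificates installed on both sides.

```mqsc
* Added example. QM1, APP1.SVRCONN, APP1.INBOUND and mqapp1 are hypothetical.
* mqapp1 is assumed to be a local account on the queue manager host that is
* NOT a member of the mqm group and has no other MQ authorities.

* Weak form (shown commented out): MCAUSER is an administrative id, so every
* client that can reach the listener runs with full authority.
* DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
*        MCAUSER('<member of mqm>')

* Tighter form: one channel per application, MCAUSER set to an id that can
* do exactly one thing.
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mqapp1') +
       DESCR('Cross-domain client, put to APP1.INBOUND only') +
       REPLACE

* Authorities for mqapp1, run from the OS command prompt on the server:
*   setmqaut -m QM1 -t qmgr -p mqapp1 +connect
*   setmqaut -m QM1 -n APP1.INBOUND -t queue -p mqapp1 +put
* Check what was actually granted:
*   dspmqaut -m QM1 -t qmgr -p mqapp1
*   dspmqaut -m QM1 -n APP1.INBOUND -t queue -p mqapp1

* MCAUSER alone does not identify the caller: anyone who can reach the
* channel still runs as mqapp1. Assumption: on MQ 5.3 or later, require a
* client certificate and match its DN so only the intended sender connects.
* Pick the strongest CipherSpec your MQ level offers.
ALTER CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) +
      SSLCIPH(TRIPLE_DES_SHA_US) +
      SSLCAUTH(REQUIRED) +
      SSLPEER('CN=app1client,O=Example')

* The default SYSTEM.DEF.SVRCONN channel has a blank MCAUSER, which accepts
* the id the client asserts. Point it at an id with no authorities
* ('nobody' is a hypothetical non-existent account) so it cannot be used
* to bypass the dedicated channel.
ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('nobody')

* Review the result.
DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCAUTH SSLPEER
```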
fjb_saper |
Posted: Wed Nov 14, 2007 2:32 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
RogerLacroix wrote: |
Hi,
Terse - short in both words and any security for that channel. Setting a UserId in the MCAUSER field means any and all connections would be running under that UserId. Hence, a free for all.
Regards,
Roger Lacroix
Capitalware Inc. |
Roger, I thought that would only happen if you had it also as a default channel to the target qm. To be a free for all others would have to know the Xmitq when it is not part of a default path...
_________________
MQ & Broker admin
Vitor |
Posted: Wed Nov 14, 2007 2:36 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
fjb_saper wrote: |
To be a free for all others would have to know the Xmitq when it is not part of a default path... |
When did client connections start using xmitqs? Have I missed a tech note? Or has someone spiked my coffee with ProPlus? Again?
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper |
Posted: Wed Nov 14, 2007 2:49 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Missed the fact that he was talking about a client conn. I thought he was going for qmgr to qmgr conn across domains...
_________________
MQ & Broker admin
Vitor |
Posted: Wed Nov 14, 2007 2:53 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
But on the plus side, this means my coffee is chemically safe!
_________________
Honesty is the best policy.
Insanity is the best defence.