gokulam
Posted: Wed Apr 23, 2008 1:01 pm Post subject: MQ Security - setmqaut
Newbie
Joined: 17 Apr 2008 Posts: 9
We are trying to set up security in our MQ environment. We are running MQ V6.0.2.3 on Sun Solaris. The user is connecting to the queue manager using MQ Visual Browser. There is a SVRCONN channel defined for this user to connect to the queue manager, with MCAUSER set to their group id. Following are the authorities set for the userid on the queue:
dspmqaut -m MQAAA -n XXX.YYY -t q -g abcd
Entity abcd has the following authorizations for object XXX.YYY:
get
browse
put
inq
set
When the user connects to the queue manager without entering any userid in the MQ Visual Browser tool, the user is able to connect and also get messages from the queue. But when the user tries to list all queues he gets a 2035 error. I thought the user would not be able to get messages from the queue, as the userid comes through blank and the channel has MCAUSER set to the user's group id. What else do we have to do to stop others from accessing this queue?

jefflowrey
Posted: Wed Apr 23, 2008 1:27 pm
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
MCAUSER replaces whatever ID is passed in.
So if the userid is passed in as blank, but MCAUSER sets it to abcd... then anyone who can connect to the channel becomes abcd.
This is what you've configured, and MQVisualEdit is able to get messages because of that.
_________________
I am *not* the model of the modern major general.

gokulam
Posted: Wed Apr 23, 2008 3:23 pm
Newbie
Joined: 17 Apr 2008 Posts: 9
When the user used a different userid, xyz, he is still able to connect to the queue manager and get messages from the queue. In this case he should have received 2035, as the userid in MCAUSER is different from the userid being used by the user.

fjb_saper
Posted: Wed Apr 23, 2008 3:37 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
gokulam wrote:
    When the user used a different userid, xyz, he is still able to connect to the queue manager and get messages from the queue. In this case he should have received 2035, as the userid in MCAUSER is different from the userid being used by the user.
That really depends. Read the other posts from today on security.
You should NEVER do security on a user (principal) basis but always on a group basis.
In Unix, if you grant security to user xyz you have just granted security to its primary group.
This way you could have a system that is wide open to every user on the box, as they all share the same primary group (gnrl_user)?
Enjoy
_________________
MQ & Broker admin

jefflowrey
Posted: Wed Apr 23, 2008 3:41 pm
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
gokulam wrote:
    When the user used a different userid, xyz, he is still able to connect to the queue manager and get messages from the queue. In this case he should have received 2035, as the userid in MCAUSER is different from the userid being used by the user.
I repeat.
The userid in MCAUSER replaces the userid being used by the user.
!
REPLACES.
_________________
I am *not* the model of the modern major general.

mvic
Posted: Wed Apr 23, 2008 3:50 pm
Jedi
Joined: 09 Mar 2004 Posts: 2080

fjb_saper
Posted: Thu Apr 24, 2008 8:55 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
jefflowrey wrote:
    I repeat.
    The userid in MCAUSER replaces the userid being used by the user.
    !
    REPLACES.
Thanks for pointing out the obvious... I did not read the poster's full answer...
_________________
MQ & Broker admin

mdncan
Posted: Fri Apr 25, 2008 4:48 am
Acolyte
Joined: 11 May 2005 Posts: 59 Location: US
When you try to connect to the Queue Manager with either MQ Visual Browse or MQJExplorer, under the covers they connect as 'mqm'; the tools bypass the MCA USER id setting. Recently I have tested this on Solaris and confirmed that both MQ Visual Browse and MQJ work.
If you really want to restrict the user, disable (or enable SSL on) the SVRCONN channels SYSTEM.ADMIN.SVRCONN, SYSTEM.AUTO.SVRCONN and SYSTEM.DEF.SVRCONN.
Create a non-default SVRCONN channel and try to connect with MQExplorer instead of MQ Visual Browse.
Good Luck!!!
_________________
IBM Certified System Administrator - WebSphere Application Server, Network Deployment, V6.0
IBM Certified System Administrator - WebSphere MQ V6.0

PeterPotkay
Posted: Fri Apr 25, 2008 8:16 am
Poobah
Joined: 15 May 2001 Posts: 7722
mdncan wrote:
    When you try to connect to the Queue Manager with either MQ Visual Browse or MQJExplorer, under the covers they connect as 'mqm'; the tools bypass the MCA USER id setting.
You are saying that if the SVRCONN channel has "BOGUS_ID" in the MCAUSER field you can still connect via one of these 2 tools? Really?
_________________
Peter Potkay
Keep Calm and MQ On

jefflowrey
Posted: Fri Apr 25, 2008 9:09 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
PeterPotkay wrote:
    mdncan wrote:
        When you try to connect to the Queue Manager with either MQ Visual Browse or MQJExplorer, under the covers they connect as 'mqm'; the tools bypass the MCA USER id setting.
    You are saying that if the SVRCONN channel has "BOGUS_ID" in the MCAUSER field you can still connect via one of these 2 tools? Really?
There's a bug fix in 6.0.2.3 in this area. But it's almost certainly not involved here, and I'm pretty sure that mdncan is mistaken and MCAUSER is not actually set.
_________________
I am *not* the model of the modern major general.

PeterPotkay
Posted: Fri Apr 25, 2008 10:20 am
Poobah
Joined: 15 May 2001 Posts: 7722

jefflowrey
Posted: Fri Apr 25, 2008 10:40 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Yes... that's why I said a "bug fix" in this area... I just forgot that it was fixed in 6.0.2.2, instead of 6.0.2.3.
_________________
I am *not* the model of the modern major general.

RogerLacroix
Posted: Sat Apr 26, 2008 11:38 am
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hello mdncan,
mdncan wrote:
    When you try to connect to the Queue Manager with either MQ Visual Browse or MQJExplorer, under the covers they connect as 'mqm'; the tools bypass the MCA USER id setting. Recently I have tested this on Solaris and confirmed that both MQ Visual Browse and MQJ work.
This is totally incorrect and misleading for novice users.
First read my posting here (Sept 24, 2004), which describes which UserId the queue manager's MCA uses, if any, for a client channel:
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842
MQJExplorer does not set a UserId nor does it have the ability for the user to set a UserId.
For MQ Visual Browse or MQ Visual Edit, you can set a UserId on the Queue Manager Access Profile window. Obviously, you did not set a UserId during your testing; hence the results you saw were exactly as described in my other posting from 2004.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!

RogerLacroix
Posted: Sat Apr 26, 2008 11:46 am Post subject: Re: MQ Security - setmqaut
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hello gokulam,
gokulam wrote:
    When the user connects to the queue manager without entering any userid in the MQ Visual Browser tool, the user is able to connect and also get messages from the queue. But when the user tries to list all queues he gets a 2035 error. I thought the user would not be able to get messages from the queue, as the userid comes through blank and the channel has MCAUSER set to the user's group id. What else do we have to do to stop others from accessing this queue?
Please read the suggestions in the following posting, as it has a solution to your problem.
http://www.mqseries.net/phpBB2/viewtopic.php?t=16579&start=15
For support questions related to Capitalware products, you can send us an email (support AT capitalware.biz) or open a Help Desk ticket at:
http://www.capitalware.biz/phpst/index.php
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!

mdncan
Posted: Tue Apr 29, 2008 9:25 am
Acolyte
Joined: 11 May 2005 Posts: 59 Location: US
Let me clarify what I meant:
You can connect to the queue manager with both tools when you don't have any id set for MCAUSER, and browse/get/put messages; even though I have set "-put -get -browse" with the OAM on the queue, both tools allow these actions. It's true that the tools are connecting with the id of the listener process, which in my case is mqm, thereby giving you full access.
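As an added example (not code from the thread or from any of the posters), a small POSIX shell audit that parses runmqsc DISPLAY CHANNEL output and flags the two configurations the thread turns on: a SVRCONN channel with a blank MCAUSER, where the queue manager runs the channel under whatever userid the client asserts (or the listener's id when the client sends none, as mdncan's last post describes), and one whose MCAUSER is mqm. The MQSC output embedded in the script is constructed; the channel name APP.SVRCONN is an assumption, while MQAAA and the group id abcd come from the first post.

```shell
#!/bin/sh
# Added example, not code from the thread: audit SVRCONN channels for a blank
# or privileged MCAUSER.  On a live queue manager feed the audit with:
#   echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc MQAAA
# The MQSC output below is constructed so the script runs stand-alone.
SAMPLE_MQSC_OUTPUT='     1 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(abcd)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)
One MQSC command read.'
# Reads MQSC output on stdin and prints "<channel> <mcauser> <verdict>" per
# channel.  BLANK: MCAUSER is empty, so the channel runs under whatever userid
# the client asserts (or the listener's id, e.g. mqm, when none is sent).
# ADMIN: MCAUSER is mqm, so every connection on the channel is an administrator.
# OK: a dedicated id such as the group id "abcd" from the thread.
# Exit status is 1 when any channel is BLANK or ADMIN, so it can gate a deploy.
audit_svrconn_mcauser() {
    awk '
        /CHANNEL[(]/ {
            chl = $0; sub(/.*CHANNEL[(]/, "", chl); sub(/[)].*/, "", chl)
        }
        /MCAUSER[(]/ {
            u = $0; sub(/.*MCAUSER[(]/, "", u); sub(/[)].*/, "", u)
            gsub(/^ +| +$/, "", u)
            v = "OK"
            if (u == "")         v = "BLANK"
            else if (u == "mqm") v = "ADMIN"
            if (v != "OK") bad++
            printf "%s %s %s\n", chl, (u == "" ? "-" : u), v
        }
        END { if (bad > 0) exit 1 }
    '
}
# Runs the audit over the constructed sample; its exit status is the audit's.
audit_sample() {
    printf '%s\n' "$SAMPLE_MQSC_OUTPUT" | audit_svrconn_mcauser
}
if audit_sample; then
    echo "all SVRCONN channels carry a dedicated MCAUSER"
else
    echo "fix the BLANK/ADMIN channels above before exposing the listener"
fi
```

The same check belongs in a change-control script: a non-zero exit from audit_svrconn_mcauser means a channel still trusts the client-asserted userid, which is the condition that let a blank userid read the queue in the first post.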