userid
solomon_13000
PostPosted: Sat Aug 30, 2008 1:25 am    Post subject: userid

Master

Joined: 13 Jun 2008
Posts: 284

In regards to userid, do we define the userid at the OS level or at the MQ level? I'm using the UNIX OS and I have no chance of knowing because a separate team handles the userid creation. But from my understanding we can log in to the UNIX OS using this userid, and the userid can belong to the mqm group for admin purposes or to the TDE group for file transfer. Also, as I was going through some websites, there is a command to create a userid on the UNIX OS and it's called mkuser. There is also a channel attribute known as MCAUSER. This is used to define a userid. Now how does this attribute verify that the userid is valid and which group it belongs to? Is there an authorization process that verifies the userid against the one defined on the UNIX OS to see if it is valid and belongs to a particular group? Is the authorization process known as MCA?
PeterPotkay
PostPosted: Sat Aug 30, 2008 5:39 am    Post subject: Re: userid

Poobah

Joined: 15 May 2001
Posts: 7722

solomon_13000 wrote:
There is also a channel attribute and it is known as MCAUSER. This is used to define a userid.

It is not used to define a User ID. You can put anything in there you want. Hopefully you insert a valid User ID. You can insert a bogus ID if you want to render the channel useless (a good thing to do for the SYSTEM.DEF.SVRCONN channel, for example). Leaving it blank is not a good idea, since in that case you are trusting the incoming connection to be honest about who they are. Since it's very easy for anyone to connect as mqm, a blank MCAUSER in effect says "I don't care about MQ security."

An MCAUSER has nothing to do with WHO can connect to your QM. It only deals with WHAT they can do. It's authorization, not authentication. For authentication, use SSL and/or a security exit (i.e. Capitalware's MQAUSX). If you are serious about MQ security, you use an MCAUSER >>>and<<< SSL / exit on every one of your inbound channels (SVRCONN, RCVR, CLUSRCVR, etc.). The SSL / exit determines who can connect, and the MCAUSER determines what they can do once they are connected.


solomon_13000 wrote:
Now how does this attribute verify that the userid is valid and belong to which group?

It doesn't. You can put anything you want in there. When the channel starts up the OAM will use the value in the MCAUSER field to see if it has the necessary MQ rights to do whatever is being asked of that ID, i.e. connect to the QM with particular options, open a queue with particular options, etc. So at that point that ID needs to be known to the O/S and it needs to have the proper MQ authorities set previously by setmqaut commands, preferably at the group level that that ID belongs to.

solomon_13000 wrote:
Is the authorization process known as MCA?

No. MCA = Message Channel Agent.
_________________
Peter Potkay
Keep Calm and MQ On
solomon_13000
PostPosted: Sat Aug 30, 2008 7:26 am    Post subject:

Master

Joined: 13 Jun 2008
Posts: 284

So basically on my UNIX OS:

1. mkuser -attr pgrp=tde ukeuft

2. setmqaut -m qmgr -n a.b -t queue -g tde +browse +get +inq +passall +passid +put +set +setall +setid -chg -clr -dlt +dsp

Now will the OAM grab the userid from MCAUSER to check and see if it has the authorization, for example to put messages on the queue, before messages are put on the queue? How does the OAM grab the userid?

Also, whenever I log in to my UNIX OS with the userid ukeuft, does it mean I can browse, get and put messages on the queue?

Does the OAM also grab the userid from the messages to check and see if it has the authorization, for example to put messages on the queue, before messages are put on the queue?
atheek
PostPosted: Sun Aug 31, 2008 2:50 am    Post subject:

Partisan

Joined: 01 Jun 2006
Posts: 327
Location: Sydney

There is a channel attribute called PUTAUT which determines which userid is used in the authorization process. If this value is set to DEF, the channel will use the userID specified in MCAUSER if one is defined; otherwise the user running the MCA process is used. This is the default setting.

If PUTAUT is set to CTX, then the userID set in the message is used for authorization.

solomon_13000 wrote:
Also whenever I log in to my UNIX OS with the userid ukeuft it means I can browse, get, put messages on the queue?


When you log in and try to put, get or browse sample messages, you might be using some programs to do so which will be running under your login userID. Since you have granted the necessary authorization privileges on the queue to the primary group of your login ID, you will be able to do the get, put, browse etc. Note that in this case you are not using any channels (hoping the programs you use don't connect in client mode), and authorization checks are done when the programs you use issue the MQ API calls.
solomon_13000
PostPosted: Sun Aug 31, 2008 3:29 am    Post subject:

Master

Joined: 13 Jun 2008
Posts: 284

Quote:
else, the user running the MCA process is used


So would this mean the user who logs in with their userid will be used for authentication purposes? Also, in both cases, whether we use the DEF or CTX value in the PUTAUT attribute of the channel, will the OAM still grab the userid to check and see if the userid has permission to connect to the queue manager, put messages on the queue manager and so on?
atheek
PostPosted: Sun Aug 31, 2008 4:32 am    Post subject:

Partisan

Joined: 01 Jun 2006
Posts: 327
Location: Sydney

solomon_13000 wrote:
Quote:
else, the user running the MCA process is used


So would this mean the user who logs in with their userid will be used for authentication purposes?


Well, the userIDs associated with the MCA depend upon many factors, like whether it's a caller MCA (e.g. sender channel) or a responder MCA (e.g. receiver channels). In most cases, the userid of the MCA will be that of the parent process which started it (channel initiator, listener etc.). The sender or requester channel process can run under the login user provided it is started by the user running the runmqchl control command...

I would recommend you read page 206 of the System Administration Guide, which explains how it is handled...
http://www-01.ibm.com/software/integration/wmq/library/library6x.html

solomon_13000 wrote:
Also, in both cases, whether we use the DEF or CTX value in the PUTAUT attribute of the channel, will the OAM still grab the userid to check and see if the userid has permission to connect to the queue manager, put messages on the queue manager and so on?


YES. If the OAM is running it will always check that the application (treat channels also as another application) has sufficient privileges to access the MQ resources. However, there are ways to disable the OAM as well.
solomon_13000
PostPosted: Sun Aug 31, 2008 6:43 am    Post subject:

Master

Joined: 13 Jun 2008
Posts: 284

So basically, suppose I set MCAUSER('') as blank, but then I set the PUTAUT attribute value as CTX; this would mean the channel will be using the message userid for authorization purposes. But if I don't specify the PUTAUT attribute in my channel definition, will this mean that the default userid known as mqm will be used by the channel for authorization? Also, as I was reading an article, it says that PUTAUT(CTX) is used to force local authorization. In other words, the userid must be registered in the local authentication domain. So does it mean, for example:

Box1 to Box2 to Box3

For each box I need to register the userid?
PeterPotkay
PostPosted: Sun Aug 31, 2008 8:20 am    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

Don't use PUTAUT(CTX). It makes more work for you and it provides a false sense of security. You have to keep track of all the valid IDs defined on other systems and ensure they are defined on your systems, and you have absolutely no power to stop the other side from sending messages with fake IDs in the MQMD, like say, I don't know, mqm?!?

Do not use PUTAUT(CTX) (you can't trust the other side to send valid IDs), use SSL or a security exit (you have to control who can connect), and tag the MCAUSER with an ID that you have restricted access for (you have to control what they can do once connected).
_________________
Peter Potkay
Keep Calm and MQ On
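The recurring advice in this thread (Peter's "MCAUSER and SSL on every inbound channel", atheek's description of PUTAUT(DEF) versus PUTAUT(CTX), and Peter's "don't use PUTAUT(CTX)") can be turned into a routine check. The script below is an added example, not code from the forum or from IBM: it parses a saved `DISPLAY CHANNEL(*)` listing in the usual `ATTR(value)` token form, applies the thread's rules only to channels that receive from the outside (SVRCONN, RCVR, RQSTR, CLUSRCVR; a SDR with a blank MCAUSER is deliberately ignored, since MCAUSER is not consulted there), and emits the MQSC that would close each finding. The listing, channel names and cipher values are constructed, and every `<...>` in the generated MQSC is a placeholder an administrator must fill in.

```shell
#!/bin/sh
# Audit an IBM MQ channel listing for inbound channels whose authorization
# identity cannot be trusted. Findings follow the thread's three rules:
#   BLANK_MCAUSER - the connecting side decides what ID the OAM checks
#   PUTAUT_CTX    - the ID in the incoming MQMD decides, so the sender can
#                   claim any ID it likes
#   NO_SSL        - nothing proves who connected before MCAUSER applies

# Constructed sample of "DISPLAY CHANNEL(*)" output (not captured from a
# real queue manager); attribute tokens may appear several per line.
SAMPLE_LISTING='AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              PUTAUT(DEF)
   SSLCAUTH(REQUIRED)                      SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1usr)                        PUTAUT(DEF)
   SSLCAUTH(REQUIRED)                      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(BOX1.TO.BOX2)                   CHLTYPE(RCVR)
   MCAUSER(rcvusr)                         PUTAUT(CTX)
   SSLCAUTH(REQUIRED)                      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(BOX1.TO.BOX2.SDR)               CHLTYPE(SDR)
   MCAUSER( )                              PUTAUT(DEF)
   SSLCAUTH(REQUIRED)                      SSLCIPH( )'

# audit_channels LISTING -> one line per finding: "<channel> <type> <finding>"
audit_channels() {
    printf '%s\n' "$1" | awk '
        # Emit findings for the channel collected so far, inbound types only.
        function flush() {
            if (name == "") return
            inbound = (type == "SVRCONN" || type == "RCVR" || \
                       type == "RQSTR"   || type == "CLUSRCVR")
            if (!inbound) return
            if (mcauser == "") print name, type, "BLANK_MCAUSER"
            if (putaut == "CTX") print name, type, "PUTAUT_CTX"
            if (sslciph == "") print name, type, "NO_SSL"
        }
        {
            line = $0
            # Walk every NAME(value) token on the line, left to right.
            while (match(line, /[A-Z]+\([^)]*\)/)) {
                tok = substr(line, RSTART, RLENGTH)
                p   = index(tok, "(")
                key = substr(tok, 1, p - 1)
                val = substr(tok, p + 1, length(tok) - p - 1)
                gsub(/^ +| +$/, "", val)          # "( )" means blank
                if (key == "CHANNEL") {
                    flush()                       # previous channel is complete
                    name = val; type = ""; mcauser = ""; putaut = ""; sslciph = ""
                } else if (key == "CHLTYPE") type = val
                else if (key == "MCAUSER") mcauser = val
                else if (key == "PUTAUT")  putaut = val
                else if (key == "SSLCIPH") sslciph = val
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { flush() }'
}

# finding_count LISTING -> number of findings, for scripting a pass/fail gate.
finding_count() {
    audit_channels "$1" | wc -l | tr -d ' '
}

# remediation_mqsc LISTING -> ALTER CHANNEL statements, one per finding.
# Placeholder values in <...> are hypothetical and must be replaced.
remediation_mqsc() {
    audit_channels "$1" | while read -r name type finding; do
        case "$finding" in
            BLANK_MCAUSER)
                printf "ALTER CHANNEL(%s) CHLTYPE(%s) MCAUSER('<restricted-id>')\n" "$name" "$type" ;;
            PUTAUT_CTX)
                printf "ALTER CHANNEL(%s) CHLTYPE(%s) PUTAUT(DEF)\n" "$name" "$type" ;;
            NO_SSL)
                printf "ALTER CHANNEL(%s) CHLTYPE(%s) SSLCIPH('<cipherspec>') SSLCAUTH(REQUIRED) SSLPEER('<dn-filter>')\n" "$name" "$type" ;;
        esac
    done
}

audit_channels "$SAMPLE_LISTING"
remediation_mqsc "$SAMPLE_LISTING"
```

On a live system the listing would come from `echo "DISPLAY CHANNEL(*)" | runmqsc QMGR` saved to a file; the script is left reading a constructed string so it runs without a queue manager. The sample deliberately leaves APP1.SVRCONN clean to show that a channel with a real MCAUSER, PUTAUT(DEF) and a CipherSpec produces no finding, which is the end state the thread recommends.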
mqjeff
PostPosted: Sun Aug 31, 2008 8:24 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

PeterPotkay wrote:
use SSL or a security exit (you have to control who can connect)


AND a network level firewall to control access to the listener port.
solomon_13000
PostPosted: Sun Aug 31, 2008 5:55 pm    Post subject:

Master

Joined: 13 Jun 2008
Posts: 284

I think in my workplace we are using PUTAUT(CTX), because if I were to send messages from Box1 to Box2 the userid must be created on Box1 and Box2. Also we use SSL for authentication. Apart from that, a firewall is set to control the flow of data on our ports.
solomon_13000
PostPosted: Sun Aug 31, 2008 6:12 pm    Post subject:

Master

Joined: 13 Jun 2008
Posts: 284

Quote:
the userid of the MCA will be that of the parent process which started it (channel initiator, listener etc).


I was going through the channel definition and I saw that MCAUSER('') is blank. So based on the quote, does it mean that the process that started the MCA will add the userid to the MCAUSER attribute, to be for example MCAUSER('userid')? Something which is done at runtime.
atheek
PostPosted: Sun Aug 31, 2008 6:51 pm    Post subject:

Partisan

Joined: 01 Jun 2006
Posts: 327
Location: Sydney

Treat the channel definitions like a property file which is static and doesn't change dynamically during runtime. It's just that MQ will use a value from there if present; otherwise it will search somewhere else (the OS) to get the user ID (e.g. the user ID of the channel process).
solomon_13000
PostPosted: Sun Aug 31, 2008 7:11 pm    Post subject:

Master

Joined: 13 Jun 2008
Posts: 284

So it all comes down again to the process that started the MCA.
solomon_13000
PostPosted: Sun Aug 31, 2008 8:30 pm    Post subject:

Master

Joined: 13 Jun 2008
Posts: 284

Suppose I use PUTAUT(DEF); it would mean that the channel will be using the userid specified in the MCAUSER attribute for authorization. Does this mean for each userid I would have to create a new channel? Is this a disadvantage?