TBS
Posted: Fri Sep 26, 2008 6:02 am    Post subject: MQ security on z/OS and Windows
Centurion, Joined: 29 Jan 2007, Posts: 143, Location: Hillerød / Denmark

Hi!
Correct me if I'm wrong.
If I use SYSTEM.DEFAULT.MODEL.QUEUE in an open-queue call and have specified TEST.* as the queue name, then on z/OS the user who does the open has to have permission (in RACF) to the queue mqmanager.TEST.*, but does not need permission to TEST.* on Windows.
How do you then prevent users from specifying SYSTEM* as a queue-name prefix?

Mr Butcher
Posted: Fri Sep 26, 2008 7:08 am
Padawan, Joined: 23 May 2005, Posts: 1716

Check the z/OS System Administration Guide, "Chapter 13. Profiles used to control access to WebSphere MQ resources". There is a section "Considerations for model queues"; it says the user must have access to the model queue itself and to the queue name it resolves to.
So in your case it depends on which profiles you defined in RACF. If you define UPDATE for SYSTEM.DEFAULT.MODEL.QUEUE and there is no SYSTEM.* profile, or no proper access to that profile, no resolving SYSTEM.* name should be allowed.
Maybe it is a better idea to disallow access to SYSTEM.DEFAULT.MODEL.QUEUE and create a "TEST.DEFAULT.MODEL.QUEUE" with proper security, to be used for all TEST.* queues.
Regards, Butcher

TBS
Posted: Fri Sep 26, 2008 7:47 am
Centurion, Joined: 29 Jan 2007, Posts: 143, Location: Hillerød / Denmark

Correct! But my point is that this is not correct on Windows.
On Windows you do not need to specify permission for TEST.*

RogerLacroix
Posted: Sat Sep 27, 2008 8:26 am
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada

TBS wrote:
    Correct! But my point is that this is not correct on Windows.
    On Windows you do not need to specify permission for TEST.*
Yes you do.
How is the application connecting to the Windows QMgr? Is it connecting with a blank UserId, or is MUSR_MQADMIN set in the MCAUSER field of the channel?
Remember, a default install of MQ has weak security on all platforms (including z/OS).
Regards,
Roger Lacroix
Capitalware Inc.
Capitalware: Transforming tomorrow into today.
Connected to MQ!

TBS
Posted: Mon Sep 29, 2008 12:56 am
Centurion, Joined: 29 Jan 2007, Posts: 143, Location: Hillerød / Denmark

I connect to the queue manager with the MO71 SupportPac (MQMON).
If I specify SYSTEM.* as the Reply Prefix, I get a temporary dynamic queue with a name SYSTEM....... and have all access to that queue.
My scenario:
Create a local user "MQMON" and put it in a local group "TEST_GROUP"
Create a queue manager "mqmanager"
Create a model queue (QMODEL) TEST.MODEL
Create a server-connection channel TEST.CLIENT with MCAUSER MQMON
setmqaut -m mqmanager -t qmgr -g TEST_GROUP +connect +inq +dsp
setmqaut -m mqmanager -t queue -n TEST.MODEL -g TEST_GROUP -allmqi +put +dsp +inq
setmqaut -m mqmanager -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g TEST_GROUP -allmqi +put +dsp
Point MO71/MQMON at the test model queue and the test channel, and change the Reply Prefix to SYSTEM.*
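Added example, not part of the thread and not IBM's code: a small Python simulator of the two authorization rules the posts describe. The z/OS side implements the rule Mr Butcher quotes (the user needs UPDATE on the MQQUEUE profile for the model queue and on the profile matching the resolved dynamic name), and the distributed side implements what TBS observes with the OAM (the check is against the model queue only, and the creating user ends up with all access to the dynamic queue), with Roger's point that a channel MCAUSER replaces the client-asserted user. The generic-profile matching is a simplification of the real RACF and OAM rules, the "no profile means no access" choice follows the thread's reading rather than a documented default, and the queue manager name MQMANAGER, the profiles, the generated suffix 4B7F2A and the user/group names are assumptions for the example. It runs TBS's TEST.MODEL / TEST_GROUP / MCAUSER=MQMON setup through both models.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

NONE, READ, UPDATE = 0, 1, 2                        # RACF access levels, ordered
MQI_AUTHS = {"put", "get", "browse", "inq", "set"}  # subset of what -allmqi covers


def generic_match(profile: str, resource: str, one_char: str) -> bool:
    """Dot-qualified generic match, simplified from the RACF/OAM rules:
    '**' = zero or more qualifiers, '*' = any characters inside one qualifier,
    one_char ('%' in RACF, '?' in the OAM) = exactly one character."""
    def walk(pq, rq):
        if not pq:
            return not rq
        if pq[0] == "**":
            return any(walk(pq[1:], rq[i:]) for i in range(len(rq) + 1))
        return (bool(rq) and fnmatchcase(rq[0], pq[0].replace(one_char, "?"))
                and walk(pq[1:], rq[1:]))
    return walk(profile.split("."), resource.split("."))


def best_profile(profiles, resource: str, one_char: str):
    """Most specific match wins; 'most literal characters' stands in for the
    real most-specific-profile ordering (simplification)."""
    hits = [p for p in profiles if generic_match(p, resource, one_char)]
    return max(hits, key=lambda p: sum(c not in "*" + one_char for c in p),
               default=None)


def resolve(prefix: str) -> str:
    """Stand-in for the name the queue manager generates from a '*' prefix."""
    return prefix[:-1] + "4B7F2A" if prefix.endswith("*") else prefix


@dataclass
class ZosQmgr:
    """z/OS: MQQUEUE profiles are qmgr.queue; the model queue AND the resolved
    dynamic name must both grant UPDATE (the rule Mr Butcher quotes)."""
    name: str
    mqqueue: dict              # profile -> {userid: level}; key "*" plays UACC

    def access(self, user: str, queue: str) -> int:
        prof = best_profile(self.mqqueue, f"{self.name}.{queue}", "%")
        if prof is None:       # no profile: treated as no access here
            return NONE        # (assumption following the thread, not a RACF default)
        acl = self.mqqueue[prof]
        return acl.get(user, acl.get("*", NONE))

    def open_model(self, user: str, model: str, prefix: str):
        for q in (model, resolve(prefix)):
            if self.access(user, q) < UPDATE:
                return False, f"{user} lacks UPDATE on {self.name}.{q}"
        return True, f"{user} may create {resolve(prefix)}"


@dataclass
class OamQmgr:
    """Windows/UNIX OAM: the check is against the model queue only; the creator
    then has all access to the dynamic queue (TBS's observation; assumption)."""
    name: str
    groups: dict               # user -> primary group
    auths: dict = field(default_factory=dict)   # profile -> {group: {auth}}

    def setmqaut(self, profile: str, group: str, *changes: str) -> None:
        """Apply '+put', '-get', '-allmqi', ... in order, like the CLI does."""
        cur = self.auths.setdefault(profile, {}).setdefault(group, set())
        for ch in changes:
            names = MQI_AUTHS if ch[1:] == "allmqi" else {ch[1:]}
            (cur.update if ch[0] == "+" else cur.difference_update)(names)

    def has(self, group, queue: str, auth: str) -> bool:
        prof = best_profile(self.auths, queue, "?")
        return prof is not None and auth in self.auths[prof].get(group, set())

    def open_model(self, client_user: str, mcauser: str, model: str,
                   prefix: str, need=("put",)):
        user = mcauser or client_user          # Roger's point: MCAUSER wins
        group = self.groups.get(user)
        for a in need:
            if not self.has(group, model, a):
                return False, f"{user} lacks {a} on {model}"
        return True, f"{user} created {resolve(prefix)} with all access to it"


def thread_scenario() -> dict:
    """TBS's setup from the thread, run through both authorization models."""
    zos = ZosQmgr("MQMANAGER", {
        "MQMANAGER.TEST.MODEL": {"MQMON": UPDATE},
        "MQMANAGER.TEST.**": {"MQMON": UPDATE},
        "MQMANAGER.SYSTEM.**": {"*": NONE},      # nobody may resolve SYSTEM.*
    })
    oam = OamQmgr("mqmanager", groups={"MQMON": "TEST_GROUP"})
    oam.setmqaut("TEST.MODEL", "TEST_GROUP", "-allmqi", "+put", "+dsp", "+inq")
    return {
        "zos_test":      zos.open_model("MQMON", "TEST.MODEL", "TEST.*")[0],
        "zos_system":    zos.open_model("MQMON", "TEST.MODEL", "SYSTEM.*")[0],
        "oam_test":      oam.open_model("anyone", "MQMON", "TEST.MODEL", "TEST.*")[0],
        "oam_system":    oam.open_model("anyone", "MQMON", "TEST.MODEL", "SYSTEM.*")[0],
        "oam_nomcauser": oam.open_model("anyone", "", "TEST.MODEL", "TEST.*")[0],
    }
```

The last two entries are the point of the thread: with MCAUSER=MQMON on the channel, the OAM lets the same open create SYSTEM.4B7F2A just as readily as TEST.4B7F2A, because nothing is checked against the resolved name, while the z/OS model denies the SYSTEM.* prefix as soon as the MQMANAGER.SYSTEM.** profile grants nothing. With a blank MCAUSER the client-asserted user "anyone" has no group with authority on the model queue and the open is refused.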