Rani.chitti |
Posted: Fri Jul 31, 2009 12:22 pm Post subject: Security and MQ 2009 Error |
|
|
Newbie
Joined: 31 Jul 2009 Posts: 8
|
Hi,
I am new to MQ. Before posting this I went across a few searches in the forum and tried my best, but with no luck. I had configured Queue Manager, Queue, channel and listener. But I did not define anything about security during this definition. When I make a connection to MQ on my local, I get a successful connection.
Now, I wanted to set security, so that the QMGR can be accessed only by that username and pswd. So, I did the following.
Before altering the channel I did check the MCAUSER and it was MCAUSER()
Quote: |
alter channel(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(ADMIN) SSLCAUTH( REQUIRED) //Did not know how to pass pswd |
So, I set my System.property username to "ADMIN". When I call my App I get the exception
Quote: |
Root exception is com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2035
MQJE036: Queue manager rejected connection attempt] |
And I wanted to make MCAUSER to "", so that it will at least work with my username, but the alter command does not work with spaces.
Can anyone help me out. |
|
Vitor |
Posted: Fri Jul 31, 2009 12:33 pm Post subject: Re: Security and MQ 2009 Error |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Rani.chitti wrote: |
Can anyone help me out. |
Read the Client and the Security manuals for detailed information. But these points may help:
- Don't use SYSTEM objects for applications. It's ok to be testing like this, but best practice is to define & use your own objects
- You've got a 2035 because the MCAUSER isn't authorised with the queue manager. Set the relevant securities and it'll be fine.
- WMQ uses the base OS to authorise its users. So you don't pass passwords to the queue manager. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
Rani.chitti |
Posted: Fri Jul 31, 2009 12:58 pm Post subject: |
|
|
Newbie
Joined: 31 Jul 2009 Posts: 8
|
Quote: |
- You've got a 2035 because the MCAUSER isn't authorised with the queue manager. Set the relevant securities and it'll be fine. |
- I know the cause for this exception but I am not sure how to set these, can you provide me with more details. |
|
Vitor |
Posted: Fri Jul 31, 2009 1:03 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Rani.chitti wrote: |
- I know the cause for this exception but I am not sure how to set these, can you provide me with more details. |
I've pointed you at the Security manual, you're clearly familiar with the System Admin manual (or you wouldn't have got this far). In the midst of all that finding how to set mq authorities shouldn't be tricky.....
You'll find a link to the Info Centre at the top of this page if you've no other access to this documentation. You'll also find a number of discussions round 2035 errors in this forum, plus discussions on the pros & cons of using MCAUser. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
mqjeff |
Posted: Mon Aug 03, 2009 3:35 am Post subject: Re: Security and MQ 2009 Error |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Rani.chitti wrote: |
I wanted to set security, so that the QMGR can be accessed only by that username and pswd. |
Rani.chitti wrote: |
I did check the MCAUSER and it was MCAUSER() |
That's not what MCAUSER does.
There's absolutely no relationship between what your app supplies to the MQCONN and the value that is in MCAUSER.
Only one of those values is used for authorization, and neither of them is used for authentication. |
|
bruce2359 |
Posted: Mon Aug 03, 2009 5:30 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Whether an application program executed by a particular userid (or group) can MQCONNect to a qmgr is determined by the +connect setmqaut authority. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
Rani.chitti |
Posted: Mon Aug 03, 2009 9:45 am Post subject: |
|
|
Newbie
Joined: 31 Jul 2009 Posts: 8
|
Thanks for your replies.
I ran the setmqaut command to grant access to all. And now I don't see any security exception. But I am interested in implementing SSL.
I will get back to you guys for any other information.
Thanks |
|
bruce2359 |
Posted: Mon Aug 03, 2009 11:01 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
command to grant access to all |
Did you grant +connect to ALL?
I thought your original post was to grant mqconnect by userid. Did you grant +connect to ALL?
Do you understand that SSL is involved with message channels between queue managers, not users and applications? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
PeterPotkay |
Posted: Mon Aug 03, 2009 3:42 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
bruce2359 wrote: |
Quote: |
command to grant access to all |
Did you grant +connect to ALL?
I thought your original post was to grant mqconnect by userid. Did you grant +connect to ALL?
Do you understand that SSL is involved with message channels between queue managers, not users and applications? |
SSL can also be used for MQ Client connections to a Queue Manager. In that context, it can be seen as SSL for an application (to a Queue Manager). _________________ Peter Potkay
Keep Calm and MQ On |
|
bruce2359 |
Posted: Tue Aug 04, 2009 5:24 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Yes, but: grant +connect to ALL plus SSL on an MQ Client SVRCONN channel = near zero effective security. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
mqjeff |
Posted: Tue Aug 04, 2009 5:41 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
bruce2359 wrote: |
Yes, but: grant +connect to ALL plus SSL on an MQ Client SVRCONN channel = near zero effective security. |
Not with the correctly thought out SSLPEER value. Then it can == "exactly and only as secure as your client certificate". |
|
bruce2359 |
Posted: Tue Aug 04, 2009 5:47 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
My point was that securing only a SVRCONN channel, while allowing all local applications to MQCONNect, leaves a huge exposure. I didn't intend to state that SSL would not secure this channel. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
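
Added example (not code from any poster in this thread): a small audit of SVRCONN channel definitions for the gaps the thread discusses, namely a blank MCAUSER, SSLCAUTH set on a channel with no SSLCIPH, optional client certificates, and a missing SSLPEER. The runmqsc output is a constructed sample, and the finding codes and function names are hypothetical.

```python
import re

# Constructed sample of runmqsc DISPLAY CHANNEL output (not taken from the thread).
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER(ADMIN)                          SSLCAUTH(REQUIRED)
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(OPTIONAL)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app2svc)                        SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLPEER(CN=app2,O=Example)
"""

REASONS = {  # hypothetical finding codes used by this example
    "BLANK_MCAUSER": "authorization runs under whatever user ID the client asserts",
    "NO_SSLCIPH": "no CipherSpec, so SSLCAUTH and SSLPEER are never applied",
    "CERT_OPTIONAL": "SSL is on but the client need not present a certificate",
    "NO_SSLPEER": "any certificate the key repository trusts is accepted",
}

ATTR = re.compile(r"(\w+)\(([^)]*)\)")  # NAME(value); assumes no ')' inside a value

def parse_channels(text):
    """Split runmqsc output into one attribute dict per channel."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # header that starts each channel
            current = {}
            channels.append(current)
        elif current is not None:
            for name, value in ATTR.findall(line):
                current[name] = value.strip()   # runmqsc shows blank as "( )"
    return channels

def audit(chan):
    """Return finding codes for one SVRCONN channel definition."""
    if chan.get("CHLTYPE") != "SVRCONN":
        return []
    findings = []
    if not chan.get("MCAUSER"):
        findings.append("BLANK_MCAUSER")
    if not chan.get("SSLCIPH"):
        findings.append("NO_SSLCIPH")       # the state described in the first post
    else:
        if chan.get("SSLCAUTH") != "REQUIRED":
            findings.append("CERT_OPTIONAL")
        if not chan.get("SSLPEER"):
            findings.append("NO_SSLPEER")
    return findings

def audit_all(text):
    return {c["CHANNEL"]: audit(c) for c in parse_channels(text)}

if __name__ == "__main__":
    for name, codes in audit_all(SAMPLE).items():
        print(name, [f"{c}: {REASONS[c]}" for c in codes] or "ok")
```

A clean result here says nothing about who holds +connect on the queue manager; that grant is checked separately with the authority commands mentioned in the thread.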