chris boehnke (Partisan; joined 25 Jul 2006; 369 posts)
Posted: Mon Sep 14, 2009 6:03 pm    Post subject: Security: Multiple apps deployed on WAS in connecting to MQ
Hi Guys,
We have WAS 6.1 installed on AIX and it is running under the user ID 'was'.
There are multiple client apps deployed on WAS.
MQ 7 is running on a remote server (Solaris) and there is a single qmgr defined.
All 3 apps on WAS are accessing the MQ7 qmgr and its queues. The messages from all 3 apps are coming with the user ID 'was', as WAS is running under the 'was' user ID, which is the default.
On the queue manager, we defined a SVRCONN channel and provided the MCAUSER field with 'was'.
Question:
Is it possible to isolate the 3 apps to use unique user IDs on WAS, so that we can create 3 SVRCONN channels and provide the respective user ID in the MCAUSER field of each channel?
Thanks.
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; LI, NY)
Posted: Mon Sep 14, 2009 6:53 pm
Should be relatively easy. Define 3 different connection factories in JNDI and have each use a different channel. Voila, separation achieved...
-- MQ & Broker admin
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Tue Sep 15, 2009 3:26 am    Post subject: Re: Security: Multiple apps deployed on WAS in connecting to
chris boehnke wrote:
    The messages from all the 3 apps are coming with the user id 'was' as the WAS is running under 'was' user id which is default.

Nope, the messages are tagged with the 'was' ID because that is what is on the MCAUSER of the channel. The ID that your app runs as does not have to be the same ID in the MCAUSER. Whatever value is in the MCAUSER will override any ID sent from the client. Every SVRCONN channel in your environment should have the MCAUSER filled in to prevent the client from connecting as an unintended ID, like mqm.
-- Peter Potkay
Keep Calm and MQ On
Luke (Centurion; joined 10 Nov 2008; 128 posts; UK)
Posted: Tue Sep 15, 2009 3:58 am    Post subject: Re: Security: Multiple apps deployed on WAS in connecting to
PeterPotkay wrote:
    Every SVRCONN channel in your environment should have the MCAUSER filled in to prevent the client from connecting as an unintended ID, like mqm.

Peter, do you mean the MCAUSER should be blank? Isn't having it filled in what causes clients to connect as an unintended ID? Or have I misunderstood?
Thanks
exerk (Jedi Council; joined 02 Nov 2006; 6339 posts)
Posted: Tue Sep 15, 2009 4:04 am    Post subject: Re: Security: Multiple apps deployed on WAS in connecting to
Luke wrote:
    PeterPotkay wrote:
        Every SVRCONN channel in your environment should have the MCAUSER filled in to prevent the client from connecting as an unintended ID, like mqm.
    Peter, do you mean the MCAUSER should be blank? Isn't having it filled in what causes clients to connect as an unintended ID? Or have I misunderstood?
    Thanks

It was quite explicit:
PeterPotkay wrote:
    ...Whatever value is in the MCAUSER will override any ID sent from the client...

Consider - someone flowing mqm across a channel that has a blank userid will give what access? Someone flowing mqm across a channel that has a non-blank userid (not mqm, which should never be used as an MCAUSER value) will give what access?
-- It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Luke (Centurion; joined 10 Nov 2008; 128 posts; UK)
Posted: Tue Sep 15, 2009 4:30 am    Post subject: Re: Security: Multiple apps deployed on WAS in connecting to
exerk wrote:
    someone flowing mqm across a channel that has a blank userid will give what access?

mqm.

exerk wrote:
    Someone flowing mqm across a channel that has a non-blank userid (not mqm, which should never be used as an MCAUSER value) will give what access?

Whatever the MCAUSER is set to, i.e. not mqm.

I did get that I think, and I see how that can stop someone connecting as mqm in that scenario. But then if the hard-coded mcauser on the channel has significant authorities, doesn't that mean anyone who connects through that channel has the same authorities ... which is why mqm should never be hardcoded as mcauser?
That was my understanding, but I guess I missed something? Are you saying security should be implemented separately and the mcauser id should be set to an id with appropriate authorities for the client that is intended to use that channel? Hence for 3 apps you might want to use 3 SVRCONN channels?
Thanks
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Tue Sep 15, 2009 4:33 am
Well, unintended from whose perspective?
If a user tries to connect to my QM as mqm and I have the channel tagged with another ID, yeah, I guess they will connect as an unintended ID. And that's a good thing, for me!
-- Peter Potkay
Keep Calm and MQ On
exerk (Jedi Council; joined 02 Nov 2006; 6339 posts)
Posted: Tue Sep 15, 2009 4:34 am    Post subject: Re: Security: Multiple apps deployed on WAS in connecting to
Luke wrote:
    ...Are you saying security should be implemented separately and the mcauser id should be set to an id with appropriate authorities for the client that is intended to use that channel? Hence for 3 apps you might want to use 3 SVRCONN channels?...

You get the lollipop!
-- It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Tue Sep 15, 2009 4:37 am    Post subject: Re: Security: Multiple apps deployed on WAS in connecting to
Luke wrote:
    I did get that I think, and I see how that can stop someone connecting as mqm in that scenario. But then if the hard-coded mcauser on the channel has significant authorities, doesn't that mean anyone who connects through that channel has the same authorities ... which is why mqm should never be hardcoded as mcauser?

You code mqm on the channel if you need mqm access, say for an MQ Admin's MO71 or MQ Explorer. And then you apply SSL or a Security Exit to ensure only the intended user has that access.
The hard coded MCAUSER ensures WHAT they can do.
The SSL / Exit ensures WHO can do the WHAT.
Ideally you should do both of these things for every SVRCONN channel. And RCVR, CLUSRCVR, RQSTR.
-- Peter Potkay
Keep Calm and MQ On
Last edited by PeterPotkay on Tue Sep 15, 2009 4:39 am; edited 1 time in total
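As an added illustration (not code from this thread, from IBM, or from any poster), the Python below models the two points made above: fjb_saper's suggestion of one SVRCONN channel per app, and Peter's rule that a non-blank MCAUSER overrides whatever ID the client flows while a blank one lets the flowed ID (mqm included) through. It parses a small MQSC script into channel objects, resolves the effective user for a connection, checks queue access against an authority table, and flags channels whose MCAUSER is blank or mqm. All channel, queue and user names, the authority table and the MQSC text are constructed for the example; the parser handles only the one-line DEFINE CHANNEL form shown.

```python
"""Model of the SVRCONN MCAUSER rule discussed in this thread, plus an audit
of MQSC channel definitions. Added illustration, not IBM code; every channel,
queue and user name below is constructed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SvrconnChannel:
    name: str
    mcauser: str = ""  # blank MCAUSER: queue manager trusts the ID the client flows


def effective_user(channel: SvrconnChannel, flowed_user: str) -> str:
    """The rule Peter states: a non-blank MCAUSER overrides whatever ID the
    client sends; only a blank MCAUSER lets the flowed ID through."""
    return channel.mcauser if channel.mcauser else flowed_user


# Constructed authority table: queues each ID is granted PUT/GET on.
# 'was' is the shared ID from the original setup; app1..app3 are per-app IDs.
AUTHORITIES = {
    "was": {"APP1.Q", "APP2.Q", "APP3.Q"},
    "app1": {"APP1.Q"},
    "app2": {"APP2.Q"},
    "app3": {"APP3.Q"},
    "mqm": {"*"},  # queue-manager administrator: everything
}


def can_access(channel: SvrconnChannel, flowed_user: str, queue: str) -> bool:
    """WHAT a connection on this channel may do is decided by the effective ID."""
    granted = AUTHORITIES.get(effective_user(channel, flowed_user), set())
    return "*" in granted or queue in granted


_DEFINE = re.compile(r"DEFINE\s+CHANNEL\(\s*([^)\s]+)\s*\)", re.IGNORECASE)
_CHLTYPE = re.compile(r"CHLTYPE\(\s*SVRCONN\s*\)", re.IGNORECASE)
_MCAUSER = re.compile(r"MCAUSER\(\s*'?([^')]*)'?\s*\)", re.IGNORECASE)


def parse_svrconn(mqsc: str) -> list:
    """Pull SVRCONN definitions out of MQSC text (one DEFINE per line).
    Attributes may appear in any order; MCAUSER(' ') counts as blank."""
    channels = []
    for line in mqsc.splitlines():
        name = _DEFINE.search(line)
        if not name or not _CHLTYPE.search(line):
            continue  # not a channel definition, or not a SVRCONN
        user = _MCAUSER.search(line)
        channels.append(SvrconnChannel(name.group(1), user.group(1).strip() if user else ""))
    return channels


def audit(channels) -> list:
    """Flag the two cases the thread warns about, in definition order."""
    findings = []
    for c in channels:
        if not c.mcauser:
            findings.append((c.name, "blank MCAUSER: whatever ID the client flows is used, mqm included"))
        elif c.mcauser.lower() == "mqm":
            findings.append((c.name, "MCAUSER is mqm: restrict WHO can connect with SSL or a security exit"))
    return findings


# Constructed MQSC: the original single shared channel, three per-app channels,
# an admin channel, one left blank, and a sender channel the parser must skip.
SAMPLE_MQSC = """\
DEFINE CHANNEL(WAS.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('was')
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('app1')
DEFINE CHANNEL(APP2.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('app2') TRPTYPE(TCP)
DEFINE CHANNEL(APP3.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('app3')
DEFINE CHANNEL(ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')
DEFINE CHANNEL(OPEN.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP)
DEFINE CHANNEL(TO.HUB) CHLTYPE(SDR) CONNAME('hub.example(1414)') XMITQ(HUB)
"""

CHANNELS = {c.name: c for c in parse_svrconn(SAMPLE_MQSC)}

if __name__ == "__main__":
    # Shared channel: every app reaches every queue, whatever ID WAS runs as.
    print(can_access(CHANNELS["WAS.SVRCONN"], "was", "APP2.Q"))
    # Per-app channel: app1 cannot reach app2's queue even if it flows 'mqm'.
    print(can_access(CHANNELS["APP1.SVRCONN"], "mqm", "APP2.Q"))
    for name, why in audit(CHANNELS.values()):
        print(f"{name}: {why}")
```

The model only covers the MCAUSER override the thread describes; it does not model the SSL or security-exit layer Peter puts in front of an mqm channel, which is why the audit reports such a channel as something to restrict rather than as a hard failure. Real MQSC scripts often continue a definition across lines with a trailing `+`, which this one-line parser does not handle.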
Luke (Centurion; joined 10 Nov 2008; 128 posts; UK)
Posted: Tue Sep 15, 2009 4:37 am
That's my 1 thing learned for today then ...
Thanks for the clarification guys