chandu.yalamanchili |
Posted: Tue Sep 22, 2009 6:44 am Post subject: User id and Password on Queue Manager |
|
|
Apprentice
Joined: 29 Jun 2007 Posts: 29
|
Hi All,
Is there any way that we can set a userid and password for the users connecting to the Queue Manager? I tried setting this up on the connection factory, but the Java apps were able to connect even with the wrong password or with the password left blank. I also tried adding users to /etc/group and setting them a password, but they are still able to connect with the wrong password. Please shed some light on this. |
WMBDEV1 |
Posted: Tue Sep 22, 2009 6:51 am Post subject: |
|
|
Sentinel
Joined: 05 Mar 2009 Posts: 888 Location: UK
|
Out of the box, MQ does not authenticate users but provides authorisation only.
You will need an exit or an offering from a third party supplier to get the behaviour that you want.
CapitalWare has one such offering.....
http://www.capitalware.biz/mqausx_overview.html
Roger may be along shortly to offer more info. |
exerk |
Posted: Tue Sep 22, 2009 6:52 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Search the site as this has been gone over many times before. Also, pay a visit to the Capitalware site for information regarding commercial, industrial strength exits, or look at BlockIP2 for a non-commercial exit...
...and no, I don't get commission or click-throughs for Capitalware _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
chandu.yalamanchili |
Posted: Tue Sep 22, 2009 7:06 am Post subject: |
|
|
Apprentice
Joined: 29 Jun 2007 Posts: 29
|
Thanks for the quick reply. Is there any other solution other than using the Capitalware product? |
PeterPotkay |
Posted: Tue Sep 22, 2009 7:10 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Write your own exit, or search for commercial MQ Security Exits from other companies besides Capitalware.
We happily use Capitalware. _________________ Peter Potkay
Keep Calm and MQ On |
exerk |
Posted: Tue Sep 22, 2009 7:25 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
exerk wrote: |
...or look at BlockIP2 for a non-commercial exit... |
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
chandu.yalamanchili |
Posted: Tue Sep 22, 2009 7:39 am Post subject: |
|
|
Apprentice
Joined: 29 Jun 2007 Posts: 29
|
Thanks for your replies. Looks like BlockIP2 helps me a little bit. How can we write our own security exits? Need some light on this one too.... |
exerk |
Posted: Tue Sep 22, 2009 7:44 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
It's a personal viewpoint, but I don't like 'home grown' exits (I'm suffering the fall-out from one now) because people move on, things change (64-bit queue managers anybody?) and maintenance becomes a real burden because people only get to work on it part-time.
A commercial exit, by definition, has to be rock-solid, supported, and the provider is usually ahead of the drag curve when it comes to providing multi-platform versions, and new versions ahead of customer migrations to later WMQ versions.
Just my tuppenny worth... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
Vitor |
Posted: Tue Sep 22, 2009 9:07 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
chandu.yalamanchili wrote: |
How can we write our own security exits? Need some light on this one too.... |
The requirements for exits are in the product documentation.
Note that exits are considered an advanced topic and are not for the faint hearted; hence the market in commercially supported ones. Because exits run as part of the queue manager, a poorly written one will adversely affect queue manager performance and a badly written one will bring the queue manager down.
There are a number of posts in here that discuss writing exits. _________________ Honesty is the best policy.
Insanity is the best defence. |
PeterPotkay |
Posted: Tue Sep 22, 2009 9:49 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Sorta like "If you have to ask how much, you can't afford it", the same goes with exits. If you have to ask how do I write one, you shouldn't! The other benefit of commercial exits is a huge base of customers all testing it. With your own exit it is just your own test case, which may not be adequate.
I like the story about the guy showing off his new exit. "Been running in Production for 2 months now!" he proudly proclaimed, rocking back and forth on his heels, thumbs hooked on his suspenders. "Nice job. What encryption method are you applying to the ID and password?" we ask. "Uh, encryption method?" comes the reply. Snap!
There are a lot of things to consider when writing a security exit. _________________ Peter Potkay
Keep Calm and MQ On |
chandu.yalamanchili |
Posted: Wed Sep 23, 2009 1:42 pm Post subject: |
|
|
Apprentice
Joined: 29 Jun 2007 Posts: 29
|
|
rmah |
Posted: Wed Sep 23, 2009 4:16 pm Post subject: |
|
|
Centurion
Joined: 04 May 2007 Posts: 142
|
chandu.yalamanchili wrote: |
Thanks for your Inputs |
You can also use contact admin to restrict connections to MQ. However, you'll need the infrastructure to support it, i.e. a contact admin workgroup server, CEP server and Domain server.
Users would connect to the workgroup server and see a list of queue managers. You can then restrict which queue managers and objects they see by putting them in groups. _________________ MQ 6.0.2.3
Broker 6.0.0.7
for Linux
Last edited by rmah on Thu Sep 24, 2009 8:45 am; edited 1 time in total |
mqjeff |
Posted: Thu Sep 24, 2009 4:22 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
rmah wrote: |
You can also use contact admin to authenticate your connections to MQ. |
I would be pleased, but surprised, to learn that contact admin will act as a proxy authentication point for MQCONN. |
rmah |
Posted: Thu Sep 24, 2009 8:38 am Post subject: |
|
|
Centurion
Joined: 04 May 2007 Posts: 142
|
mqjeff wrote: |
rmah wrote: |
You can also use contact admin to authenticate your connections to MQ. |
I would be pleased, but surprised, to learn that contact admin will act as a proxy authentication point for MQCONN. |
Sorry, bad choice of words - restrict instead of authenticate.
I use M6 contact admin Workgroup Server and M6 AP-WMQ to restrict and limit user access to queue managers.
contact admin doesn't authenticate for MQCONN - it uses a permits.ini file, in which you configure access by putting usernames in groups, and editing group permissions. _________________ MQ 6.0.2.3
Broker 6.0.0.7
for Linux |
mqjeff |
Posted: Thu Sep 24, 2009 9:29 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
My point is that as far as I know, contact admin only provides authentication and authorization to its management tools and the functions within that for accessing queue managers, and does not provide any authentication or authorization for random MQ applications to talk to your queue managers.
So while it is useful to know that contact admin does provide a robust, reliable set of authentication and authorization tools for its management tools, using them in no way does anything to secure your queue manager. |