jarun111 |
Posted: Thu Oct 01, 2009 2:07 pm Post subject: MQ security related queries |
|
|
Acolyte
Joined: 19 Apr 2004 Posts: 70
|
Hi,
I have some queries regarding authorization/access set-up for MQ.
Below are my settings:
Have a QM running on hostA
Have a client running on hostB
QM has a SVRCONN channel with no MCAUSER specified and I am trying to connect to a queue "QUEUE1" with no authorization specified (other than for "mqm" functional ID)
JMS Client on hostA runs under its functional ID "mwm" and does not have any user ID/Passwd set while creating connection.
When I try sending message to the queue "QUEUE1", everything goes fine without any 2035 exception.
My requirement is
1> Client should not be able to connect to the QM until it runs under a permissioned functional ID.
2> Client should not be able to connect to the queue until it runs under a permissioned functional ID.
Am I missing something here? Please help with your inputs.
Thanks |
|
jeevan |
Posted: Thu Oct 01, 2009 2:22 pm Post subject: Re: MQ security related queries |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
jarun111 wrote: |
Hi,
I have some queries regarding authorization/access set-up for MQ.
Below are my settings:
Have a QM running on hostA
Have a client running on hostB
QM has a SVRCONN channel with no MCAUSER specified and I am trying to connect to a queue "QUEUE1" with no authorization specified (other than for "mqm" functional ID)
JMS Client on hostA runs under its functional ID "mwm" and does not have any user ID/Passwd set while creating connection.
When I try sending message to the queue "QUEUE1", everything goes fine without any 2035 exception.
My requirement is
1> Client should not be able to connect to the QM until it runs under a permissioned functional ID.
2> Client should not be able to connect to the queue until it runs under a permissioned functional ID.
Am I missing something here? Please help with your inputs.
Thanks |
You need to authorise the user your JMS app is running under to connect, and inq for queue manager and get/put/browse/inq for queue(s). |
|
jarun111 |
Posted: Thu Oct 01, 2009 2:30 pm Post subject: |
|
|
Acolyte
Joined: 19 Apr 2004 Posts: 70
|
Issue here is I did not authorize it but I am still able to connect. As mentioned earlier there is no user specified in mcauser. |
|
fjb_saper |
Posted: Thu Oct 01, 2009 3:07 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
jarun111 wrote: |
Issue here is I did not authorize it but I am still able to connect. As mentioned earlier there is no user specified in mcauser. |
Known problem for java/JMS connections. (search the forum)
To secure you need to set an mcauser and best add SSL on top of the mcauser.  _________________ MQ & Broker admin |
|
shashivarungupta |
Posted: Thu Oct 01, 2009 3:42 pm Post subject: |
|
|
 Grand Master
Joined: 24 Feb 2009 Posts: 1343 Location: Floating in space on a round rock.
|
Yes, it's a known problem for Java-based applications...
For Java-based apps, mqm is the user ID being referred to when you are not explicitly specifying any.
To secure the MQ objects from being accessed by any of the applications, you have to set OAM for that application ID (perhaps that application ID is already defined on the MQ server where Security Handshake would be done).
Go through the MQ Security Manual by IBM and curb the application(s) from accessing the MQ objects without your knowledge.
SSL-enabled channels can also deny applications access to the MQ QMgrs if they do not have valid certs.
 _________________ *Life will beat you down, you need to decide to fight back or leave it. |
|
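The replies above come down to two channel settings: a blank MCAUSER on a SVRCONN channel and no SSL CipherSpec. As an added example (not posted by anyone in the thread), this shell function audits `runmqsc` output for both; the channel names, the user `app2usr` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SVRCONN channels that accept whatever ID the client asserts.
# Feed it the runmqsc output of:
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH
# Prints "<channel> <findings>" for each SVRCONN channel.
audit_svrconn() {
  awk '
    # Set val to the text inside NAME(...) on the current line; return 0 if absent.
    function grab(name,   s) {
      if (!match($0, name "\\([^)]*\\)")) return 0
      s = substr($0, RSTART + length(name) + 1, RLENGTH - length(name) - 2)
      gsub(/^ +| +$/, "", s)            # "MCAUSER( )" means blank
      val = s
      return 1
    }
    function report(   f) {
      if (chan == "" || type != "SVRCONN") return
      f = ""
      if (mca == "")  f = "BLANK_MCAUSER"
      if (ciph == "") f = (f == "" ? "" : f ",") "NO_SSLCIPH"
      print chan, (f == "" ? "OK" : f)
    }
    {
      # A CHANNEL(...) attribute starts a new record; attributes may share a line.
      if (grab("CHANNEL")) { report(); chan = val; type = mca = ciph = "" }
      if (grab("CHLTYPE")) type = val
      if (grab("MCAUSER")) mca  = val
      if (grab("SSLCIPH")) ciph = val
    }
    END { report() }
  '
}

# Constructed sample of runmqsc output (hypothetical channels and user).
sample_output() {
  cat <<'EOF'
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app2usr)                        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(APP3.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app2usr)                        SSLCIPH( )
EOF
}

sample_output | audit_svrconn
```

A channel reported as `BLANK_MCAUSER` is the one to fix first: set an MCAUSER on it and grant that ID only the authorities it needs with `setmqaut`.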
jeevan |
Posted: Thu Oct 01, 2009 4:02 pm Post subject: Re: MQ security related queries |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
jarun111 wrote: |
Hi,
I have some queries regarding authorization/access set-up for MQ.
Below are my settings:
Have a QM running on hostA
Have a client running on hostB
QM has a SVRCONN channel with no MCAUSER specified and I am trying to connect to a queue "QUEUE1" with no authorization specified (other than for "mqm" functional ID)
JMS Client on hostA runs under its functional ID "mwm" and does not have any user ID/Passwd set while creating connection.
When I try sending message to the queue "QUEUE1", everything goes fine without any 2035 exception.
My requirement is
1> Client should not be able to connect to the QM until it runs under a permissioned functional ID.
2> Client should not be able to connect to the queue until it runs under a permissioned functional ID.
Am I missing something here? Please help with your inputs.
Thanks |
Sorry. I misread your post.
I had the same situation.
http://www.mqseries.net/phpBB2/viewtopic.php?t=50429&sid=b54ed2e8686a40e5bed7434071a370ce
http://www.ibm.com/developerworks/websphere/techjournal/0711_col_wyatt/0711_col_wyatt.html |
|