| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Can broker use non-interactive IDs to connect to databases |
« View previous topic :: View next topic » |
| Author |
Message
|
| sclarke |
 Posted: Thu Oct 08, 2009 7:01 am Post subject: Can broker use non-interactive IDs to connect to databases |
 |
|
Apprentice
Joined: 05 Jan 2002
Posts: 39
|
We are trying to shutdown the ability to login to AIX using the IDs which the broker uses to access external databases and it's own db2 database. The aix administrator disabled the ability of the id to login and the ability to remotely login as that id - making it a non-interactive ID The broker now gets db2 return code SQL30082N with rc=19 which means "The userid has been disabled, or the userid has been restricted from accessing the operating environment at this time"
I am not a db2 administrator or an aix admin and my administrators have not experienced this before (and they are looking into this as well) but thought I would ask this forum if anyone knows the answer.
What I know or at least wht the DBA told me:
AUTHENTICATION is performed outside of DB2. It is performed by a security facility outside of the DB2 dbms (such as the AIX OS). If UNIX is set up to use it's default security plug-in (which I think is what we use) the user id provided is converted to upper case and must match a db2 authid. DB2 then works with the security facility to authenticate users. If the security system says the login id is successful - then db2 allows use of local commands to access local data and it allows use of remote connections defined in the database - when the server trusts the client authorization.
AUTHORIZATION is performed by DB2. When a authenticated user tries to access data DB2 verifies that the user (and any groups the user is in) has permission on the DB2 object(s).
Does anyone know if authentication can be done using a non-interactive ID?
I also have the same question about accessing remote oracle. My oracle dba said that the ID MUST be interactive
Thanks in advance for your help. |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Thu Oct 08, 2009 8:36 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
For security purposes it is OK to disable remote login to the box with service ids. However the people responsible for the applications using those service Ids should still be able to login locally to that service id, even if it is as coarse as using sudo su - serviceid.... And yes this is supposed to leave an audit trace with your userid and that you switched to the serviceid....
Completely restricting the serviceId is not a good idea as you may need to interact with the running application using this service id. (In other words this stuff is not a daemon that you don't need to touch anymore once started...
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| mqmatt |
| Posted: Fri Oct 09, 2009 4:35 am Post subject: |
|
|
Grand Master
Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK
|
You might be interested to know that V7 no longer has serviceids on non-Windows platforms, although mqsisetdbparms is still used to configure data sources (and any defaults). Authentication of these userids and passwords when accessing these data sources will continue to be done outside of broker.
On Windows platforms the serviceid remains, although you can now use the Windows LocalSystem account, which has no login or password. This is what we intend the DCW to use, so it will no longer prompt you for a password.
(And apologies for another v7 pitch  ) |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
