TyBex (Newbie; joined 17 Aug 2009; 5 posts)
Posted: Wed Nov 11, 2009 7:24 am    Post subject: Queue Manager Security and MQ Explorer
I inherited our MQ environment and I am working on a way to properly secure MQ Series.
MQ Series version: 6.0.2.8
AIX: 5 (latest release)
Currently our developers are part of the mqm group in Dev, PreProd and Production, which allows them to use WebSphere MQ Explorer and view and perform all the functions that Explorer has to offer. This is not a good situation for Pre Production and Production, because they should only have view access for the Queue Managers.
I am wondering what is the best method to give the users only view access to my production and pre-production queue managers and all objects in them. I only want them to have DISPLAY access. I have been reading a bit about OAM, but I am fairly new to MQ.
Would I create a new group called mqmview and add the developers into that group instead of the mqm group, then use OAM for all the objects, or is there a way to set DISPLAY level of access for a group at the Queue Manager level?
Any documentation that explains the security process in detail would also be appreciated.
Thanks in advance.
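The DISPLAY-only setup asked about above, as an added example that is not part of the thread and not code from any of its posters: a POSIX shell script that emits (or, on request, applies) the setmqaut commands for a view-only group. The queue manager name QM1, the group name mqmview and the dry-run/apply switch are assumptions; the two SYSTEM.* queues are the ones MQ Explorer is assumed to use to reach the command server, so check them against the documentation for your level before applying.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or applies) the setmqaut commands
# that give a group DISPLAY-only access to a queue manager and all its objects.
# QM1 and mqmview are placeholders; the SYSTEM.* queue names are assumed to be
# what MQ Explorer uses to reach the command server at this release.

# gen_view_auths QMGR GROUP : print one setmqaut command per line, execute nothing
gen_view_auths() {
  qm=$1
  grp=$2
  # Queue manager object: connect, inquire and display only (no +set, +altusr, +setall ...).
  echo "setmqaut -m $qm -t qmgr -g $grp +connect +inq +dsp"
  # Every object type, via the generic profile '**' so objects created later are covered too.
  for type in queue channel process namelist authinfo listener service clntconn; do
    echo "setmqaut -m $qm -t $type -n '**' -g $grp +dsp"
  done
  # MQ Explorer drives the command server: it must put to the command queue and
  # read replies from its model queue; +dsp alone would not let it work at all.
  echo "setmqaut -m $qm -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g $grp +put +inq +dsp"
  echo "setmqaut -m $qm -t queue -n SYSTEM.MQEXPLORER.REPLY.MODEL -g $grp +get +inq +dsp"
}

# view_auths QMGR GROUP [apply] : dry-run by default; 'apply' pipes the commands
# into sh when setmqaut is on PATH (i.e. run on the AIX box as an mqm member).
view_auths() {
  if [ "$3" = "apply" ] && command -v setmqaut >/dev/null 2>&1; then
    gen_view_auths "$1" "$2" | sh
  else
    gen_view_auths "$1" "$2"
  fi
}

# Verification afterwards: dspmqaut -m QM1 -t qmgr -g mqmview should list only
# connect, inq and dsp. A user in the group must not also be a member of mqm:
# OAM treats mqm membership as full authority regardless of these grants.
```

Run it once in dry-run mode, review the output, then re-run with `apply` on the queue manager host. Because the grants are on group profiles, moving a developer from mqm into mqmview is the whole change per user; the generic `**` profile means a queue defined next month is already display-only for them.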
shashivarungupta (Grand Master; joined 24 Feb 2009; 1343 posts; location: Floating in space on a round rock.)
Posted: Wed Nov 11, 2009 7:41 am    Post subject: Re: Queue Manager Security and MQ Explorer
TyBex wrote:
> Currently our developers are part of the mqm group in Dev, PreProd and Production, which allows them to use WebSphere MQ Explorer and view and perform all the functions that Explorer has to offer. This is not a good situation for Pre Production and Production, because they should only have view access for the Queue Managers.

Agree!!

TyBex wrote:
> I am wondering what is the best method to give the users only view access to my production and pre-production queue managers and all objects in them. I only want them to have DISPLAY access. I have been reading a bit about OAM, but I am fairly new to MQ.

Going good. Read about MQ security and OAM; you would get lots of info about security and its benefits and implementation steps.

TyBex wrote:
> Would I create a new group called mqmview and add the developers into that group instead of the mqm group, then use OAM for all the objects, or is there a way to set DISPLAY level of access for a group at the Queue Manager level?

To secure the MQ env, the application teams and their ids should not be part of the mqm group at all, else you are giving them all the ways to enter into your system.
You can secure MQ Explorer being accessed by them by removing the system-defined server conn channels and allocating them the appl.-specific server conn channel, with a security exit set on that.

TyBex wrote:
> Any documentation that explains the security process in detail would also be appreciated.

Apart from the IBM manuals, look at the Capitalware site; you would get oodles of help.
You can even hit the current forum for such questions and their answers, and key points by Roger Lacroix.
_________________
Life will beat you down, you need to decide to fight back or leave it.
Vitor (Grand High Poobah; joined 11 Nov 2005; 26093 posts; location: Texas, USA)
Posted: Wed Nov 11, 2009 7:47 am
There's also some discussion here (and an IBM paper on their site, IIRC) on making MQExplorer read-only. This is in addition to the very valid comments in the previous post, which have also been discussed in the forum for your assistance.
As my associate points out, the search facility is your friend, though you are making really very good progress for someone new to the software.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk (Jedi Council; joined 02 Nov 2006; 6339 posts)
Posted: Wed Nov 11, 2009 1:06 pm
 |
Vitor (Grand High Poobah; joined 11 Nov 2005; 26093 posts; location: Texas, USA)
Posted: Wed Nov 11, 2009 1:21 pm
exerk wrote:
> As you're doing so well - and my master does not give praise lightly (he's mellowing; must be an age thing) - here's the link:

Credit where credit's due. Also it's easier to get you youngsters to do the searching these days....
_________________
Honesty is the best policy.
Insanity is the best defence.
friedl.otto (Centurion; joined 06 Jul 2007; 116 posts)
Posted: Thu Nov 12, 2009 9:26 am
You may also want to take a look at some of my earlier posts ... almost verbatim what you're asking.
_________________
Here's an idea - don't destroy semaphores unless you're certain of what you're doing! -- Vitor
TyBex (Newbie; joined 17 Aug 2009; 5 posts)
Posted: Mon Nov 16, 2009 12:38 pm
Vitor: Please don't post a useless comment such as "use search"... I already attempted the search, but when youngsters such as myself (15 years in IT) are new to a product, sometimes they do not know all the terms to search for.. Please do not confuse a valid question with laziness...
friedl.otto: thanks, I will read your posts..
Last edited by TyBex on Mon Nov 16, 2009 12:57 pm; edited 3 times in total
TyBex (Newbie; joined 17 Aug 2009; 5 posts)
Posted: Mon Nov 16, 2009 12:49 pm
The weird thing that I am trying to figure out...
- I am not part of the mqm group on AIX.
- There are no Domain Groups for mqm on the Windows side.
- I checked dspmqaut -m <qmgrname> -t qmgr -p <myuserid>:
  Entity <myuserid> has the following authorizations for object <qmgrname>:
MQ Explorer is on Windows.
QMGR is on AIX.
How is it that I can access the QMGR through MQ Explorer and ADMIN the QMGR, QUEUES and CHANNELS??
I am a bit baffled on how I have full access without being part of the mqm group...
Vitor (Grand High Poobah; joined 11 Nov 2005; 26093 posts; location: Texas, USA)
Posted: Mon Nov 16, 2009 1:17 pm
TyBex wrote:
> Vitor: Please don't post a useless comment such as use search... I already attempted the search

You'd be amazed how many posters don't seem to notice the search facility, or indeed know what Google is.

TyBex wrote:
> , but when youngsters such as myself (15 years in IT) are new to a product, sometimes they do not know all the terms to search for.. Please do not confuse a valid question with Laziness...

But on the back of the helpful comments by shashivarungupta you had a number of places to start. As a new poster you might have been unaware that this board doesn't archive old posts but retains them as a knowledge base for the benefit of all.
The "youngsters" comment is part of an ongoing joke between myself and exerk. As I said before, I thought you'd done very well with a new product in a short period of time.

TyBex wrote:
> friedl.otto: thanks I will read your posts..

Certainly a search of the forum with your original title turns up these posts.
_________________
Honesty is the best policy.
Insanity is the best defence.
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Mon Nov 16, 2009 1:17 pm
There is a User ID on the MCAUSER of the SVRCONN channel used by MQ Explorer to access the QM that does have the required rights and which is overriding your ID.
Vitor's comment was valid. We don't know if you searched or not. But now you know that there is something out there, and more searching can help rather than you assuming / wondering if there really is nothing worth searching for.
_________________
Peter Potkay
Keep Calm and MQ On
Vitor (Grand High Poobah; joined 11 Nov 2005; 26093 posts; location: Texas, USA)
Posted: Mon Nov 16, 2009 1:18 pm
TyBex wrote:
> I am a bit baffled on how I have full access without being part of the mqm group...

It's possible (as described in the documentation) to provide alternative credentials to the queue manager. As a simple example, you can add mqm as the MCAUser of a channel.
_________________
Honesty is the best policy.
Insanity is the best defence.
gbaddeley (Jedi Knight; joined 25 Mar 2003; 2538 posts; location: Melbourne, Australia)
Posted: Mon Nov 16, 2009 2:34 pm
Vitor wrote:
> It's possible (as described in the documentation) to provide alternative credentials to the queue manager. As a simple example, you can add mqm as the MCAUser of a channel.

That simple example gives anonymous MQ administrator access to everyone on the network. Nice one!
_________________
Glenn
Vitor (Grand High Poobah; joined 11 Nov 2005; 26093 posts; location: Texas, USA)
Posted: Mon Nov 16, 2009 2:40 pm
gbaddeley wrote:
> Vitor wrote:
> > It's possible (as described in the documentation) to provide alternative credentials to the queue manager. As a simple example, you can add mqm as the MCAUser of a channel.
> That simple example gives anonymous MQ administrator access to everyone on the network. Nice one!

Only if it's in the default channel, but yes it does, and I never said it didn't. Certainly my conscience is clear that I've not given away some big secret.
You might also be surprised how many times I've seen it done. Even on specifically defined APPL.FINANCE.SVRCONN channels, and I've never heard a coherent explanation of why an application that only wants to put a message needs mqm access.
_________________
Honesty is the best policy.
Insanity is the best defence.
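An audit for the MCAUSER situation PeterPotkay, gbaddeley and Vitor describe above (an mqm, or blank, MCAUSER on a SVRCONN channel), as an added example that is not from the thread or any of its posters: a shell function that parses the output of runmqsc DISPLAY CHANNEL and flags every SVRCONN channel whose MCAUSER is mqm or empty. The runmqsc output and the channel names in it are constructed for the example, and the live-run comment assumes a user with DISPLAY authority on the queue manager.

```shell
#!/bin/sh
# Added example, not from the thread: flag SVRCONN channels whose MCAUSER gives
# every client administrator rights (mqm) or lets the client assert its own id (blank).
# The runmqsc output below is constructed; channel names are placeholders.

# audit_svrconn : read "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" output on stdin,
# print one "channel:verdict" line per channel.
audit_svrconn() {
  awk '
    /CHANNEL\(/ { n = $0; sub(/.*CHANNEL\(/, "", n); sub(/\).*/, "", n); chl = n }
    /MCAUSER\(/ {
      u = $0; sub(/.*MCAUSER\(/, "", u); sub(/\).*/, "", u); gsub(/ /, "", u)
      if (u == "mqm")      v = "FULL-ADMIN"          # every connecting client becomes mqm
      else if (u == "")    v = "CLIENT-ASSERTED-ID"  # id sent by the client is trusted (v6: no security exit)
      else                 v = "ok"                  # fixed non-admin id; OAM grants then apply
      print chl ":" v
    }'
}

# Constructed sample of what runmqsc prints for the display command on a v6 queue manager.
sample_display_output() {
  cat <<'EOF'
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APPL.FINANCE.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(finapp)
EOF
}

audit_sample() { sample_display_output | audit_svrconn; }

# Number of channels in the sample that need attention.
count_risky() { audit_sample | grep -vc ':ok$'; }

# Against a real queue manager (needs DISPLAY authority; QM1 is a placeholder):
#   echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc QM1 | audit_svrconn
```

A channel reported as FULL-ADMIN is exactly the "anonymous MQ administrator access" case; CLIENT-ASSERTED-ID is the case behind the earlier puzzle about a non-mqm user administering the queue manager from Windows, since the id the client asserts is whatever the client machine says it is. Run it across every queue manager you inherited before changing group memberships, or the OAM work will be bypassed by the channel definition.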
TyBex (Newbie; joined 17 Aug 2009; 5 posts)
Posted: Mon Nov 16, 2009 4:29 pm
Thanks for the info so far..
I hope you did not take offence at my comments; I was just throwing back some sarcasm..
I will be working my way through this as well as about 80 more items on my to-do-before-December-15th list.... I have already learned so much with MQ and I have a lot more to go... Well, off to home and then back at it tomorrow.. You all have been great..!
bruce2359 (Poobah; joined 05 Jan 2008; 9469 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Nov 16, 2009 6:04 pm
I checked my Norton Anti-Sarcasm log, and no sarcasm detected.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.