J.D
Posted: Thu Jan 28, 2010 11:20 am Post subject: Password Change
Voyager
Joined: 18 Dec 2009 Posts: 92 Location: United States
Hi All,
Will there be any impact on the Queue Manager when we change the "mqm" password? As part of the PCI requirement, passwords have to be changed every six months.
Thanks

Vitor
Posted: Thu Jan 28, 2010 11:36 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
If you've got requirements that strict, you shouldn't be allowing the direct use of the mqm user anyway - you should be using sudo su.
Surprised this hasn't come up before in your process.
Also 6 months is an unusually long term in a secure environment. Normally passwords in that sort of case are restricted to 60-90 days. And as I say, direct access to generic ids is forbidden.
_________________
Honesty is the best policy.
Insanity is the best defence.

J.D
Posted: Thu Jan 28, 2010 12:58 pm
Voyager
Joined: 18 Dec 2009 Posts: 92 Location: United States
We have been using sudo to log in as the mqm user. Is this password change going to impact applications connecting to MQ?

Vitor
Posted: Thu Jan 28, 2010 1:15 pm
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
J.D wrote:
Is this password change going to impact applications connecting to MQ?
1) No applications should be connecting to a queue manager as mqm. It's a major security breach as it allows the application administrative authority.
2) No application connecting to the queue manager specifies a password no matter what id it's using. WMQ doesn't do that kind of checking.
_________________
Honesty is the best policy.
Insanity is the best defence.

J.D
Posted: Thu Jan 28, 2010 1:34 pm
Voyager
Joined: 18 Dec 2009 Posts: 92 Location: United States
No application connects to MQ using mqm. I was asked by my manager to find out whether any outage is required for the password change.
Thank You, Vitor!!!

bruce2359
Posted: Thu Jan 28, 2010 1:48 pm
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Quote:
any outage is required for the password change.
Usernames/passwords are managed by the o/s security component - OAM on midrange platforms, RACF or equivalent on mainframe.
If this is a question, then, NO. Since WMQ doesn't do any password checking, there will not be a WMQ outage.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Last edited by bruce2359 on Thu Jan 28, 2010 2:41 pm; edited 1 time in total

Vitor
Posted: Thu Jan 28, 2010 1:58 pm
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
J.D wrote:
No application connects to MQ using mqm.
Not what I said. I said that no application should connect to WMQ as mqm. It doesn't mean they're not doing so.
J.D wrote:
I was asked by my manager to find out whether any outage is required for the password change.
This is true. If, however, an application is using mqm to connect, your manager will be having a conversation with whoever's implementing PCI that will make organising an outage seem like a picnic.
_________________
Honesty is the best policy.
Insanity is the best defence.

mqjeff
Posted: Fri Jan 29, 2010 4:46 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
And, really.
Changing the mqm password on a regular basis is almost the *last* item on the list of "things to do to secure MQ to meet PCI".
It's even below the item that says "apply fix packs rigorously, routinely, and with great justice".

exerk
Posted: Fri Jan 29, 2010 5:04 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
mqjeff wrote:
And, really.
Changing the mqm password on a regular basis is almost the *last* item on the list of "things to do to secure MQ to meet PCI".
It's even below the item that says "apply fix packs rigorously, routinely, and with great justice".
Agreed: It pretty much ranks with being given root to su to mqm because 'they' don't want you knowing the mqm password...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

PeterPotkay
Posted: Fri Jan 29, 2010 5:39 am
Poobah
Joined: 15 May 2001 Posts: 7722
If anyone can log onto the server with an ID, mqm or otherwise, then it makes sense to change the password regularly.
On the other hand, if you set it up correctly and restrict access to mqm via a sudo session for a particular subset of personal IDs, then:
You are logging what anyone is doing via mqm, and you know who did what.
You restrict who can switch to mqm.
No one needs to know what the mqm password is, so there is no need to waste time every 60-90 days changing it.
_________________
Peter Potkay
Keep Calm and MQ On
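
Added example, not part of the thread: the point above about routing access to mqm through sudo from personal IDs, so that you know who did what, can be checked against the system logs. The script audits lines in the default syslog format written by sudo and sshd; the host name, user names, queue manager name, approved-ID list and the log lines themselves are constructed assumptions.

```shell
#!/bin/sh
# Added example: report who acted as mqm via sudo and flag anything that
# bypasses the approved personal IDs. All names and log lines are constructed.

APPROVED="alice dave"   # hypothetical personal IDs allowed to become mqm

sample_log() {
cat <<'EOF'
Jan 29 05:39:01 mqhost1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=mqm ; COMMAND=/bin/su - mqm
Jan 29 05:41:17 mqhost1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=mqm ; COMMAND=/bin/su - mqm
Jan 29 05:50:02 mqhost1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=mqm ; COMMAND=/opt/mqm/bin/runmqsc QM1
Jan 29 06:02:44 mqhost1 sshd[4312]: Accepted password for mqm from 192.0.2.10 port 50122 ssh2
Jan 29 06:10:09 mqhost1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
EOF
}

# audit_mqm "<approved ids>" < logfile
audit_mqm() {
    awk -v approved="$1" '
    BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Direct login as the shared ID: no personal ID is attached to the session.
    / sshd\[[0-9]+\]: Accepted .* for mqm from / {
        for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
        print "ALERT direct-login mqm from " src; next
    }
    # sudo events whose target user is mqm; other targets are out of scope.
    / sudo: / && /USER=mqm ;/ {
        who = $0; sub(/^.* sudo: +/, "", who); sub(/ :.*$/, "", who)
        cmd = $0; sub(/^.*COMMAND=/, "", cmd)
        if ($0 ~ /NOT in sudoers/) print "ALERT denied " who " tried: " cmd
        else if (!(who in ok))     print "ALERT unapproved " who " ran: " cmd
        else                       print "OK " who " ran: " cmd
    }'
}

sample_log | audit_mqm "$APPROVED"
```

A direct-login alert is the case where a shared mqm password still matters; if none appear and the account cannot be logged into directly, every mqm action traces back to a personal ID.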

mvic
Posted: Fri Jan 29, 2010 6:38 am
Jedi
Joined: 09 Mar 2004 Posts: 2080
bruce2359 wrote:
usernames/passwords are managed by the o/s security component -
Agree.
A password challenge should be required in order to get a login on a normally-setup *ix OS. The OS should also provide some sort of logging of who attempted logins and when, and from what IP address.
Quote:
- OAM on midrange platforms
In context, this is not correct. The OAM is MQ's out-of-the-box "authorization service". The OAM does no checking of passwords.
However, you can write a new "authorization service" that does do checking of passwords, and use it in place of the OAM. Search for MQZ_AUTHENTICATE_USER.
As to the OP's question, he did not specify how applications are started, so it is not possible to say whether a password change will affect those applications.

bruce2359
Posted: Fri Jan 29, 2010 6:49 am
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
...sounds like the Ghost of Sarbanes-Oxley has returned. And bless 3M for developing a solution for passwords-that-change-too-frequently to be good security. (That would be yellow-stickies.)
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

mevans518
Posted: Fri Jan 29, 2010 1:21 pm Post subject: Changing Passwords for PCI Compliance every 6 months?
Newbie
Joined: 29 Jan 2010 Posts: 3
Hmmm.... That's a new one. We are on the PCI security council and I have not heard that. May I inquire if that is a self-imposed requirement by your firm? There is nowhere in the 252 requirements of PCI that I am aware of that you have to change passwords on your systems every 6 months. Perhaps you are thinking of SSL key management... However that is yearly, not every 6 months.

J.D
Posted: Tue Feb 02, 2010 3:53 pm Post subject: Re: Changing Passwords for PCI Compliance every 6 months?
Voyager
Joined: 18 Dec 2009 Posts: 92 Location: United States
mevans518 wrote:
Hmmm.... That's a new one. We are on the PCI security council and I have not heard that. May I inquire if that is a self-imposed requirement by your firm? There is nowhere in the 252 requirements of PCI that I am aware of that you have to change passwords on your systems every 6 months. Perhaps you are thinking of SSL key management... However that is yearly, not every 6 months.
Sorry for giving wrong information..... Password change is our company's new policy... it's not in the PCI requirement.

zonko
Posted: Tue Feb 02, 2010 10:59 pm
Voyager
Joined: 04 Nov 2009 Posts: 78
Quote:
Password change is our company's new policy
Imposed no doubt by management who have no technical knowledge, but have the urge to appear in control by giving arbitrary and useless technical orders.
Dilbert, anyone?