WebSphere MQ user activity monitoring for Windows OS
RogerLacroix
Posted: Thu Jan 21, 2010 3:22 pm
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada

watlerfore wrote:
"even if it's a WMQ Admin or not"

MQ Security is like 2 sides to a coin. One side you have authentication and on the other side you have authorization.
For authentication, you have 3 choices:
1. Capitalware's MQ Authenticate User Security Exit (MQAUSX)
2. IBM's WebSphere MQ Extended Security Edition V6
3. Primeur's Data Secure for WebSphere MQ
Once you have authentication nailed down (i.e. who is allowed and not allowed to access the queue manager), then you implement authorization by using the setmqaut command, i.e. User 'x' or group 'A' is allowed to browse 'Q1' queue, put to 'Q2' queue, etc...
Bottom line is that without a properly authenticated UserId, authorization is pointless (because an MQ client application can set their UserId to be anything they want!!).
Please let me know if you have any questions or comments.
Regards,
Roger Lacroix
Capitalware Inc.
Capitalware: Transforming tomorrow into today.
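
The authorization step described in the post above, written out as an added example that is not part of the original post: group 'A' gets browse on Q1 and put on Q2, and the result is read back for review. The queue manager name QM1, the group name GroupA and the helper Invoke-MQ are assumptions made for illustration.

```powershell
# Added example, not from the original thread.
# Assumed names: queue manager QM1, Windows group GroupA. Q1 and Q2 are the
# queues used as examples in the post. Invoke-MQ is a hypothetical helper.
$QMgr  = 'QM1'
$Group = 'GroupA'   # a non-administrative group holding the application user IDs

function Invoke-MQ {
    param([string]$Exe, [string[]]$MqArgs)
    # Run the MQ control command and stop on the first failure, so a partly
    # applied set of grants is noticed instead of silently left in place.
    & $Exe $MqArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($MqArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Queue manager object: the group may connect and inquire, nothing else.
# (-n is omitted when the object is the queue manager itself.)
Invoke-MQ setmqaut @('-m', $QMgr, '-t', 'qmgr', '-g', $Group, '+connect', '+inq')

# Q1: browse only. Without +get the group cannot destructively read
# (remove) messages from the queue.
Invoke-MQ setmqaut @('-m', $QMgr, '-n', 'Q1', '-t', 'queue', '-g', $Group, '+browse', '+inq')

# Q2: put only.
Invoke-MQ setmqaut @('-m', $QMgr, '-n', 'Q2', '-t', 'queue', '-g', $Group, '+put', '+inq')

# Read back what the group now holds on each queue.
Invoke-MQ dspmqaut @('-m', $QMgr, '-n', 'Q1', '-t', 'queue', '-g', $Group)
Invoke-MQ dspmqaut @('-m', $QMgr, '-n', 'Q2', '-t', 'queue', '-g', $Group)

# Dump every authority record on Q1 to review which other users and groups
# could browse or get its messages.
Invoke-MQ dmpmqaut @('-m', $QMgr, '-n', 'Q1', '-t', 'queue')
```

These grants only constrain the user ID the queue manager is given, so they depend on the authentication step described in the post, and as the next reply notes they do not restrict the MQ administrator.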

PeterPotkay
Posted: Thu Jan 21, 2010 5:47 pm
Poobah
Joined: 15 May 2001 Posts: 7722

watlerfore wrote:
"It's more important to log if a particular user id has browsed a queue, deleted the messages, possibly moving the messages - the report should log this activity even if it's a WMQ Admin or not - we have a need to know who has performed these functions on the server - this is for the PCI requirements to secure the data.
Operating system - Windows 2003
WMQ v.6.0.2"

The MQ Admin on a non z/OS Queue Manager is a super user whose rights you cannot take away. There is no way in the product to allow the MQ Admin to do their job yet be able to audit or prevent access to queues. Not even with WMQESE, unless a very recent release of that product has made some changes.

Peter Potkay
Keep Calm and MQ On

mevans518
Posted: Fri Jan 29, 2010 1:36 pm Post subject: PCI Requirements for authentication
Newbie
Joined: 29 Jan 2010 Posts: 3

As alluded to below by some of the other posts... Authentication of messages is not provided by WMQ. It only provides for authorization. If you have any data security compliance requirements (which in this author's opinion, you all do regardless of PCI, SOX, HIPAA, FISMA, GLB, Basel II, yada, yada...) (think integrity, availability and confidentiality of data = corporate assets), you need a security exit or SSL on WMQ. Otherwise, even with administrative hardening, you don't have an environment that can be classified as secure. Authentication done correctly is required. Note: done correctly is the operative word here.