mward
Posted: Fri Apr 16, 2010 1:45 pm Post subject: How to secure WMB V7 on MF from Windows Toolkit
Newbie
Joined: 24 Jun 2007 Posts: 6
Hello all, we are planning to move to z/OS V1.11 and V7.0.1 of MQ with V7 of WMB. I started setting up the brokers and Toolkit. It seems very easy to connect to the brokers using the Toolkit. Can someone guide me a little and maybe explain how to keep those developers using the Toolkit from connecting to production brokers?
mqjeff
Posted: Fri Apr 16, 2010 2:35 pm Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Step 1: Block the MQ listener port from access from IPs outside of the production network.
Step 2: Configure SSL on every single SVRCONN configured on the production queue managers.
Step 3: Configure an MCAUSER on all SVRCONNs to scope each SVRCONN to a specific role.
Step 4: Configure SSLPEER on all SVRCONNs to control which certificates can connect to which SVRCONN.
Step 5: Issue the appropriate setmqauts to assign the appropriate security authorizations to the MCAUSERs that you have now used SSL to authenticate.
Step 6: Repeat steps 2-5 for all other incoming channels to the production qmgrs.
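A worked version of steps 2 to 4 as they would actually be submitted on z/OS, added here as an example; it is not part of mqjeff's post and not an IBM sample. It is a CSQUTIL job that points the queue manager at its key ring and defines one SSL-only SVRCONN per role, each with its own SSLPEER filter and MCAUSER, so that a given client certificate can only ever land on the user ID its channel maps to. Every name in it is an assumption: queue manager MQ7A, RACF key ring MQ7ARING, MQ libraries under thlqual, channel names, the OU/O values in the distinguished names, and the RACF IDs BRKRO, BRKDEPL and NOACCESS. SYSTEM.BKR.CONFIG is assumed to be the SVRCONN the Toolkit connects to by default; step 1 (blocking the listener port) is firewall work and does not appear in MQSC.

```jcl
//WMBSEC1  JOB (ACCT),'SECURE WMB SVRCONN',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Added example, not from the original post. Implements steps 2-4
//* (SSL, MCAUSER, SSLPEER) of the hardening list on a z/OS qmgr.
//* Assumed names: qmgr MQ7A, RACF key ring MQ7ARING, MQ libraries
//* under thlqual, RACF user IDs BRKRO (read-only), BRKDEPL (deploy)
//* and NOACCESS (an ID permitted to nothing).
//*-------------------------------------------------------------------
//MQSC     EXEC PGM=CSQUTIL,PARM='MQ7A'
//STEPLIB  DD DISP=SHR,DSN=thlqual.SCSQANLE
//         DD DISP=SHR,DSN=thlqual.SCSQAUTH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
COMMAND DDNAME(CMDINP)
/*
//CMDINP   DD *
* Step 2: name the key ring and give the channel initiator SSL
* subtasks. SSLTASKS defaults to 0, so until this is set and the CHIN
* is restarted no channel on this qmgr can negotiate SSL at all.
ALTER QMGR SSLKEYR(MQ7ARING) SSLTASKS(5)
*
* WEAK: the default Toolkit channel (assumed definition). No SSL, no
* SSLPEER and a blank MCAUSER, so the channel runs under whatever
* user ID the developer's Windows login asserts.
*   DEFINE CHANNEL(SYSTEM.BKR.CONFIG) CHLTYPE(SVRCONN) TRPTYPE(TCP)
*
* HARDENED: one SVRCONN per role. Steps 3 and 4 together mean a
* certificate from the Operations OU can reach BRKRO and nothing else.
DEFINE CHANNEL(WMB.PROD.READONLY) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('OU=WMB Operations,O=Example') +
       MCAUSER('BRKRO') +
       REPLACE
* Deployment role: the only channel mapping to an ID that will be
* permitted to put to the broker's administration queues.
DEFINE CHANNEL(WMB.PROD.DEPLOY) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('OU=WMB Deployment,O=Example') +
       MCAUSER('BRKDEPL') +
       REPLACE
* Neutralise the default channel rather than leave it open: same SSL
* requirement, and an MCAUSER that holds no RACF access anywhere.
ALTER CHANNEL(SYSTEM.BKR.CONFIG) CHLTYPE(SVRCONN) +
      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
      SSLCAUTH(REQUIRED) +
      MCAUSER('NOACCESS')
* The check: every SVRCONN must show a non-blank SSLCIPH and MCAUSER,
* and each role channel its SSLPEER. A blank in any column is a hole.
DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) SSLCIPH SSLCAUTH SSLPEER MCAUSER
/*
```

The ALTER QMGR settings only take effect when the channel initiator is restarted, so run the DISPLAY after that restart and after a test connection, not just after the job ends. Step 5 is then pure RACF: PERMIT BRKRO and BRKDEPL to exactly the MQCONN and MQQUEUE profiles each role needs, and leave NOACCESS permitted to nothing, so a connection that somehow reaches the default channel can do no work.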
mqjeff
Posted: Fri Apr 16, 2010 3:28 pm Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
I guess I said "setmqaut", which doesn't apply on z/OS.
The equivalent is the RACF permissions.
Vitor
Posted: Fri Apr 16, 2010 3:38 pm Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Also please don't double post; it's considered rude. If you feel this was posted in the wrong section, ask a moderator to move it.
_________________ Honesty is the best policy.
Insanity is the best defence.
Vitor
Posted: Fri Apr 16, 2010 3:39 pm Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
mqjeff wrote:
Step 1: Block the MQ listener port from access from IPs outside of the production network.
Step 2: Configure SSL on every single SVRCONN configured on the production queue managers.
Step 3: Configure an MCAUSER on all SVRCONNs to scope each SVRCONN to a specific role.
Step 4: Configure SSLPEER on all SVRCONNs to control which certificates can connect to which SVRCONN.
Step 5: Issue the appropriate setmqauts to assign the appropriate security authorizations to the MCAUSERs that you have now used SSL to authenticate.
Step 6: Repeat steps 2-5 for all other incoming channels to the production qmgrs.
Also ensure the ACL for the production brokers is set up properly.
_________________ Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Sat Apr 17, 2010 5:54 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Vitor wrote:
Also ensure the ACL for the production brokers is set up properly.
No ACLs in broker v7, unless you mean RACF ACLs for MQ.
It's all done based on MQ permissions.
Vitor
Posted: Sat Apr 17, 2010 5:59 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
mqjeff wrote:
No ACLs in broker v7
_________________ Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Sat Apr 17, 2010 7:05 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Vitor
Posted: Sat Apr 17, 2010 7:42 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
bruce2359
Posted: Sat Apr 17, 2010 2:01 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
oooops.
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mqmatt
Posted: Mon Apr 19, 2010 12:52 am Post subject:
Grand Master
Joined: 04 Aug 2004 Posts: 1213 Location: Hursley, UK
Vitor wrote:
mqjeff wrote:
No ACLs in broker v7
You can enable broker security though (mqsichangebroker BROKER -s active).
This will allow you to configure who can read, write and execute on your broker and execution groups, by means of permissions on the SYSTEM.BROKER.AUTH and SYSTEM.BROKER.AUTH.<EGNAME> queues.
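What "permissions on the SYSTEM.BROKER.AUTH queues" turns into on z/OS, added here as an example; it is not part of mqmatt's post and not taken from IBM documentation. It is a batch TSO step that defines the MQQUEUE profiles guarding the broker-wide queue and one execution group's queue, and permits two role IDs to them. Assumptions: queue manager MQ7A (so the profiles carry the MQ7A. prefix), an execution group named PRODEG1, RACF user IDs BRKRO and BRKDEPL (the MCAUSERs of the Toolkit's role SVRCONNs), and a RACF group MQADMIN as profile owner. The mapping of the broker's read/write/execute onto RACF access levels is derived from the z/OS MQOPEN rules (MQINQ needs READ, MQPUT needs UPDATE, MQSET needs ALTER); confirm it against the WMB documentation for your level before relying on it.

```jcl
//WMBSEC2  JOB (ACCT),'WMB ADMIN SECURITY',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Added example, not from the original post. RACF side of broker
//* administration security (mqsichangebroker BROKER -s active) for
//* queue manager MQ7A and execution group PRODEG1 (both assumed).
//*
//* Broker permission -> MQI verb -> access on the MQQUEUE profile
//*   read            -> MQINQ    -> READ
//*   write           -> MQPUT    -> UPDATE
//*   execute         -> MQSET    -> ALTER
//* RACF levels are cumulative: ALTER implies UPDATE and READ.
//*
//* BRKRO   = read-only operators, can inquire but never deploy.
//* BRKDEPL = deployment role, the only ID that may write/execute.
//* Any ID absent from both access lists (e.g. a developer's MCAUSER)
//* gets UACC(NONE) and cannot even inquire on PRODEG1.
//*
//* MQQUEUE is a RACLISTed class: without the REFRESH at the end the
//* queue manager keeps checking the old in-storage profiles.
//*-------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE MQQUEUE MQ7A.SYSTEM.BROKER.AUTH UACC(NONE) OWNER(MQADMIN)
  PERMIT  MQ7A.SYSTEM.BROKER.AUTH CLASS(MQQUEUE) ID(BRKRO) +
          ACCESS(READ)
  PERMIT  MQ7A.SYSTEM.BROKER.AUTH CLASS(MQQUEUE) ID(BRKDEPL) +
          ACCESS(ALTER)
  RDEFINE MQQUEUE MQ7A.SYSTEM.BROKER.AUTH.PRODEG1 UACC(NONE) +
          OWNER(MQADMIN)
  PERMIT  MQ7A.SYSTEM.BROKER.AUTH.PRODEG1 CLASS(MQQUEUE) ID(BRKRO) +
          ACCESS(READ)
  PERMIT  MQ7A.SYSTEM.BROKER.AUTH.PRODEG1 CLASS(MQQUEUE) ID(BRKDEPL) +
          ACCESS(ALTER)
  SETROPTS RACLIST(MQQUEUE) REFRESH
  RLIST   MQQUEUE MQ7A.SYSTEM.BROKER.AUTH AUTHUSER
  RLIST   MQQUEUE MQ7A.SYSTEM.BROKER.AUTH.PRODEG1 AUTHUSER
/*
```

The profiles do nothing on their own: the broker only consults these queues once administration security has been activated with the mqsichangebroker command quoted in the post, and each new execution group needs its own SYSTEM.BROKER.AUTH.<EGNAME> profile or it inherits whatever a generic profile allows. The two RLIST commands at the end are the check worth keeping in the job: the access lists they print are exactly who can administer production.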
mqjeff
Posted: Mon Apr 19, 2010 2:27 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
mqmatt wrote:
Vitor wrote:
mqjeff wrote:
No ACLs in broker v7
You can enable broker security though (mqsichangebroker BROKER -s active).
This will allow you to configure who can read, write and execute on your broker and execution groups, by means of permissions on the SYSTEM.BROKER.AUTH and SYSTEM.BROKER.AUTH.<EGNAME> queues.
That *is* why I said
mqjeff wrote:
it's all done based on MQ permissions.