MQ Authorities for Java Clients
trotta
Posted: Tue Nov 16, 2010 1:57 pm Post subject: MQ Authorities for Java Clients
I have particular clients using MQ Client to send the data to a common inbound queue. Each of these clients uses a specific outbound queue to receive the response back from the main system.
Each client has an AIX user which they are allowed to +put messages into the inbound queue (but cannot get or browse the common inbound queue) and get messages from the outbound queue (but cannot put messages there). By doing that, we can guarantee that each client (using SVRCONN) will touch its own outbound queue only.
What I'm wondering about is the clients running on Java. They also use the ARM file and are not using TAB files to read the MQ parameters to get connected to the QManager.
So, talking to the client owners, they told me that they are not using ANY user (AIX user) in their code. So, now I'm confused about clients running on Java.
Since every client is using a TAB file (getting a userID inside of that file), but these ones running on Java are not using it, how are the MCA users set up for these clients? How can the authorities be managed for these Java clients?
gbaddeley
Posted: Tue Nov 16, 2010 2:06 pm Post subject: Re: MQ Authorities for Java Clients
trotta wrote:
> ...Since every client is using a TAB file (getting a userID inside of that file), but these ones running on Java are not using it, how are the MCA users set up for these clients? How can the authorities be managed for these Java clients?

The effective UserId that is used for authority checks is determined by the queue manager, not the TAB file. It depends on many factors, and is overridden by the MCAUSER setting on the SVRCONN channel, or a security exit (if you have one), or SSL.
_________________
Glenn
RogerLacroix
Posted: Tue Nov 16, 2010 2:32 pm Post subject: Re: MQ Authorities for Java Clients
trotta wrote:
> Each client has an AIX user which they are allowed to +put messages into the inbound queue (but cannot get or browse the common inbound queue) and get messages from the outbound queue (but cannot put messages there). By doing that, we can guarantee that each client (using SVRCONN) will touch its own outbound queue only.

Hi,
Unless you / your company have implemented SSL or an MQ security solution then what you have is no real security other than accidental security. MQ has several big security holes that are easy to exploit.
Those sound like native (C/C++) MQ applications and the MQ client library is setting the UserID.
Any native application can circumvent this and exploit the security hole.

trotta wrote:
> What I'm wondering about is the clients running on Java. They also use the ARM file and are not using TAB files to read the MQ parameters to get connected to the QManager.

Java applications have to explicitly set the UserID. Hence, they can select any UserID they want to use, or not set any and use a security exploit of becoming the 'mqm' user (or MUSR_MQADMIN for Windows).
I have lots of posts about the security holes in MQ. Do a quick search for more information.

trotta wrote:
> Since every client is using a TAB file (getting a userID inside of that file) ...

The CCDT (aka TAB) file has nothing to do with the setting of the UserID.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
KramJ
Posted: Fri Nov 19, 2010 10:05 am
If MCAUSER is blank on the SVRCONN channel and the Java app is not setting the user ID it will connect as mqm.
bruce2359
Posted: Fri Nov 19, 2010 10:25 am
KramJ wrote:
> If MCAUSER is blank on the SVRCONN channel and the Java app is not setting the user ID it will connect as mqm.

A bit more technically: If there is no MCAUSER specified on the SVRCONN channel definition, the channel runs (subsequent MQI calls) with mqm authority.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
Posted: Fri Nov 19, 2010 2:18 pm
bruce2359 wrote:
> KramJ wrote:
> > If MCAUSER is blank on the SVRCONN channel and the Java app is not setting the user ID it will connect as mqm.
>
> A bit more technically: If there is no MCAUSER specified on the SVRCONN channel definition, the channel runs (subsequent MQI calls) with mqm authority.

Technically I think the channel in this scenario then runs under the authority of the ID that the listener process is running as, which is almost always mqm (or MUSR_MQADMIN on Windows).
_________________
Peter Potkay
Keep Calm and MQ On
bruce2359
Posted: Fri Nov 19, 2010 4:27 pm
I stand (sit) corrected.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
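The last few replies agree that a SVRCONN channel with a blank MCAUSER lets a client that sets no user ID run with the listener's identity, usually mqm. An administrator would want to find every such channel, so here is an added example (not code from any poster) that parses runmqsc DISPLAY CHANNEL output and flags SVRCONN channels whose MCAUSER is blank or an administrative id. The sample output below is constructed, real output carries more attributes in the same NAME(value) layout, and the low-privilege id 'nobody' in the suggested ALTER is a placeholder assumption.

```python
import re

# Constructed sample of "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) ALL" output from runmqsc.
SAMPLE_RUNMQSC_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   DESCR( )                                MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(CLIENT.A.SVRCONN)               CHLTYPE(SVRCONN)
   DESCR(Client A inbound)                 MCAUSER(clienta)
AMQ8414: Display Channel details.
   CHANNEL(JAVA.SVRCONN)                   CHLTYPE(SVRCONN)
   DESCR(Shared by Java apps)              MCAUSER(mqm)
"""

ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")   # NAME(value) pairs on one output line
ADMIN_IDS = {"mqm", "musr_mqadmin"}            # ids the thread says carry full authority

def parse_channels(text):
    """Split runmqsc output into one dict of attributes per channel record."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):          # each channel record starts with this message
            current = {}
            channels.append(current)
        elif current is not None:
            for key, val in ATTR_RE.findall(line):
                current[key] = val.strip()      # a blank attribute "( )" becomes ""
    return channels

def audit_svrconn(text):
    """Return (channel, reason) for every SVRCONN whose MCAUSER is blank or administrative."""
    findings = []
    for ch in parse_channels(text):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        mcauser = ch.get("MCAUSER", "")
        if mcauser == "":
            findings.append((ch["CHANNEL"], "blank MCAUSER: client runs as the listener's id"))
        elif mcauser.lower() in ADMIN_IDS:
            findings.append((ch["CHANNEL"], f"MCAUSER is the administrative id '{mcauser}'"))
    return findings

def mqsc_fix(channel, low_priv_user="nobody"):
    """MQSC that pins the channel to a low-privilege id ('nobody' is a placeholder)."""
    return f"ALTER CHANNEL({channel}) CHLTYPE(SVRCONN) MCAUSER('{low_priv_user}')"

for channel, reason in audit_svrconn(SAMPLE_RUNMQSC_OUTPUT):
    print(f"{channel}: {reason}\n    {mqsc_fix(channel)}")
```

Feed it the real output of `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) ALL" | runmqsc QMGR` in place of the constructed sample; the printed ALTER commands are the remediation the thread's replies imply.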