MQ security for jms client connection
sunny_30 (Master; Joined: 03 Oct 2005; Posts: 258)
Posted: Mon Jan 24, 2011 5:27 pm    Post subject: MQ security for jms client connection
Hi All,
I have a few questions related to MQ security for JMS client connections.
I tried going through the manuals but it's not clear to me.
Note: in my scenario, the SVRCONN channel MCAUSER is set to a non-admin user. Using OAM to define access for this user on the MQ server.
1) Is +setall required to be set on queue/qmgr for JMS applications to add the RFH2 header to the message, OR is put access just enough?
2) If I set +allmqi access to queues & +setall to the qmgr, this seems to be inclusive of setid for queues & altusr for the qmgr. Does this mean a client can still connect as an admin alternate user? Or will MCAUSER always override it & there should be no threat?
3) If setid is disabled for queues, would the client JMS app fail because by default it tries to set the MQMD user to the uid owning the process & it cannot set it?
Please help,
appreciate in advance,
thanks
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Mon Jan 24, 2011 8:48 pm    Post subject: Re: MQ security for jms client connection
sunny_30 wrote:
    Hi All,
    I have a few questions related to MQ security for JMS client connections.
    I tried going through the manuals but it's not clear to me.
    Note: in my scenario, the SVRCONN channel MCAUSER is set to a non-admin user. Using OAM to define access for this user on the MQ server.
    1) Is +setall required to be set on queue/qmgr for JMS applications to add the RFH2 header to the message, OR is put access just enough?
No, but +inq is needed for JMS.
sunny_30 wrote:
    2) If I set +allmqi access to queues & +setall to the qmgr, this seems to be inclusive of setid for queues & altusr for the qmgr. Does this mean a client can still connect as an admin alternate user? Or will MCAUSER always override it & there should be no threat?
If you are looking for security advice, you need the MCAUSER and an SSL certificate with SSLPEER set, and this for all SVRCONN channels in your MQ network.
sunny_30 wrote:
    3) If setid is disabled for queues, would the client JMS app fail because by default it tries to set the MQMD user to the uid owning the process & it cannot set it?
    Please help,
    appreciate in advance,
    thanks
No, the MCAUSER will override the userid or lack thereof.
_________________
MQ & Broker admin
sunny_30 (Master; Joined: 03 Oct 2005; Posts: 258)
Posted: Mon Jan 24, 2011 10:07 pm    Post subject:
Hi saper,
Thank you!
It looks like it's not going to add any risks even if I have +allmqi or +setall set on the qmgr and queues, as long as I have MCAUSER set to a non-admin id and have SSL defined on the SVRCONN for MQI connections.
In general, as a best practice, are +setall / +passall required to be set on queues / DLQ / XMITQs that are accessed by a JMS client? In my scenario the JMS app is SAP PI processing RFH2.
What are the pitfalls if I just go with:
    setmqaut -m $m -t qmgr -g "$g" -all +connect +dsp +inq
    setmqaut -m $m -t queue -g "$g" -n '**' -all +inq +browse +dsp +get +put
    setmqaut -m $m -t queue -g "$g" -n 'SYSTEM.**' -all +inq +browse +dsp
    setmqaut -m $m -t queue -g "$g" -n 'SYSTEM.DEFAULT.MODEL.QUEUE' -all +dsp +clr +allmqi
    setmqaut -m $m -t queue -g "$g" -n 'SYSTEM.ADMIN.COMMAND.QUEUE' -all +inq +put +dsp
    #DLQ
    setmqaut -m $m -t queue -g "$g" -n '**.DLQ' -all +inq +browse +dsp +put
    #xmitq
    setmqaut -m $m -t queue -g "$g" -n "$x" -all +inq +browse +dsp +put
These are the authorizations I have set on the queues; nothing to set or pass MQMD context. I'm looking at typical MQI settings. Having a bit of a problem understanding what context settings really mean to a JMS app. Don't want to over-authorize; the intention is to just limit to what it requires.
Please let me know,
thanks again
Last edited by sunny_30 on Mon Jan 24, 2011 11:01 pm; edited 1 time in total
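The question in the post above is whether the listed grants hand the client any context authority. A quick way to answer that before touching a queue manager is to expand the setmqaut shorthands and apply the +/- flags in the order they are written. The script below is an added example for this thread, not the poster's script or an IBM tool: the expansion of +all, +allmqi and +alladm is written from memory of the setmqaut reference for queue and qmgr objects and is an assumption to verify against the reference for your MQ version, and the sample commands are the thread's own lines copied into a constructed string. Under that assumed expansion, every line really does come out without context authorities except the SYSTEM.DEFAULT.MODEL.QUEUE line, where +allmqi pulls in setid, setall, passid and passall.

```python
"""Static least-privilege review of setmqaut grants (added example; runs offline)."""
import shlex

# ASSUMED group expansions for queue and qmgr objects, from memory of the
# setmqaut reference; check them against your MQ version's documentation.
ALLMQI = {
    "queue": {"browse", "get", "inq", "put", "set",
              "passall", "passid", "setall", "setid"},
    "qmgr": {"altusr", "connect", "inq", "set",
             "passall", "passid", "setall", "setid"},
}
ALLADM = {
    "queue": {"chg", "clr", "dlt", "dsp"},
    "qmgr": {"chg", "dlt", "dsp"},
}
# Authorities that let a client choose MQMD identity/context or an alternate user.
CONTEXT_AUTHS = {"passall", "passid", "setall", "setid", "altusr"}
OPTIONS_WITH_VALUE = {"-m", "-t", "-n", "-g", "-p"}


def expand(auth, objtype):
    """Map one authority keyword to the set of individual authorities it covers."""
    if auth == "all":
        return ALLMQI[objtype] | ALLADM[objtype]
    if auth == "allmqi":
        return set(ALLMQI[objtype])
    if auth == "alladm":
        return set(ALLADM[objtype])
    return {auth}


def parse_setmqaut(line):
    """Parse one setmqaut command line.

    Returns (objtype, object name, entity, effective authority set), or None for
    blank and comment lines. Flags are applied left to right, so the common
    '-all +x +y' idiom yields exactly {x, y}.
    """
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] != "setmqaut":
        return None
    objtype, name, entity, flags = None, "", None, []
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in OPTIONS_WITH_VALUE:
            val = toks[i + 1]
            if tok == "-t":
                objtype = val
            elif tok == "-n":
                name = val
            elif tok == "-g":
                entity = "group:" + val
            elif tok == "-p":
                entity = "principal:" + val
            i += 2
        else:
            flags.append(tok)          # '+inq', '-all', '+allmqi', ...
            i += 1
    if objtype not in ALLMQI:
        raise ValueError("unsupported or missing -t: %r" % objtype)
    auths = set()
    for flag in flags:
        sign, auth = flag[0], flag[1:]
        if sign == "+":
            auths |= expand(auth, objtype)
        elif sign == "-":
            auths -= expand(auth, objtype)
        else:
            raise ValueError("unexpected token %r" % flag)
    return objtype, name or objtype, entity, auths


def review(script):
    """One finding per command: (object name, sorted auths, sorted context auths granted)."""
    findings = []
    for line in script.splitlines():
        parsed = parse_setmqaut(line)
        if parsed is not None:
            _, name, _, auths = parsed
            findings.append((name, sorted(auths), sorted(auths & CONTEXT_AUTHS)))
    return findings


def context_grants(script):
    """Names of objects whose effective grant includes a context/identity authority."""
    return [name for name, _, ctx in review(script) if ctx]


# Constructed sample: the thread's grants, as they would sit in a shell script.
SAMPLE = """
setmqaut -m $m -t qmgr -g "$g" -all +connect +dsp +inq
setmqaut -m $m -t queue -g "$g" -n '**' -all +inq +browse +dsp +get +put
setmqaut -m $m -t queue -g "$g" -n 'SYSTEM.**' -all +inq +browse +dsp
setmqaut -m $m -t queue -g "$g" -n 'SYSTEM.DEFAULT.MODEL.QUEUE' -all +dsp +clr +allmqi
setmqaut -m $m -t queue -g "$g" -n 'SYSTEM.ADMIN.COMMAND.QUEUE' -all +inq +put +dsp
#DLQ
setmqaut -m $m -t queue -g "$g" -n '**.DLQ' -all +inq +browse +dsp +put
"""

if __name__ == "__main__":
    for name, auths, ctx in review(SAMPLE):
        note = ("  <-- context authority: " + " ".join(ctx)) if ctx else ""
        print("%-30s %s%s" % (name, " ".join(auths), note))
```

The same parser can be pointed at a whole authorization script; anything reported by context_grants is a grant to re-check against what the application actually needs, and a model queue that only needs temporary dynamic queues is a good candidate for replacing +allmqi with the individual authorities.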
skoobee (Acolyte; Joined: 26 Nov 2010; Posts: 52)
Posted: Mon Jan 24, 2011 10:58 pm    Post subject:
sunny_30 wrote:
    Don't want to over-authorize; the intention is to just limit to what it requires.
If you start with very little authority and enable auth events, then perform tests of your required operations, the auth event messages will contain the authorities required.