rickwatsonb
Posted: Tue Feb 08, 2011 1:15 pm    Post subject: JMS and channel security
Voyager
Joined: 15 Aug 2006  Posts: 87  Location: USA: Mid-West
Hi,
We have a JMS application running in WAS on a UNIX server that connects to a UNIX MQ server via client mode on a SVRCONN channel with an MCAUSER(userapp1).
We will have a MQ Explorer read-only type channel available, but the JMS application channel and queues need to be unavailable to MQ Explorer users.
(1) Is it better to use a security exit or SSL to prevent MQ Explorer users from connecting with the MCAUSER(userapp1) channel and getting to the queues?
(2) Are there additional/other ways to prevent MCAUSER(userapp1) channel usage via MQ Explorer?
I have been reading numerous posts on JMS and MQ security; at this point, probably too many posts in one day.
Thanks for your help.
Vitor
Posted: Tue Feb 08, 2011 1:25 pm    Post subject:
Grand High Poobah
Joined: 11 Nov 2005  Posts: 26093  Location: Texas, USA
IMHO you're best off using SSL, or BlockIP2, for what you want. I'd go with SSL because it's likely to be easier to administer.
Other opinions are equally valid and may be more valid.
_________________
Honesty is the best policy.
Insanity is the best defence.
rickwatsonb
Posted: Fri Feb 25, 2011 12:54 pm    Post subject:
Voyager
Joined: 15 Aug 2006  Posts: 87  Location: USA: Mid-West
Hi,
Thank you for your reply Vitor.
With regards to the scenario I stated in the first thread, if we have two channels with MCAUSERs:
1) mqapp belonging to mqappgrp for the WAS application (APP.CHANNEL)
2) mqview belonging to mqviewgrp for MQ Explorer read-only usage (VIEW.CHANNEL)
I would like to prevent misuse of the application channel (MCAUSER mqapp) via MQ Explorer (internal in-house users).
I see that I can prevent users from connecting via the mqapp application channel if the application group mqappgrp is not granted authority (via setmqaut) on the SYSTEM.MQEXPLORER.REPLY.MODEL queue.
Also, if display (+dsp) authority is not granted on the queue manager connection for mqappgrp, then connection via MQ Explorer fails.
(For the client-mode connection from the application and JMS to the MQ server queue manager, only +connect and +inq shall be used.)
Is this an alternative to implementing SSL for the specific purpose of eliminating usage (by internal in-house users) of the application channel via MQ Explorer?
Vitor
Posted: Fri Feb 25, 2011 2:05 pm    Post subject:
Grand High Poobah
Joined: 11 Nov 2005  Posts: 26093  Location: Texas, USA
rickwatsonb wrote:
    Is this an alternative to implementing SSL for the specific purpose of eliminating usage (by internal in-house users) of the application channel via MQ Explorer?
This is a slightly different question to the one you initially asked. If what you want is to restrict what can be done over a given channel, then MCAUser & setmqaut will be sufficient.
If you want to restrict which in-house users can use the channels, then you need SSL.
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Fri Feb 25, 2011 3:12 pm    Post subject:
Poobah
Joined: 05 Jan 2008  Posts: 9469  Location: US: west coast, almost. Otherwise, enroute.
Quote:
    If you want to restrict which in-house users ...
And out-house users, too.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mqjeff
Posted: Fri Feb 25, 2011 4:46 pm    Post subject:
Grand Master
Joined: 25 Jun 2008  Posts: 17447
If you want to restrict any users at all in a meaningful context, you either need a very robust security exit that has been strenuously tested under a large number of configurations, or you need SSL.
fjb_saper
Posted: Fri Feb 25, 2011 7:19 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003  Posts: 20756  Location: LI,NY
And when we say you need SSL, we also mean to say that you need to set up your different groups with certificates having different values in the distinguished name, so that you can recognize them on their SSLPEER values.
And remember you can set up the certs to have / use multiple OU entries.
Have fun
_________________
MQ & Broker admin
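An added example, not code from any poster in this thread, that puts the two halves of the discussion side by side: rickwatsonb's setmqaut-only design (the "what": mqappgrp gets +connect +inq but no +dsp on the queue manager and nothing on SYSTEM.MQEXPLORER.REPLY.MODEL) and the SSLPEER-per-group design fjb_saper describes (the "who": each channel admits only certificates whose DN carries that group's OU). The queue manager name, queue name, DN values, CipherSpec and the file name mq-two-channels.sh are assumptions; the MQ Explorer authorities listed for mqviewgrp are the commonly required set and should be verified against the documentation for your MQ version.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (and optionally applies) the
# MQSC and setmqaut commands for the two-channel design discussed above:
#   APP.CHANNEL  -> MCAUSER mqapp  (group mqappgrp), for the WAS/JMS client
#   VIEW.CHANNEL -> MCAUSER mqview (group mqviewgrp), read-only MQ Explorer
# Queue manager name, queue name, DN values and CipherSpec are assumptions.
QMGR="${QMGR:-QM1}"
APP_QUEUE="${APP_QUEUE:-APP.REQUEST}"
CIPHER="${CIPHER:-TLS_RSA_WITH_AES_128_CBC_SHA}"   # pick one your MQ version supports
ORG_DN="O=Example Corp,C=US"                         # assumed DN suffix of the certs

# The "who": MCAUSER fixes the identity used for authority checks whatever
# user ID the client asserts; SSLCAUTH(REQUIRED) demands a client certificate;
# SSLPEER admits only certificates whose DN carries the group's OU.
mqsc_definitions() {
    cat <<EOF
DEFINE CHANNEL(APP.CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mqapp') SSLCIPH($CIPHER) SSLCAUTH(REQUIRED) +
       SSLPEER('OU=mqappgrp,$ORG_DN') REPLACE
DEFINE CHANNEL(VIEW.CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mqview') SSLCIPH($CIPHER) SSLCAUTH(REQUIRED) +
       SSLPEER('OU=mqviewgrp,$ORG_DN') REPLACE
EOF
}

# The "what": OAM authorities per group. mqappgrp deliberately gets no +dsp on
# the queue manager and nothing on SYSTEM.MQEXPLORER.REPLY.MODEL, so an
# Explorer session that somehow lands on APP.CHANNEL cannot browse objects.
# The Explorer authorities for mqviewgrp are the commonly required set; verify
# them against the documentation for your MQ version.
setmqaut_commands() {
    cat <<EOF
setmqaut -m $QMGR -t qmgr -g mqappgrp +connect +inq
setmqaut -m $QMGR -t queue -n $APP_QUEUE -g mqappgrp +put +get +inq
setmqaut -m $QMGR -t qmgr -g mqviewgrp +connect +inq +dsp
setmqaut -m $QMGR -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g mqviewgrp +put +inq +dsp
setmqaut -m $QMGR -t queue -n SYSTEM.MQEXPLORER.REPLY.MODEL -g mqviewgrp +get +inq +dsp
setmqaut -m $QMGR -t queue -n $APP_QUEUE -g mqviewgrp +inq +dsp
EOF
}

# Guard rail: succeed only if the application group is never given +dsp on the
# queue manager, the authority that makes MQ Explorer's object browsing work.
app_group_has_no_qmgr_dsp() {
    ! setmqaut_commands | grep -- '-t qmgr' | grep -- '-g mqappgrp' | grep -q -- '+dsp'
}

# Apply for real only when the MQ tools are present; otherwise dry-run.
apply() {
    app_group_has_no_qmgr_dsp || { echo "refusing: mqappgrp would get +dsp on qmgr" >&2; return 1; }
    if command -v runmqsc >/dev/null 2>&1 && command -v setmqaut >/dev/null 2>&1; then
        mqsc_definitions | runmqsc "$QMGR"
        setmqaut_commands | sh -e
    else
        echo "# MQ tools not found; dry run for $QMGR"
        mqsc_definitions
        setmqaut_commands
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run `sh mq-two-channels.sh` on any box to see the generated commands, or `QMGR=QM1 sh mq-two-channels.sh apply` as the mqm user on the queue manager host to execute them. The split matches Vitor's point: the setmqaut lines bound what the mqapp identity can do, but only SSLCAUTH(REQUIRED) plus SSLPEER bounds who can present themselves on APP.CHANNEL, so the application's certificate (OU=mqappgrp) must stay out of the hands of Explorer users, and the viewer certificates must not carry that OU. On MQ 7.1 and later, CHLAUTH records are the preferred place to express this SSLPEER-to-MCAUSER mapping, and the same two-group certificate design carries over.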
RogerLacroix
Posted: Mon Feb 28, 2011 10:42 am    Post subject:
Jedi Knight
Joined: 15 May 2001  Posts: 3264  Location: London, ON Canada
Hello Rick,
mqjeff wrote:
    If you want to restrict any users at all in a meaningful context, you either need a very robust security exit that has been strenuously tested under a large number of configurations,
If you are going down the security exit path, then please have a look at: MQ Authenticate User Security Exit (MQAUSX).
MQAUSX has been around for almost 6 years and is used by many companies from around the world to secure their MQ environments. MQAUSX is a complete security solution for MQ.
Please let me know if you have any questions or comments.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter