| Author |
Message
|
| asterix20 |
 Posted: Fri Mar 04, 2011 11:19 pm Post subject: Disable the default MQ channels |
 |
|
Newbie
Joined: 04 Mar 2011
Posts: 6
|
Good day!
Our internal control requires that default mq channels must be disabled
>> A number of default MQ channels had not been disabled to prevent accidental and malicious use.
>> Review and disable the default MQ channels.
As I'm new with MQ, I searched - how possible to disable channels. How I understand, there is no enable/disable attribute for it.
For application connections we have separate SVRCONN channels.
I found only solution with:
- CHAD(DISABLE) parameter on queue manager. But as I understand this is only prevent auto-definition connection channels.
- set MCAUSER for default channels. But for that I need create specified user in system, am I right?
May be I missed something?  |
|
| Back to top |
|
 |
| fatherjack |
| Posted: Sat Mar 05, 2011 1:29 am Post subject: Re: Disable the default MQ channels |
|
|
Knight
Joined: 14 Apr 2010
Posts: 522
Location: Craggy Island
|
| asterix20 wrote: |
| - set MCAUSER for default channels. But for that I need create specified user in system, am I right? |
Just set the MCAUSER to a non-existent user e.g. 'nobody'.
_________________
Never let the facts get in the way of a good theory. |
|
| Back to top |
|
|
| exerk |
| Posted: Sat Mar 05, 2011 3:40 am Post subject: Re: Disable the default MQ channels |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| fatherjack wrote: |
| asterix20 wrote: |
| - set MCAUSER for default channels. But for that I need create specified user in system, am I right? |
Just set the MCAUSER to a non-existent user e.g. 'nobody'. |
I would add to that with make it a user that cannot exist on the OS, i.e. a string of illegal characters or a length that exceeds the allowed etc., just in case someone thinks it a good idea to create that user (seen it done). Also you can set MAXMSGL to 1 and TRPTYPE to something not used on your system.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Sat Mar 05, 2011 4:58 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
mcauser('nobody') is the defacto industry standard for disabling all the well-known 'inbound' channels. eg.
| Code: |
ALTER CHANNEL('SYSTEM.AUTO.RECEIVER') CHLTYPE(RCVR) +
MCAUSER('nobody') MAXMSGL(0)
ALTER CHANNEL('SYSTEM.DEF.CLUSRCVR') CHLTYPE(CLUSRCVR) +
MCAUSER('nobody') MAXMSGL(0)
ALTER CHANNEL('SYSTEM.DEF.RECEIVER') CHLTYPE(RCVR) +
MCAUSER('nobody') MAXMSGL(0)
ALTER CHANNEL('SYSTEM.DEF.SERVER') CHLTYPE(SVR) +
MCAUSER('nobody') MAXMSGL(0)
ALTER CHANNEL('SYSTEM.DEF.SVRCONN') CHLTYPE(SVRCONN) +
MCAUSER('nobody') MAXMSGL(0)
ALTER CHANNEL('SYSTEM.AUTO.SVRCONN') CHLTYPE(SVRCONN) +
MCAUSER('nobody') MAXMSGL(0) |
You may have also defined CHANNEL('SYSTEM.ADMIN.SVRCONN') CHLTYPE(SVRCONN), watch out for this one.
_________________
Glenn |
|
| Back to top |
|
|
| cicsprog |
| Posted: Tue Mar 08, 2011 3:08 pm Post subject: |
|
|
Partisan
Joined: 27 Jan 2002
Posts: 347
|
| Maybe I'm missing something - DELETE THEM???? |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Tue Mar 08, 2011 4:28 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
NO, NO. Do not delete SYSTEM.anything. These are templates for creation of other objects.
What is the problem now? Why do you want to delete them?
The next time you create a new channel, it will have the MCAUSER('nobody').
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| cicsprog |
| Posted: Tue Mar 08, 2011 4:55 pm Post subject: |
|
|
Partisan
Joined: 27 Jan 2002
Posts: 347
|
| Sorry Bruce...don't agree for any SYSTEM.DEF.*. They are easily recreateable. Not sure why I would ever recreate them however. If they want to secure and have no one use them, then remove them. |
|
| Back to top |
|
|
| asterix20 |
| Posted: Tue Mar 08, 2011 8:57 pm Post subject: |
|
|
Newbie
Joined: 04 Mar 2011
Posts: 6
|
Thanks for your answers.
With setting MACUSER I worried about same user in system, like exerk described.
As I understand with 'nobody' I need create same user on OS, with minimal privileges (so none could connect under it).
gbaddeley, thanks! I almost missed channels SYSTEM.AUTO.* 
cicsprog, as bruce said we use default channels as templates to create other objects. That's why I need disable or restrict access to them (well as I understand). |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Mar 08, 2011 9:57 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| asterix20 wrote: |
As I understand with 'nobody' I need create same user on OS, with minimal privileges (so none could connect under it).
|
No need. If the user nobody exists neither in the system, nor in your LDAP it works just as well. Don't assign any privileges, or if you have to, make sure you remove them all. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| asterix20 |
| Posted: Wed Mar 09, 2011 12:05 am Post subject: |
|
|
Newbie
Joined: 04 Mar 2011
Posts: 6
|
ok, I got it
Thanks a lot for help. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Wed Mar 09, 2011 2:15 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
| bruce2359 wrote: |
NO, NO. Do not delete SYSTEM.anything. These are templates for creation of other objects.
What is the problem now? Why do you want to delete them?
The next time you create a new channel, it will have the MCAUSER('nobody'). |
Agree. Do not delete them. Be sure to remember to set MCAUSER('xxxxxxxxx') MAXMSGL(nnnnnnn) whenever you define a new channel of these types.
_________________
Glenn |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Mar 10, 2011 1:41 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
| You can change the system default objects to have the desired attributes for the new objects. |
|
| Back to top |
|
|
|
|
