rojaan (Newbie; Joined: 01 Aug 2011; Posts: 8)
Posted: Mon Aug 01, 2011 4:47 am    Post subject: MQ Explorer and RACF password validation

I have set up MQ under z/OS and implemented RACF on the MQ subsystem. I have a problem with MQ Explorer. I have removed the MCA user ID from the SVRCONN channel that we specify on the Queue Manager definition and have granted the users of MQ the relevant access to the MQ commands. When I invoke MQ Explorer and specify a valid userid on the queue manager connection (Connection Details > Properties > Userid) but DO NOT specify a password, MQ Explorer does not validate the password but still allows the user to inherit the access granted to the userid specified in the connection details.
Any ideas why the password is not being validated when the user signs on?

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon Aug 01, 2011 5:23 am    Post subject: Re: MQ Explorer and RACF password validation

rojaan wrote:
    Any ideas why the password is not being validated when the user signs on?

WMQ authorises users but doesn't authenticate them.
_________________
Honesty is the best policy.
Insanity is the best defence.

rojaan (Newbie; Joined: 01 Aug 2011; Posts: 8)
Posted: Mon Aug 01, 2011 5:31 am

Thank you for the reply. I'm very surprised at this; surely this is a huge security exposure, as any MQ Explorer user can enter someone else's RACF id in the connection details and gain access to resources they wouldn't normally have access to.

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Mon Aug 01, 2011 5:40 am

You need to consider how many people you actually want using MQ Explorer to connect to your mainframe.
And you need to set up SSL and configure MCAUSER values on all of your svrconns... and all the rest of your channels too. Right now someone can create a qmgr on their desktop, connect it to an existing channel on your mainframe, and do whatever they want.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Aug 01, 2011 5:42 am

What happens if you specify in the Explorer a userid that doesn't exist in RACF?
Why did you set MCAUSER to blank on SYSTEM.ADMIN.SVRCONN?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon Aug 01, 2011 5:44 am

rojaan wrote:
    any MQ Explorer user can enter someone else's RACF id in the connection details and gain access to resources they wouldn't normally have access to.

Only if your WMQ estate isn't properly secured. This isn't a z/OS or RACF issue; this concept holds true on all platforms. You'll notice that when you removed the MCAUser from the channel there wasn't a matching MCAPassword field; this is because the MCAUser isn't authenticated any more than a logged-on user is.
WMQ Security is more than just passwords.
_________________
Honesty is the best policy.
Insanity is the best defence.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Aug 01, 2011 5:47 am

Vitor wrote:
    WMQ Security is more than just passwords.

Passwords are about authentication. WMQ security isn't about passwords at all.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon Aug 01, 2011 5:51 am

bruce2359 wrote:
    Vitor wrote:
        WMQ Security is more than just passwords.
    Passwords are about authentication. WMQ security isn't about passwords at all.

Erm, yes, well, ok.
_________________
Honesty is the best policy.
Insanity is the best defence.

rojaan (Newbie; Joined: 01 Aug 2011; Posts: 8)
Posted: Mon Aug 01, 2011 5:57 am

If I remove the RACF user from MQ Explorer, the user that WMQ attempts to authenticate is not a valid user, and as I have protected all resources in WMQ I am unable to do anything.
If you remove the MCAUSER from the SVRCONN channel definition, MQ Explorer attempts to use the userid specified in MQ Explorer.
Not quite sure what you mean by "WMQ is not about passwords"; I am trying to protect MQ resources under z/OS using the RACF interface, and for sure RACF is very user-verification driven.

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon Aug 01, 2011 6:03 am

rojaan wrote:
    I am trying to protect MQ resources under z/OS using the RACF interface, and for sure RACF is very user-verification driven.

Exactly - RACF is all about verifying users. WMQ (as it does on all platforms) relies on that verification. It doesn't perform its own but assumes RACF has verified the id is who the id purports to be. On that assumption, it authorises the user to perform various tasks against various resources.
Now on z/OS I concede it does this by doing a RACROUTE against RACF profiles, but it's simply using the RACF database as a convenient point to hold the information; it's not verifying the user, just obtaining the access available to that user.
_________________
Honesty is the best policy.
Insanity is the best defence.

rojaan (Newbie; Joined: 01 Aug 2011; Posts: 8)
Posted: Mon Aug 01, 2011 6:15 am

Okay, thank you. Would using SSL help me to secure MQ Explorer to the level I require?

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon Aug 01, 2011 6:17 am

rojaan wrote:
    Would using SSL help me to secure MQ Explorer to the level I require?

Yes it would. This is why my most worthy associate mentioned it earlier in this post. It's all part of a well-secured WMQ estate.
_________________
Honesty is the best policy.
Insanity is the best defence.

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Aug 01, 2011 6:18 am

rojaan wrote:
    If I remove the RACF user from MQ Explorer, the user that WMQ attempts to authenticate is not a valid user, and as I have protected all resources in WMQ I am unable to do anything.

In future posts here, please use WMQ and RACF terminology. Did you receive an error message when you tried to do anything? If so, post the complete error message, from the Explorer and the CHIN address space. Include the userid in your posts.

rojaan wrote:
    If you remove the MCAUSER from the SVRCONN channel definition, MQ Explorer attempts to use the userid specified in MQ Explorer.

MCAUSER should be set to 'NOBODY' or some other non-authorized name, so no operations will take on the channel (CHIN) identity.

rojaan wrote:
    Not quite sure what you mean by "WMQ is not about passwords"; I am trying to protect MQ resources under z/OS using the RACF interface, and for sure RACF is very user-verification driven.

WMQ merely passes along the userid of the signed-on user to the security component, RACF in this case, to determine if the user is authorized to issue the command.
In the case of a client app, like the Explorer, the client app or environment (shell) needs to pass username/password to RACF.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

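Two pieces of advice in this thread translate directly into channel configuration: mqjeff's "set up SSL and configure MCAUSER values on all of your svrconns", and bruce2359's "MCAUSER should be set to 'NOBODY'". Both can be checked mechanically against DISPLAY CHANNEL output, which is the purpose of the following added example. It is not code from this thread, from IBM or from any MQ product: it parses DISPLAY CHANNEL output, flags SVRCONN channels whose MCAUSER is blank (so the queue manager authorises whatever userid the client asserts, which is exactly the exposure rojaan describes) and, going a step beyond the thread, channels whose SSL attributes still leave the client unauthenticated, and then prints the MQSC ALTER commands that would close each finding. The sample output, channel names, userids and CipherSpec are constructed values; the layout is the distributed runmqsc format (the z/OS CHIN reports different message ids but the same ATTR(value) tokens), and the <...> values in the generated commands are placeholders to be filled in for a given site.

```python
import re

# Constructed sample in the style of runmqsc "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN)
# MCAUSER SSLCIPH SSLCAUTH SSLPEER" output. Not captured from any real system;
# channel names, userids and the CipherSpec are made up for the example.
SAMPLE_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(REQUIRED)
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1svc)                        SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLPEER(CN=app1,O=Example)
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqmadmin)                       SSLCAUTH(OPTIONAL)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLPEER( )
"""

# Every attribute appears as NAME(value); SSLPEER values may contain spaces
# and commas, so capture everything up to the closing parenthesis.
TOKEN = re.compile(r"([A-Z]+)\(([^)]*)\)")

# Why each finding matters, in the terms used in the thread.
WHY = {
    "MCAUSER": "blank MCAUSER: the userid asserted by the client is used for authorisation",
    "SSLCIPH": "no SSLCIPH: the connection is neither encrypted nor certificate-authenticated",
    "SSLCAUTH": "SSLCAUTH not REQUIRED: the client need not present a certificate",
    "SSLPEER": "blank SSLPEER: any certificate issued by a trusted CA is accepted",
}

def parse_display_channel(text):
    """Split DISPLAY CHANNEL output into one {attribute: value} dict per channel."""
    channels, current = [], None
    for name, value in TOKEN.findall(text):
        if name == "CHANNEL":              # a CHANNEL token starts a new record
            current = {}
            channels.append(current)
        if current is not None:
            current[name] = value.strip()  # "( )" means the attribute is blank
    return channels

def audit_svrconn(channels):
    """Return [(channel name, [issue codes])] for SVRCONN channels that leave
    the userid unpinned or the connecting client unauthenticated."""
    findings = []
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        codes = []
        if ch.get("MCAUSER", "") == "":
            codes.append("MCAUSER")
        if ch.get("SSLCIPH", "") == "":
            codes.append("SSLCIPH")
        else:
            if ch.get("SSLCAUTH") != "REQUIRED":
                codes.append("SSLCAUTH")
            if ch.get("SSLPEER", "") == "":
                codes.append("SSLPEER")
        if codes:
            findings.append((ch["CHANNEL"], codes))
    return findings

# MQSC clause that closes each finding; <...> are placeholders for site values.
FIX = {
    "MCAUSER": "MCAUSER('NOBODY')",
    "SSLCIPH": "SSLCIPH(<cipherspec>) SSLCAUTH(REQUIRED) SSLPEER('<dn filter>')",
    "SSLCAUTH": "SSLCAUTH(REQUIRED)",
    "SSLPEER": "SSLPEER('<dn filter>')",
}

def remediation_mqsc(findings):
    """One ALTER CHANNEL per flagged channel. MCAUSER('NOBODY') pins every
    connection on the channel to an unauthorised id; a channel that one
    application must use gets that application's own fixed service id instead."""
    return [
        f"ALTER CHANNEL({name}) CHLTYPE(SVRCONN) " + " ".join(FIX[c] for c in codes)
        for name, codes in findings
    ]

if __name__ == "__main__":
    found = audit_svrconn(parse_display_channel(SAMPLE_OUTPUT))
    for name, codes in found:
        print(name)
        for c in codes:
            print("   -", WHY[c])
    print("\nRemediation (fill in the <...> placeholders):")
    for cmd in remediation_mqsc(found):
        print("  ", cmd)
```

Run against the constructed sample, the script flags SYSTEM.ADMIN.SVRCONN (blank MCAUSER and no SSLCIPH) and ADMIN.SVRCONN (client certificate optional, no SSLPEER filter), and leaves APP1.SVRCONN alone. Feeding it real output means capturing the DISPLAY CHANNEL response on the queue manager and passing the text to parse_display_channel; the generated ALTER commands are a starting point for review, not something to run unread, since the right MCAUSER for a dedicated application channel is that application's service id rather than NOBODY.
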
rojaan (Newbie; Joined: 01 Aug 2011; Posts: 8)
Posted: Mon Aug 01, 2011 6:19 am

Okay, I'll look into this then. One small thing... any ideas why MQ Explorer has the option to enter the password when you enter a userid in the connection details?

bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Aug 01, 2011 6:20 am

rojaan wrote:
    Okay, thank you. Would using SSL help me to secure MQ Explorer to the level I require?

Yes and no.
SSL will secure the connection, but not the authorization of the Explorer to do WMQ commands.
SSL is not about usernames/passwords.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.