| Author |
Message
|
| fjb_saper |
 Posted: Fri Sep 14, 2012 8:18 pm Post subject: Re: v7.1 |
 |
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| George Carey wrote: |
Yes, 7.1 has much better security features.
Can one in v7.1 block all incoming IPs excepting some ?
Kind of like the setmqaut syntax "-all +inq +connect" for authorizations.
I read in the doco that one can only block a list of IPs.
TIA |
Read the docu again. You can also authorize only selected IPs.
_________________
MQ & Broker admin |
|
| Back to top |
|
 |
| George Carey |
| Posted: Fri Sep 14, 2012 9:25 pm Post subject: really |
|
|
Knight
Joined: 29 Jan 2007
Posts: 500
Location: DC
|
Oh, really that is effectively what I am looking for then!
No wild cards * are usable with IP selection if I recall? So are IPs denied by default unless authorized ?
I will have to read again when I can.
But to be clear, you are saying that all IPs can effectively be blocked except for the ones you wish to allow ... Yes ?
I will take your word for it if so and just read up on how to set it up.
_________________
"Truth is ... grasping the virtually unconditioned",
Bernard F. Lonergan S.J.
(from book titled "Insight" subtitled "A Study of Human Understanding") |
|
| Back to top |
|
|
| mqjeff |
| Posted: Sun Sep 16, 2012 8:50 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| The other side of the thing is, if you read about how to set it up, you may not have to take anyone's word for anything. |
|
| Back to top |
|
|
| George Carey |
| Posted: Sun Sep 16, 2012 9:58 am Post subject: read it up |
|
|
Knight
Joined: 29 Jan 2007
Posts: 500
Location: DC
|
Read it up ... didn't see that interpretation.
Just looking to save time if possible ...
I could save the time to reread to better understand, if I know(as stated ) it works, I can just try implementing, maybe time can be saved. A better understanding/interpretation can come later.
If you know an answer and have time to respond ... respond.
If not say you don't or don't respond!
That's the paradigm here isn't it?
_________________
"Truth is ... grasping the virtually unconditioned",
Bernard F. Lonergan S.J.
(from book titled "Insight" subtitled "A Study of Human Understanding") |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Sep 16, 2012 11:02 am Post subject: Re: read it up |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| George Carey wrote: |
Read it up ... didn't see that interpretation.
Just looking to save time if possible ...
I could save the time to reread to better understand, if I know(as stated ) it works, I can just try implementing, maybe time can be saved. A better understanding/interpretation can come later.
If you know an answer and have time to respond ... respond.
If not say you don't or don't respond!
That's the paradigm here isn't it? |
my interpretation there was set a non authorized mcauser on the channel.
Use authority records to map the right mcauser depending on IP. 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| mqjeff |
| Posted: Sun Sep 16, 2012 11:08 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Probably a good link to review is this: http://publib.boulder.ibm.com/infocenter/wmqv7/v7r1/topic/com.ibm.mq.doc/zs14190_.htm
It lays out the various kinds of scenarios you can use channel authentication records under, gives you links to specific topics on each and then talks about the interaction between rules.
By default queue managers at 7.1 and later come with channel authentication records that specifically deny access to any user that is mqm or MUSR_MQADMIN by name or a member of the mqm group.
You can use different kinds of channel authentication records, in different combinations, to lay out conditions like "all users from this range of IP addresses are mapped to this specific mcauser". You then grant or deny whatever privileges to that mcauser is appropriate. This allows you to do things like say "all client connections are not allowed to act as MQ admins, unless they come from this specific set of IP addresses on this specific channel". |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Sep 16, 2012 11:14 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Problem is that the generic *MQADMIN interdiction is not applied first but last.
This means that even if you do have a positive mapping to mqm it gets overridden by the generic interdiction. I believe there is an RFE to apply that first...
Best bet for admin is to have an admin qmgr with all channels ssl secured that will then allow mqm to the administered qmgr.... i.e. go through a 3rd party with ssl.
Have fun
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
