OAM and cluster queues, permissions on ALIASQ or S.C.X.Q
flaufer (Acolyte, joined 08 Dec 2004, 59 posts)
Posted: Tue Mar 20, 2012 5:30 am    Post subject: OAM and cluster queues, permissions on ALIASQ or S.C.X.Q
Folks,
I know that to secure an application putting to a (remote) cluster queue, you either define an alias queue on the sending queue manager (the QM to which the app that wants to put to this particular queue is connected) and grant privileges on that particular alias queue, or you grant them on the SYSTEM.CLUSTER.TRANSMIT.QUEUE instead.
However, if you grant them on the S.C.X.Q, you somewhat open the whole cluster to the application and would theoretically enable it to send to any cluster queue in the whole cluster, right?
Questions:
1. This does include the SYSTEM.CLUSTER.COMMAND.QUEUE on any remote queue manager within the same cluster, correct? (IMHO it must, because how else would cluster commands be transferred?)
2. This does include only shared local queues on any remote queue manager within the same cluster, correct? Non-shared queues cannot be put to?
3. What about destinations in far remote clusters which have one queue manager that is part of my own cluster and also part of the remote cluster? Can hopping be (mis-)used?
Cheers,
Felix
mqjeff (Grand Master, joined 25 Jun 2008, 17447 posts)
Posted: Tue Mar 20, 2012 5:34 am
Yes, from a security perspective, granting any application direct permissions on the cluster's transmission queue should be viewed as immediately granting full administrative access to all queue managers that are connected to all queue managers in the full cluster.
So, yes, this does expose multi-hopping abuses.
This is why you should always set an MCAUSER on the Cluster Receiver channels on every queue manager in the cluster, to prevent another machine from sending a message tagged as mqm.
flaufer (Acolyte, joined 08 Dec 2004, 59 posts)
Posted: Tue Mar 20, 2012 5:49 am    Post subject: way cool!
mqjeff wrote:
> This is why you should always set an MCAUSER on the Cluster Receiver channels on every queue manager in the cluster, to prevent another machine from sending a message tagged as mqm.

This is a way cool idea... :-) and solved all the pain in my brain within a second!
Many thanks,
Felix
flaufer (Acolyte, joined 08 Dec 2004, 59 posts)
Posted: Tue Mar 20, 2012 6:00 am
mqjeff wrote:
> This is why you should always set an MCAUSER on the Cluster Receiver channels on every queue manager in the cluster, to prevent another machine from sending a message tagged as mqm.

But then, how will repository updates be propagated within the cluster if the MCAUSER does not have the proper privileges to put to the cluster command queue?
Felix
PeterPotkay (Poobah, joined 15 May 2001, 7722 posts)
Posted: Tue Mar 20, 2012 8:28 am
You can tag the MCAUSER of a Cluster Receiver channel with an ID that does not have access to the SYSTEM.ADMIN.COMMAND.QUEUE.
You cannot restrict access to the SYSTEM.CLUSTER.COMMAND.QUEUE if you expect the cluster to function.
Which means you need to protect the channels on the Full Repositories from an unauthorized Queue Manager connecting and adding itself to the cluster. Hello SSL or Security Exits. Or in MQ 7.1, you could also do IP filtering if you trust the source IP as being legit.
Gemz (Centurion, joined 14 Jan 2008, 124 posts)
Posted: Fri Nov 16, 2012 5:42 am
Hi,
I am a bit confused about setting up security for cluster queues.
Let's say we have queue managers named QMGR1 and QMGR2 in a cluster named CLUS.
QMGR1 has 2 cluster queues, Q1 and Q2.
Application APP2 (running under user usr2) is connected to queue manager QMGR2.
I want to
1. Allow APP2 to put messages on queue Q1 (cluster queue on QMGR1)
2. Restrict APP2 from putting messages on queue Q2 (cluster queue on QMGR1)
Do I need to set the authority at queue level? i.e., setmqaut for user usr2 on Q1 and Q2 in QMGR1.
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Fri Nov 16, 2012 6:12 am
Gemz wrote:
> Hi,
> I am a bit confused about setting up security for cluster queues.
> Let's say we have queue managers named QMGR1 and QMGR2 in a cluster named CLUS.
> QMGR1 has 2 cluster queues, Q1 and Q2.
> Application APP2 (running under user usr2) is connected to queue manager QMGR2.
> I want to
> 1. Allow APP2 to put messages on queue Q1 (cluster queue on QMGR1)
> 2. Restrict APP2 from putting messages on queue Q2 (cluster queue on QMGR1)
> Do I need to set the authority at queue level? i.e., setmqaut for user usr2 on Q1 and Q2 in QMGR1.

If you're using the appropriate version of WMQ, THIS will help answer your query.
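Both questions in this thread (flaufer's alias-queue-versus-S.C.X.Q question with mqjeff's and PeterPotkay's MCAUSER answer, and Gemz's Q1/Q2 case) come down to the same two pieces of configuration, so here they are as one script. This is an added example written for this page, not code from any of the posters or from IBM. It uses Gemz's names (QMGR1, QMGR2, CLUS, Q1, Q2, usr2); the alias queue APP2.Q1, the MCA user clusmca, the cluster-receiver channel TO.QMGR1 and the dead-letter queue name SYSTEM.DEAD.LETTER.QUEUE are assumptions. With MQ_DRY_RUN=1 the script prints the setmqaut/runmqsc commands instead of executing them, so it can be reviewed on a machine without MQ installed.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM: least-privilege setup for an
# application (APP2 as usr2 on QMGR2) that may put to cluster queue Q1 on QMGR1
# but not to Q2, plus the receiver-side MCAUSER that stops a member queue
# manager from injecting messages "as mqm".
# Assumed names: alias APP2.Q1, MCA user clusmca, CLUSRCVR channel TO.QMGR1,
# dead-letter queue SYSTEM.DEAD.LETTER.QUEUE.  MQ_DRY_RUN=1 prints commands
# instead of running them.
set -u

run() {   # run <command...>: execute, or print in dry-run mode
    if [ "${MQ_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

mqsc() {   # mqsc <qmgr> <MQSC command>: feed one command to runmqsc
    if [ "${MQ_DRY_RUN:-0}" = "1" ]; then
        printf 'echo "%s" | runmqsc %s\n' "$2" "$1"
    else
        printf '%s\n' "$2" | runmqsc "$1" >/dev/null
    fi
}

# Sending side (QMGR2).  usr2 gets +put on a local alias that resolves to the
# clustered Q1 (the OAM checks the alias name), so usr2 never needs +put on
# SYSTEM.CLUSTER.TRANSMIT.QUEUE and cannot address Q2, or any other queue in
# CLUS, by name.  The per-application restriction has to live here: QMGR1
# only ever sees "a message from QMGR2's channel", never "a message from APP2".
setup_sender() {
    mqsc QMGR2 "DEFINE QALIAS(APP2.Q1) TARGET(Q1) REPLACE"
    run setmqaut -m QMGR2 -t qmgr -p usr2 +connect +inq
    run setmqaut -m QMGR2 -t queue -n APP2.Q1 -p usr2 +put
    # Make sure no earlier grant on the cluster transmit queue survives.
    # (On UNIX, -p maps to the user's primary group; use -g to authorise a group.)
    run setmqaut -m QMGR2 -t queue -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -p usr2 -all
}

# Receiving side (QMGR1).  With PUTAUT(DEF) the MCA puts under MCAUSER, not
# under the user ID carried in the MQMD, so a forged UserIdentifier of "mqm"
# from another member buys nothing.  clusmca must be able to put to
# SYSTEM.CLUSTER.COMMAND.QUEUE or repository updates stop flowing, but it is
# kept off SYSTEM.ADMIN.COMMAND.QUEUE so the channel cannot be used to run
# PCF/MQSC administration on QMGR1.  +setall is the MCA's context authority.
setup_receiver() {
    mqsc QMGR1 "ALTER CHANNEL(TO.QMGR1) CHLTYPE(CLUSRCVR) MCAUSER('clusmca') PUTAUT(DEF)"
    run setmqaut -m QMGR1 -t qmgr -p clusmca +connect +inq +setall
    for q in SYSTEM.CLUSTER.COMMAND.QUEUE SYSTEM.DEAD.LETTER.QUEUE Q1 Q2; do
        run setmqaut -m QMGR1 -t queue -n "$q" -p clusmca +put +setall
    done
    run setmqaut -m QMGR1 -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -p clusmca -all
}

show_auths() {   # show_auths <qmgr> <queue> <principal>: read-only check
    run dspmqaut -m "$1" -t queue -n "$2" -p "$3"
}

case "${1:-}" in
    sender)   setup_sender ;;
    receiver) setup_receiver ;;
    check)    show_auths "${2:?qmgr}" "${3:?queue}" "${4:?principal}" ;;
    *)        echo "usage: $0 sender|receiver|check <qmgr> <queue> <principal>" >&2 ;;
esac
```

Run `MQ_DRY_RUN=1 sh cluster_auth.sh sender` (and `receiver`) to see exactly what would be issued, then run the same without the variable as an MQ administrator on the host of each queue manager; `sh cluster_auth.sh check QMGR1 Q1 clusmca` shows what clusmca ended up with. Note that clusmca is granted +put on Q2 as well, because other members of CLUS may legitimately use Q2: the receiver can only tell queue managers apart, so keeping APP2 away from Q2 is QMGR2's job, done by simply not giving usr2 any path to it. PUTAUT(CTX) would make QMGR1 check the MQMD user ID instead of MCAUSER, but that means trusting whatever identity the sending queue manager chose to stamp on the message, which is exactly what the MCAUSER advice above is meant to avoid. The alias route also works whatever version-specific rule the OAM applies to bare cluster queue names on the sending side.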