  MQSeries.net
MQ Security
rammer
Posted: Sat Feb 09, 2013 11:13 am    Post subject: MQ Security

Hi All.

I am not looking at the moment for anything too extensive; I would rather phase some security in, so I am looking at what people are using, from the perspective of not having to purchase external tools etc.

All servers are AIX
MQ Clustering in use

Current position
System Channels that are not used have mcauser set to DONOTUSE
System accounts have been created and applied to relevant channels that applications use with relevant permissions set at queue manager / queue level
MQ Explorer / RFHUTIL system account has been set up and applied to "admin" channels / queues to allow users to connect and browse but not delete / put etc
Servers are all behind firewalls with no incoming connections at the moment from external clients
mqm group only has mqm in it so individual user accounts

I realise the above is just a start. I am interested in what people have done to add security to clusters etc.; we do have one customer that we support that uses SSL and MQ Exits (purchased exit from Capitalware) to assist in locking down the cluster.

The version of MQ currently in use is 7.0.1.x.

As mentioned, I realise the above is a small start with more to be done if the customer pushes for it. They have not so far and have lived with it for 12+ years in the above scenario (just because they have lived with it does not make it correct). I am just interested in what others may do to lock it down a little more.

Thank you in advance for any constructive comments.
bruce2359
Posted: Sat Feb 09, 2013 12:39 pm

Let's start with the security controls you do have in place.

What about your internal clients?

Do you require that users sign on with username and password?

Do you have role-based (group) rules to limit which groups can access which application programs? Or, can anyone run any application program?

Can someone sign on with username DONOTUSE?

Do you have rules that prevent DONOTUSE from running applications?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
PeterPotkay
Posted: Sun Feb 10, 2013 3:16 pm

Some people force their apps in an MQ cluster to always use alias queues, to avoid having to give apps authority to put to the SYSTEM.CLUSTER.TRANSMIT.QUEUE (SCTQ). If the app has access to the SCTQ, it can send to any other queue on any other QM in the cluster - assuming the CLUSRCVR channels on the other QMs allow it, which they usually do. But it is difficult, if not impossible, to follow through with this 100% if you have apps that need to reply to the Reply To Queue and Reply To QM, particularly if those queues are dynamic queues with names you can't possibly predict.

The MCAUSER on the CLUSRCVR channels should be running with an ID that does not have access to the QM's command queue, to prevent remote admin via another QM in the cluster.

Yes, putting SSL Certs (with SSLPEER in use) and/or using channel exits like MQAUSX from Capitalware is needed if you want to prevent a random yahoo from adding his QM to your cluster.
_________________
Peter Potkay
Keep Calm and MQ On
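The three controls in the post above (put authority on a local alias instead of on the SCTQ, a restricted MCAUSER on the CLUSRCVR, SSLPEER on the cluster channel) as an added shell example for an AIX queue manager; this is not code from the thread or from Capitalware. Queue manager QM1, channel TO.QM1, group appgrp, id mqclusid, alias APP.REQ.ALIAS, cluster queue APP.REQ, profile APP.** and the peer DN are constructed names, and the MCAUSER grants assume the channel only delivers to queues matching that profile.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the setmqaut and MQSC commands
# that implement the three cluster controls discussed above. All names
# (QM1, TO.QM1, appgrp, mqclusid, APP.REQ.ALIAS, APP.REQ, the DN) are constructed.

# setmqaut lines for one queue manager. $1 qmgr, $2 app group, $3 MCA id,
# $4 alias queue, $5 generic profile for queues the channel may deliver to.
emit_setmqaut() {
  qm=$1 appgrp=$2 mcaid=$3 alias=$4 inbound=$5
  # Application group: connect to the qmgr and put to the local alias only.
  # The alias resolves to the cluster queue inside the qmgr, so the app never
  # needs authority on the SCTQ and cannot address arbitrary cluster queues.
  echo "setmqaut -m $qm -t qmgr -g $appgrp +connect +inq"
  echo "setmqaut -m $qm -n $alias -t queue -g $appgrp +put +inq"
  # CLUSRCVR MCAUSER: must deliver inbound messages with their context and
  # feed cluster repository traffic, but gets no grant on the command queue,
  # so another qmgr in the cluster cannot run PCF admin commands here.
  echo "setmqaut -m $qm -t qmgr -p $mcaid +connect +inq +setall"
  echo "setmqaut -m $qm -n SYSTEM.CLUSTER.COMMAND.QUEUE -t queue -p $mcaid +put +setall"
  echo "setmqaut -m $qm -n '$inbound' -t queue -p $mcaid +put +setall"
  # Check the gap is real: the only acceptable answer here is no put authority.
  echo "dspmqaut -m $qm -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -p $mcaid"
}

# MQSC for the same qmgr: the alias definition and the hardened CLUSRCVR.
# $1 qmgr, $2 channel, $3 MCA id, $4 alias, $5 target cluster queue, $6 peer DN.
emit_mqsc() {
  cat <<EOF
DEFINE QALIAS('$4') TARGQ('$5') REPLACE
ALTER CHANNEL('$2') CHLTYPE(CLUSRCVR) MCAUSER('$3') +
  SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
  SSLPEER('$6')
EOF
}

# Dry run by default; set MQ_APPLY=1 on the AIX host to execute for real.
PEER='OU=MQ, O=Example Corp, C=GB'
if [ "${MQ_APPLY:-0}" = 1 ]; then
  emit_setmqaut QM1 appgrp mqclusid APP.REQ.ALIAS 'APP.**' | sh
  emit_mqsc QM1 TO.QM1 mqclusid APP.REQ.ALIAS APP.REQ "$PEER" | runmqsc QM1
else
  emit_setmqaut QM1 appgrp mqclusid APP.REQ.ALIAS 'APP.**'
  emit_mqsc QM1 TO.QM1 mqclusid APP.REQ.ALIAS APP.REQ "$PEER"
fi
```

Without a local alias the authority check for a cluster queue opened by name falls on the SCTQ, which is why the application group above gets nothing there; SSLPEER only narrows which certificates may start the channel, so it is used together with SSLCAUTH(REQUIRED) rather than instead of it.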
rammer
Posted: Mon Feb 11, 2013 8:02 am

Hi. Yes, all our apps use queue aliases that are local to the app queue manager and resolve to cluster queues on other queue managers. Currently no dynamic queues etc. are used.
RogerLacroix
Posted: Tue Feb 12, 2013 6:18 pm    Post subject: Re: MQ Security

rammer wrote:
and MQ Exits (purchased exit from Capitalware) to assist in locking down the cluster.

Are you saying that you are only using MQAUSX (or MQSSX) for cluster channels (and not for SVRCONN channels)? That's like buying a home security system and only wiring up the front door.

rammer wrote:
System accounts have been created and applied to relevant channels that applications use with relevant permissions set at queue manager / queue level

So what stops Joe Blow user from connecting to the queue manager using that channel, other than you saying do not connect to the queue manager using that channel?

rammer wrote:
MQ Explorer / RFHUTIL system account has been set up and applied to "admin" channels / queues to allow users to connect and browse but not delete / put etc

Same comment again - what stops Joe Blow user from connecting to the queue manager using that channel?

rammer wrote:
Servers are all behind firewalls with no incoming connections at the moment from external clients

Most rogue users are internal people (company employees) and not external users. I seriously doubt Anonymous is interested in your MQ environment. Although, some day Anonymous will discover 99% of all financial companies use MQ, and since most are insecure, we will all be in trouble.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
exerk
Posted: Wed Feb 13, 2013 1:30 am    Post subject: Re: MQ Security

RogerLacroix wrote:
...I seriously doubt Anonymous is interested in your MQ environment. Although, some day Anonymous will discover 99% of all financial companies use MQ and since most are insecure, we will all be in trouble...

If they didn't know before, they do now!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
rammer
Posted: Wed Feb 13, 2013 2:56 am    Post subject: Re: MQ Security

RogerLacroix wrote:
rammer wrote:
and MQ Exits (purchased exit from Capitalware) to assist in locking down the cluster.

Are you saying that you are only using MQAUSX (or MQSSX) for cluster channels (and not for SVRCONN channels)? That's like buying a home security system and only wiring up the front door.

No, they use it on SVRCONN.
mqjeff
Posted: Wed Feb 13, 2013 4:08 am    Post subject: Re: MQ Security

rammer wrote:
RogerLacroix wrote:
rammer wrote:
and MQ Exits (purchased exit from Capitalware) to assist in locking down the cluster.

Are you saying that you are only using MQAUSX (or MQSSX) for cluster channels (and not for SVRCONN channels)? That's like buying a home security system and only wiring up the front door.

No, they use it on SVRCONN.

If you have not applied security to every single channel you have, you have only locked the front door and the garage and left the windows wide open.
PeterPotkay
Posted: Wed Feb 13, 2013 3:18 pm

Every incoming channel...
bruce2359
Posted: Wed Feb 13, 2013 3:39 pm

Think of channels like a door. If you securely lock one, but leave a window open, then you do not have security.