rammer (Partisan, Joined: 02 May 2002, Posts: 359, Location: England)
Posted: Thu Apr 04, 2013 3:54 am    Post subject: MQ / Message Broker Security
Hi All,
I have finally got my hands on a Dev Server to start looking at security around MQ and in particular at the moment around Message Broker and tightening access from developers.
Environment
AIX
MQ 7.0.1.9
MB 6.1
(The above will all eventually be upgraded to 8.0.0.1 MB and 7.5 MQ but not for a while)
Reading the MB manual it talks about two different options for hooking up MB into MQ:
1) allow the MB ID to be part of the mqm group, or
2) do not allow the MB ID to be part of the mqm group and define objects manually and add relevant permissions.
My preference would be option 2 (I believe).
The environment I have to play with was set up as option 1 and of course when I remove the ID from mqm, MB is not able to access all objects etc.
I've seen in the knowledge centre a few pages on access to system queues etc but there does not seem to be a lot of detail in them (I may well have fully missed it though).
Just after the thoughts of my peers.
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Thu Apr 04, 2013 6:37 am    Post subject: Re: MQ / Message Broker Security
rammer wrote:
> Just after the thoughts of my peers.
My 2 cents:
Option 1 is a perfectly reasonable way to go. You should not allow developers (or anyone outside the admin area) access to the MB id any more than you allow access to the mqm id. The 2 products are quite tightly coupled and it's much easier to administer WMB (creating execution groups and so forth) with mqm access. It's a procedural issue to ensure that anyone in the WMB administration area does not create non-WMB WMQ objects using the mqm authority granted, assuming the administration of the 2 products is performed by 2 separate administration areas, which is something I would consider a non-optimum idea.
Following this route, WMB developers should be granted specific authorities to use WMB in the same way they're granted specific authorities to connect to a queue manager and use specific queues.
Other opinions may be equally or more valid.
_________________
Honesty is the best policy.
Insanity is the best defence.
rammer (Partisan, Joined: 02 May 2002, Posts: 359, Location: England)
Posted: Thu Apr 04, 2013 6:53 am
Thanks for the response, Vitor.
In terms of accessing queues etc they have read access which is good enough for their needs when accessed via rfhutil with relevant permissions set in MQ.
However this can obviously be got around simply by them logging onto the server using the MB Application Account and then using runmqsc, due to the application account being within the mqm group.
What I am looking at doing for a new environment, or even playing on this test one, is removing the account from the mqm group and setting relevant permissions in MQ for the app account.
But my main driver is that a new environment will be built, so I have a better chance of starting fresh on there, in which case I would look at not allowing the MB application account into mqm. On creation of the broker the manual indicated that I will need to create objects and set certain permissions manually for the creation and interaction of MB.
This is the bit I don't seem to be able to find a clear description of in the info centre: if I do go the manual route, exactly what system queues I need, with what permissions, etc.
Ramble over.
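
Added here as an example, not code from the thread or from IBM's documentation: a small POSIX shell audit that lists ids in mqm outside an administrator allow-list (the gap rammer describes, where an application account in mqm lets anyone who can log on as it run runmqsc) and prints the setmqaut grants that would replace mqm membership for the broker's service id. The /etc/group sample, the queue manager name QM1, the ids mqsiuid and devuser1, the group mqbrkrs and the two SYSTEM.BROKER.* queue names are assumptions; the complete queue list and the authorities each needs must come from the Message Broker manual for your version.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits mqm group membership
# against an allow-list of administrator ids and prints the least-privilege
# setmqaut grants that would replace mqm membership for a broker service id.

# Constructed /etc/group sample (not from a real server). Assumptions:
# mqsiuid is the broker service id, mqbrkrs its group, devuser1 a developer.
SAMPLE_GROUP='mqbrkrs:!:301:mqsiuid
mqm:!:300:mqm,mqadmin,mqsiuid,devuser1'

# Ids that are allowed to be in mqm (assumed administrator ids).
ALLOWED_ADMINS="mqm mqadmin"

# Print every member of mqm that is not on the allow-list, one per line.
# Usage: audit_mqm_members "<contents of /etc/group>"
audit_mqm_members() {
    members=$(printf '%s\n' "$1" | awk -F: '$1 == "mqm" { print $4 }' | tr ',' ' ')
    for m in $members; do
        allowed=no
        for a in $ALLOWED_ADMINS; do
            [ "$m" = "$a" ] && allowed=yes
        done
        [ "$allowed" = no ] && printf '%s\n' "$m"
    done
    return 0
}

# Print the setmqaut commands that grant one group only what a broker needs
# on one queue manager. On UNIX with MQ 7.0 the OAM holds authorities by
# group, so the grant goes to the service id's group (-g) rather than -p.
# The two SYSTEM.BROKER.* names are placeholders: take the full list and the
# authorities each needs from the Message Broker manual for your version.
# Usage: broker_grants <queue manager> <group>
broker_grants() {
    qmgr=$1; grp=$2
    printf 'setmqaut -m %s -t qmgr -g %s +connect +inq +dsp\n' "$qmgr" "$grp"
    for q in SYSTEM.BROKER.CONTROL.QUEUE SYSTEM.BROKER.ADMIN.QUEUE; do
        printf 'setmqaut -m %s -t queue -n %s -g %s +get +put +inq +browse +dsp\n' \
            "$qmgr" "$q" "$grp"
    done
    # verify the result afterwards with: dspmqaut -m <qmgr> -t qmgr -g <group>
}

# Stand-alone run: report who is in mqm without being an admin, then show
# what the broker id's group would be granted instead of mqm membership.
for id in $(audit_mqm_members "$SAMPLE_GROUP"); do
    echo "mqm member not on admin allow-list: $id"
done
broker_grants QM1 mqbrkrs
```

The audit half can be run against the real /etc/group on the dev server; the grant half only prints commands, so they can be reviewed before anyone runs them.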
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Thu Apr 04, 2013 7:55 am
rammer wrote:
> However this can obviously be got around simply by them logging onto the server using the MB Application Account and then using runmqsc due to the application account being within mqm group.
Vitor wrote:
> You should not allow developers (or anyone outside the admin area) access to the MB id any more than you allow access to the mqm id.
If you're not going to read what's being posted why are you bothering?
_________________
Honesty is the best policy.
Insanity is the best defence.
rammer (Partisan, Joined: 02 May 2002, Posts: 359, Location: England)
Posted: Thu Apr 04, 2013 8:26 am
Vitor wrote:
> rammer wrote:
> > However this can obviously be got around simply by them logging onto the server using the MB Application Account and then using runmqsc due to the application account being within mqm group.
> Vitor wrote:
> > You should not allow developers (or anyone outside the admin area) access to the MB id any more than you allow access to the mqm id.
> If you're not going to read what's being posted why are you bothering?
I'm afraid I do not control the ID for *current* environments. The MB Team have control over the ID as they use it for logging on with, and I have no authority to change this. I am hoping in new environments we will have more control, hence why I have started looking at options.