How MCA user id really works while authorizing a client App

sijtom0703
Posted: Mon Nov 25, 2013 9:51 pm

I have a question on how the MCA user id we add while creating a WebSphere MQ Server Connection channel actually authorizes a client user id configured in an MQ client Application.

For example, I have a domain user account servicemq01@domain added as MCA user id for a Server connection channel APP1.SVRCONN.01. I have created a user group mqi_App1@server and added the servicemq01@domain user id into it. The mqi_App1 group is given the required authorities to connect to the queue manager. Also the required authorities are added at the queue level for the mqi_App1 group.

Now the client Application App1 has a userid clientapp01@domain with which it runs. The client Application is trying to connect to the MQ server using channel APP1.SVRCONN.01. My question is: do both clientapp01@domain and servicemq01@domain need to match for the MQ Server connection channel to work?

gs
Posted: Tue Nov 26, 2013 1:19 am

The Client application username is disregarded if you specify an MCA user.
Thus, there is no need for a match.

If you leave the MCA user field empty (not recommended) the Client application username is presented by the MQ client to the Queue manager.

It would be wiser to give the MCA user authorizations directly as it gives you more granularity than by authorizing the group.

mqjeff
Posted: Tue Nov 26, 2013 3:55 am

MCAUSERs do not authenticate. They replace.

JosephGramig
Posted: Tue Nov 26, 2013 6:49 am

Remember, when the only thing you've specified is MCAUSER, everybody who can connect to the Qmgr on this channel will do so with what this ID was authorized to do. So the firewall in front of this Qmgr is the only thing protecting it (somewhat) and that is by IP address.

What are you trying to achieve from a security point of view?

sijtom0703
Posted: Tue Nov 26, 2013 1:17 pm

Thanks to everyone who made it very clear for me. I was trying to understand whether the client id needs to match if we specify an MCA user in the channel. Also I understand anyone can connect to the channel and is authorized to access anything the MCA user is authorized...

bruce2359
Posted: Tue Nov 26, 2013 1:53 pm

sijtom0703 wrote:
Thanks to everyone who made it very clear for me. I was trying to understand whether the client id needs to match if we specify an MCA user in the channel.

No matching takes place. If the MCAUSER attribute is non-blank, then the MCAUSER identity will be used for access-checking. If the MCAUSER attribute is blank, then the logged-on userid from the o/s of the client will be used for access-checking.

sijtom0703 wrote:
Also I understand anyone can connect to the channel and is authorized to access anything the MCA user is authorized...

Slightly different wording: If the MCAUSER attribute is non-blank, anyone who can connect to the channel will have MCAUSER's access privilege.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
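
Added example (not part of any post in this thread, and not IBM's code): a small audit sketch that applies the blank/non-blank MCAUSER rule described above to `DISPLAY CHANNEL` output from runmqsc. The sample output is constructed; APP1.SVRCONN.01 and servicemq01@domain come from the question, while APP2.SVRCONN.01 and the function names are hypothetical.

```python
import re

# Constructed sample of "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" output.
# APP1.SVRCONN.01 is the channel from the thread; APP2.SVRCONN.01 is hypothetical.
SAMPLE_MQSC = """\
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN.01)                CHLTYPE(SVRCONN)
   MCAUSER(servicemq01@domain)
AMQ8414: Display Channel details.
   CHANNEL(APP2.SVRCONN.01)                CHLTYPE(SVRCONN)
   MCAUSER( )
"""

ATTR = re.compile(r"(\w+)\(([^)]*)\)")

def parse_channels(text):
    """Return {channel name: {attribute: value}} from MQSC display output."""
    channels, current = {}, None
    for line in text.splitlines():
        if line.startswith("AMQ"):
            current = None  # a message line starts a new channel record
            continue
        for key, value in ATTR.findall(line):
            if key == "CHANNEL":
                current = channels.setdefault(value.strip(), {})
            elif current is not None:
                current[key] = value.strip()
    return channels

def effective_user(mcauser, client_user):
    """Identity used for access checking: a non-blank MCAUSER replaces the client id."""
    return mcauser if mcauser.strip() else client_user

def audit(channels):
    """Say, per SVRCONN channel, whose authority a connecting client ends up with."""
    findings = {}
    for name, attrs in channels.items():
        if attrs.get("CHLTYPE") != "SVRCONN":
            continue
        mcauser = attrs.get("MCAUSER", "")
        if mcauser:
            findings[name] = f"every connection runs as {mcauser}"
        else:
            findings[name] = "client-presented user id is used"
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_channels(SAMPLE_MQSC)).items():
        print(f"{name}: {finding}")
```

Neither outcome involves authenticating the client: in the first case the identity is fixed by the channel, in the second it is whatever the client presents.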

RogerLacroix
Posted: Wed Nov 27, 2013 4:32 pm

sijtom0703 wrote:
I have a question on how the MCA user id we add while creating a WebSphere MQ Server Connection channel actually authorizes a client user id configured in an MQ client Application.

For example, I have a domain user account servicemq01@domain added as MCA user id for a Server connection channel APP1.SVRCONN.01. I have created a user group mqi_App1@server and added the servicemq01@domain user id into it. The mqi_App1 group is given the required authorities to connect to the queue manager. Also the required authorities are added at the queue level for the mqi_App1 group.

Now the client Application App1 has a userid clientapp01@domain with which it runs. The client Application is trying to connect to the MQ server using channel APP1.SVRCONN.01. My question is: do both clientapp01@domain and servicemq01@domain need to match for the MQ Server connection channel to work?

No. By putting a UserId in the channel's MCAUSER field, you are overriding the UserId that the application is using. Any and ALL applications that connect on channel 'APP1.SVRCONN.01' will be using UserId 'servicemq01@domain'.

Very trusting of you and NOT very secure.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!