nelson
Posted: Tue Feb 18, 2014 6:48 am Post subject: Windows domain users authentication in UNIX MQ server
Partisan
Joined: 02 Oct 2012 Posts: 313
Hi All,
I'm not sure if this is a basic question, but I was not able to find a related topic in the Infocenter.
Working on MQ 7.1 on AIX, a client from Windows needs to connect to the MQ Server using a domain user. Does MQ Server on AIX properly resolve the user ID from the domain@user pair? I have read this article, but it seems to apply only to the Windows platform... Am I wrong?
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.amqtac.doc%2Fwq10840_.htm
Could any of you please help me find the documentation for this specific authorization scenario?
Any help is very much appreciated.
Kind regards.
Last edited by nelson on Tue Feb 18, 2014 6:58 am; edited 1 time in total
Vitor
Posted: Tue Feb 18, 2014 6:52 am Post subject: Re: Windows domain users authentication in UNIX MQ server
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
nelson wrote:
    does MQ Server on AIX properly resolve the user ID from the domain@user pair?
AIX (which is what the WMQ server is using to control its ids) doesn't speak Windows. That's not a WMQ thing, it's an AIX (and indeed a Unix) thing.
_________________
Honesty is the best policy.
Insanity is the best defence.
nelson
Posted: Tue Feb 18, 2014 6:57 am Post subject: Re: Windows domain users authentication in UNIX MQ server
Partisan
Joined: 02 Oct 2012 Posts: 313
Vitor wrote:
    nelson wrote:
        does MQ Server on AIX properly resolve the user ID from the domain@user pair?
    AIX (which is what the WMQ server is using to control its ids) doesn't speak Windows. That's not a WMQ thing, it's an AIX (and indeed a Unix) thing.
Ok... So, on the Windows side I must use local users?
Vitor, thanks for your quick response.
Vitor
Posted: Tue Feb 18, 2014 7:05 am Post subject: Re: Windows domain users authentication in UNIX MQ server
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
nelson wrote:
    Ok... So, on the Windows side I must use local users?
No, on the Windows side you must use AIX users!
Seriously, you can't use the domain@ type and you need to understand that the user id will be validated on the AIX side.
A typical way of dealing with this is to set the MCAUser in the channel. This not only solves the Windows id problem, but allows you to control access via that channel.
nelson
Posted: Tue Feb 18, 2014 7:43 am Post subject: Re: Windows domain users authentication in UNIX MQ server
Partisan
Joined: 02 Oct 2012 Posts: 313
Vitor wrote:
    nelson wrote:
        Ok... So, on the Windows side I must use local users?
    No, on the Windows side you must use AIX users!
    Seriously, you can't use the domain@ type and you need to understand that the user id will be validated on the AIX side.
    A typical way of dealing with this is to set the MCAUser in the channel. This not only solves the Windows id problem, but allows you to control access via that channel.
Thanks Vitor,
Let me try to understand. What we usually do is to create a local user that matches the AIX user that has the proper rights to do the MQ stuff that we want. Does this mean using AIX users?
Another question... does specifying the MCAUser in the channel overwrite the OS user (domain or non-domain user) that is making the request to the MQ Server?
Thanks a lot for your help!
Vitor
Posted: Tue Feb 18, 2014 7:59 am Post subject: Re: Windows domain users authentication in UNIX MQ server
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
nelson wrote:
    Let me try to understand. What we usually do is to create a local user that matches the AIX user that has the proper rights to do the MQ stuff that we want. Does this mean using AIX users?
Remember that on AIX WMQ security is at the group level, not the id level. So the Windows id coming down the channel is matched to the AIX user, and it's the authority of that group that is used. Typically people use an MCAUser so they don't have to go through the trouble of setting up each Windows id on their Unix box.
nelson wrote:
    Another question... does specifying the MCAUser in the channel overwrite the OS user (domain or non-domain user) that is making the request to the MQ Server?
Yes.
bruce2359
Posted: Tue Feb 18, 2014 9:05 am
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Windows domain security does not extend to (encompass, embrace) AIX or iSeries or z/OS.
Each platform o/s has its own requirements and limitations as to the format and content of usernames and passwords.
Therefore, your (client's) Windows username must be defined to the AIX o/s, and appropriate authorizations granted to the group that the username is a member of. Sounds kinda clunky, doesn't it?
An alternative would be to implement a Kerberos-type system-wide security system.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
JosephGramig
Posted: Tue Feb 18, 2014 9:42 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
A quick search of this site would have brought up several discussions where we will tell you:
- The process at the client end of the connection can present any ID they want (like mqm)
- Unless you are using SSL or security exits to authenticate the identity of the process at the other end, you have no meaningful security
- Consider SSL and using SSLPEER or CHLAUTH to filter/map certificates to a known ID at the MQ Server
As an example, use MQ Explorer to make a client connection to the AIX Qmgr. Now, right click on the Qmgr and select "Connection Details->properties..." Then on the left select "Userid". Then type mqm for the ID and push the OK button. Next time you connect, you will be mqm unless somebody overrode MCAUSER on the channel or CHLAUTH rules are in effect and don't allow this connection (which is the default behavior at WMQ 7.1 and up).
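As an added example (not posted by anyone in this thread), the MQSC a defender would run on the AIX queue manager to put Vitor's MCAUser advice and JosephGramig's CHLAUTH/SSLPEER advice together: the channel carries an MCAUSER so the Windows identity is never what gets authorized, and CHLAUTH rules deny by default, map an authenticated client certificate to that AIX user, and keep administrative IDs blocked. The queue manager name QM1, channel APP1.SVRCONN, AIX user app1usr, its group app1grp, the certificate DN and the CipherSpec are all assumptions.

```mqsc
* Added example, not from the thread. Assumed names: queue manager QM1,
* channel APP1.SVRCONN, AIX user app1usr (group app1grp), client cert DN below.
* Run with: runmqsc QM1

* 1. A dedicated SVRCONN channel. MCAUSER fixes the identity used for
*    authorization to an AIX user; whatever ID the Windows client asserts
*    (domain user, local user, or mqm) is not used. SSLCAUTH(REQUIRED)
*    forces the client to present a certificate that the QMGR can verify.
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('app1usr') +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
       REPLACE

* 2. Default deny on this channel. ADDRESSMAP with ADDRESS('*') is the
*    lowest-precedence rule type, so any connection that matches no more
*    specific rule below is refused.
SET CHLAUTH(APP1.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)

* 3. Map the verified certificate DN to the AIX user. This is the
*    "filter/map certificates to a known ID" step; the group authorities
*    of app1usr (granted with setmqaut -g app1grp) then apply.
SET CHLAUTH(APP1.SVRCONN) TYPE(SSLPEERMAP) +
    SSLPEER('CN=app1client,OU=Apps,O=Example') +
    USERSRC(MAP) MCAUSER('app1usr') ACTION(REPLACE)

* 4. Keep the 7.1 default that blocks administrative IDs. BLOCKUSER is
*    checked against the MCAUSER that results after mapping, so no later
*    change to this channel can quietly end up running as mqm.
SET CHLAUTH(APP1.SVRCONN) TYPE(BLOCKUSER) USERLIST('*MQADMIN') +
    ACTION(REPLACE)

* 5. Before going live, ask the QMGR which rule a given connection hits.
*    Here a client asserting mqm with the mapped certificate should come
*    out as app1usr, not as mqm and not as NOACCESS.
DISPLAY CHLAUTH(APP1.SVRCONN) MATCH(RUNCHECK) +
    CLNTUSER('mqm') ADDRESS('192.0.2.10') +
    SSLPEER('CN=app1client,OU=Apps,O=Example')
```

The group-level authorities Vitor describes are granted separately on AIX, for example `setmqaut -m QM1 -t qmgr -g app1grp +connect +inq` and `setmqaut -m QM1 -t queue -n APP1.REQUEST -g app1grp +put` (queue name assumed), so only what app1grp is allowed is reachable over this channel regardless of the Windows user.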