pcelari
Posted: Fri Feb 14, 2014 8:32 am Post subject: how to prevent connected partners from viewing qmgr objects?
Chevalier
Joined: 31 Mar 2006 Posts: 411 Location: New York

Hello,
we have a business partner whose qmgr is connected to one of ours via a pair of sender/receiver channels. At one point I found out they were able to view all the objects in our qmgr, which is a big security risk.
I then did a test by disabling the SYSTEM.ADMIN.SVRCONN channel, hoping it would plug the hole. But I'm still able to view everything by using another qmgr as an intermediate qmgr.
It must be something trivial I'm missing. How can such access be denied?
Thanks for any insight.
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
zpat
Posted: Fri Feb 14, 2014 8:44 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

Use the blockip2 exit to restrict their access on svrconn channels (or CHLAUTH in MQ 7.1 and later).
On a receiver channel, you can also set the mcauser to an id that has enough access to the queues they need to update, but not to other things.
A blank MCA user field on an external receiver channel is a bad idea.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
Posted: Sat Feb 15, 2014 8:33 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

That won't stop them from floating a pcf message down your throat.
Easier: set an mcauser on the receiver channel and make sure it has put authority on all the queues they should have put authority on, and add the DLQ, but make sure that the SYSTEM.COMMAND.INPUT.QUEUE is not in the lot.
Have fun
_________________
MQ & Broker admin
Michael Dag
Posted: Sat Feb 15, 2014 10:21 am Post subject:
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)

Security is a non-trivial subject; if only one little hole exists you could be exposed. Contact me offline (link below) if you want to explore support in this area.
_________________
Michael
MQSystems Facebook page
pcelari
Posted: Fri Mar 07, 2014 2:19 pm Post subject:
Chevalier
Joined: 31 Mar 2006 Posts: 411 Location: New York

fjb_saper wrote:
> That won't stop them from floating a pcf message down your throat.
> Easier: set an mcauser on the receiver channel and make sure it has put authority on all the queues they should have put authority on, and add the DLQ, but make sure that the SYSTEM.COMMAND.INPUT.QUEUE is not in the lot.
> Have fun
Many thanks for sharing the insight. I should have known this long ago.
I had the misperception that SYSTEM.ADMIN.SVRCONN was all that mattered, a bad understanding. Only by looking at the qmgr attributes did I realize it is actually the SYSTEM.ADMIN.COMMAND.QUEUE queue that must be disallowed to the MCAUSER on the receiver channel.
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
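The two checks the thread converges on (a receiver channel must not run with a blank MCAUSER, and that MCAUSER must have no put authority on the queue manager's command queue), plus the hardening commands zpat and fjb_saper describe, as an added example that is not code from any poster or from IBM MQ. It parses text in the shape of runmqsc DISPLAY QMGR / DISPLAY CHANNEL output and dspmqaut output; the sample output is constructed, and the queue manager name QM.OURS, channel PARTNER.TO.OURS, user id partnerid, application queue APP.IN and the dead-letter queue name are assumptions.

```python
"""Audit a receiver channel for the hole discussed in this thread.

Added example, not code from any poster or from IBM MQ. It reads text in the
shape of runmqsc DISPLAY QMGR / DISPLAY CHANNEL output and dspmqaut output,
flags a blank MCAUSER and any put authority on the command queue, and emits
the hardening commands. The queue manager, channel, user id and queue names
below are assumptions; the sample output is constructed for illustration.
"""
import re

# Constructed runmqsc output (assumed names: QM.OURS, PARTNER.TO.OURS, partnerid).
DISPLAY_QMGR = """\
AMQ8408: Display Queue Manager details.
   QMNAME(QM.OURS)                         COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE)
"""
DISPLAY_CHANNEL_WEAK = """\
AMQ8414: Display Channel details.
   CHANNEL(PARTNER.TO.OURS)                CHLTYPE(RCVR)
   MCAUSER( )                              PUTAUT(DEF)
"""
DISPLAY_CHANNEL_FIXED = DISPLAY_CHANNEL_WEAK.replace("MCAUSER( )", "MCAUSER(partnerid)")

# Constructed dspmqaut output for:
#   dspmqaut -m QM.OURS -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -p partnerid
DSPMQAUT_WEAK = """\
Entity partnerid has the following authorizations for object SYSTEM.ADMIN.COMMAND.QUEUE:
        put
        inq
"""
DSPMQAUT_FIXED = DSPMQAUT_WEAK.splitlines()[0] + "\n"   # header only: no authorities


def parse_attrs(text):
    """Turn NAME(value) pairs from runmqsc DISPLAY output into a dict."""
    return {k: v.strip() for k, v in re.findall(r"([A-Z]+)\(([^)]*)\)", text)}


def parse_dspmqaut(text):
    """Return (entity, object, set of authorities) from dspmqaut output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = re.match(r"Entity (\S+) has the following authorizations for object (\S+):", lines[0])
    if not m:
        raise ValueError("unrecognised dspmqaut output")
    return m.group(1), m.group(2), {ln.strip() for ln in lines[1:]}


def audit_receiver(display_qmgr, display_channel, dspmqaut_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    chan = parse_attrs(display_channel)
    if chan.get("CHLTYPE") != "RCVR":
        raise ValueError("expected a receiver channel")
    if not chan.get("MCAUSER"):
        findings.append(f"{chan['CHANNEL']}: MCAUSER is blank, so messages arriving from the "
                        "partner are put with the channel program's own authority")
    # The command queue is whatever the queue manager's COMMANDQ attribute names.
    cmdq = parse_attrs(display_qmgr).get("COMMANDQ", "SYSTEM.ADMIN.COMMAND.QUEUE")
    entity, obj, auths = parse_dspmqaut(dspmqaut_text)
    if obj != cmdq:
        raise ValueError(f"dspmqaut output is for {obj}, not the command queue {cmdq}")
    if "put" in auths:
        findings.append(f"{entity} has put authority on {cmdq}: PCF commands sent over "
                        "the channel would reach the command server")
    return findings


def hardening_commands(qmgr, channel, mcauser, allowed_queues, dlq):
    """MQSC and setmqaut lines that apply the advice from the thread."""
    cmds = [
        # receiver channel runs under a low-privilege id instead of a blank one
        f"ALTER CHANNEL({channel}) CHLTYPE(RCVR) MCAUSER('{mcauser}')",
        # MQ 7.1 and later: no client access at all through the admin SVRCONN
        "SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS)",
    ]
    # put authority only on the queues the partner feeds, plus the DLQ
    for q in list(allowed_queues) + [dlq]:
        cmds.append(f"setmqaut -m {qmgr} -t queue -n {q} -p {mcauser} +put")
    # and none at all on the command queue (on UNIX, -g <group> is the usual form)
    cmds.append(f"setmqaut -m {qmgr} -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -p {mcauser} -all")
    return cmds


if __name__ == "__main__":
    for f in audit_receiver(DISPLAY_QMGR, DISPLAY_CHANNEL_WEAK, DSPMQAUT_WEAK):
        print("FINDING:", f)
    print("\n".join(hardening_commands("QM.OURS", "PARTNER.TO.OURS", "partnerid",
                                       ["APP.IN"], "SYSTEM.DEAD.LETTER.QUEUE")))
```

Run against the weak sample it reports both findings; against the fixed sample (MCAUSER set, no authorities on the command queue) it reports none. The same two checks can be repeated for any other queue the command server or an administrative tool reads from, which is the point pcelari makes about looking at the qmgr attributes rather than assuming the SVRCONN is the only door.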