| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Configuring security - MQ and Toolkit |
« View previous topic :: View next topic » |
| Author |
Message
|
| ruimadaleno |
 Posted: Tue Oct 07, 2014 2:01 am Post subject: Configuring security - MQ and Toolkit |
 |
|
Master
Joined: 08 May 2014
Posts: 274
|
Hi all,
this is a noobie question, i've been searching through documentation but i cannot see the big picture here 
We have a handfull of teams developing message flows in toolkit. Every developer of this teams connects remotely to WMB (development environment) to deploy , debug , start , stop message flows.
I want to understand how this remote connection from toolkit to WMB is established and how WMB handles this connections. My goal is to secure WMB , allowing only a set of users to connect remotely to broker, prevent users to start/stop message flow , prevent users to set/unset debug mode in an execution group.
so i'm looking for documentation on WMB security mode, mainly to understand how to secure WMB / toolkit connection in my development environment. 
My environment
WMB 8.0.0.4 running on windows 2008 r2 standard
_________________
Best regards
Rui Madaleno |
|
| Back to top |
|
 |
| Vitor |
| Posted: Tue Oct 07, 2014 4:38 am Post subject: Re: Configuring security - MQ and Toolkit |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| ruimadaleno wrote: |
| I want to understand how this remote connection from toolkit to WMB is established and how WMB handles this connections. |
It doesn't. The connection is to the broker's queue manager, and there's a wealth of information on how to secure an MQ client connection.
| ruimadaleno wrote: |
| My goal is to secure WMB , allowing only a set of users to connect remotely to broker, prevent users to start/stop message flow , prevent users to set/unset debug mode in an execution group. |
Noble. Rather a bit of overkill for a dev environment IMHO but hey, it's your dev environment not mine. Have at it. 
| ruimadaleno wrote: |
| so i'm looking for documentation on WMB security mode, mainly to understand how to secure WMB / toolkit connection in my development environment. |
Well the WMB security mode is "active" or "inactive", so that's not much help to you - I suspect you're looking at "active" as a choice. Connection security is,as I said, an MQ client connection that can be secured in all the many, many ways a client connection can be secured - if you think of Toolkit as Just Another MQ Client Application you won't go far wrong.
Access to functions within WMB (like deployment) are controlled by MQ authorities on the SYSTEM.BROKER queues and are documented in the WMB InfoCenter 
That's as big as the picture gets.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| ruimadaleno |
| Posted: Thu Oct 09, 2014 2:13 am Post subject: |
|
|
Master
Joined: 08 May 2014
Posts: 274
|
Hi Vitor,
thank you for your reply. You are right, securing an DEV environment can be an overkill, but hey,it's not my environment , its company environment and if management want's security , i need to give that to them 
Right now i understand that to secure WMB from toolkit i have to define authorities on channels, and yes i'm navigating in infocenter, but as you said it is the bigger picture i can have and honestly i'm lost 
so, i'm looking for some guidance from you folks, who have walked this path of securing the wmb
_________________
Best regards
Rui Madaleno |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Oct 09, 2014 2:48 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Activate the broker security and use MQ ACLs on the system broker queues as per the infocenter.
You might want to have new Unix groups set up to represent different roles for the users, then get the users added to the appropriate group(s) and use the group name(s) on the MQ ACLs.
Never use the user (or principal) name on MQ ACLs as this bizarrely grants access to the users default group (which is often "users")!
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
