jason_e |
Posted: Tue Sep 09, 2003 11:32 am Post subject: MQ Security |
|
|
Apprentice
Joined: 19 Aug 2003 Posts: 33
|
Hi,
I have two security questions.
1. If I have two partners that I have an MQ connection with (a sender and receiver channel for each), how can I prevent one partner from putting or getting a message from a queue only meant for the other partner?
2. I have the MQ client set up on some machines and it's accessing some queues on the server to retrieve messages and sometimes get messages. The only security under w2k is that the username of the channel must be that of the logged in user.
How can I use a different security model with w2k (server and client) and the MQ client? I want to give the client a username and password and not use the currently logged in account as the user. I also want to prevent the client from accessing queues I don't want them to access.
Thanks
Jason |
mgrabinski |
Posted: Tue Sep 09, 2003 9:18 pm Post subject: |
|
|
Master
Joined: 16 Oct 2001 Posts: 246 Location: Katowice, Poland
|
In both cases you can use the PUTAUT attribute of a receiver channel. Set it to "CONTEXT". This will cause the incoming messages to be put to your queues with the remote user authority (the user name arrives in MQMD.UserID). Set up proper rights for all remote users.
_________________
Marcin Grabinski <><
techno |
Posted: Wed May 05, 2004 12:28 pm Post subject: |
|
|
Chevalier
Joined: 22 Jan 2003 Posts: 429
|
Client-server channels do not seem to have that attribute. What is the parameter here to be changed? Or how do you do it? I have a Java app connection to the MQ server through client-server channels.
jefflowrey |
Posted: Wed May 05, 2004 12:30 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
For client access to be controlled using a username and password, you need to use a security exit.
Otherwise, you can use SSL and an MCA. Use SSL to ensure that only the particular client can access the particular client channel, and the MCA to control what queues the client can access over that channel.
_________________
I am *not* the model of the modern major general.
PeterPotkay |
Posted: Wed May 05, 2004 1:26 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Quote: |
In both cases you can use the PUTAUT attribute of a receiver channel. Set it to "CONTEXT". This will cause the incoming messages to be put to your queues with the remote user authority (the user name arrives in MQMD.UserID). Set up proper rights for all remote users.
|
And then pray no one creates an mqm user on their machine and starts sending messages to any queue they want.
The PUTAUT attribute when set to CONTEXT is a big headache. If you do this, you now have to keep track of all the valid users, but you have no protection against anyone that wants to mess with you.
_________________
Peter Potkay
Keep Calm and MQ On
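
The concern raised in the last reply, together with question 1 of the original post, as an added example that is not part of any post in this thread: a simplified Python model (not IBM MQ code) of which identity the put-authority check runs against when a receiver channel uses PUTAUT(CONTEXT), written CTX below, versus the default PUTAUT(DEF). The use of the channel's MCAUSER attribute as the fixed identity, the grant table, and all queue, channel and user names are assumptions constructed for illustration.

```python
# Simplified model of the put-authority decision on a receiver channel.
# Not IBM MQ code; queue, channel and user names are constructed.
from dataclasses import dataclass

# Constructed authority table: user -> queues that user may put to.
GRANTS = {
    "partnera": {"PARTNERA.IN"},
    "partnerb": {"PARTNERB.IN"},
}
ADMIN_USERS = {"mqm"}  # administrative identity, may put anywhere


@dataclass
class Channel:
    name: str
    putaut: str   # "DEF" or "CTX"
    mcauser: str  # identity set on the channel by the local administrator


@dataclass
class Message:
    target_queue: str
    mqmd_user_id: str  # filled in by the sending side, not verified locally


def effective_user(channel, msg):
    """Return the identity the authority check is made against."""
    if channel.putaut == "CTX":
        return msg.mqmd_user_id.strip().lower()  # trusts the remote claim
    return channel.mcauser                        # fixed on the local side


def put_allowed(channel, msg):
    user = effective_user(channel, msg)
    if user in ADMIN_USERS:
        return True
    return msg.target_queue in GRANTS.get(user, set())


def demo():
    # A message arriving on partner B's channel, addressed to partner A's
    # queue, with MQMD.UserID claiming the administrative identity.
    msg = Message("PARTNERA.IN", "mqm")
    ctx = Channel("PARTNERB.TO.HUB", "CTX", "partnerb")
    dflt = Channel("PARTNERB.TO.HUB", "DEF", "partnerb")
    return {
        "CTX": put_allowed(ctx, msg),
        "DEF": put_allowed(dflt, msg),
        "DEF own queue": put_allowed(dflt, Message("PARTNERB.IN", "mqm")),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'put accepted' if allowed else 'put rejected'}")
```

In this model the per-partner separation only holds when the identity is fixed on the receiving side; under CTX the grant table is only as trustworthy as the user ID the remote queue manager chooses to send.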