ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » Users with or without passwords

Post new topic  Reply to topic Goto page Previous  1, 2
 Users with or without passwords « View previous topic :: View next topic » 
Author Message
fjb_saper
PostPosted: Fri Nov 03, 2017 6:39 am    Post subject: Re: Users with or without passwords Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

NickSz wrote:

I have put up the following config:
Add user and groups
mqa(mqcli)# groupcreate -g gxyz
mqa(mqcli)# groupcreate -g gzyx
mqa(mqcli)# usercreate -u abc -d abc -g gxyz
mqa(mqcli)# usercreate -u cba -d cba -g gzyx

Non privileged user ID
Code:
DEFINE CHANNEL(CLIENT.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL) HBINT(30) REPLACE

SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
SET CHLAUTH('CLIENT.SVRCONN') TYPE (USERMAP) CLNTUSER(abc) USERSRC(MAP) MCAUSER(abc)
SET CHLAUTH('CLIENT.SVRCONN') TYPE (USERMAP) CLNTUSER(cba) USERSRC(MAP) MCAUSER(cba)

SET AUTHREC OBJTYPE(QMGR)                   GROUP('gxyz') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QMGR)                   GROUP('gzyx') AUTHADD(ALLMQI)

SET AUTHREC OBJTYPE(QUEUE)    PROFILE('**') GROUP('gxyz') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QUEUE)    PROFILE('**') GROUP('gxyz') AUTHADD(CRT)
SET AUTHREC OBJTYPE(QUEUE)    PROFILE('**') GROUP('gzyx') AUTHADD(ALLMQI)

SET AUTHREC OBJTYPE(CHANNEL)  PROFILE('**') GROUP('gxyz') AUTHADD(ALL)
SET AUTHREC OBJTYPE(CHANNEL)  PROFILE('**') GROUP('gxyz') AUTHADD(CRT)
SET AUTHREC OBJTYPE(CHANNEL)  PROFILE('**') GROUP('gzyx') AUTHADD(ALLMQI)

...

and so on.

Am i correct or am i missing something.

Best regards
Nicolaie

Yes I believe you are missing something.
Where is the connect authority for the qmgr for group gzyx ?
Quote:
SET AUTHREC OBJTYPE(QMGR) GROUP('gzyx') AUTHADD(ALLMQI)

I would not expect allmqi to have +connect for the qmgr...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
NickSz
PostPosted: Mon Nov 06, 2017 5:08 am    Post subject: Reply with quote

Novice

Joined: 26 Jul 2008
Posts: 12
Location: Zurich

fjb_saper, you are absolutely correct.
I have now following in my standard setup:
Code:
SET AUTHREC OBJTYPE(QMGR) GROUP('gxyz') AUTHADD(ALL, CONNECT, INQ)
SET AUTHREC OBJTYPE(QMGR) GROUP('gzyx') AUTHADD(DSP, CONNECT, INQ)
Back to top
View user's profile Send private message Visit poster's website
fjb_saper
PostPosted: Mon Nov 06, 2017 5:28 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

NickSz wrote:
fjb_saper, you are absolutely correct.
I have now following in my standard setup:
Code:
SET AUTHREC OBJTYPE(QMGR) GROUP('gxyz') AUTHADD(ALL, CONNECT, INQ)
SET AUTHREC OBJTYPE(QMGR) GROUP('gzyx') AUTHADD(DSP, CONNECT, INQ)


However if you need ALLMQI on the queues (set context authorities) you will also need ALLMQI on the queue manager.
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
zpat
PostPosted: Mon Nov 06, 2017 5:42 am    Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Don't be lazy by using "**" for queues or other profiles, because that will include all SYSTEM objects in the permissions.

Make sure to use an application object naming convention prefix so that system objects are not modifiable by application users and can be separated from other applications and from other groups.

Granting update access to all system objects totally destroys any pretence of security or integrity.

So the queue profile might be "APP1.**"

There is a legitimate need for limited access to one or two system queues to allow tools like MQ explorer to function.

Quote:
setmqaut -m XXX -t queue -n SYSTEM.DEFAULT.MODEL.QUEUE -g appgroup +dsp +inq +allmqi
setmqaut -m XXX -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g appgroup +dsp +inq +get +browse +put
setmqaut -m XXX -t queue -n SYSTEM.MQEXPLORER.REPLY.MODEL -g appgroup +inq +browse +get +dsp

_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Goto page Previous  1, 2 Page 2 of 2

MQSeries.net Forum Index » IBM MQ Security » Users with or without passwords
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.