ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecurityOAM for MQ queues on Point to point sndr/rcvr chls scenario

Post new topicReply to topic
OAM for MQ queues on Point to point sndr/rcvr chls scenario View previous topic :: View next topic
Author Message
kishi_25
PostPosted: Sun Mar 11, 2018 5:21 pm Post subject: OAM for MQ queues on Point to point sndr/rcvr chls scenario Reply with quote

Voyager

Joined: 19 Jul 2011
Posts: 94

How do I setup OAM for the following scenario?


QMGR A:
sndr chl: QMGRA.TO.QMGRB
Remote queue: TEST.RQ

QMGR B:
Receiver chl: QMGRA.TO.QMGRB
Alias Queue: TESTA.RQ
TARG Q: APP.TESTA

Now, when I put a message from application A on QMGR A to Remote queu: TEST.RQ, it should be received by Local Queue on QMGRB: APP.TESTA

For this scenario, I want to allow application A to give access for only Alias queues: TESTA.RQ.
i) what's is the best way to do OAM for this?
ii) if i don't specify any appliation id's and provide specific OAM's on receiver channel MCA, the messages are routing to local queue on QMGR B.
Does this mean, for sndr/rcvr channel scenario, by default the applications will get full permission to put messages? if so, what's the id they use?
iii) If I specify some application id, the message are not reaching local queue, and i don't see messages anywhere...what' happening to the messages? are they failing when i'm putting it self? i'm using rfhutil and mqexplorer to put these messages. I don't see them either on DLQ or xmit queues and it doesn't through even authorization error
Back to top
View user's profile Send private message
bruce2359
PostPosted: Tue Mar 13, 2018 10:20 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8128
Location: US: west coast, almost. Otherwise, enroute.

I'd recommend searching google for 'securing mq channels' and begin researching this well-documented subject.
_________________
I would tell you a UDP joke, but you might not get it.
Back to top
View user's profile Send private message
kishi_25
PostPosted: Thu Mar 15, 2018 6:09 pm Post subject: Reply with quote

Voyager

Joined: 19 Jul 2011
Posts: 94

I have gone through IBM Redbooks document SG24-8069-00.

It says for QMGR - QMGR communication -

"When a connection originates from another queue manager, the code that drives API calls against the local queue manager is the message channel agent. This code is vendor code that is written by IBM, operates under control of the local administration team, and will only ever execute CONNECT, INQUIRE, OPEN, and PUT calls. This design limits an attackers ability to access operating system and queue manager resources. However, local administrators have no control over the user ID and other context information carried by the messages that arrive,unless they implement a message exit that is capable of enforcing policies on these fields"

I understood this as, by default QMGR A- QMGR B communication to put a message on Queue B on QMGR B, QMGR A i) will have good level of access to put messages ii) they can also get super privilege with context information carried in msg.

i) To give restricted access on queue B on QMGR B, I tried to set mca user id and gave oam for put access on Queue B. This is not working as it seems its expecting +setall access at qmgr level. But, again since this is super privilege I don't want to give this access.
Any better recommended approach?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Thu Mar 15, 2018 8:31 pm Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19744
Location: LI,NY

Have you tried setting the MCAUser on the inbound channel?
You may need to allocate some channel privileges to the user to keep sequence numbers updated...

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ SecurityOAM for MQ queues on Point to point sndr/rcvr chls scenario
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.