| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| OAM for MQ queues on Point to point sndr/rcvr chls scenario |
« View previous topic :: View next topic » |
| Author |
Message
|
| kishi_25 |
 Posted: Sun Mar 11, 2018 5:21 pm Post subject: OAM for MQ queues on Point to point sndr/rcvr chls scenario |
 |
|
Centurion
Joined: 19 Jul 2011
Posts: 100
|
How do I setup OAM for the following scenario?
QMGR A:
sndr chl: QMGRA.TO.QMGRB
Remote queue: TEST.RQ
QMGR B:
Receiver chl: QMGRA.TO.QMGRB
Alias Queue: TESTA.RQ
TARG Q: APP.TESTA
Now, when I put a message from application A on QMGR A to Remote queu: TEST.RQ, it should be received by Local Queue on QMGRB: APP.TESTA
For this scenario, I want to allow application A to give access for only Alias queues: TESTA.RQ.
i) what's is the best way to do OAM for this?
ii) if i don't specify any appliation id's and provide specific OAM's on receiver channel MCA, the messages are routing to local queue on QMGR B.
Does this mean, for sndr/rcvr channel scenario, by default the applications will get full permission to put messages? if so, what's the id they use?
iii) If I specify some application id, the message are not reaching local queue, and i don't see messages anywhere...what' happening to the messages? are they failing when i'm putting it self? i'm using rfhutil and mqexplorer to put these messages. I don't see them either on DLQ or xmit queues and it doesn't through even authorization error |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Tue Mar 13, 2018 10:20 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
I'd recommend searching google for 'securing mq channels' and begin researching this well-documented subject.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| kishi_25 |
| Posted: Thu Mar 15, 2018 6:09 pm Post subject: |
|
|
Centurion
Joined: 19 Jul 2011
Posts: 100
|
I have gone through IBM Redbooks document SG24-8069-00.
It says for QMGR - QMGR communication -
"When a connection originates from another queue manager, the code that drives API calls against the local queue manager is the message channel agent. This code is vendor code that is written by IBM, operates under control of the local administration team, and will only ever execute CONNECT, INQUIRE, OPEN, and PUT calls. This design limits an attacker’s ability to access operating system and queue manager resources. However, local administrators have no control over the user ID and other context information carried by the messages that arrive,unless they implement a message exit that is capable of enforcing policies on these fields"
I understood this as, by default QMGR A- QMGR B communication to put a message on Queue B on QMGR B, QMGR A i) will have good level of access to put messages ii) they can also get super privilege with context information carried in msg.
i) To give restricted access on queue B on QMGR B, I tried to set mca user id and gave oam for put access on Queue B. This is not working as it seems its expecting +setall access at qmgr level. But, again since this is super privilege I don't want to give this access.
Any better recommended approach? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Mar 15, 2018 8:31 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Have you tried setting the MCAUser on the inbound channel?
You may need to allocate some channel privileges to the user to keep sequence numbers updated...
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
