MO71 security problems using client connection
januckolls
PostPosted: Wed Sep 15, 2004 4:19 pm    Post subject: MO71 security problems using client connection

Newbie

Joined: 15 May 2003
Posts: 9

I am having difficulty in getting anything back from a request using MO71 with a client connection using a SVRCONN that contains an MCAUSER other than 'mqm'. I get the message "Request sent" and it never comes back. I have issued the following setmqaut commands in an "attempt" to authorize the group Id in addition to others authorizing access to specific queue name profiles:

setmqaut -m QM1 -t qmgr -g CAIS +connect
setmqaut -m QM1 -t q -g CAIS -n MQMON.** +allmqi +crt
setmqaut -m QM1 -t q -g CAIS -n SYSTEM.ADMIN.COMMAND.QUEUE +put
setmqaut -m QM1 -t q -g CAIS -n SYSTEM.DEFAULT.MODEL.QUEUE +allmqi +crt

I know it has to be something rather simple but perhaps a little obscure

Thanks for any help!

Cheers...
Jim Nuckolls
Nigelg
PostPosted: Thu Sep 16, 2004 1:02 am    Post subject:

Grand Master

Joined: 02 Aug 2004
Posts: 1046

You are nearly there with the setmqaut commands.

Try this set:

Issue these setmqaut commands to grant minimal authority to the userID:

setmqaut -m QM1 -t qmgr -p CAIS +connect +inq +dsp
setmqaut -m QM1 -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p CAIS +inq +browse +get
setmqaut -m QM1 -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p CAIS +inq +put

The purpose of these commands is:
1. Grant authority to access the qmgr
2. Grant authority to the client channel to get the command server reply messages
3. Grant authority to put messages onto the command server input queue

Administration setmqaut commands, +chg +clr +dlt +dsp, will be required on each object in the qmgr to be administered remotely.

Are you sure the group is really called CAIS? Is the remote system UNIX? I would have expected the group name to be in lower case.
If you are issuing the setmqaut commands on UNIX, you will need to protect the wildcards from the shell, i.e. enclose the queue spec in single quotes 'MQMON.**'.
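The minimal authority set above is easy to get subtly wrong (missing +get on the model queue, -p instead of -g, a wildcard eaten by the shell), and the symptom is just a silent "Request sent". Added example, not from this thread or from MO71: a small POSIX sh checker that reads dspmqaut output and reports which of the required authorities are absent. The queue manager name QM1 and the dspmqaut output are constructed samples in the format the thread shows.

```shell
# Added example (not from the thread). Checks dspmqaut output against the minimal
# authority sets Nigelg lists for a command-server client:
#   qmgr                        -> connect inq dsp
#   SYSTEM.DEFAULT.MODEL.QUEUE  -> inq browse get
#   SYSTEM.ADMIN.COMMAND.QUEUE  -> inq put
# Real use: dspmqaut -m QM1 -t qmgr -g cais | missing_auths 'connect inq dsp'

# missing_auths REQUIRED: read dspmqaut output on stdin and print the required
# authorities that are not granted (space separated; empty when all are present).
missing_auths() {
    req=$1
    # Drop the "Entity X has the following authorizations for object Y:" header;
    # every remaining line is one authority name.
    have=$(sed '1d' | tr -d '\r' | tr '\n' ' ')
    missing=""
    for a in $req; do
        case " $have " in
            *" $a "*) ;;                    # granted
            *) missing="$missing $a" ;;     # absent
        esac
    done
    printf '%s' "${missing# }"
}

# Constructed sample output in dspmqaut's format. The qmgr profile is complete;
# the model queue profile lacks browse and get, which is enough to break MO71's
# reply queue and leave the request hanging.
SAMPLE_QMGR='Entity CAIS has the following authorizations for object QM1:
inq
connect
dsp'
SAMPLE_MODELQ='Entity CAIS has the following authorizations for object SYSTEM.DEFAULT.MODEL.QUEUE:
inq
put'

# check_sample OUTPUT REQUIRED: print "ok" or the missing list; return 1 if any missing.
check_sample() {
    m=$(printf '%s\n' "$1" | missing_auths "$2")
    if [ -n "$m" ]; then
        printf 'missing: %s\n' "$m"
        return 1
    fi
    printf 'ok\n'
}

check_sample "$SAMPLE_QMGR" 'connect inq dsp'            # ok
check_sample "$SAMPLE_MODELQ" 'inq browse get' || true   # missing: browse get
```

Pipe each real dspmqaut call for the group (not the user, and in the case the OS actually uses) into missing_auths to see at a glance which profile is short.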
Nigelg
PostPosted: Thu Sep 16, 2004 3:51 am    Post subject:

Grand Master

Joined: 02 Aug 2004
Posts: 1046

Sorry, I should have put -g CAIS above, not -p. The -p flag is used when the entity is a user, not a group.
januckolls
PostPosted: Thu Sep 16, 2004 2:07 pm    Post subject:

Newbie

Joined: 15 May 2003
Posts: 9

I followed your suggested settings (and a few more) but still no joy

Here is where things sit at present:

$ dspmqaut -m QMIIEP2 -t qmgr -g CAIS
Entity CAIS has the following authorizations for object QMIIEP2:
inq
connect
dsp

$ dspmqaut -m QMIIEP2 -t q -g CAIS -n SYSTEM.DEFAULT.MODEL.QUEUE
Entity CAIS has the following authorizations for object SYSTEM.DEFAULT.MODEL.QUEUE:
get
browse
put
inq
set
passid
passall
setid
setall


$ dspmqaut -m QMIIEP2 -t q -g CAIS -n SYSTEM.ADMIN.COMMAND.QUEUE
Entity CAIS has the following authorizations for object SYSTEM.ADMIN.COMMAND.QUEUE:
put
inq

$ dspmqaut -m QMIIEP2 -t q -g CAIS -n 'MQMON.**'
Entity CAIS has the following authorizations for object MQMON.**:
get
browse
put
inq

I set security on 'MQMON.**' so it would cover the actual temporary dynamic queue created using SYSTEM.DEFAULT.MODEL.QUEUE.

Attempted to get a Queue List as well as get a display of the Qmgr object itself and in both cases I received the following error message:

Error opening queue 'QMIIEP2/SYSTEM.DEFAULT.MODEL.QUEUE' RC(2035) Not authorized.

This is beginning to get irritating
PeterPotkay
PostPosted: Thu Sep 16, 2004 3:31 pm    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

You need a lot more MQ auts than just the MQ API to admin the QM. Specifically, you need all the Admin rights. Issue +alladm +allmqi to the ID in question. And then if you really feel the need, start taking away the rights one by one to see what is really needed or not.

MO71 is an Admin tool primarily, so it should connect with full Admin rights.

If you want to limit what the user can do, use MO71's built-in Security features to limit the user. You did read the pdf manual that comes with MO71, right? Especially the chapter on security?
_________________
Peter Potkay
Keep Calm and MQ On
januckolls
PostPosted: Thu Sep 16, 2004 8:28 pm    Post subject:

Newbie

Joined: 15 May 2003
Posts: 9

This is a criminal justice system and nobody can have access to anything that doesn't belong to them, period! There can be no mqmon.aut file lying around somewhere, period! Access has to be granted using setmqaut and only mqm can do that. So, I am afraid that I am stuck with making it work and basically restricting agencies to what might be classed as a "view" of only a subset of MQ objects that belong to that agency.

I wish it were simpler

Cheers...
Jim
Nigelg
PostPosted: Fri Sep 17, 2004 12:30 am    Post subject:

Grand Master

Joined: 02 Aug 2004
Posts: 1046

Hmm.
The settings I gave are actually the ones needed for Explorer to connect to a remote UNIX qmgr, and should give the permissions to the MODEL queue.
You do not need to set permissions on the dynamic queues created from a MODEL queue, you get those permissions anyway.

Is MO71 like Explorer?
Does it use the command server?

What is the user name?
Is it in group CAIS?
If the user name is in caps on Windows, then it will be translated to lower case on UNIX at connection time.
jefflowrey
PostPosted: Fri Sep 17, 2004 3:15 am    Post subject:

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

januckolls wrote:
This is a criminal justice system and nobody can have access to anything that doesn't belong to them, period!

I wish it were simpler


Maybe you should think about a "professional" tool. All of the centralized monitoring/management tools that I know of allow you to scope users in exactly the way you are looking for.

Some of them are more expensive than others.
_________________
I am *not* the model of the modern major general.
PeterPotkay
PostPosted: Fri Sep 17, 2004 4:44 am    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

For example, QPASA from MQSoftware can be very granular as to what it allows individuals to see. You grant authorities on QPASA Security Groups, and then place members into those groups.

Back to MO71, couldn't that file that determines what people can and can't do be housed on a secure central server?

MO71 does use the command server.
_________________
Peter Potkay
Keep Calm and MQ On
januckolls
PostPosted: Fri Sep 17, 2004 8:39 am    Post subject:

Newbie

Joined: 15 May 2003
Posts: 9

The client is going to implement a monitoring solution (vendor as yet unchosen). That may take some time if my past experiences hold true here. This is to provide some access while the monitoring effort slowly rolls forward.

As to the way things are defined currently:

1. There is a User Id and Group - both named CAIS (uppercase) that has been defined on an AIX system where the Qmgr resides.

2. A CAIS.SVRCONN channel has been defined with MCAUSER(CAIS).

3. CAIS.SVRCONN has been specified in the MO71 client connection.

If uppercase/lowercase is getting in the way here that is a relatively easy fix to implement given that is indeed the problem.

Thanks for all the replies by the way.

Cheers...
Jim
PeterPotkay
PostPosted: Fri Sep 17, 2004 8:49 am    Post subject:

Poobah

Joined: 15 May 2001
Posts: 7722

Just be aware that any app can now connect to CAIS.SVRCONN and MQ with the authority you gave CAIS. You'll have to use SSL or a Security Exit to validate who the other side is.

SSL/Exits verify who the other side is.
setmqauts on UserIDs limit what those people can do.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
PostPosted: Sat Sep 18, 2004 12:30 pm    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

januckolls
Here is an idea. Peter or jeff perhaps you can verify its validity...

If you need security so tight perhaps it would be advisable to create a qmgr for each group/agency needing access.
No group would have direct access to the qmgr for the application but each group would have access to their own qmgr which talks with the qmgr for the application.

Now you can set up channels and determine a command queue that is really a remote queue for the command queue on the qmgr running the app. The communication channels can each have their mcauser.

Now if you set the admin permissions right and admin is being done through the "pass through" qmgr you can guarantee that one group is not going to hit on stuff from the other.

I know it is a little bit complex of a setup, with MO71 only accessing the "pass through" qmgr... But after all it is security you are after...

Enjoy