sivakumar (Newbie, Joined: 21 Sep 2004, Posts: 9)
Posted: Tue Sep 21, 2004 11:16 pm Post subject: authenticating users in MQ Series

Hi,
Can somebody tell me how I can configure MQ server to authenticate and authorize users?
Thanks,
Siva

siliconfish (Master, Joined: 12 Aug 2002, Posts: 203, Location: USA)
Posted: Wed Sep 22, 2004 12:12 am

sivakumar (Newbie, Joined: 21 Sep 2004, Posts: 9)
Posted: Wed Sep 22, 2004 3:51 am

jefflowrey (Grand Poobah, Joined: 16 Oct 2002, Posts: 19981)
Posted: Wed Sep 22, 2004 4:11 am

What do you mean by "authenticate and authorize"?
MQ does this out of the box, using the Object Authority Manager (OAM) on distributed platforms.
You could read the System Administration Guide where it talks about the setmqaut command and the role of the group called 'mqm'.
Or you could use SSL, and provide certificates to your users. Then you would have to set up a separate channel for each user or team that had an MCAUser set up.
So, what needs are you trying to fill?
_________________
I am *not* the model of the modern major general.

sivakumar (Newbie, Joined: 21 Sep 2004, Posts: 9)
Posted: Wed Sep 22, 2004 4:22 am

Thanks for your reply,
At present the application doesn't pass any username or password to MQ, and it is working fine. Now, we want the application to be authorized before posting/reading any messages.
Is there any property we need to set to enable MQ to authorize?
If we authorize, where can we configure the authorization info?
I am only interested in application-level authorization and not in admin authorization.
Thanks,
Siva

zpat (Jedi Council, Joined: 19 May 2001, Posts: 5866, Location: UK)
Posted: Wed Sep 22, 2004 4:24 am

WebSphere MQ does not really provide message-level authentication as standard. You can write message exits or use OEM products to do this.
You can also transport security credentials in the message for the application to authenticate. Many people would say that it is the application's responsibility to verify the message before accepting it.
If you want transparent (to the application) message integrity and/or privacy then an IBM/Tivoli product (Access Manager for WMQ) can do this; it is available bundled with WMQ for about 1/3rd additional cost or can be purchased separately.

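The "credentials in the message, verified by the application" option zpat mentions, as an added example that is not from the thread, from IBM, or from any of the products named: the sender puts the caller's user ID into the message text together with a keyed MAC over user ID, timestamp and body, and the receiving application recomputes the MAC with the shared key before acting. A bare user ID field would be worthless on its own (any sender can write any name), so the MAC is what binds the identity to the message. The three-line header layout, the pre-shared key passed as an argument, the 300-second freshness window, and the use of openssl for HMAC-SHA256 are all this example's own assumptions; in a real deployment the key would come from a keystore, not a command line.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: openssl in PATH, a key
# shared by sender and receiver (passed as $1 here), and a message layout of
# "user=..", "ts=..", "mac=..", a blank line, then the body.

# HMAC-SHA256 of stdin under key $1, as lowercase hex
hmac_hex() {
    openssl dgst -sha256 -hmac "$1" | awk '{ print $NF }'
}

# sign_message KEY USER TS BODY -> signed message on stdout
sign_message() {
    key=$1; user=$2; ts=$3; body=$4
    mac=$(printf '%s\n%s\n%s' "$user" "$ts" "$body" | hmac_hex "$key")
    printf 'user=%s\nts=%s\nmac=%s\n\n%s' "$user" "$ts" "$mac" "$body"
}

# verify_message KEY MSG NOW -> prints the verified user id and returns 0, or
# prints nothing and returns 1 (malformed, stale/future timestamp, bad MAC).
verify_message() {
    key=$1; msg=$2; now=$3; max_age=300; max_skew=60

    user=$(printf '%s\n' "$msg" | sed -n '1s/^user=//p')
    ts=$(printf '%s\n' "$msg" | sed -n '2s/^ts=//p')
    mac=$(printf '%s\n' "$msg" | sed -n '3s/^mac=//p')
    body=$(printf '%s\n' "$msg" | sed '1,4d')

    # Structural checks before any crypto: fields present, timestamp numeric
    [ -n "$user" ] && [ -n "$mac" ] || return 1
    case $ts in ''|*[!0-9]*) return 1 ;; esac

    # Freshness: reject replays older than max_age and far-future timestamps
    [ "$now" -le $((ts + max_age)) ] || return 1
    [ "$ts" -le $((now + max_skew)) ] || return 1

    expected=$(printf '%s\n%s\n%s' "$user" "$ts" "$body" | hmac_hex "$key")

    # A shell string compare is not constant-time. Hashing both sides under a
    # fresh random key first removes the timing signal: the attacker cannot
    # predict the values actually being compared.
    cmp_key=$(openssl rand -hex 16)
    a=$(printf '%s' "$mac" | hmac_hex "$cmp_key")
    b=$(printf '%s' "$expected" | hmac_hex "$cmp_key")
    [ "$a" = "$b" ] || return 1

    printf '%s\n' "$user"
}
```

Usage on the receiving side is `user=$(verify_message "$key" "$(cat message.txt)" "$(date +%s)") || reject`, run on the message data after the MQGET and before any business logic; the application then acts on `$user`, not on whatever the MQMD says. Timestamps bound replays but do not stop one within the window; a per-sender nonce log or sequence number is the next step if that matters.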
sivakumar (Newbie, Joined: 21 Sep 2004, Posts: 9)
Posted: Wed Sep 22, 2004 4:36 am

Thanks zpat,
I got the following from the System admin doc of MQSeries:

    Types of authorization
    There are three types of authorization:
    - Authorizations applying to single objects, for example, the authority to put a message on a queue.
    - Authorizations applying to a class of objects, for example, the authority to create a queue.
    - Authorizations applying across all classes of objects, for example, the authority to perform operations on behalf of different users.
    .....
    .....
    The paths of the object authorization files are based on those of the object itself, where auth is inserted ahead of the object type directory. You can use the dspmqfls command to display the path to a specified object.
    For example, if the name and path of SYSTEM.DEFAULT.LOCAL.QUEUE is:
    /var/mqm/qmgrs/saturn/queues/SYSTEM!DEFAULT!LOCAL!QUEUE
    the name and path of the corresponding authorization file is:
    /var/mqm/qmgrs/saturn/auth/queues/SYSTEM!DEFAULT!LOCAL!QUEUE

Now, there are no auth files in their respective folders on a system which is working absolutely fine.
So, I want to know where I can configure MQSeries so that it will start using the auth files.
Regards,
Siva

jefflowrey (Grand Poobah, Joined: 16 Oct 2002, Posts: 19981)
Posted: Wed Sep 22, 2004 4:37 am

sivakumar wrote:
    Thanks for your reply,
    At present the application doesn't pass any username or password to MQ.

Is it written in Java?
Because if it is NOT written in Java, then it IS passing a username - the user name of the user that is executing the program. And that user has been authorized by the OAM.
If it IS written in Java, then you need to change the connection calls to include a user name and password.
_________________
I am *not* the model of the modern major general.

sivakumar (Newbie, Joined: 21 Sep 2004, Posts: 9)
Posted: Wed Sep 22, 2004 4:52 am Post subject: connection calls to include a user name and password

Thanks jefflowrey,
Yes, I am using Java.
Can you tell me how I can include the username and password in the connection calls?
Regards,
Siva

jefflowrey (Grand Poobah, Joined: 16 Oct 2002, Posts: 19981)
Posted: Wed Sep 22, 2004 5:03 am

I don't recall off the top of my head. There's been a number of posts about this whole issue in the Java/JMS forum.
Looking through the Using Java manual again, I see a "userID" and "password" member of MQEnvironment.
_________________
I am *not* the model of the modern major general.

RogerLacroix (Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada)
Posted: Wed Sep 22, 2004 8:51 am

Hi,
MQ can validate a UserID against MQ objects for use (i.e. open, get, put, etc.) but MQ does NOT care about a password.
From Java JMS, you can pass in a UserID and password as follows:
Code:
import javax.jms.QueueConnection;
import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQQueueConnectionFactory;

private QueueConnection getQueueConnection() throws Exception
{
    MQQueueConnectionFactory queueConnectionFactory = new MQQueueConnectionFactory();
    // Client (TCP/IP) connection through a server-connection channel
    queueConnectionFactory.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
    queueConnectionFactory.setHostName("10.10.10.10");
    queueConnectionFactory.setChannel("My_CHANNEL.CH01");
    queueConnectionFactory.setPort(1414);
    queueConnectionFactory.setQueueManager("MYQMGRNAME");
    // The user ID is what the queue manager checks object authorities against;
    // the password is accepted by the API but not validated by MQ itself.
    return queueConnectionFactory.createQueueConnection("myTestUserId", "password");
}

But MQ does not use the password. If you want UserID and password checking then you will need to write two exits: a client-side and a server-side exit.
The client-side exit is called SendExit (in Java). It will intercept the UserID and password, format, encrypt and then initiate a 'security message exit send' to the server-side exit.
The server-side exit will be written in C and lives / is configured at the queue manager. It will handle the client exit's 'security message exit send' by decrypting and validating the UserID and password against something (i.e. native OS or LDAP or DB). Finally, it will either allow the channel to start or not.
Hope that helps. You might want to look at vendor products in this space.
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!

sivakumar (Newbie, Joined: 21 Sep 2004, Posts: 9)
Posted: Mon Sep 27, 2004 4:22 am Post subject: Writing server-side exit

Hi all,
Thanks for your contribution(s).
I want some info on writing server-side exits in C (is it possible to write them in Java?). Can someone give me info or direct me to where I can get the needed info?
Also, regarding the usage of the setmqaut command:
- I found that MQ has to be stopped and started in order for any change in authorization to be effective.
- I am getting issues in giving authorization to custom-made groups. Though the command sets appropriate authorizations, MQ doesn't get that. I tried stopping and starting MQ also. Nothing works. Am I missing anything here?

Nigelg (Grand Master, Joined: 02 Aug 2004, Posts: 1046)
Posted: Tue Sep 28, 2004 1:39 am

Server-side exits have to be written in C.
WMQ does not have to be restarted, but authorisations are cached. Issue the MQSC command REFRESH SECURITY to clear the cache and cause the auth to be read again from the O/S.

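The setmqaut / 'mqm' / MCAUser setup jefflowrey points to earlier in the thread, and the REFRESH SECURITY step Nigelg gives above, as one added example that is not from the thread or from IBM's documentation. All names are assumptions: queue manager QM1, OS group appgrp, request queue APP.REQUEST, reply queue APP.REPLY, server-connection channel APP.SVRCONN, and an OS account appuser that is a member of appgrp. It assumes WMQ 5.3 or later on a distributed platform (where REFRESH SECURITY exists) and must be run by a member of mqm; the MQ_DRY_RUN switch is the example's own, so the command sequence can be reviewed without a queue manager.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege OAM grants for one
# application group, the channel identity pin, the cache refresh, and a check.
# MQ_DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ "${MQ_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# run_mqsc QMGR "MQSC COMMAND": feed one MQSC command to runmqsc
run_mqsc() {
    if [ "${MQ_DRY_RUN:-0}" = 1 ]; then
        printf 'echo "%s" | runmqsc %s\n' "$2" "$1"
    else
        printf '%s\n' "$2" | runmqsc "$1"
    fi
}

# grant_app_auth QMGR GROUP REQUEST_QUEUE REPLY_QUEUE CHANNEL MCAUSER
grant_app_auth() {
    qmgr=$1; group=$2; reqq=$3; repq=$4; chl=$5; mcauser=$6

    # mqm already holds every authority; a grant to it changes nothing and
    # usually means the application is about to run as an administrator.
    if [ "$group" = mqm ]; then
        echo "refusing to grant to mqm; use a dedicated application group" >&2
        return 1
    fi

    # Queue manager: connect and inquire only. No +setid/+setall, so the
    # application cannot assert somebody else's identity in the MQMD.
    run setmqaut -m "$qmgr" -t qmgr -g "$group" +connect +inq

    # Request queue: put only. Reply queue: get only. Nothing else.
    run setmqaut -m "$qmgr" -t queue -n "$reqq" -g "$group" +put +inq
    run setmqaut -m "$qmgr" -t queue -n "$repq" -g "$group" +get +inq

    # Pin the identity the channel runs under: whatever user ID a client flows
    # on this channel, the OAM checks are made against $mcauser.
    run_mqsc "$qmgr" "ALTER CHANNEL($chl) CHLTYPE(SVRCONN) MCAUSER('$mcauser')"

    # The OAM caches authorizations; make the new ones take effect now.
    run_mqsc "$qmgr" "REFRESH SECURITY"
}

# show_app_auth QMGR GROUP QUEUE: what the group can actually do on the queue
show_app_auth() {
    run dspmqaut -m "$1" -t queue -n "$3" -g "$2"
}
```

Run as `grant_app_auth QM1 appgrp APP.REQUEST APP.REPLY APP.SVRCONN appuser`, then `show_app_auth QM1 appgrp APP.REQUEST` should list put and inq and nothing more. jefflowrey's SSL variant is the same ALTER CHANNEL with SSLCIPH and SSLPEER added and one channel per MCAUSER, which the example leaves out because the certificate setup is not shown on this page.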
RogerLacroix (Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada)
Posted: Tue Sep 28, 2004 11:17 am

Hi,
The REFRESH SECURITY command is only valid for WMQ v5.3 or later on distributed platforms. For MQ v5.2 and earlier versions, you had to bounce the queue manager.
RTM: download and read the WMQ Application Programming Guide (and WMQ Application Programming Reference) manual(s).
Writing server-side security exits is a non-trivial topic. First, you will need to know MQ extremely well and fully understand security topics like authentication vs. reputation plus cryptology.
You will be embarking on a lonely path because those people with detailed knowledge work for vendors who make these products; hence, they won't be too willing to give it away for free.
Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!

Nigelg (Grand Master, Joined: 02 Aug 2004, Posts: 1046)
Posted: Wed Sep 29, 2004 12:16 am