| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
 |
|
| MQVB and MQVE Exploiting an MQ Security Hole? |
« View previous topic :: View next topic » |
| Author |
Message
|
| kdjasper |
 Posted: Fri Sep 24, 2004 2:54 pm Post subject: MQVB and MQVE Exploiting an MQ Security Hole? |
 |
|
Guest
|
I am curious how MQVB and MQVE (both v1.2.2c) are working under the covers. I can get either to work with a blank userid. When I put messages onto a queue with MQVE, it says in the MQMD Context that the user that put the message is MUSR_MQADMIN.
When I try to connect to the QMgr with a specified userid, the connection is refused with a 2035 (I know how to fix this). The Qmgr is on Windows 2000 Server, WebSphere MQ 5.3.0.7.
I am wanting to recommend purchase of this product at my company, but as an MQ Admin I cannot recommend a tool that allows a blank userid to emulate MUSR_MQADMIN (member of "domain mqm" and local "mqm" group on the Windows 2000 server.
I am a greenhorn MQ Admin, so I am guessing my QMgr appears to not be secured very well at the moment. I am connecting via a SVRCONN channel that I created--it has a blank MCA USER ID.
What have I overlooked in securing MQ that MQVB and MQVE can connect with a blank userid and emulate MUSR_MQADMIN?
Thanks for the assistance as I want to recommend purchase of these products. |
|
| Back to top |
|
 |
| PeterPotkay |
| Posted: Fri Sep 24, 2004 3:38 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7717
|
All the gory details are here:
http://www.mqseries.net/phpBB2/viewtopic.php?t=15366&highlight=java+security+channel
but briefly, it is just the way Java MQ Clients work. You will need to secure the channel (SSL or Security Exit). You just can't leave a SVRCONN wide open. If you do, legitimate users of MQVB and MQVE will be the least of your worries if security is your concern.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Fri Sep 24, 2004 7:02 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada
|
Hi kdjasper,
First off, thank you for trying out MQ Visual Edit.
Secondly, Peter is correct in his answer. I get this question all the time by email, so here is the standard answer that I send out.
It is not what I have done or what I have not done that allows the user to access messages within the queues but rather how IBM implemented client channels.
When a MQ listener receives a message, if the "MCAUSER" of the SVRCONN channel is blank, then the MQMD.UserID from the message is used for security checking.
For C / C++ / COBOL / VB MQ client applications, the MQMD.UserID of the message is filled in by the MQ DLL (on Windows) or MQ shared module (Unix) when a MQCONN, MQPUT, MQGET, etc.. MQ API commands are issued.
But for Java life is a little different. The MQ jar file does NOT fill-in the MQMD.UserId field of the message, so the message is sent with a blank MQMD.UserID value. IBM decided that it would be up to the developer to set the correct MQMD.UserID value. i.e. by setting the Java code as: MQEnvironment.userID = "FRED";
So, the million dollar question is: what UserID is used if both the Message's MQMD.UserID value is blank and the MCAUSER is blank? The anwser is: the UserID of the MQ Listener process. The MQ Listener process is usually running under mqm for UNIX, MUSR_MQADMIN for Windows, etc... Therefore, the user will have full access!!!
Basically, this is what is going on with MQ Visual Edit. You can explicitly set a UserID in MQ Visual Edit by clicking on Edit -> Preferences and fill-in the UserID field.
If you want to completely lock out ALL users, then put garbage in the MCAUSER field of the SVRCONN channels (all of them!!!). i.e. MCAUSER('BADBOY')
If you didn't want to be so extreme then you could have a general Read-Only UserID (i.e. UREADME) and set the MCAUSER field of the SVRCONN channel as follows MCAUSER('UREADME').
I have had several people from various companies say that they would ONLY buy MQ Visual Edit as a commercial product if and if only it automatically set the UserID field with the Workstation's logged-in UserID value. So, I have created one (exactly same release v1.2.2C).
Therefore, if you purchase licenses for MQ Visual Edit (or MQ Visual Browse or MQ Batch Toolkit), you can request this version and I will send it to you.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| kdjasper |
| Posted: Mon Sep 27, 2004 7:56 am Post subject: Thanks |
|
|
Guest
|
Peter and Roger, thanks very much for your prompt replies. I read through all the other threads on this topic, and after reading in more detail the docs on MQ security this makes total sense to me as to how I now need to sequre the MQ infrastructure that I am administering.
Cheers!
 |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
