MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » MQ CLIENT Authorisation by userid on Z/OS

thornga
PostPosted: Fri Nov 05, 2004 8:23 am    Post subject: MQ CLIENT Authorisation by userid on Z/OS

Newbie

Joined: 05 Nov 2004
Posts: 6

We have a VB application on users' PCs that accesses queues on an application on Z/OS MQ Server 5.3. Today the users' IDs are authorised via a Windows Server running MQ Server 5.3, as previously RACF was not set up on Z/OS. I have now retrofitted a RACF solution, but we do not authenticate between servers internally.

Ideally we would like to eliminate the Windows Server from the setup and connect directly to Z/OS with a low cost/maintenance solution. I know SSL could be used, as could channel exits. However, is it possible to leave the MCA user blank so that the user ID is passed from the client application on Windows, and set up user IDs with the same name on Z/OS? These user IDs are then connected to a RACF group which has the relevant access against the queues, hence providing user ID authentication.

I understand that this is not a foolproof solution, as potentially a user could create a user ID with the same name on a Windows server. However, they will need to know the user IDs within the RACF group and have the authority to create a user ID on a Windows box.

I have the following switch profiles turned off:

CSQP.NO.CONTEXT.CHECKS
CSQP.NO.ALTERNATE.USER.CHECKS

From reading the manual ('User IDs for resource security (MQOPEN and MQPUT1)', Chapter 15 of the Z/OS System Setup Guide), I understand that unless the MQ_USER_ID environment variable is set on the client side, the CHIN started task user ID is used, invalidating authentication.

If the only secure way is to use a channel exit can anybody advise a good channel exit to use to fulfil my requirements?
jefflowrey
PostPosted: Fri Nov 05, 2004 10:25 am    Post subject:

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

It may be more expensive to connect your clients directly to your mainframe than through a gateway queue manager.

You will need to have the Client Attachment Facility installed and running on your mainframe - and I believe this is an additional charge item.
RogerLacroix
PostPosted: Fri Nov 05, 2004 10:34 am    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,

Your summary / description of UserIds & security is correct. You have 4 choices:

(1) Use SSL between the clients and the z/OS queue manager, but that only means 'point A' to 'point B' is secured; you have no idea who the client is at 'point A'.

(2) Use BlockIP2 on the z/OS (but you need a C compiler on Z/OS). It can block (or allow) by IP address and UserID. This is far easier to implement than SSL, but if the rule is to allow '192.168.*.*' then any Java program running on a box with an IP within that range can set any valid ID and get in!

(3) Buy an existing solution from a 3rd party vendor. Primeur is a good place to start. www.primeur.com

(4) I (Capitalware) am in the middle of 'alpha' testing an 'Authenticate User Security Exit' (AUSX) with a client. I have Windows, Linux & Unixes covered off and I'll be building it for z/OS soon.

AUSX has 2 components: a client-side and a server-side security exit. Basically, it is seamless to your application unless it is a Java app or it uses MQCONNX; then it would need to support a security exit.

The client-side, when invoked, displays a popup requesting UserID & Password (and optional ServerName or DomainName). The client-side encrypts the info and sends it to the server-side, where it validates the info against the native OS or domain controller for Windows (RACF for z/OS). If the UserID & Password are correct then the channel starts, otherwise it is closed. It also supports ProxyIds (used after successful validation) so that you don't have to define every person or group to MQ.

Think of it in terms of telnet-ing or a Windows network logon. You supply full credentials to log in.

I'm hoping that in a couple of weeks, I'll be able to have a semi-public beta testing program for anyone who wants to try it out. (But Christmas is around the corner, so you know what they say about 'well laid plans'!!)

The plan is to have the client-side supported / tested for:
- WBIMB Toolkit
- Mercury SiteScope
- MO71 SupportPac
- MS03 SupportPac (actually any program that supports client channel table)
- MQ Explorer
- Capitalware's MQ Visual Edit / Browse

What I'll need is to test the thousands of client-side programs with AUSX that are out there.

I'll make a post in the Capitalware forum when we are ready.

Regards,
Roger Lacroix
thornga
PostPosted: Mon Nov 08, 2004 2:51 am    Post subject:

Newbie

Joined: 05 Nov 2004
Posts: 6

Thanks Jeff, we already have the client attachment so no problems there.

Roger, thanks for your reply and detailing the options available to me. Am I able to use multiple rules with BlockIP2? This way I could use fixed IP addresses and user IDs for a secure solution?
thornga
PostPosted: Mon Nov 08, 2004 2:59 am    Post subject:

Newbie

Joined: 05 Nov 2004
Posts: 6

OK Roger, I have read the manual; it looks like I can add multiple IP addresses. Thanks for your help and good luck with your AUSX release.

Cheers

Gary
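To make concrete the two points the thread turns on (a blank MCAUSER means the queue manager trusts whatever user ID the client asserts, and a rule that allows a whole subnet therefore lets any box in it assert any valid ID, which is what Roger's option (2) warns about and what Gary's "fixed IP addresses and user IDs" question is about), here is an added C example of the decision logic only. It is not BlockIP2's, Capitalware's or IBM's code and it is not a channel exit; the rule syntax (dotted quad with '*' per octet plus a list of user IDs), the rule sets, the user IDs and the connection attempts are all constructed for this illustration. The one MQ fact it relies on is that a non-blank MCAUSER on a SVRCONN channel replaces the client-supplied user ID.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULE_USERS 4

/* One allow rule: a dotted-quad IP pattern where '*' stands for any octet,
 * plus the user IDs permitted from matching addresses. An empty user list
 * means "any user ID", which reproduces the weak configuration Roger warns
 * about. The syntax is an assumption for this example, not BlockIP2's. */
typedef struct {
    const char *ip_pattern;
    const char *users[MAX_RULE_USERS];
    int nusers;
} AllowRule;

/* Match ip against pattern octet by octet. Returns false for anything that
 * is not exactly four octets on both sides, so malformed input never matches. */
static bool ip_matches(const char *pattern, const char *ip) {
    for (int octet = 0; octet < 4; octet++) {
        const char *pe = strchr(pattern, '.');
        const char *ie = strchr(ip, '.');
        size_t plen = pe ? (size_t)(pe - pattern) : strlen(pattern);
        size_t ilen = ie ? (size_t)(ie - ip) : strlen(ip);
        if (plen == 0 || ilen == 0) return false;
        bool wildcard = (plen == 1 && pattern[0] == '*');
        if (!wildcard && (plen != ilen || strncmp(pattern, ip, plen) != 0)) return false;
        if (octet < 3) {
            if (!pe || !ie) return false;      /* fewer than four octets */
            pattern = pe + 1;
            ip = ie + 1;
        } else if (pe || ie) {
            return false;                      /* more than four octets */
        }
    }
    return true;
}

/* The user ID the queue manager will authorise for a SVRCONN channel: a
 * non-blank MCAUSER on the channel replaces whatever the client asserted;
 * a blank MCAUSER means the client-supplied ID is used as-is. */
static const char *effective_user(const char *mcauser, const char *client_user) {
    return (mcauser != NULL && mcauser[0] != '\0') ? mcauser : client_user;
}

/* Allowed if any rule permits the (ip, user) pair. User ID comparison is
 * exact and case-sensitive here; on z/OS you would fold the asserted ID to
 * its uppercase, 8-character RACF form before checking. */
static bool connection_allowed(const AllowRule *rules, int nrules,
                               const char *ip, const char *user) {
    for (int r = 0; r < nrules; r++) {
        if (!ip_matches(rules[r].ip_pattern, ip)) continue;
        if (rules[r].nusers == 0) return true;           /* any user from this IP */
        for (int u = 0; u < rules[r].nusers; u++)
            if (strcmp(rules[r].users[u], user) == 0) return true;
    }
    return false;
}

/* Constructed rule sets (not real configuration). */
static const AllowRule weak_rules[] = {
    { "192.168.*.*", { NULL }, 0 },              /* subnet only: any user ID accepted */
};
static const AllowRule strict_rules[] = {
    { "192.168.1.10", { "GARY", "ALICE" }, 2 },  /* fixed workstation + named IDs */
    { "192.168.1.11", { "BOB" }, 1 },
};

int main(void) {
    /* Constructed connection attempts, not captured traffic. */
    struct { const char *ip, *asserted; } attempts[] = {
        { "192.168.1.10", "GARY" },     /* legitimate user on the expected PC */
        { "192.168.7.200", "SYSADM" },  /* any box in the subnet asserting an admin ID */
        { "10.9.8.7", "GARY" },         /* right ID, wrong address */
    };
    const char *mcauser = "";           /* blank MCAUSER, as in the original question */
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++) {
        const char *user = effective_user(mcauser, attempts[i].asserted);
        printf("%-14s %-7s subnet-only=%s ip+id=%s\n", attempts[i].ip, user,
               connection_allowed(weak_rules, 1, attempts[i].ip, user) ? "ALLOW" : "deny",
               connection_allowed(strict_rules, 2, attempts[i].ip, user) ? "ALLOW" : "deny");
    }
    return 0;
}
```

Running it shows the second attempt (an arbitrary host in 192.168.0.0/16 asserting SYSADM) accepted by the subnet-only rule and rejected by the IP-plus-user-ID rules; the third shows that a valid ID from an unexpected address is also rejected. Pinning each permitted ID to a fixed address narrows the exposure, but the client-asserted ID is still unauthenticated, which is why the thread's other options (SSL client certificates, a security exit that checks a password against RACF) exist.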