wmq_guy
Posted: Fri Mar 04, 2005 5:54 pm Post subject: remote MQ administration
Acolyte
Joined: 21 Oct 2004 Posts: 50
hello,
I am setting up a linux server that will be behind a firewall, but when I built the two qmgrs I also built SYSTEM.ADMIN.SVRCONN channels so I could use a tool for remote administration, such as MQJexplorer from a guy named kolban back in the day.
what port is this SYSTEM.ADMIN.SVRCONN accessed through?
I'm not too sure how it works, I guess.
let's say I have QMGR1 whose listener is on 1414, and QMGR2 that is on 1415. is it sufficient to poke a hole in the FW for these two ports and then I am able to use MQJexplorer from my windowsXP machine, or do I need other ports also?
how do most people deal with this? I suppose I could even just run the regular MQexplorer against it too heh?
thank you
fjb_saper
Posted: Fri Mar 04, 2005 5:58 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
If the qmgrs are truly exposed to the world out there, the only remote admin you want to do is through TELNET.
You do not want to have a svrconn channel running without an mcaname,
nor do you want a command server running. Too much of a security risk.
Enjoy
PGoodhart
Posted: Mon Mar 07, 2005 9:02 am Post subject:
Master
Joined: 17 Jun 2004 Posts: 278 Location: Harrisburg PA
TELNET isn't good either. It does expose your passwords. You might want to look into SSH or some other secure telnet/virtual login.
_________________
Patrick Goodhart
MQ Admin/Web Developer/Consultant
WebSphere Application Server Admin
javagate
Posted: Mon Mar 07, 2005 3:45 pm Post subject:
Disciple
Joined: 15 Nov 2004 Posts: 159
Sounds like you need a security exit to sit on the channels.
_________________
WebSphere Application Server 7.0 z/OS & MQ 6.0. I work with WebSphere in the real world not in some IBM lab.
RogerLacroix
Posted: Mon Mar 07, 2005 8:00 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
hopsala
Posted: Mon Mar 07, 2005 11:41 pm Post subject:
Guardian
Joined: 24 Sep 2004 Posts: 960
To answer your q, the SYSTEM.ADMIN.SVRCONN works like any SVRCONN channel does, via the MQ Listener, on whichever port it may be - 1414 or 1415 in your case.
The MQ Explorer works by connecting to this channel and sending PCF commands to a queue called SYSTEM.ADMIN.COMMAND.QUEUE, which the Command Server service waits on.
Concerning the other commentary, I must concur. Keeping this channel open is asking for trouble, and is a huge security breach. So you have a few choices here:
1> Use SSL - apply one certificate to the computer running the MQJexplorer and another to each administered queue manager, and configure SYSTEM.ADMIN.SVRCONN to work with SSL. In this way only you can access the channel.
(this seems to me a viable alternative to a security exit; it is simpler and doesn't cost anything)
2> Use SSH, as previously suggested, or some other secure remote-control tool.
3> Or, if you don't give a hoot about the security risk (possibly this is an internal small-company network), do nothing.
Enjoy,
Hop
hguapluas
Posted: Tue Mar 08, 2005 11:11 am Post subject:
Centurion
Joined: 05 Aug 2004 Posts: 105 Location: San Diego
Does anybody know of a good book to read that explains in detail setting security on the SYSTEM.ADMIN.SVRCONN, MCAUSER, etc. etc.? The books I have do not really do a good job of explaining setting security and locking down a QM (including IBM's Redbooks).
csmith28
Posted: Tue Mar 08, 2005 2:50 pm Post subject:
Grand Master
Joined: 15 Jul 2003 Posts: 1196 Location: Arizona
@hguapluas
Have you read the WMQ Security Guide? In most instances you don't want to use the MCAUSER attribute. For example:
SVRCONN.CL01 has an MCAUSER value of app01. app01 is a user you have defined and granted certain authorities to using the setmqaut command.
Then any client application that connects to the MQManager using SVRCONN.CL01 will connect with the authority of the app01 user, whether the user has been granted access to the MQManager or not.
_________________
Yes, I am an agent of Satan but my duties are largely ceremonial.
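An added audit script (example code, not anything posted in this thread) that applies the checks fjb_saper and hopsala describe above, with a channel like csmith28's SVRCONN.CL01/app01 included in the sample: it parses runmqsc DISPLAY CHANNEL output and flags SVRCONN channels that have a blank MCAUSER, no SSLCIPH, or SSLCIPH without an SSLPEER filter. The sample output, channel names, user ids, cipher and SSLPEER values are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed runmqsc output for: DISPLAY CHANNEL(*) TYPE(SVRCONN) MCAUSER SSLCIPH SSLPEER
SAMPLE_MQSC_OUTPUT = """\
     1 : DISPLAY CHANNEL(*) TYPE(SVRCONN) MCAUSER SSLCIPH SSLPEER
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
   SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SSL.SVRCONN)              CHLTYPE(SVRCONN)
   MCAUSER(mqadmin)                        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
   SSLPEER(CN=mqjexplorer-workstation)
AMQ8414: Display Channel details.
   CHANNEL(SVRCONN.CL01)                   CHLTYPE(SVRCONN)
   MCAUSER(app01)                          SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
   SSLPEER( )
"""

ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")  # NAME(value) pairs on an attribute line


def parse_channels(mqsc_text: str) -> List[Dict[str, str]]:
    """Turn DISPLAY CHANNEL output into one attribute dict per channel."""
    channels: List[Dict[str, str]] = []
    for line in mqsc_text.splitlines():
        if line.startswith("AMQ8414"):                 # header opening each channel block
            channels.append({})
        elif channels and line.startswith("   "):      # indented attribute line
            for name, value in ATTR_RE.findall(line):
                channels[-1][name] = value.strip()     # MQSC prints a blank value as "( )"
    return channels


def audit_svrconn(channels: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each weakly configured SVRCONN channel to the findings raised against it."""
    findings: Dict[str, List[str]] = {}
    for ch in channels:
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        issues = []
        if not ch.get("MCAUSER"):
            issues.append("blank MCAUSER: channel runs under whatever user id the client asserts")
        if not ch.get("SSLCIPH"):
            issues.append("no SSLCIPH: clear-text channel, client is not authenticated")
        elif not ch.get("SSLPEER"):
            issues.append("SSLCIPH set but no SSLPEER: any certificate from a trusted CA is accepted")
        if issues:
            findings[ch["CHANNEL"]] = issues
    return findings
```

On a real queue manager the same functions can be fed the output of `echo "DISPLAY CHANNEL(*) TYPE(SVRCONN) MCAUSER SSLCIPH SSLPEER" | runmqsc QMGR1`.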
RogerLacroix
Posted: Tue Mar 08, 2005 8:21 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
hguapluas
Posted: Thu Mar 10, 2005 2:12 pm Post subject:
Centurion
Joined: 05 Aug 2004 Posts: 105 Location: San Diego
Thanks for your replies. I have read the WMQ Security Guide but am looking for more. Will check out the link provided.
Cheers,
hopsala
Posted: Sun Mar 13, 2005 9:12 am Post subject:
Guardian
Joined: 24 Sep 2004 Posts: 960
There's a book called "MQ v5.3 Security in an Enterprise Environment", filename sg246814.pdf.
link is http://www.redbooks.ibm.com/redbooks/SG246814/wwhelp/wwhimpl/common/html/switch.htm
(Do not search for this through google, for some reason it gives you a bad link... If you want it in pdf, go to "http://www.redbooks.ibm.com/" and search for "mq security"; it is the only result, sadly enough)
This book is rather lengthy at times, but it gives a detailed, step-by-step description of the commands and actions that need to be done to "lock down" a QM.
Hope it'll help,
Hop