MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » MQ explorer security

MQ explorer security
csaunders
PostPosted: Mon May 16, 2005 3:33 pm    Post subject: MQ explorer security

Acolyte

Joined: 27 Mar 2003
Posts: 64
Location: Arlington, Va

I'm getting an AMQ4036 error when using MQ Explorer to connect to Solaris 5.9. We're using MQSeries 5.3.

1) My Windows user name is csaunder; I have a UNIX account csaunder in the mqm group.

2) I created the CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(mqm) on the queue manager USVAS01.QM.

Is there anything else I could be missing?
mq_crazy
PostPosted: Mon May 16, 2005 3:54 pm

Master

Joined: 30 Jun 2004
Posts: 295

Make sure the command server is running.
csaunders
PostPosted: Mon May 16, 2005 4:16 pm

Acolyte

Joined: 27 Mar 2003
Posts: 64
Location: Arlington, Va

How do I confirm that it is running?
mq_crazy
PostPosted: Mon May 16, 2005 4:40 pm

Master

Joined: 30 Jun 2004
Posts: 295

Code:
dspmqcsv qm

where qm is your queue manager name.
RogerLacroix
PostPosted: Mon May 16, 2005 7:12 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,
Quote:
2) I created the CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(mqm) on the queue manager USVAS01.QM.

Do you actually know what you have done????

First off, you are attempting to set the channel's UserID to mqm. That means ANYBODY connecting on that channel will get full access. This is absolutely the worst thing you could do for securing the queue manager.

Secondly, but even funnier, you shot yourself in the foot because you do not understand how runmqsc works. runmqsc will uppercase all fields that are not between quotes. Therefore, since you put MCAUSER(mqm) and not MCAUSER('mqm'), you will get a 2035 (not authorized) message (because MQM is not the same UserID as mqm).

Define your channel as follows:
Code:
define CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(' ')

Then issue the REFRESH SECURITY command via runmqsc.

Finally, I would strongly suggest that you use some sort of security exit to manage users who are connecting to the queue manager.

Regards,
Roger Lacroix
Capitalware Inc.
csaunders
PostPosted: Tue May 17, 2005 5:44 am

Acolyte

Joined: 27 Mar 2003
Posts: 64
Location: Arlington, Va

Roger, thanks for the help, and I'm glad I could make you laugh.

I ran
Code:
define CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(' ')

I also ran the refresh security command.

I am still getting the permission error. Does anything else come to mind?
mq_crazy
PostPosted: Tue May 17, 2005 6:00 am

Master

Joined: 30 Jun 2004
Posts: 295

Did you check the command server?
csaunders
PostPosted: Tue May 17, 2005 6:00 am

Acolyte

Joined: 27 Mar 2003
Posts: 64
Location: Arlington, Va

OK Roger, you're probably going to yell at me, but for joke's sake, I made the channel

Code:
alter CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')

Now it works.....

This allows anyone to connect to the QM and do anything? Kind of like being root? I don't understand why (' ') didn't work...
kevinf2349
PostPosted: Tue May 17, 2005 6:54 am

Grand Master

Joined: 28 Feb 2003
Posts: 1311
Location: USA

It works because 'mqm' is an authorised id. If you code ' ' then no id is used and so it fails.

What you have now done is opened up your queue manager so that anyone and everyone can do whatever they want to it. Roger is advising you to look for some security exit that will prevent you from having to expose the soft underbelly of your queue managers.

I think BlockIP is rapidly becoming the 'standard'. Do a search on this site and I am sure you will get plenty of hits.
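Roger's point about runmqsc folding unquoted values to upper case, and the MCAUSER('mqm') channel csaunders ended up with, can both be checked mechanically before a definition reaches a queue manager. The script below is an added example written for this page; it is not code from the thread, from IBM or from Capitalware. It applies the rule that unquoted MQSC attribute values are folded to upper case while quoted ones are taken literally, then classifies the effective MCAUSER of each SVRCONN statement. The function and variable names are my own, and the three statements it inspects are the ones posted in the thread, embedded here as constructed sample input.

```python
"""Lint runmqsc SVRCONN channel statements for risky MCAUSER settings.

Added example for this thread (not IBM, Capitalware or forum code).
It models two points made in the discussion:
  * runmqsc folds unquoted attribute values to upper case, so MCAUSER(mqm)
    actually sets the MCA user to MQM, which is not the UNIX id mqm;
  * MCAUSER('mqm') makes every connection on that channel run as the
    MQ administrator, so anyone who can reach the listener has full control.
"""
import re

# User ids that carry full administrative authority on a UNIX queue manager.
# Only "mqm" appears on the page; the comparison is case-sensitive, as UNIX ids are.
ADMIN_IDS = {"mqm"}

# One MQSC attribute: KEYWORD(value). A quoted value may contain spaces, ')'
# and doubled single quotes; an unquoted value runs to the closing ')'.
ATTR_RE = re.compile(r"(\w+)\(\s*('(?:[^']|'')*'|[^)]*)\)")


def runmqsc_value(raw: str) -> str:
    """Apply runmqsc's folding rule to one attribute value.

    Quoted values are taken literally (outer quotes removed, '' becomes ');
    unquoted values are folded to upper case.
    """
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == "'" and raw[-1] == "'":
        return raw[1:-1].replace("''", "'")
    return raw.upper()


def parse_channel_statement(stmt: str) -> dict:
    """Parse 'DEFINE|ALTER CHANNEL(...) ATTR(value) ...' into effective values."""
    attrs = {k.upper(): runmqsc_value(v) for k, v in ATTR_RE.findall(stmt)}
    attrs["VERB"] = stmt.strip().split(None, 1)[0].upper()
    return attrs


def assess_mcauser(stmt: str) -> dict:
    """Classify the MCAUSER of one channel statement.

    Returns the channel name, the effective (folded) MCAUSER, a severity
    and a one-line reason.
    """
    attrs = parse_channel_statement(stmt)
    finding = {
        "channel": attrs.get("CHANNEL", "?"),
        "effective_mcauser": attrs.get("MCAUSER"),
    }
    mcauser = finding["effective_mcauser"]
    if attrs.get("CHLTYPE") != "SVRCONN":
        sev, why = "info", "not a SVRCONN channel; client identity rules do not apply"
    elif mcauser is None:
        sev, why = "info", "MCAUSER not set by this statement (ALTER keeps the old value)"
    elif mcauser.strip() == "":
        sev, why = "review", ("blank MCAUSER: the channel runs as the user id asserted by "
                              "the connecting client, which must exist on the server; "
                              "pair it with a security exit or an equivalent control")
    elif mcauser in ADMIN_IDS:
        sev, why = "critical", ("MCAUSER is an administrative id: every connection on this "
                                "channel gets full control of the queue manager")
    elif mcauser.lower() in ADMIN_IDS:
        sev, why = "warn", (f"unquoted value folded to {mcauser!r}, which is not the UNIX id "
                            f"{mcauser.lower()!r}; connections get 2035 unless that id exists")
    else:
        sev, why = "ok", "MCAUSER pinned to a fixed, non-administrative id"
    finding.update(severity=sev, reason=why)
    return finding


# The three statements posted in the thread, embedded here as constructed sample input.
THREAD_STATEMENTS = [
    "define CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(mqm)",
    "define CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER(' ')",
    "alter CHANNEL(SYSTEM.ADMIN.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')",
]


def lint(statements):
    """Run assess_mcauser over a list of MQSC statements."""
    return [assess_mcauser(s) for s in statements]


if __name__ == "__main__":
    for f in lint(THREAD_STATEMENTS):
        print(f"{f['severity']:<8} {f['channel']} MCAUSER={f['effective_mcauser']!r}: {f['reason']}")
```

Run against the three statements from the thread it reports the first as a warning (effective value MQM, the typo Roger explains), the second as a setting to review (blank, so the client-asserted id is used and must exist on the server), and the third as critical. The same parser can be pointed at a whole MQSC dump so that an MCAUSER of mqm on any SVRCONN is caught in review rather than discovered after the fact.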
csaunders
PostPosted: Tue May 17, 2005 8:04 am

Acolyte

Joined: 27 Mar 2003
Posts: 64
Location: Arlington, Va

mq_crazy wrote:
Did you check the command server?

Yes sir, working now, but I guess I'm open to the world.
PeterPotkay
PostPosted: Tue May 17, 2005 1:20 pm

Poobah

Joined: 15 May 2001
Posts: 7722

We bought Capitalware's MQAUSX solution to protect all our QMs. Anyone that tries to access our QMs with MQExplorer or MO71 is prompted for an ID and password, assuming they have the client side of the exit to begin with.
RogerLacroix
PostPosted: Wed May 18, 2005 8:36 pm

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

All,

Yes, Capitalware sells 2 security solutions. For more information, go to:
http://www.capitalware.biz/products.html#mqausx

Now getting back to csaunders' problem. I would look into the following areas:
(1) Did you actually create the 'csaunders' UserID on the remote server? (case IS important)

(2) Did you actually put the 'csaunders' UserID in the mqm group?

(3) Did you issue the REFRESH SECURITY via runmqsc after doing the above?

(4) Did you ever issue setmqaut against the UserID or against the UserID's primary group? If so, remove those settings. The OAM uses the more restrictive setting. (Issue REFRESH SECURITY again.)

(5) Is there a UserID on the remote server called: 'csaunder' (no 's')? UserIDs on Unix are unique on only the first 8 characters. Therefore, you are getting a mismatch on the UserID and there is nothing you can do (other than create a new UserID).

Since you have root access on the remote server, have you created a new UserID on it? Follow points 1,2 & 3 above (creating 'fred123').
- Now use a sample Java program and set MQEnvironment.userID = "fred123"; and you should get access
- Or if you do not code, then download 30-day trial of MQ Visual Edit and configure the queue manager and set the UserID to the new UserID and test it.

In either case, you should get full access. I have done this a million times over the years.

Finally, yes, I am most certainly advocating that people use a security exit to protect the queue manager.

Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.