Channel Security
PeterPotkay
Posted: Thu Jun 06, 2019 7:33 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
I have not come across a reason to not allow the Channel Initiator and thus outbound channels to run as mqm. I think there is no risk here. For outbound channels you are the initiator and you trust yourself.
Inbound channels are a completely different story. You likely do not have complete control of the partner system, so you can't trust it, so you shouldn't let inbound channels run as a highly privileged account, unless the connection has been authenticated to determine if the connection is originating from someone or something that should run as highly privileged.
Ideally you have all your inbound channels set up to run with zero access by default, and only after some level of authentication do you elevate that instance of the channel to run with an appropriate level of access.
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
Posted: Thu Jun 06, 2019 8:58 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
saurabh25281 wrote:
> There must be a reason why IBM documents talk about what authorizations would be required on sender channels for non-privileged users.
Because some sites base security rules on politics not technology. I myself have worked on a site where mqm (which owned the software) wasn't allowed to run any process. For no technical reason anyone was able to articulate to me.
I repeat my earlier statement that I've never run the channels (or the queue manager come to that) as anything other than mqm.
But the situation is plausible, and IBM indicates their support for it with the documentation you mention.
saurabh25281 wrote:
> We have already secured incoming connections, i.e. Receiver, cluster-receiver & svrconns, using ChlAuth (SSLPEERMAP) rules.
And do these run as mqm? If so, why do you consider this less risky than running the sender channels as mqm (given the receiver channels actually alter the contents of queues)?
_________________
Honesty is the best policy.
Insanity is the best defence.
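The pattern Peter describes above (inbound channels with no access by default, elevated only once the peer has been authenticated) and the CHLAUTH SSLPEERMAP rules Vitor and saurabh25281 discuss, written out as MQSC. This is an added example, not commands posted by anyone in the thread: the queue manager name QM1, channel TO.QM1, the partner certificate DNs, the 192.0.2.* address range, the APP.INBOUND.QUEUE name and the user ids 'nobody' and 'mqrcvusr' are all assumed placeholders.

```mqsc
* CHLAUTH rules are only evaluated when the queue manager has them enabled
* (the default on queue managers created at 7.1 or later).
ALTER QMGR CHLAUTH(ENABLED)

* Inbound (receiver) channel. MCAUSER is a deliberately powerless OS user
* ('nobody' is an assumed name) so that, absent a mapping rule, the channel
* has no authority at all. SSLCAUTH(REQUIRED) forces the partner to present
* a certificate, which is what the SSLPEERMAP rule below keys on.
DEFINE CHANNEL('TO.QM1') CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') SSLCAUTH(REQUIRED) +
       MCAUSER('nobody') DESCR('Inbound from partner; default no access') +
       REPLACE

* Rule 1: default deny. Any address that reaches this channel without
* matching a more specific rule is refused outright.
SET CHLAUTH('TO.QM1') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Default deny on inbound channel') ACTION(REPLACE)

* Rule 2: the authenticated partner. A peer whose certificate subject and
* issuer match these (assumed) DNs, arriving from the assumed subnet, is
* mapped to a low-privilege id. SSLPEERMAP rules take precedence over
* ADDRESSMAP rules, so this overrides the default deny for that peer only.
SET CHLAUTH('TO.QM1') TYPE(SSLPEERMAP) +
    SSLPEER('CN=QM2,O=Partner Example') +
    SSLCERTI('CN=Partner Example CA,O=Partner Example') +
    ADDRESS('192.0.2.*') USERSRC(MAP) MCAUSER('mqrcvusr') +
    DESCR('Partner QM2 via TLS client cert') ACTION(REPLACE)

* Authorities for the mapped id: connect to the queue manager and put to the
* one queue the partner is allowed to deliver to (plus the DLQ, so that
* undeliverable messages do not stall the channel). No browse, get or admin.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqrcvusr') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.INBOUND.QUEUE') OBJTYPE(QUEUE) +
    PRINCIPAL('mqrcvusr') AUTHADD(PUT)
SET AUTHREC PROFILE('SYSTEM.DEAD.LETTER.QUEUE') OBJTYPE(QUEUE) +
    PRINCIPAL('mqrcvusr') AUTHADD(PUT)

* Check which rule a given connection would hit before going live:
* the partner's DN from its address should resolve to MCAUSER('mqrcvusr'),
* and the same address with no SSLPEER should report NOACCESS.
DISPLAY CHLAUTH('TO.QM1') MATCH(RUNCHECK) +
    SSLPEER('CN=QM2,O=Partner Example') ADDRESS('192.0.2.10')
DISPLAY CHLAUTH('TO.QM1') MATCH(RUNCHECK) ADDRESS('192.0.2.10')
```

Feed the script to runmqsc QM1. Both 'nobody' and 'mqrcvusr' must exist on the OS and must not be members of the mqm group (or any other group holding administrative authority), otherwise the OAM grants them full access regardless of the SET AUTHREC lines. SSLCERTI on a SSLPEERMAP rule needs MQ 8.0 or later; SET AUTHREC needs 7.1 or later. This is what answers Vitor's question: with this configuration the receiver channel never runs as mqm, and an unmapped peer gets nothing.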
saurabh25281
Posted: Mon Jun 24, 2019 11:25 pm Post subject:
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
Quote:
> And do these run as mqm?
No, they don't run as mqm.
Thanks for the valuable suggestions, we went with using the default user (mqm) for the Sender channels.