hopsala |
Posted: Sat Mar 01, 2008 10:22 am Post subject: Debugger Security |
Hello one and all,
I've lately been fuddling about with WMB's security settings, and came across an entirely undocumented topic (at least I think it is). I am trying to determine how exactly the debugger works in both 6.0 (RAC) and 6.1 (?) in general and specifically concerning security settings:
1. How does the connection process work? (concerning ESQL, Java, Nodes)
2. How does one authorize (and un-authorize) users to debug?
3. Can it be done per flow/per execution group?
4. How is the user and/or password transferred to the broker? Is it in clear text over the network? Some Kerberos mechanism perhaps? Any certificates involved?
5. What about blocking by IP? Peter mentioned this in his post http://www.mqseries.net/phpBB2/viewtopic.php?t=40054&start=15, but can I use wildcards or lists in this configurable option? It seems that this setting applies to RAC in general, what if I want to allow some IPs to debug one broker and other IPs another?
What little I know about this I know from reading posts here and mining the product libraries, but only concerning v6; I have found nothing relevant to 6.1. Can anyone direct me to the appropriate literature? Has anyone worked with this before?
Cheers!  |
fjb_saper |
Posted: Sat Mar 01, 2008 2:35 pm Post subject: |
I believe V6.1 just like V6 relies on the ACL of the config mgr.
 _________________ MQ & Broker admin |
hopsala |
Posted: Mon Mar 03, 2008 8:35 am Post subject: |
fjb_saper wrote: |
I believe V6.1 just like V6 relies on the ACL of the config mgr.
 |
I wish it were that simple.
Try this: stop the configuration manager, delete the domain connection from the toolkit workspace (just in case), create a new debug and click "debug". I've tried it in both 6.0 and 6.1, and it works.
This means that debugging connects directly to the broker, and since the ACLs reside in the configmgr, there's no checking done against them at all (unless the broker has some ACL caching mechanism, which AFAIK is not the case). Also, in the chapter describing ACL security, there's no mention of "debug authority" or anything similar.
Anyway, the point is that if there is any authorization mechanism at work here at all, it is not your usual ACL stuff. So, what's going on? |
jefflowrey |
Posted: Mon Mar 03, 2008 9:14 am Post subject: |
The debugger in 6.1 uses the JVM debug process.
Ergo, it inherits the same security mechanisms that that has. EDIT: At least as far as I know, I could be wrong.
It's never been a good idea to enable debugging in Production.
_________________ I am *not* the model of the modern major general. |
hopsala |
Posted: Mon Mar 03, 2008 9:40 am Post subject: |
Update: I've made a little experiment in 6.1 - Opened up a new user, which doesn't have any wmq or wmb authorities, activated a debug, and the darn thing works!
This is by far the worst security breach I've seen in a while. Everything was set up using default settings, and I was never asked anything about security settings whatsoever. Most users are probably blissfully unaware that this is going on under their noses...
jefflowrey wrote: |
The debugger in 6.1 uses the JVM debug process.
Ergo, it inherits the same security mechanisms that that has. EDIT: At least as far as I know, I could be wrong. |
How do I configure "JVM debug" security settings? Could you direct me to some literature?
jefflowrey wrote: |
It's never been a good idea to enable debugging in Production. |
I agree. As of now, I'm going to recommend all of my clients to make sure debug is disabled in production (as I always have, but now for a real reason). In 6.0 it's easy - don't install RAC. What I'm wondering is how to disable debug in 6.1, do you think it's enough to simply not set up a java debug port? |
jefflowrey |
Posted: Mon Mar 03, 2008 9:56 am Post subject: |
My point is that it's likely that the debug security is the same for Broker v6.1 as it is for any other Java process. So you need to look at Java debug security, rather than anything different/custom with Broker.
And, yes, it should be sufficient to just not mqsichangebroker to enable a JVMDebug port... If the port is closed, no traffic can flow.
Regardless, however, Production should always be isolated at the network layer from desktops, anyway. So even if you do mqsichangebroker, the firewall will still prevent any users from connecting.
_________________ I am *not* the model of the modern major general. |
hopsala |
Posted: Tue Mar 04, 2008 2:02 pm Post subject: |
Ok, thanks for the help. I've opened a PMR about this, I'll update here if I find out anything interesting. |
hopsala |
Posted: Sun Sep 21, 2008 3:14 am Post subject: |
The reply I got from IBM: "The debugger does not implement any additional security provisions, as it is intended to be used only in a development environment."
Hardly a serious response, but it'll have to do. So the rule of thumb is: do not set java debug port (6.1) and do not install RAC (6.0) in production environments. |
PeterPotkay |
Posted: Sun Sep 21, 2008 7:18 am Post subject: |
Another reason not to use debugger in production:
http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/topic/com.ibm.etools.mft.doc/ag03640_.htm
Quote: |
When you debug message flows, choose a broker that is set up for test and not for production, because debugging might degrade the performance of all message flows that are deployed to the broker. Other flows in the same execution group, and those in other execution groups defined to the same broker might be affected by potential resource contention. |
Quote: |
The following restrictions apply when you debug a message flow:
You must use the same version of the broker and the Message Broker Toolkit; for example, you cannot use the Message Broker Toolkit Version 6.1 to debug a message flow that you have deployed to a broker at an earlier version.
Do not debug message flows over the Internet; the security function has not been enabled. |
_________________ Peter Potkay
Keep Calm and MQ On |
hopsala |
Posted: Mon Sep 22, 2008 1:53 pm Post subject: |
PeterPotkay wrote: |
Quote: |
debugging might degrade the performance of all message flows that are deployed to the broker |
|
Good point. In fact, "might" is quite an understatement. I have seen this on several sites - debugging, especially in low-memory environments, resulted in anywhere between 30% and 80% performance degradation, even if you click "run to completion" as soon as the debugger catches a message.
Another reason not to use the debugger in production: you have to open your Java EG ports between the developer workstation and the broker over the network (unless you're debugging locally). Usually you'd want to completely separate the two, only opening a connection between the developer and the configmgr, for obvious security reasons. |
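Added example, not part of the thread and not IBM code: a way to verify the rule of thumb reached above on broker hosts you administer, by checking whether a port answers the fixed JDWP handshake. It assumes, as jefflowrey's posts suggest, that the 6.1 debug port is an ordinary JVM debug (JDWP) listener; `probe` and `start_listener` are names invented here, and the loopback listeners are constructed stand-ins.

```python
import socket
import threading

# Fixed 14-byte ASCII greeting from the JDWP specification: the debugger
# sends it and a JVM debug listener echoes the same bytes back.
JDWP_HANDSHAKE = b"JDWP-Handshake"


def probe(host, port, timeout=2.0):
    """Classify one TCP endpoint as 'closed', 'jdwp' or 'open-not-jdwp'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, filtered or unreachable
        return "closed"
    reply = b""
    with sock:
        try:
            sock.sendall(JDWP_HANDSHAKE)
            while len(reply) < len(JDWP_HANDSHAKE):
                chunk = sock.recv(len(JDWP_HANDSHAKE) - len(reply))
                if not chunk:
                    break
                reply += chunk
        except OSError:  # reset, or no answer within the timeout
            pass
    return "jdwp" if reply == JDWP_HANDSHAKE else "open-not-jdwp"


def start_listener(reply_with):
    """Constructed loopback stand-in: answers one connection, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(64)
            conn.sendall(reply_with)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed endpoints; replace with the broker hosts and ports you own.
    debug_port = start_listener(JDWP_HANDSHAKE)
    other_port = start_listener(b"HTTP/1.0 400 Bad Request\r\n\r\n")
    for port in (debug_port, other_port):
        print(port, probe("127.0.0.1", port))
```

Run from the developer network segment, a "jdwp" result for a production broker port means both the broker setting and the firewall rule mentioned in the thread need attention.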